
conntrack race

Discussion: http://patchwork.ozlabs.org/patch/937963/

Reproducing

  1. Apply nfct_debug.patch on top of the proposed patch linked above.
  2. Enable the dynamic debug (as root, with debugfs mounted): echo -n 'file net/netfilter/nf_conntrack_core.c +p' > /sys/kernel/debug/dynamic_debug/control.
  3. Compile and run server.c: gcc server.c -o server && ./server 8000.
  4. Compile and run client.c: gcc -pthread client.c -o client && for i in $(seq 1 10); do ./client 127.0.0.1 8000; done.
  5. Observe clashes in the kernel log: dmesg | grep nf_ct_resolve_clash.

Logs

No NAT

logs

  • No NAT rules, but NAT null-bindings enabled.
  • Client and server communicate over lo.

DNAT

logs

  • DNAT rules are installed.
  • Client and server communicate over lo.

SNAT

logs

  • SNAT rules are installed by Docker.
  • Client runs in a container network namespace, and its IPv4 address is 172.17.0.2.
  • The client communicates with 172.28.128.3 (remote) via 172.28.128.1 (gateway).