- 1ElasticSearch(六)— 全文检索
- 2vue快速删除node_modules方法_vue 去掉nodemodal
- 3迁移学习(Transfer Learning)
- 4Autodesk AutoCAD v2025 解锁版下载和安装教程 (CAD设计软件)_cad2025讯雷下载
- 5理解 IPython 与 Python:关键区别与使用场景解析
- 6RK3588 CPU+GPU+NPU三位一体AI边缘控制器,应用于工程车辆/轨道交通+疲劳驾驶检测告警_rk3588 npu
- 7Docker Compose快速入门_docker compose基础‘
- 8【论文笔记】3D LiDAR Mapping in Dynamic Environments Using a 4D Implicit Neural Representation_3d lidar mapping in dynamic enviroments using 4d i
- 9authorization_postman测试工具中的授权“authorization”
- 10灵活应用MPC技术实现智能车避障控制的轨迹重规划,Simulink模型结合Carsim参数设置的联合仿真分析及操作解析_mpc 避障
linux镜像confirm,__ip_conntrack_confirm(struct sk_buff **pskb)扔包的一个疑惑
赞
踩
下面是这个函数,请看最后一行drop操作的疑惑:
/* Confirm a connection given skb; places it in hash table */
int
__ip_conntrack_confirm(struct sk_buff **pskb)
{
unsigned int hash, repl_hash;
struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
ct = ip_conntrack_get(*pskb, &ctinfo);
/* ipt_REJECT uses ip_conntrack_attach to attach related
ICMP/TCP RST packets in other direction. Actual packet
which created connection will be IP_CT_NEW or for an
expected connection, IP_CT_RELATED. */
if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) //ip_conntrack_confirm() blocked confirmed packet
return NF_ACCEPT; //so only confirm original and unconfirmed packet
hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
/* We're not in hash table, and we refuse to set up related
connections for unconfirmed conns. But packet copies and
REJECT will give spurious warnings here. */
/* IP_NF_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
/* No external references means noone else could have
confirmed us. */
IP_NF_ASSERT(!is_confirmed(ct));
DEBUGP("Confirming conntrack %p\n", ct);
write_lock_bh(&ip_conntrack_lock);
/* See if there's one in the list already, including reverse:
NAT could have grabbed it without realizing, since we're
not in the hash. If there is, we lost race. */
if (!LIST_FIND(&ip_conntrack_hash[hash],
conntrack_tuple_cmp,
struct ip_conntrack_tuple_hash *,
&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, NULL)
&& !LIST_FIND(&ip_conntrack_hash[repl_hash],
conntrack_tuple_cmp,
struct ip_conntrack_tuple_hash *,
&ct->tuplehash[IP_CT_DIR_REPLY].tuple, NULL)) {
/* Remove from unconfirmed list */
list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
__ip_conntrack_hash_insert(ct, hash, repl_hash); //insert in ct hash table
/* Timer relative to confirmation time, not original
setting time, otherwise we'd get timer wrap in
weird delay cases. */
ct->timeout.expires += jiffies;
add_timer(&ct->timeout);
atomic_inc(&ct->ct_general.use);
set_bit(IPS_CONFIRMED_BIT, &ct->status);
CONNTRACK_STAT_INC(insert);
write_unlock_bh(&ip_conntrack_lock);
if (ct->helper)
ip_conntrack_event_cache(IPCT_HELPER, *pskb);
#ifdef CONFIG_IP_NF_NAT_NEEDED
if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
ip_conntrack_event_cache(IPCT_NATINFO, *pskb);
#endif
ip_conntrack_event_cache(master_ct(ct) ?
IPCT_RELATED : IPCT_NEW, *pskb);
return NF_ACCEPT;
}
CONNTRACK_STAT_INC(insert_failed);
write_unlock_bh(&ip_conntrack_lock);
return NF_DROP; //why drop? 前面条件判断该tuple是否已经加入tuple_hash链表,程序走到这里说明已经有同一个tuple的另外一个包已经把tuple加入hash链表了,当前这个包“we lost race”了,但是这一个包为什么要drop掉呢?
}
