| 1 |
Hi! |
| 2 |
|
| 3 |
(fixed the subject) |
| 4 |
|
| 5 |
On Tue, 27 Jan 2009, Peter Alfredsen wrote: |
| 6 |
> [Mike: This looks like your field of expertise] |
| 7 |
> On Tue, 27 Jan 2009 16:47:50 +0100 |
| 8 |
> Tobias Klausmann <klausman@g.o> wrote: |
| 9 |
> |
| 10 |
> > glibc 2.9 uses a different way to implement getaddrinfo() which |
| 11 |
> > triggers a race condition in most (if not all) Netfilter |
| 12 |
> > firewalls that use connection tracking. glibc does nothing wrong |
| 13 |
> > per se, it just triggers the condition. (technical details here: |
| 14 |
> > http://marc.info/?l=linux-netdev&m=123304473331445) |
| 15 |
> [...] |
| 16 |
> > I don't have any experience with glibc upstream but pestering |
| 17 |
> > them about this out of the blue might only cause a flame war |
| 18 |
> > between kernel and glibc folks. Thus, I'm asking you, my fellow |
| 19 |
> > devs (and the glibc and kernel teams specifically), what you |
| 20 |
> > think is the best idea/course of action. |
| 21 |
> |
| 22 |
> The connection with IPv6 leads me to believe that this is |
| 23 |
> http://bugs.gentoo.org/250468 |
| 24 |
> http://sourceware.org/bugzilla/show_bug.cgi?id=7060 |
| 25 |
|
| 26 |
I doubt it: sometimes the lookups work, as this race is very |
| 27 |
timing-critical. When experimenting, I had to go below 50 |
| 28 |
microseconds between the two packets to actually trigger it plus |
| 29 |
the forwarding machines always were multicore. Also, the content |
| 30 |
is irrelevant. I implemented this myself sending the payloads |
| 31 |
with sendto() and it didn't matter if I sent the A or AAAA query |
| 32 |
first. |
| 33 |
|
| 34 |
That said, without seeing a tcpdump from those people with the |
| 35 |
error described in those two bugs, I can not rule it out. |
| 36 |
|
| 37 |
On the wire between the client and the firewall, this happens: |
| 38 |
|
| 39 |
a packet 1 is sent |
| 40 |
b packet 2 is sent |
| 41 |
c answer 1 is received |
| 42 |
d answer 2 is received |
| 43 |
|
| 44 |
Sometimes d doesn't happen because b is lost in the firewall |
| 45 |
along the way (where the race condition happens). |
| 46 |
|
| 47 |
> Mike has added a patch to Gentoo's patchset but hasn't bumped the |
| 48 |
> revision yet. It does look spectacularly hacky, though :-) |
| 49 |
> |
| 50 |
> Anyway, if this is your problem, it looks like upstream is already |
| 51 |
> working on it and that we just need to *prod* Mike a bit to get a fix |
| 52 |
> into the tarball. |
| 53 |
|
| 54 |
The bug is in the kernel, not glibc. The latter just triggers it |
| 55 |
because the newer resolver has a more aggressive timing. Note |
| 56 |
that I think that what the glibc guys did is a *good* idea. It |
| 57 |
just happens to rub Netfilter the wrong way. |
| 58 |
|
| 59 |
Regards, |
| 60 |
Tobias |
| 61 |
|
| 62 |
-- |
| 63 |
printk("Cool stuff's happening!\n") |
| 64 |
linux-2.4.3/fs/jffs/intrep.c |
Archives