Re: [B.A.T.M.A.N.] "Kernel bug detected [...] nf_ct_del_from_dying_or_unconfirmed_list"

Chieh-Min Wang chiehmin18@gmail.com wrote:

I think 71d8c47fc653711c4(netfilter: conntrack: introduce clash resolution on insertion race) is doing the same logic for resolving conntrack clashing.

No, that commit dealsl with the case where two skbs have different conntrack objects but where tuples are the same.

In nfqueue+bridge flood case the skbs point to the same conntrack object.

Maybe one way to fix this would be to let nfqueue perform a deep copy of skb->_nfct in case conntrack is unconfirmed and skb_shared() is true.

But that would of course cause drop for l4 protocols that do not support clash resolution.