From 71def1c5869af69e4127f2b07ebd7d5c62642597 Mon Sep 17 00:00:00 2001
From: Ghanan Gowripalan
Date: Thu, 4 Feb 2021 17:58:58 -0800
Subject: Lock ConnTrack before initializing buckets

PiperOrigin-RevId: 355751801
---
 pkg/tcpip/stack/conntrack.go | 6 ++++++
 pkg/tcpip/stack/iptables.go | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
(limited to 'pkg/tcpip')
diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go
index 54617f2e6..cdb435644 100644
--- a/pkg/tcpip/stack/conntrack.go
+++ b/pkg/tcpip/stack/conntrack.go
@@ -231,6 +231,12 @@ func newConn(orig, reply tupleID, manip manipType, hook Hook) *conn {
 return &conn
 }
 
+func (ct *ConnTrack) init() {
+ ct.mu.Lock()
+ defer ct.mu.Unlock()
+ ct.buckets = make([]bucket, numBuckets)
+}
+
 // connFor gets the conn for pkt if it exists, or returns nil
 // if it does not. It returns an error when pkt does not contain a valid TCP
 // header.
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index 63832c200..52890f6eb 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -235,7 +235,7 @@ func (it *IPTables) ReplaceTable(id TableID, table Table, ipv6 bool) tcpip.Error
 // If iptables is being enabled, initialize the conntrack table and
 // reaper.
 if !it.modified {
- it.connections.buckets = make([]bucket, numBuckets)
+ it.connections.init()
 it.startReaper(reaperDelay)
 }
 it.modified = true
-- 
cgit v1.2.3
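Review bot: The new `init` method in conntrack.go has no doc comment, and it unconditionally replaces `ct.buckets`, so a second call would silently drop every tracked connection and the NAT state that goes with it. The only thing preventing that today is the `!it.modified` guard at the call site in iptables.go, which is not visible from this method. I would state the contract on the method, for example `// init allocates the bucket array under ct.mu. It discards any existing buckets, so it must be called only once, when iptables is first enabled.` If a repeat call is ever possible, an early return such as `if ct.buckets != nil { return }` inside the lock would make it safe, but confirm no caller relies on it as a reset first.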
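Review bot: The `if !it.modified { ... }` block in `ReplaceTable` is a check-then-act sequence, and `it.connections.init()` now takes `ct.mu` inside it, but the hunk does not show which lock, if any, protects `it.modified`. `ReplaceTable` starts outside the hunk, so this may already be handled. If an outer lock is held here, the nesting order should be written down so the reaper and the packet path acquire the two locks in the same order, for example `// Lock order: the IPTables lock is held here and init acquires ct.mu; never take them in the reverse order.` If no outer lock is held, two concurrent callers could both see `modified == false`, run `init` twice and start two reapers.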