diff options
Diffstat (limited to 'netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch')
| -rw-r--r-- | netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch new file mode 100644 index 000000000..750d884df --- /dev/null +++ b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch @@ -0,0 +1,62 @@ +From e7600865db32b69deb0109b8254244dca592adcf Mon Sep 17 00:00:00 2001 +From: Felix Kaechele <felix@kaechele.ca> +Date: Tue, 25 Jun 2019 16:48:59 -0400 +Subject: [PATCH] netfilter: ctnetlink: Fix regression in conntrack entry + deletion + +Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack +L3-protocol flush regression") introduced a regression in which deletion +of conntrack entries would fail because the L3 protocol information +is replaced by AF_UNSPEC. As a result the search for the entry to be +deleted would turn up empty due to the tuple used to perform the search +is now different from the tuple used to initially set up the entry. + +For flushing the conntrack table we do however want to keep the option +for nfgenmsg->version to have a non-zero value to allow for newer +user-space tools to request treatment under the new behavior. With that +it is possible to independently flush tables for a defined L3 protocol. +This was introduced with the enhancements in in commit 59c08c69c278 +("netfilter: ctnetlink: Support L3 protocol-filter on flush"). + +Older user-space tools will retain the behavior of flushing all tables +regardless of defined L3 protocol. + +Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression") +Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Felix Kaechele <felix@kaechele.ca> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + net/netfilter/nf_conntrack_netlink.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 7db79c1b8084..1b77444d5b52 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, + struct nf_conntrack_tuple tuple; + struct nf_conn *ct; + struct nfgenmsg *nfmsg = nlmsg_data(nlh); +- u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; + struct nf_conntrack_zone zone; + int err; + +@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, + + if (cda[CTA_TUPLE_ORIG]) + err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, +- u3, &zone); ++ nfmsg->nfgen_family, &zone); + else if (cda[CTA_TUPLE_REPLY]) + err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, +- u3, &zone); ++ nfmsg->nfgen_family, &zone); + else { ++ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; ++ + return ctnetlink_flush_conntrack(net, cda, + NETLINK_CB(skb).portid, + nlmsg_report(nlh), u3); +-- +2.21.0 + |