diff options
Diffstat (limited to 'netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch')
| -rw-r--r-- | netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch | 62 |
1 files changed, 0 insertions, 62 deletions
diff --git a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch deleted file mode 100644 index 750d884df..000000000 --- a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch +++ /dev/null @@ -1,62 +0,0 @@ -From e7600865db32b69deb0109b8254244dca592adcf Mon Sep 17 00:00:00 2001 -From: Felix Kaechele <felix@kaechele.ca> -Date: Tue, 25 Jun 2019 16:48:59 -0400 -Subject: [PATCH] netfilter: ctnetlink: Fix regression in conntrack entry - deletion - -Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack -L3-protocol flush regression") introduced a regression in which deletion -of conntrack entries would fail because the L3 protocol information -is replaced by AF_UNSPEC. As a result the search for the entry to be -deleted would turn up empty due to the tuple used to perform the search -is now different from the tuple used to initially set up the entry. - -For flushing the conntrack table we do however want to keep the option -for nfgenmsg->version to have a non-zero value to allow for newer -user-space tools to request treatment under the new behavior. With that -it is possible to independently flush tables for a defined L3 protocol. -This was introduced with the enhancements in in commit 59c08c69c278 -("netfilter: ctnetlink: Support L3 protocol-filter on flush"). - -Older user-space tools will retain the behavior of flushing all tables -regardless of defined L3 protocol. - -Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression") -Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> -Signed-off-by: Felix Kaechele <felix@kaechele.ca> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - net/netfilter/nf_conntrack_netlink.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c -index 7db79c1b8084..1b77444d5b52 100644 ---- a/net/netfilter/nf_conntrack_netlink.c -+++ b/net/netfilter/nf_conntrack_netlink.c -@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, - struct nf_conntrack_tuple tuple; - struct nf_conn *ct; - struct nfgenmsg *nfmsg = nlmsg_data(nlh); -- u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; - struct nf_conntrack_zone zone; - int err; - -@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, - - if (cda[CTA_TUPLE_ORIG]) - err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, -- u3, &zone); -+ nfmsg->nfgen_family, &zone); - else if (cda[CTA_TUPLE_REPLY]) - err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, -- u3, &zone); -+ nfmsg->nfgen_family, &zone); - else { -+ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; -+ - return ctnetlink_flush_conntrack(net, cda, - NETLINK_CB(skb).portid, - nlmsg_report(nlh), u3); --- -2.21.0 - |