62 lines
2.6 KiB
Diff
62 lines
2.6 KiB
Diff
From e7600865db32b69deb0109b8254244dca592adcf Mon Sep 17 00:00:00 2001
|
|
From: Felix Kaechele <felix@kaechele.ca>
|
|
Date: Tue, 25 Jun 2019 16:48:59 -0400
|
|
Subject: [PATCH] netfilter: ctnetlink: Fix regression in conntrack entry
|
|
deletion
|
|
|
|
Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack
|
|
L3-protocol flush regression") introduced a regression in which deletion
|
|
of conntrack entries would fail because the L3 protocol information
|
|
is replaced by AF_UNSPEC. As a result the search for the entry to be
|
|
deleted would turn up empty due to the tuple used to perform the search
|
|
is now different from the tuple used to initially set up the entry.
|
|
|
|
For flushing the conntrack table we do however want to keep the option
|
|
for nfgenmsg->version to have a non-zero value to allow for newer
|
|
user-space tools to request treatment under the new behavior. With that
|
|
it is possible to independently flush tables for a defined L3 protocol.
|
|
This was introduced with the enhancements in in commit 59c08c69c278
|
|
("netfilter: ctnetlink: Support L3 protocol-filter on flush").
|
|
|
|
Older user-space tools will retain the behavior of flushing all tables
|
|
regardless of defined L3 protocol.
|
|
|
|
Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression")
|
|
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Felix Kaechele <felix@kaechele.ca>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
---
|
|
net/netfilter/nf_conntrack_netlink.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
|
|
index 7db79c1b8084..1b77444d5b52 100644
|
|
--- a/net/netfilter/nf_conntrack_netlink.c
|
|
+++ b/net/netfilter/nf_conntrack_netlink.c
|
|
@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
|
|
struct nf_conntrack_tuple tuple;
|
|
struct nf_conn *ct;
|
|
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
|
|
- u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
|
|
struct nf_conntrack_zone zone;
|
|
int err;
|
|
|
|
@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
|
|
|
|
if (cda[CTA_TUPLE_ORIG])
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
|
|
- u3, &zone);
|
|
+ nfmsg->nfgen_family, &zone);
|
|
else if (cda[CTA_TUPLE_REPLY])
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
|
|
- u3, &zone);
|
|
+ nfmsg->nfgen_family, &zone);
|
|
else {
|
|
+ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
|
|
+
|
|
return ctnetlink_flush_conntrack(net, cda,
|
|
NETLINK_CB(skb).portid,
|
|
nlmsg_report(nlh), u3);
|
|
--
|
|
2.21.0
|
|
|