提交 a88e22ad 编写于 作者: P Pablo Neira Ayuso 提交者: Patrick McHardy

netfilter: ctnetlink: fix creation of conntrack with helpers

This patch fixes a bug that triggers an assertion if you create
a conntrack entry with a helper and netfilter debugging is enabled.
Basically, we hit the assertion because the confirmation flag is
set before the conntrack extensions are added. To fix this, we
move the extension addition before the aforementioned flag is
set.

This patch also removes the possibility of setting a helper for
existing conntracks. This operation would also trigger the
assertion since we are not allowed to add new extensions for
existing conntracks. We know noone that could benefit from
this operation sanely.

Thanks to Eric Dumazet for initial posting a preliminary patch
to address this issue.
Reported-by: NDavid Ramblewski <David.Ramblewski@atosorigin.com>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
上级 4bac6b18
...@@ -1077,9 +1077,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[]) ...@@ -1077,9 +1077,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
/* need to zero data of old helper */ /* need to zero data of old helper */
memset(&help->help, 0, sizeof(help->help)); memset(&help->help, 0, sizeof(help->help));
} else { } else {
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); /* we cannot set a helper for an existing conntrack */
if (help == NULL) return -EOPNOTSUPP;
return -ENOMEM;
} }
rcu_assign_pointer(help->helper, helper); rcu_assign_pointer(help->helper, helper);
...@@ -1263,7 +1262,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, ...@@ -1263,7 +1262,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
ct->timeout.expires = jiffies + ct->timeout.expires * HZ; ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
ct->status |= IPS_CONFIRMED;
rcu_read_lock(); rcu_read_lock();
if (cda[CTA_HELP]) { if (cda[CTA_HELP]) {
...@@ -1314,14 +1312,19 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, ...@@ -1314,14 +1312,19 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
goto err2; goto err2;
} }
if (cda[CTA_STATUS]) { if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
err = ctnetlink_change_status(ct, cda); err = ctnetlink_change_nat(ct, cda);
if (err < 0) if (err < 0)
goto err2; goto err2;
} }
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { nf_ct_acct_ext_add(ct, GFP_ATOMIC);
err = ctnetlink_change_nat(ct, cda); nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
/* we must add conntrack extensions before confirmation. */
ct->status |= IPS_CONFIRMED;
if (cda[CTA_STATUS]) {
err = ctnetlink_change_status(ct, cda);
if (err < 0) if (err < 0)
goto err2; goto err2;
} }
...@@ -1340,9 +1343,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, ...@@ -1340,9 +1343,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
goto err2; goto err2;
} }
nf_ct_acct_ext_add(ct, GFP_ATOMIC);
nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
#if defined(CONFIG_NF_CONNTRACK_MARK) #if defined(CONFIG_NF_CONNTRACK_MARK)
if (cda[CTA_MARK]) if (cda[CTA_MARK])
ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册