netfilter: nf_conntrack: fix early_drop with reliable event delivery

If reliable event delivery is enabled and ctnetlink fails to deliver the destroy event in early_drop, the conntrack subsystem cannot drop any the candidate flow that was planned to be evicted. Reported-by: N Kerin Millar <kerframil@gmail.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N David S. Miller <davem@davemloft.net>

netfilter: nf_conntrack: fix early_drop with reliable event delivery
If reliable event delivery is enabled and ctnetlink fails to deliver the destroy event in early_drop, the conntrack subsystem cannot drop any the candidate flow that was planned to be evicted. Reported-by: N Kerin Millar <kerframil@gmail.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N David S. Miller <davem@davemloft.net>
74138511 · Pablo Neira Ayuso · David S. Miller · 739e4505 · 74138511
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

net/netfilter/nf_conntrack_core.c net/netfilter/nf_conntrack_core.c +6 -2

未找到文件。
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -635,8 +635,12 @@ static noinline int early_drop(struct net *net, unsigned int hash)

 	if (del_timer(&ct->timeout)) {
 		death_by_timeout((unsigned long)ct);
-		dropped = 1;
-		NF_CT_STAT_INC_ATOMIC(net, early_drop);
+		/* Check if we indeed killed this entry. Reliable event
+		   delivery may have inserted it into the dying list. */
+		if (test_bit(IPS_DYING_BIT, &ct->status)) {
+			dropped = 1;
+			NF_CT_STAT_INC_ATOMIC(net, early_drop);
+		}
 	}
 	nf_ct_put(ct);
 	return dropped;