diff mbox series

[net,1/2] netfilter: conntrack: skip identical origin tuple in same zone only

Message ID 20210209213511.23298-2-pablo@netfilter.org
State New
Headers show
Series [net,1/2] netfilter: conntrack: skip identical origin tuple in same zone only | expand

Commit Message

Pablo Neira Ayuso Feb. 9, 2021, 9:35 p.m. UTC
From: Florian Westphal <fw@strlen.de>

The origin skip check needs to re-test the zone. Else, we might skip
a colliding tuple in the reply direction.

This only occurs when using 'directional zones' where origin tuples
reside in different zones but the reply tuples share the same zone.

This causes the new conntrack entry to be dropped at confirmation time
because NAT clash resolution was elided.

Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org Feb. 10, 2021, midnight UTC | #1
Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Tue,  9 Feb 2021 22:35:10 +0100 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> The origin skip check needs to re-test the zone. Else, we might skip
> a colliding tuple in the reply direction.
> 
> This only occurs when using 'directional zones' where origin tuples
> reside in different zones but the reply tuples share the same zone.
> 
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: conntrack: skip identical origin tuple in same zone only
    https://git.kernel.org/netdev/net/c/07998281c268
  - [net,2/2] netfilter: nftables: relax check for stateful expressions in set definition
    https://git.kernel.org/netdev/net/c/664899e85c13

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 234b7cab37c3..ff0168736f6e 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1229,7 +1229,8 @@  nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
 			 * Let nf_ct_resolve_clash() deal with this later.
 			 */
 			if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
-					      &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple))
+					      &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) &&
+					      nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL))
 				continue;
 
 			NF_CT_STAT_INC_ATOMIC(net, found);