From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, fw@strlen.de, stgraber@stgraber.org
Subject: Re: [PATCH nf] netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()
Date: Wed, 19 Apr 2023 08:17:23 +0200
Message-ID: <20230419061723.GF21058@breakpoint.cc>
In-Reply-To: <20230418214024.14653-1-pablo@netfilter.org>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race")
> consolidates IPS_CONFIRMED bit set in nf_conntrack_hash_check_insert().
> However, this breaks ctnetlink:
>
> # conntrack -I -p tcp --timeout 123 --src 1.2.3.4 --dst 5.6.7.8 --state ESTABLISHED --sport 1 --dport 4 -u SEEN_REPLY
> conntrack v1.4.6 (conntrack-tools): Operation failed: Device or resource busy
>
> This is a partial revert of the aforementioned commit.
>
> Fixes: e6d57e9ff0ae ("netfilter: conntrack: fix rmmod double-free race")
> Reported-by: Stéphane Graber <stgraber@stgraber.org>
> Tested-by: Stéphane Graber <stgraber@stgraber.org>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> net/netfilter/nf_conntrack_bpf.c | 1 +
> net/netfilter/nf_conntrack_core.c | 1 -
> net/netfilter/nf_conntrack_netlink.c | 3 +++
> 3 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index bfc3aaa2c872..d3ee18854698 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -2316,6 +2316,9 @@ ctnetlink_create_conntrack(struct net *net,
> nfct_seqadj_ext_add(ct);
> nfct_synproxy_ext_add(ct);
>
> + /* we must add conntrack extensions before confirmation. */
> + ct->status |= IPS_CONFIRMED;
> +
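Review bot: the new comment on the `+ /* we must add conntrack extensions before confirmation. */` line records the ordering constraint but not why ctnetlink_create_conntrack() has to set IPS_CONFIRMED itself; since e6d57e9ff0ae moved that bit into nf_conntrack_hash_check_insert() and this hunk reintroduces it here to avoid the EBUSY failure from the commit message, the comment should say so (for example, that ctnetlink-created entries are confirmed here rather than in nf_conntrack_hash_check_insert()), so that a future consolidation does not silently reintroduce the regression.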
I'd guess that these 2 lines are the only part that is needed, but up
to you.
Thread overview: 3+ messages
2023-04-18 21:40 [PATCH nf] netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert() Pablo Neira Ayuso
2023-04-19 6:17 ` Florian Westphal [this message]
2023-04-19 7:41 ` Pablo Neira Ayuso