[PATCH] netfilter: synproxy: fix conntrackd interaction

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] netfilter: synproxy: fix conntrackd interaction
@ 2017-05-11 13:22 Eric Leblond
  2017-05-11 16:14 ` Jesper Dangaard Brouer
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Leblond @ 2017-05-11 13:22 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, brouer, Eric Leblond

This patch fixes the creation of connection tracking entry from
netlink when synproxy is used. It was missing the addition of
the synproxy extension.

This was causing kernel crashes when a conntrack entry created by
conntrackd was used after the switch of traffic from active node
to the passive node.
---
 net/netfilter/nf_conntrack_netlink.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index dcf561b5c97a..1a127677ffe1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,6 +45,8 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_labels.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_l4proto.h>
@@ -1828,6 +1830,8 @@ ctnetlink_create_conntrack(struct net *net,
 	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
 	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
 	nf_ct_labels_ext_add(ct);
+	nfct_seqadj_ext_add(ct);
+	nfct_synproxy_ext_add(ct);
 
 	/* we must add conntrack extensions before confirmation. */
 	ct->status |= IPS_CONFIRMED;
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-11 13:22 [PATCH] netfilter: synproxy: fix conntrackd interaction Eric Leblond
@ 2017-05-11 16:14 ` Jesper Dangaard Brouer
  2017-05-11 16:56   ` Eric Leblond
  0 siblings, 1 reply; 6+ messages in thread
From: Jesper Dangaard Brouer @ 2017-05-11 16:14 UTC (permalink / raw)
  To: Eric Leblond; +Cc: pablo, netfilter-devel, brouer

On Thu, 11 May 2017 15:22:55 +0200
Eric Leblond <eric@regit.org> wrote:

> This patch fixes the creation of connection tracking entry from
> netlink when synproxy is used. It was missing the addition of
> the synproxy extension.
> 
> This was causing kernel crashes when a conntrack entry created by
> conntrackd was used after the switch of traffic from active node
> to the passive node.

You are missing a Signed-off-by line ;-)

> ---
>  net/netfilter/nf_conntrack_netlink.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index dcf561b5c97a..1a127677ffe1 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -45,6 +45,8 @@
>  #include <net/netfilter/nf_conntrack_zones.h>
>  #include <net/netfilter/nf_conntrack_timestamp.h>
>  #include <net/netfilter/nf_conntrack_labels.h>
> +#include <net/netfilter/nf_conntrack_seqadj.h>
> +#include <net/netfilter/nf_conntrack_synproxy.h>
>  #ifdef CONFIG_NF_NAT_NEEDED
>  #include <net/netfilter/nf_nat_core.h>
>  #include <net/netfilter/nf_nat_l4proto.h>
> @@ -1828,6 +1830,8 @@ ctnetlink_create_conntrack(struct net *net,
>  	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
>  	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
>  	nf_ct_labels_ext_add(ct);
> +	nfct_seqadj_ext_add(ct);
> +	nfct_synproxy_ext_add(ct);
>  
>  	/* we must add conntrack extensions before confirmation. */
>  	ct->status |= IPS_CONFIRMED;



-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  LinkedIn: http://www.linkedin.com/in/brouer

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-11 16:14 ` Jesper Dangaard Brouer
@ 2017-05-11 16:56   ` Eric Leblond
  2017-05-15 16:52     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Leblond @ 2017-05-11 16:56 UTC (permalink / raw)
  To: pablo; +Cc: brouer, netfilter-devel, Eric Leblond

This patch fixes the creation of connection tracking entry from
netlink when synproxy is used. It was missing the addition of
the synproxy extension.

This was causing kernel crashes when a conntrack entry created by
conntrackd was used after the switch of traffic from active node
to the passive node.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 net/netfilter/nf_conntrack_netlink.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index dcf561b5c97a..1a127677ffe1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,6 +45,8 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_labels.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_l4proto.h>
@@ -1828,6 +1830,8 @@ ctnetlink_create_conntrack(struct net *net,
 	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
 	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
 	nf_ct_labels_ext_add(ct);
+	nfct_seqadj_ext_add(ct);
+	nfct_synproxy_ext_add(ct);
 
 	/* we must add conntrack extensions before confirmation. */
 	ct->status |= IPS_CONFIRMED;
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-11 16:56   ` Eric Leblond
@ 2017-05-15 16:52     ` Pablo Neira Ayuso
       [not found]       ` <fbaa0cbd-a13d-46e3-a796-023439433dda@email.android.com>
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-05-15 16:52 UTC (permalink / raw)
  To: Eric Leblond; +Cc: brouer, netfilter-devel

On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
> This patch fixes the creation of connection tracking entry from
> netlink when synproxy is used. It was missing the addition of
> the synproxy extension.
> 
> This was causing kernel crashes when a conntrack entry created by
> conntrackd was used after the switch of traffic from active node
> to the passive node.

Applied, thanks Eric.

^ permalink raw reply	[flat|nested] 6+ messages in thread

[parent not found: <fbaa0cbd-a13d-46e3-a796-023439433dda@email.android.com>]

* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
       [not found]       ` <fbaa0cbd-a13d-46e3-a796-023439433dda@email.android.com>
@ 2017-05-15 17:55         ` Pablo Neira Ayuso
  2017-05-15 21:53           ` Eric Leblond
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-05-15 17:55 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Netfilter Devel, brouer

On Mon, May 15, 2017 at 07:49:18PM +0200, Eric Leblond wrote:
>    Hello,
>    Le 15 mai 2017 6:52 PM, Pablo Neira Ayuso <pablo@netfilter.org> a
>    écrit :
> 
>      On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
>      > This patch fixes the creation of connection tracking entry from
>      > netlink when synproxy is used. It was missing the addition of
>      > the synproxy extension.
>      >
>      > This was causing kernel crashes when a conntrack entry created by
>      > conntrackd was used after the switch of traffic from active node
>      > to the passive node.
>      Applied, thanks Eric.
> 
>    Thanks Pablo !
>    Will you push it to stable as it is causing a crash on older kernel
>    like 3.16?

Does this compile cleanly as is?

If so, I can just request -stable maintainer to take it as soon as
this hits upstream.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-15 17:55         ` Pablo Neira Ayuso
@ 2017-05-15 21:53           ` Eric Leblond
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2017-05-15 21:53 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Devel, brouer

Hi,

On Mon, 2017-05-15 at 19:55 +0200, Pablo Neira Ayuso wrote:
> On Mon, May 15, 2017 at 07:49:18PM +0200, Eric Leblond wrote:
> >    Hello,
> >    Le 15 mai 2017 6:52 PM, Pablo Neira Ayuso <pablo@netfilter.org>
> > a
> >    écrit :
> > 
> >      On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
> >      > This patch fixes the creation of connection tracking entry
> > from
> >      > netlink when synproxy is used. It was missing the addition
> > of
> >      > the synproxy extension.
> >      >
> >      > This was causing kernel crashes when a conntrack entry
> > created by
> >      > conntrackd was used after the switch of traffic from active
> > node
> >      > to the passive node.
> >      Applied, thanks Eric.
> > 
> >    Thanks Pablo !
> >    Will you push it to stable as it is causing a crash on older
> > kernel
> >    like 3.16?
> 
> Does this compile cleanly as is?

Yes, I have tested the patch on 3.16.1 and it applies cleanly. I've
build module for 4.1 and patch applies too. I did not test it but code
is unchanged.

> If so, I can just request -stable maintainer to take it as soon as
> this hits upstream.

Thanks!

BR,
-- 
Eric Leblond <eric@regit.org>

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2017-05-15 21:53 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-11 13:22 [PATCH] netfilter: synproxy: fix conntrackd interaction Eric Leblond
2017-05-11 16:14 ` Jesper Dangaard Brouer
2017-05-11 16:56   ` Eric Leblond
2017-05-15 16:52     ` Pablo Neira Ayuso
     [not found]       ` <fbaa0cbd-a13d-46e3-a796-023439433dda@email.android.com>
2017-05-15 17:55         ` Pablo Neira Ayuso
2017-05-15 21:53           ` Eric Leblond

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).