* [PATCH] netfilter: synproxy: fix conntrackd interaction
@ 2017-05-11 13:22 Eric Leblond
  2017-05-11 16:14 ` Jesper Dangaard Brouer
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Leblond @ 2017-05-11 13:22 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, brouer, Eric Leblond

This patch fixes the creation of a connection tracking entry from
netlink when synproxy is used. It was missing the addition of
the synproxy extension.

This was causing kernel crashes when a conntrack entry created by
conntrackd was used after the switch of traffic from the active node
to the passive node.
---
 net/netfilter/nf_conntrack_netlink.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index dcf561b5c97a..1a127677ffe1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,6 +45,8 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_labels.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_l4proto.h>
@@ -1828,6 +1830,8 @@ ctnetlink_create_conntrack(struct net *net,
 	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
 	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
 	nf_ct_labels_ext_add(ct);
+	nfct_seqadj_ext_add(ct);
+	nfct_synproxy_ext_add(ct);
 
 	/* we must add conntrack extensions before confirmation. */
 	ct->status |= IPS_CONFIRMED;
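Review bot: the commit message describes only the missing synproxy extension, yet this hunk also adds `nfct_seqadj_ext_add(ct);`; the message should say why seqadj is added alongside synproxy (presumably because synproxy relies on the seqadj extension for TCP sequence-number adjustment), otherwise a stable backporter may drop that line as unrelated. Also worth a sentence: both calls run unconditionally for every conntrack created through netlink, not only for entries a SYN proxy will handle, so every ctnetlink-created entry now carries two extra extensions; and both return the new extension pointer (NULL on allocation failure), which is ignored here consistently with `nf_ct_labels_ext_add(ct);` on the line above but should be stated as intentional.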
-- 
2.11.0



* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-11 13:22 [PATCH] netfilter: synproxy: fix conntrackd interaction Eric Leblond
@ 2017-05-11 16:14 ` Jesper Dangaard Brouer
  2017-05-11 16:56   ` Eric Leblond
  0 siblings, 1 reply; 6+ messages in thread
From: Jesper Dangaard Brouer @ 2017-05-11 16:14 UTC (permalink / raw)
  To: Eric Leblond; +Cc: pablo, netfilter-devel, brouer

On Thu, 11 May 2017 15:22:55 +0200
Eric Leblond <eric@regit.org> wrote:

> This patch fixes the creation of a connection tracking entry from
> netlink when synproxy is used. It was missing the addition of
> the synproxy extension.
> 
> This was causing kernel crashes when a conntrack entry created by
> conntrackd was used after the switch of traffic from the active node
> to the passive node.

You are missing a Signed-off-by line ;-)

> ---
>  net/netfilter/nf_conntrack_netlink.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index dcf561b5c97a..1a127677ffe1 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -45,6 +45,8 @@
>  #include <net/netfilter/nf_conntrack_zones.h>
>  #include <net/netfilter/nf_conntrack_timestamp.h>
>  #include <net/netfilter/nf_conntrack_labels.h>
> +#include <net/netfilter/nf_conntrack_seqadj.h>
> +#include <net/netfilter/nf_conntrack_synproxy.h>
>  #ifdef CONFIG_NF_NAT_NEEDED
>  #include <net/netfilter/nf_nat_core.h>
>  #include <net/netfilter/nf_nat_l4proto.h>
> @@ -1828,6 +1830,8 @@ ctnetlink_create_conntrack(struct net *net,
>  	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
>  	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
>  	nf_ct_labels_ext_add(ct);
> +	nfct_seqadj_ext_add(ct);
> +	nfct_synproxy_ext_add(ct);
>  
>  	/* we must add conntrack extensions before confirmation. */
>  	ct->status |= IPS_CONFIRMED;



-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  LinkedIn: http://www.linkedin.com/in/brouer


* [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-11 16:14 ` Jesper Dangaard Brouer
@ 2017-05-11 16:56   ` Eric Leblond
  2017-05-15 16:52     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Leblond @ 2017-05-11 16:56 UTC (permalink / raw)
  To: pablo; +Cc: brouer, netfilter-devel, Eric Leblond

This patch fixes the creation of a connection tracking entry from
netlink when synproxy is used. It was missing the addition of
the synproxy extension.

This was causing kernel crashes when a conntrack entry created by
conntrackd was used after the switch of traffic from the active node
to the passive node.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 net/netfilter/nf_conntrack_netlink.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index dcf561b5c97a..1a127677ffe1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,6 +45,8 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_labels.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_l4proto.h>
@@ -1828,6 +1830,8 @@ ctnetlink_create_conntrack(struct net *net,
 	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
 	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
 	nf_ct_labels_ext_add(ct);
+	nfct_seqadj_ext_add(ct);
+	nfct_synproxy_ext_add(ct);
 
 	/* we must add conntrack extensions before confirmation. */
 	ct->status |= IPS_CONFIRMED;
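Review bot: this resend adds the Signed-off-by but still carries no Fixes: tag and no Cc: stable@vger.kernel.org; for a crash fix triggered by a conntrackd failover, as the message describes, reference the commit that introduced the synproxy extension in a Fixes: tag so the stable maintainers can pick it up without a separate request. The message could also state why both `nfct_seqadj_ext_add(ct);` and `nfct_synproxy_ext_add(ct);` are placed before `ct->status |= IPS_CONFIRMED;`, since the existing comment "we must add conntrack extensions before confirmation" is the only hint at the ordering constraint.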
-- 
2.11.0



* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-11 16:56   ` Eric Leblond
@ 2017-05-15 16:52     ` Pablo Neira Ayuso
       [not found]       ` <fbaa0cbd-a13d-46e3-a796-023439433dda@email.android.com>
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-05-15 16:52 UTC (permalink / raw)
  To: Eric Leblond; +Cc: brouer, netfilter-devel

On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
> This patch fixes the creation of a connection tracking entry from
> netlink when synproxy is used. It was missing the addition of
> the synproxy extension.
> 
> This was causing kernel crashes when a conntrack entry created by
> conntrackd was used after the switch of traffic from the active node
> to the passive node.

Applied, thanks Eric.


* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
       [not found]       ` <fbaa0cbd-a13d-46e3-a796-023439433dda@email.android.com>
@ 2017-05-15 17:55         ` Pablo Neira Ayuso
  2017-05-15 21:53           ` Eric Leblond
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-05-15 17:55 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Netfilter Devel, brouer

On Mon, May 15, 2017 at 07:49:18PM +0200, Eric Leblond wrote:
>    Hello,
>    On 15 May 2017 at 6:52 PM, Pablo Neira Ayuso <pablo@netfilter.org>
>    wrote:
> 
>      On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
>      > This patch fixes the creation of a connection tracking entry from
>      > netlink when synproxy is used. It was missing the addition of
>      > the synproxy extension.
>      >
>      > This was causing kernel crashes when a conntrack entry created by
>      > conntrackd was used after the switch of traffic from the active node
>      > to the passive node.
>      Applied, thanks Eric.
> 
>    Thanks Pablo!
>    Will you push it to stable, as it is causing a crash on older kernels
>    like 3.16?

Does this compile cleanly as is?

If so, I can just request -stable maintainer to take it as soon as
this hits upstream.


* Re: [PATCH] netfilter: synproxy: fix conntrackd interaction
  2017-05-15 17:55         ` Pablo Neira Ayuso
@ 2017-05-15 21:53           ` Eric Leblond
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2017-05-15 21:53 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Devel, brouer

Hi,

On Mon, 2017-05-15 at 19:55 +0200, Pablo Neira Ayuso wrote:
> On Mon, May 15, 2017 at 07:49:18PM +0200, Eric Leblond wrote:
> >    Hello,
> >    On 15 May 2017 at 6:52 PM, Pablo Neira Ayuso <pablo@netfilter.org>
> >    wrote:
> > 
> >      On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
> >      > This patch fixes the creation of a connection tracking entry from
> >      > netlink when synproxy is used. It was missing the addition of
> >      > the synproxy extension.
> >      >
> >      > This was causing kernel crashes when a conntrack entry created by
> >      > conntrackd was used after the switch of traffic from the active node
> >      > to the passive node.
> >      Applied, thanks Eric.
> > 
> >    Thanks Pablo!
> >    Will you push it to stable, as it is causing a crash on older kernels
> >    like 3.16?
> 
> Does this compile cleanly as is?

Yes, I have tested the patch on 3.16.1 and it applies cleanly. I've
built the module for 4.1 and the patch applies too. I did not test it,
but the code is unchanged.

> If so, I can just request -stable maintainer to take it as soon as
> this hits upstream.

Thanks!

BR,
-- 
Eric Leblond <eric@regit.org>

