From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next] netfilter: ctnetlink: do not bail out with EBUSY on unchangeable bits
Date: Mon, 25 Feb 2019 14:26:54 +0100 [thread overview]
Message-ID: <20190225132654.8710-1-pablo@netfilter.org> (raw)
Since a963d710f367 ("netfilter: ctnetlink: Fix regression in CTA_STATUS
processing"), the IPS_UNCHANGEABLE_MASK definition specifies what status
bits are unchangeable: this includes the NAT, dying, expected and
confirmed status bits.
Such commit also relaxed the check to ignore userspace updates that do
not make sense from the nfqueue path, ie. expected, confirmed and dying
bits.
This patch just ignores any attempt to disable the unchangeable bits
from nfqueue and usual ctnetlink path, instead of hitting EBUSY.
For seen reply and assured bits, it's safe to disable them since the
kernel does not crash, and state synchronization scenario may need to
update an existing stale conntrack entry that is out-of-sync, rather
than forcing userspace to tear it down and create a clean session.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 23 -----------------------
1 file changed, 23 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 349b42a65c8a..3fe7074e25e2 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1563,21 +1563,7 @@ __ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
static int
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
- unsigned long d;
unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
- d = ct->status ^ status;
-
- if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
- /* unchangeable */
- return -EBUSY;
-
- if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
- /* SEEN_REPLY bit can only be set */
- return -EBUSY;
-
- if (d & IPS_ASSURED && !(status & IPS_ASSURED))
- /* ASSURED bit can only be set */
- return -EBUSY;
__ctnetlink_change_status(ct, status, 0);
return 0;
@@ -2490,15 +2476,6 @@ static int
ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
- unsigned long d = ct->status ^ status;
-
- if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
- /* SEEN_REPLY bit can only be set */
- return -EBUSY;
-
- if (d & IPS_ASSURED && !(status & IPS_ASSURED))
- /* ASSURED bit can only be set */
- return -EBUSY;
/* This check is less strict than ctnetlink_change_status()
* because callers often flip IPS_EXPECTED bits when sending
--
2.11.0
reply other threads:[~2019-02-25 13:27 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190225132654.8710-1-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).