From patchwork Wed Jan 2 17:00:22 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Mauricio Faria de Oliveira X-Patchwork-Id: 1020036 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43VHPy2BMfz9sBn for ; Thu, 3 Jan 2019 04:01:26 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730551AbfABRBZ (ORCPT ); Wed, 2 Jan 2019 12:01:25 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:41805 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728720AbfABRBZ (ORCPT ); Wed, 2 Jan 2019 12:01:25 -0500 Received: from mail-qk1-f198.google.com ([209.85.222.198]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1gejtS-00044m-Fu for netdev@vger.kernel.org; Wed, 02 Jan 2019 17:01:22 +0000 Received: by mail-qk1-f198.google.com with SMTP id j125so37143441qke.12 for ; Wed, 02 Jan 2019 09:01:22 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=620lz93blX+gMAhdPhC4jRp9+2hZlpL4Fhkk7irNqdg=; b=uA9FrFBUrLvSJZEdcjsF8X3COHXHtuWV6OZSCcRmSOE4JPqoM/veOc5JodV+Xg1GDk FHcu1yxvJJ9JbYjIccOpAFbwtXAkVpweE1gzETJuCQ1c8Vlv/b4iF/7DTzCHWrZrHHbo uL4ygbXPe0n1muk7sehzkMjHyHnnLERk10mCvnPcbSa9+atBH1Gd5BCNKhe/qQa8xbg0 +njrng2sK+IAuQ24bRlvU81D0x3hI1FDy0kSnMXKeIW7+1R4MiWo0B8tWCzOWEs7YHl0 HqgTxzAxqFAfPhZ9/ADD23CZ2R8c2BeogOj+mYYkYT8Ytffwlmk6KiHru21mvtCGejJH SE9Q== X-Gm-Message-State: AJcUukd46C0QUj5qp0jInrF2C3tU/5dUXszUe5timB9MBcGjYh2INRNW Ee1nIQ2wCmBY+3IGGge0SsdVOPuzmESqH3pIT7ZTJRlqZofk618QRBbH9LDoKv4dV8Up3Nfw0/n pJwLHV7XNfdLavcp+5RR4PmYQ5gF3eNCd+g== X-Received: by 2002:a0c:878d:: with SMTP id 13mr43197612qvj.8.1546448481680; Wed, 02 Jan 2019 09:01:21 -0800 (PST) X-Google-Smtp-Source: ALg8bN7aAEayhah8E5ubJhuRjxoDV0uBueJ0vu4+z03HG2v4WY48oK/BXqth9L7SPwF4OQpn9YSW5w== X-Received: by 2002:a0c:878d:: with SMTP id 13mr43197589qvj.8.1546448481464; Wed, 02 Jan 2019 09:01:21 -0800 (PST) Received: from localhost.localdomain ([179.159.56.118]) by smtp.gmail.com with ESMTPSA id i26sm20333938qkg.12.2019.01.02.09.01.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 02 Jan 2019 09:01:20 -0800 (PST) From: Mauricio Faria de Oliveira To: stable@vger.kernel.org, netdev@vger.kernel.org, Florian Westphal Cc: Alakesh Haloi , nivedita.singhvi@canonical.com, Pablo Neira Ayuso , Jozsef Kadlecsik , "David S. Miller" , Yi-Hung Wei Subject: [PATCH 4.14 3/4] netfilter: nf_conncount: Fix garbage collection with zones Date: Wed, 2 Jan 2019 15:00:22 -0200 Message-Id: <20190102170023.10415-4-mfo@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190102170023.10415-1-mfo@canonical.com> References: <20190102170023.10415-1-mfo@canonical.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Yi-Hung Wei commit 21ba8847f857028dc83a0f341e16ecc616e34740 upstream. Currently, we use check_hlist() for garbage colleciton. However, we use the ‘zone’ from the counted entry to query the existence of existing entries in the hlist. This could be wrong when they are in different zones, and this patch fixes this issue. Fixes: e59ea3df3fc2 ("netfilter: xt_connlimit: honor conntrack zone if available") Signed-off-by: Yi-Hung Wei Signed-off-by: Pablo Neira Ayuso [mfo: backport: refresh context lines and use older symbol/file names, note hunk 5: - nf_conncount.c -> xt_connlimit.c - nf_conncount_rb -> xt_connlimit_rb - nf_conncount_tuple -> xt_connlimit_conn - hunk 5: remove check for non-NULL 'tuple', that isn't required as it's introduced by upstream commit 35d8deb80 ("netfilter: conncount: Support count only use case") which addresses nf_conncount_count() that does not exist yet -- it's introduced by upstream commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend"), a refactor change. - nft_connlimit.c -> removed, not used/doesn't exist yet.] Signed-off-by: Mauricio Faria de Oliveira --- include/net/netfilter/nf_conntrack_count.h | 3 ++- net/netfilter/xt_connlimit.c | 13 +++++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h index 54e43b8..4b71a2f 100644 --- a/include/net/netfilter/nf_conntrack_count.h +++ b/include/net/netfilter/nf_conntrack_count.h @@ -7,7 +7,8 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, bool *addit); bool nf_conncount_add(struct hlist_head *head, - const struct nf_conntrack_tuple *tuple); + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone); void nf_conncount_cache_free(struct hlist_head *hhead); diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 7af5875..ab1f849 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -46,6 +46,7 @@ struct xt_connlimit_conn { struct hlist_node node; struct nf_conntrack_tuple tuple; + struct nf_conntrack_zone zone; }; struct xt_connlimit_rb { @@ -115,7 +116,8 @@ same_source_net(const union nf_inet_addr *addr, } bool nf_conncount_add(struct hlist_head *head, - const struct nf_conntrack_tuple *tuple) + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone) { struct xt_connlimit_conn *conn; @@ -123,6 +125,7 @@ bool nf_conncount_add(struct hlist_head *head, if (conn == NULL) return false; conn->tuple = *tuple; + conn->zone = *zone; hlist_add_head(&conn->node, head); return true; } @@ -143,7 +146,7 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, /* check the saved connections */ hlist_for_each_entry_safe(conn, n, head, node) { - found = nf_conntrack_find_get(net, zone, &conn->tuple); + found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple); if (found == NULL) { hlist_del(&conn->node); kmem_cache_free(connlimit_conn_cachep, conn); @@ -152,7 +155,8 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, found_ct = nf_ct_tuplehash_to_ctrack(found); - if (nf_ct_tuple_equal(&conn->tuple, tuple)) { + if (nf_ct_tuple_equal(&conn->tuple, tuple) && + nf_ct_zone_equal(found_ct, zone, zone->dir)) { /* * Just to be sure we have it only once in the list. * We should not see tuples twice unless someone hooks @@ -231,7 +235,7 @@ count_tree(struct net *net, struct rb_root *root, if (!addit) return count; - if (!nf_conncount_add(&rbconn->hhead, tuple)) + if (!nf_conncount_add(&rbconn->hhead, tuple, zone)) return 0; /* hotdrop */ return count + 1; @@ -270,6 +274,7 @@ count_tree(struct net *net, struct rb_root *root, } conn->tuple = *tuple; + conn->zone = *zone; rbconn->addr = *addr; INIT_HLIST_HEAD(&rbconn->hhead);