public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-11-15 19:25:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

netfilter: conntrack: udp: only extend timeout to stream mode after 2s

Browse source 
Currently DNS resolvers that send both A and AAAA queries from same source port
can trigger stream mode prematurely, which results in non-early-evictable conntrack entry
for three minutes, even though DNS requests are done in a few milliseconds.

Add a two second grace period where we continue to use the ordinary
30-second default timeout.  Its enough for DNS request/response traffic,
even if two request/reply packets are involved.

ASSURED is still set, else conntrack (and thus a possible
NAT mapping ...) gets zapped too in case conntrack table runs full.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal 2018-12-06 11:50:49 +01:00 committed by Pablo Neira Ayuso
parent 06aa151ad1
commit d535c8a69c
2 changed files with 18 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
include/net/netfilter/nf_conntrack.h
View file

@ -27,12 +27,17 @@
#include <net/netfilter/nf_conntrack_tuple.h> #include <net/netfilter/nf_conntrack_tuple.h>
struct nf_ct_udp {
unsigned long stream_ts;
};
/* per conntrack: protocol private data */ /* per conntrack: protocol private data */
union nf_conntrack_proto { union nf_conntrack_proto {
/* insert conntrack proto private data here */ /* insert conntrack proto private data here */
struct nf_ct_dccp dccp; struct nf_ct_dccp dccp;
struct ip_ct_sctp sctp; struct ip_ct_sctp sctp;
struct ip_ct_tcp tcp; struct ip_ct_tcp tcp;
struct nf_ct_udp udp;
struct nf_ct_gre gre; struct nf_ct_gre gre;
unsigned int tmpl_padto; unsigned int tmpl_padto;
}; };

16
net/netfilter/nf_conntrack_proto_udp.c
View file

@ -100,11 +100,21 @@ static int udp_packet(struct nf_conn *ct,
if (!timeouts) if (!timeouts)
timeouts = udp_get_timeouts(nf_ct_net(ct)); timeouts = udp_get_timeouts(nf_ct_net(ct));
if (!nf_ct_is_confirmed(ct))
ct->proto.udp.stream_ts = 2 * HZ + jiffies;
/* If we've seen traffic both ways, this is some kind of UDP /* If we've seen traffic both ways, this is some kind of UDP
stream. Extend timeout. */ * stream. Set Assured.
*/
if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
nf_ct_refresh_acct(ct, ctinfo, skb, unsigned long extra = timeouts[UDP_CT_UNREPLIED];
timeouts[UDP_CT_REPLIED]);
/* Still active after two seconds? Extend timeout. */
if (time_after(jiffies, ct->proto.udp.stream_ts))
extra = timeouts[UDP_CT_REPLIED];
nf_ct_refresh_acct(ct, ctinfo, skb, extra);
/* Also, more likely to be important, and not a probe */ /* Also, more likely to be important, and not a probe */
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_ASSURED, ct); nf_conntrack_event_cache(IPCT_ASSURED, ct);