public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-05 16:54:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/netfilter
History
Xin Long ab6dd1beac netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info 
Commit 4440a2ab3b ("netfilter: synproxy: Check oom when adding synproxy
and seqadj ct extensions") wanted to drop the packet when it fails to add
seqadj ext due to no memory by checking if nfct_seqadj_ext_add returns
NULL.

But that nfct_seqadj_ext_add returns NULL can also happen when seqadj ext
already exists in a nf_conn. It will cause that userspace protocol doesn't
work when both dnat and snat are configured.

Li Shuang found this issue in the case:

Topo:
   ftp client                   router                  ftp server
  10.167.131.2  <-> 10.167.131.254  10.167.141.254 <-> 10.167.141.1

Rules:
  # iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j \
    DNAT --to-destination 10.167.141.1
  # iptables -t nat -A POSTROUTING -o eth2 -p tcp -m tcp --dport 21 -j \
    SNAT --to-source 10.167.141.254

In router, when both dnat and snat are added, nf_nat_setup_info will be
called twice. The packet can be dropped at the 2nd time for DNAT due to
seqadj ext is already added at the 1st time for SNAT.

This patch is to fix it by checking for seqadj ext existence before adding
it, so that the packet will not be dropped if seqadj ext already exists.

Note that as Florian mentioned, as a long term, we should review ext_add()
behaviour, it's better to return a pointer to the existing ext instead.

Fixes: 4440a2ab3b ("netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions")
Reported-by: Li Shuang <shuali@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-08-24 16:09:03 +02:00
..
ipset sctp: remove the typedef sctp_sctphdr_t 2017-07-01 09:08:41 -07:00
ipvs sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
core.c netfilter: fix netfilter_net_init() return 2017-07-18 14:50:28 -07:00
Kconfig netfilter: nft_exthdr: add TCP option matching 2017-02-08 14:17:09 +01:00
Makefile netfilter, kbuild: use canonical method to specify objs. 2017-06-19 19:09:20 +02:00
nf_conntrack_acct.c netfilter: conntrack: mark extension structs as const 2017-04-26 09:30:22 +02:00
nf_conntrack_amanda.c netfilter: use nf_conntrack_helpers_register when possible 2017-06-19 19:13:21 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netns: add and use net_ns_barrier 2017-06-19 19:09:19 +02:00
nf_conntrack_ecache.c netfilter: conntrack: mark extension structs as const 2017-04-26 09:30:22 +02:00
nf_conntrack_expect.c netfilter: expect: fix crash when putting uninited expectation 2017-07-17 17:03:12 +02:00
nf_conntrack_extend.c netfilter: nf_ct_ext: invoke destroy even when ext is not attached 2017-05-01 11:48:49 +02:00
nf_conntrack_ftp.c netfilter: helpers: remove data_len usage for inkernel helpers 2017-04-19 17:55:17 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: use nf_conntrack_helpers_register when possible 2017-06-19 19:13:21 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: nf_ct_helper: use nf_ct_iterate_destroy to unlink helper objs 2017-05-29 12:46:23 +02:00
nf_conntrack_irc.c netfilter: helpers: remove data_len usage for inkernel helpers 2017-04-19 17:55:17 +02:00
nf_conntrack_l3proto_generic.c
nf_conntrack_labels.c netfilter: conntrack: mark extension structs as const 2017-04-26 09:30:22 +02:00
nf_conntrack_netbios_ns.c netfilter: helper: add build-time asserts for helper data size 2017-04-19 17:55:16 +02:00
nf_conntrack_netlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-06-30 06:27:09 -07:00
nf_conntrack_pptp.c netfilter: pptp: attach nat extension when needed 2017-04-26 09:30:22 +02:00
nf_conntrack_proto.c netfilter: conntrack: use NFPROTO_MAX to size array 2017-06-19 19:20:49 +02:00
nf_conntrack_proto_dccp.c netfilter: nf_ct_dccp/sctp: fix memory leak after netns cleanup 2017-06-29 18:47:01 +02:00
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nf_conntrack_proto_sctp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2017-07-06 14:02:22 +01:00
nf_conntrack_proto_tcp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-05-01 10:47:53 -04:00
nf_conntrack_proto_udp.c netfilter: conntrack: no need to pass ctinfo to error handler 2017-02-02 14:31:51 +01:00
nf_conntrack_sane.c netfilter: helpers: remove data_len usage for inkernel helpers 2017-04-19 17:55:17 +02:00
nf_conntrack_seqadj.c netfilter: conntrack: mark extension structs as const 2017-04-26 09:30:22 +02:00
nf_conntrack_sip.c netfilter: helpers: remove data_len usage for inkernel helpers 2017-04-19 17:55:17 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: Use seq_puts()/seq_putc() where possible 2017-04-07 17:29:21 +02:00
nf_conntrack_tftp.c netfilter: helpers: remove data_len usage for inkernel helpers 2017-04-19 17:55:17 +02:00
nf_conntrack_timeout.c netfilter: conntrack: mark extension structs as const 2017-04-26 09:30:22 +02:00
nf_conntrack_timestamp.c netfilter: conntrack: mark extension structs as const 2017-04-26 09:30:22 +02:00
nf_dup_netdev.c netfilter: dup: resolve warnings about missing prototypes 2017-05-29 11:32:36 +02:00
nf_internals.h netfilter: nf_queue: only call synchronize_net twice if nf_queue is active 2017-05-01 11:19:12 +02:00
nf_log.c netfilter: nf_log: don't call synchronize_rcu in nf_log_unset 2017-05-01 11:19:07 +02:00
nf_log_common.c netfilter: nf_log: do not assume ethernet header in netdev family 2016-12-04 20:45:33 +01:00
nf_log_netdev.c netfilter: nf_log: do not assume ethernet header in netdev family 2016-12-04 20:45:33 +01:00
nf_nat_amanda.c netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean 2017-04-06 22:01:38 +02:00
nf_nat_core.c netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info 2017-08-24 16:09:03 +02:00
nf_nat_ftp.c
nf_nat_helper.c netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean 2017-04-06 22:01:38 +02:00
nf_nat_irc.c netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean 2017-04-06 22:01:38 +02:00
nf_nat_proto_common.c
nf_nat_proto_dccp.c netfilter: built-in NAT support for DCCP 2016-12-04 20:45:30 +01:00
nf_nat_proto_sctp.c sctp: remove the typedef sctp_sctphdr_t 2017-07-01 09:08:41 -07:00
nf_nat_proto_tcp.c
nf_nat_proto_udp.c netfilter: nat: merge udp and udplite helpers 2017-01-03 14:33:25 +01:00
nf_nat_proto_unknown.c
nf_nat_redirect.c netfilter: make it safer during the inet6_dev->addr_list traversal 2017-04-08 23:52:16 +02:00
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c netfilter: nf_queue: only call synchronize_net twice if nf_queue is active 2017-05-01 11:19:12 +02:00
nf_sockopt.c
nf_synproxy_core.c tcp: switch TCP TS option (RFC 7323) to 1ms clock 2017-05-17 16:06:01 -04:00
nf_tables_api.c netfilter: nfnetlink: extended ACK reporting 2017-06-19 19:38:24 +02:00
nf_tables_core.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nf_tables_inet.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nf_tables_netdev.c netfilter: nf_tables: add nft_is_base_chain() helper 2017-04-06 18:32:04 +02:00
nf_tables_trace.c netfilter: Add nfnl_msg_type() helper function 2017-04-07 16:31:36 +02:00
nfnetlink.c netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv 2017-07-17 13:27:46 +02:00
nfnetlink_acct.c netfilter: nfnetlink: extended ACK reporting 2017-06-19 19:38:24 +02:00
nfnetlink_cthelper.c netfilter: nfnetlink: extended ACK reporting 2017-06-19 19:38:24 +02:00
nfnetlink_cttimeout.c netfilter: nfnetlink: extended ACK reporting 2017-06-19 19:38:24 +02:00
nfnetlink_log.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-06-30 06:27:09 -07:00
nfnetlink_queue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-06-30 06:27:09 -07:00
nft_bitwise.c netfilter: nf_tables: revisit chain/object refcounting from elements 2017-05-15 12:51:41 +02:00
nft_byteorder.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nft_cmp.c netfilter: nf_tables: revisit chain/object refcounting from elements 2017-05-15 12:51:41 +02:00
nft_compat.c netfilter: nft_compat: check extension hook mask only if set 2017-07-19 11:53:30 +02:00
nft_counter.c netfilter: provide nft_ctx in object init function 2017-03-13 13:42:00 +01:00
nft_ct.c netfilter: introduce nf_conntrack_helper_put helper function 2017-05-15 12:42:29 +02:00
nft_dup_netdev.c
nft_dynset.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2017-05-03 10:11:26 -04:00
nft_exthdr.c netfilter: Remove exceptional & on function name 2017-04-07 18:24:47 +02:00
nft_fib.c netfilter: nft_fib: Support existence check 2017-03-13 13:45:36 +01:00
nft_fib_inet.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nft_fwd_netdev.c netfilter: add and use nf_fwd_netdev_egress 2016-12-06 21:48:22 +01:00
nft_hash.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-05-01 10:47:53 -04:00
nft_immediate.c netfilter: nf_tables: revisit chain/object refcounting from elements 2017-05-15 12:51:41 +02:00
nft_limit.c netfilter: limit: use per-rule spinlock to improve the scalability 2017-03-13 19:30:31 +01:00
nft_log.c netfilter: nft_log: restrict the log prefix length to 127 2017-01-24 21:46:29 +01:00
nft_lookup.c netfilter: nf_tables: add nft_set_lookup() 2017-03-06 18:23:23 +01:00
nft_masq.c netfilter: nf_tables: validate the expr explicitly after init successfully 2017-03-06 18:22:12 +01:00
nft_meta.c netfilter: Remove exceptional & on function name 2017-04-07 18:24:47 +02:00
nft_nat.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-03-23 16:41:27 -07:00
nft_numgen.c netfilter: Remove exceptional & on function name 2017-04-07 18:24:47 +02:00
nft_objref.c netfilter: nf_tables: add nft_set_lookup() 2017-03-06 18:23:23 +01:00
nft_payload.c netfilter: nft_payload: mangle ckecksum if NFT_PAYLOAD_L4CSUM_PSEUDOHDR is set 2016-12-14 23:39:11 +01:00
nft_queue.c netfilter: Remove exceptional & on function name 2017-04-07 18:24:47 +02:00
nft_quota.c netfilter: provide nft_ctx in object init function 2017-03-13 13:42:00 +01:00
nft_range.c netfilter: nf_tables: revisit chain/object refcounting from elements 2017-05-15 12:51:41 +02:00
nft_redir.c netfilter: nf_tables: validate the expr explicitly after init successfully 2017-03-06 18:22:12 +01:00
nft_reject.c netfilter: nf_tables: validate the expr explicitly after init successfully 2017-03-06 18:22:12 +01:00
nft_reject_inet.c netfilter: nf_tables: validate the expr explicitly after init successfully 2017-03-06 18:22:12 +01:00
nft_rt.c netfilter: nft_rt: make local functions static 2017-05-29 12:45:59 +02:00
nft_set_bitmap.c netfilter: nf_tables: pass set description to ->privsize 2017-05-29 12:46:18 +02:00
nft_set_hash.c netfilter: nft_set_hash: add lookup variant for fixed size hashtable 2017-05-29 12:46:22 +02:00
nft_set_rbtree.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-06-30 06:27:09 -07:00
x_tables.c netfilter: xtables: fix build failure from COMPAT_XT_ALIGN outside CONFIG_COMPAT 2017-05-18 13:10:03 +02:00
xt_addrtype.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_AUDIT.c audit: normalize NETFILTER_PKT 2017-05-02 10:16:04 -04:00
xt_bpf.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_cgroup.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c netfilter: remove nf_ct_is_untracked 2017-04-15 11:51:33 +02:00
xt_comment.c
xt_connbytes.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_connlabel.c netfilter: remove nf_ct_is_untracked 2017-04-15 11:51:33 +02:00
xt_connlimit.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_connmark.c netfilter: remove nf_ct_is_untracked 2017-04-15 11:51:33 +02:00
xt_CONNSECMARK.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_conntrack.c netfilter: kill the fake untracked conntrack objects 2017-04-15 11:47:57 +02:00
xt_cpu.c
xt_CT.c netfilter: introduce nf_conntrack_helper_put helper function 2017-05-15 12:42:29 +02:00
xt_dccp.c
xt_devgroup.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_dscp.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: Remove unnecessary cast on void pointer 2017-04-07 17:29:17 +02:00
xt_helper.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_HL.c
xt_hl.c
xt_HMARK.c netfilter: remove nf_ct_is_untracked 2017-04-15 11:51:33 +02:00
xt_IDLETIMER.c
xt_ipcomp.c netfilter: xt_ipcomp: add "ip[6]t_ipcomp" module alias name 2016-10-17 17:38:19 +02:00
xt_iprange.c
xt_ipvs.c netfilter: remove nf_ct_is_untracked 2017-04-15 11:51:33 +02:00
xt_l2tp.c
xt_LED.c
xt_length.c
xt_limit.c netfilter: limit: use per-rule spinlock to improve the scalability 2017-03-13 19:30:31 +01:00
xt_LOG.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_mac.c
xt_mark.c
xt_multiport.c netfilter: xt_multiport: Fix wrong unmatch result with multiple ports 2016-12-06 21:48:20 +01:00
xt_nat.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
xt_NETMAP.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
xt_nfacct.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_NFLOG.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_NFQUEUE.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_osf.c netfilter: nfnetlink: extended ACK reporting 2017-06-19 19:38:24 +02:00
xt_owner.c sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h> 2017-03-02 08:42:31 +01:00
xt_physdev.c
xt_pkttype.c netfilter: pkttype: unnecessary to check ipv6 multicast address 2017-01-18 20:32:43 +01:00
xt_policy.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_quota.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_RATEEST.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_rateest.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_realm.c
xt_recent.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
xt_REDIRECT.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
xt_repldata.h
xt_sctp.c sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
xt_SECMARK.c
xt_set.c netfilter: ipset: Improve skbinfo get/init helpers 2016-11-10 13:28:42 +01:00
xt_socket.c netfilter: xt_socket: Fix broken IPv6 handling 2017-04-24 20:06:29 +02:00
xt_state.c netfilter: kill the fake untracked conntrack objects 2017-04-15 11:47:57 +02:00
xt_statistic.c
xt_string.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_TCPMSS.c netfilter: xt_TCPMSS: add more sanity tests on tcph->doff 2017-04-08 22:24:19 +02:00
xt_tcpmss.c
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_TEE.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
xt_time.c ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
xt_TPROXY.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
xt_TRACE.c
xt_u32.c