[1/2] netfilter: reset nf_trace in nf_reset

Message ID	1363931322-2286-1-git-send-email-gaofeng@cn.fujitsu.com
State	Accepted
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Gao feng <gaofeng@cn.fujitsu.com> To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org Cc: Gao feng <gaofeng@cn.fujitsu.com> Subject: [PATCH 1/2] netfilter: reset nf_trace in nf_reset Date: Fri, 22 Mar 2013 13:48:41 +0800 Message-Id: <1363931322-2286-1-git-send-email-gaofeng@cn.fujitsu.com> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk

Message ID

1363931322-2286-1-git-send-email-gaofeng@cn.fujitsu.com

State

Accepted

Headers

From: Gao feng <gaofeng@cn.fujitsu.com>
To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Cc: Gao feng <gaofeng@cn.fujitsu.com>
Subject: [PATCH 1/2] netfilter: reset nf_trace in nf_reset
Date: Fri, 22 Mar 2013 13:48:41 +0800
Message-Id: <1363931322-2286-1-git-send-email-gaofeng@cn.fujitsu.com>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Gao feng March 22, 2013, 5:48 a.m. UTC

We forgot to clear the nf_trace of sk_buff in nf_reset,
When we use veth device, this nf_trace information will
be leaked from one net namespace to another net namespace.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/linux/skbuff.h | 3 +++
 1 file changed, 3 insertions(+)

Comments

Pablo Neira Ayuso March 25, 2013, 7:31 p.m. UTC | #1

On Fri, Mar 22, 2013 at 01:48:41PM +0800, Gao feng wrote:
> We forgot to clear the nf_trace of sk_buff in nf_reset,
> When we use veth device, this nf_trace information will
> be leaked from one net namespace to another net namespace.

Applied to the nf tree, thanks Gao.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 441f5bf..72b3967 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2641,6 +2641,9 @@  static inline void nf_reset(struct sk_buff *skb)
 	nf_bridge_put(skb->nf_bridge);
 	skb->nf_bridge = NULL;
 #endif
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
+	skb->nf_trace = 0;
+#endif
 }
 
 /* Note: This doesn't put any conntrack and bridge info in dst. */

[1/2] netfilter: reset nf_trace in nf_reset

Commit Message

Comments

Patch