From patchwork Wed Jan 2 20:42:02 2019
X-Patchwork-Submitter: Mauricio Faria de Oliveira
X-Patchwork-Id: 1020069
X-Patchwork-Delegate: davem@davemloft.net
From: Mauricio Faria de Oliveira
To: stable@vger.kernel.org, netdev@vger.kernel.org, Florian Westphal
Cc: Alakesh Haloi, nivedita.singhvi@canonical.com, Pablo Neira Ayuso, Jozsef Kadlecsik, "David S. Miller", Yi-Hung Wei
Subject: [PATCH v2 4.14 3/5] netfilter: nf_conncount: Fix garbage collection with zones
Date: Wed, 2 Jan 2019 18:42:02 -0200
Message-Id: <20190102204204.12389-4-mfo@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190102204204.12389-1-mfo@canonical.com>
References: <20190102204204.12389-1-mfo@canonical.com>
X-Mailing-List: netdev@vger.kernel.org

From: Yi-Hung Wei

commit 21ba8847f857028dc83a0f341e16ecc616e34740 upstream.

Currently, we use check_hlist() for garbage collection. However, we use
the ‘zone’ from the counted entry to query the existence of existing
entries in the hlist. This could be wrong when they are in different
zones, and this patch fixes this issue.

Fixes: e59ea3df3fc2 ("netfilter: xt_connlimit: honor conntrack zone if available")
Signed-off-by: Yi-Hung Wei Signed-off-by: Pablo Neira Ayuso [mfo: backport: refresh context lines and use older symbol/file names, note hunk 5: - nf_conncount.c -> xt_connlimit.c - nf_conncount_rb -> xt_connlimit_rb - nf_conncount_tuple -> xt_connlimit_conn - hunk 5: remove check for non-NULL 'tuple', that isn't required as it's introduced by upstream commit 35d8deb80 ("netfilter: conncount: Support count only use case") which addresses nf_conncount_count() that does not exist yet -- it's introduced by upstream commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend"), a refactor change. - nft_connlimit.c -> removed, not used/doesn't exist yet.] Signed-off-by: Mauricio Faria de Oliveira --- include/net/netfilter/nf_conntrack_count.h | 3 ++- net/netfilter/xt_connlimit.c | 13 +++++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h index 54e43b8..4b71a2f 100644 --- a/include/net/netfilter/nf_conntrack_count.h +++ b/include/net/netfilter/nf_conntrack_count.h @@ -7,7 +7,8 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, bool *addit); bool nf_conncount_add(struct hlist_head *head, - const struct nf_conntrack_tuple *tuple); + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone); void nf_conncount_cache_free(struct hlist_head *hhead); diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 7af5875..ab1f849 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -46,6 +46,7 @@ struct xt_connlimit_conn { struct hlist_node node; struct nf_conntrack_tuple tuple; + struct nf_conntrack_zone zone; }; struct xt_connlimit_rb { 
@@ -115,7 +116,8 @@ same_source_net(const union nf_inet_addr *addr, } bool nf_conncount_add(struct hlist_head *head, - const struct nf_conntrack_tuple *tuple) + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone) { struct xt_connlimit_conn *conn; @@ -123,6 +125,7 @@ bool nf_conncount_add(struct hlist_head *head, if (conn == NULL) return false; conn->tuple = *tuple; + conn->zone = *zone; hlist_add_head(&conn->node, head); return true; } @@ -143,7 +146,7 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, /* check the saved connections */ hlist_for_each_entry_safe(conn, n, head, node) { - found = nf_conntrack_find_get(net, zone, &conn->tuple); + found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple); if (found == NULL) { hlist_del(&conn->node); kmem_cache_free(connlimit_conn_cachep, conn); @@ -152,7 +155,8 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, found_ct = nf_ct_tuplehash_to_ctrack(found); - if (nf_ct_tuple_equal(&conn->tuple, tuple)) { + if (nf_ct_tuple_equal(&conn->tuple, tuple) && + nf_ct_zone_equal(found_ct, zone, zone->dir)) { /* * Just to be sure we have it only once in the list. * We should not see tuples twice unless someone hooks @@ -231,7 +235,7 @@ count_tree(struct net *net, struct rb_root *root, if (!addit) return count; - if (!nf_conncount_add(&rbconn->hhead, tuple)) + if (!nf_conncount_add(&rbconn->hhead, tuple, zone)) return 0; /* hotdrop */ return count + 1; @@ -270,6 +274,7 @@ count_tree(struct net *net, struct rb_root *root, } conn->tuple = *tuple; + conn->zone = *zone; rbconn->addr = *addr; INIT_HLIST_HEAD(&rbconn->hhead);
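Review bot: in the @@ -46,6 +46,7 @@ hunk, struct xt_connlimit_conn grows by an embedded struct nf_conntrack_zone, and the @@ -143,7 +146,7 @@ hunk frees these entries with kmem_cache_free(connlimit_conn_cachep, conn). The cache creation is not in the diff, so please confirm connlimit_conn_cachep is sized from sizeof(struct xt_connlimit_conn) rather than a literal, so the new member is covered by the allocation.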
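Review bot: in the @@ -123,6 +125,7 @@ hunk, `conn->zone = *zone;` dereferences the new parameter unconditionally, and the backport note says the upstream non-NULL check on 'tuple' is deliberately not carried because nf_conncount_count() does not exist in 4.14. The only caller in this tree, count_tree(), passes its own zone through (@@ -231,7 +235,7 @@), so this is safe today; a one-line comment above nf_conncount_add() stating that both tuple and zone must be non-NULL would keep a later backport of 625c556118f3 from reintroducing the count-only path without the check.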
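Review bot: in the @@ -152,7 +155,8 @@ hunk, please double-check the third argument of `nf_ct_zone_equal(found_ct, zone, zone->dir)`. In include/net/netfilter/nf_conntrack_zones.h that parameter is the packet direction (enum ip_conntrack_dir, IP_CT_DIR_ORIGINAL or IP_CT_DIR_REPLY), whereas zone->dir is the zone's NF_CT_ZONE_DIR_* bitmask. nf_ct_zone_id() tests `zone->dir & (1 << dir)`, so when zone->dir is NF_CT_DEFAULT_ZONE_DIR the value passed is 3, `(1 << 3)` matches no valid zone, both sides evaluate to NF_CT_DEFAULT_ZONE_ID and the zone comparison always succeeds, leaving the duplicate detection as the plain tuple comparison it was before. This mirrors the upstream commit, so it is not a backport regression, but it is worth a follow-up that compares the zone ids directly (for instance nf_ct_zone_equal_any(found_ct, zone), if that helper is present in this tree, or nf_ct_zone_id() on both zones with the same IP_CT_DIR_ORIGINAL direction).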
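Review bot: in the @@ -270,6 +274,7 @@ hunk, `conn->zone = *zone;` repeats by hand the initialization that nf_conncount_add() now performs (@@ -123,6 +125,7 @@), because count_tree() allocates the first entry of a new rb node separately instead of calling nf_conncount_add(). Having two allocation paths is exactly why this hunk was needed; routing the new-node path through nf_conncount_add() (allocate rbconn, INIT_HLIST_HEAD, then nf_conncount_add(&rbconn->hhead, tuple, zone)) would keep the two from drifting again the next time struct xt_connlimit_conn gains a field.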
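The following is an added example, not part of this patch and not kernel code: a user-space C model of the garbage collection the commit message describes, showing why the lookup must use the zone stored with each saved entry rather than the zone of the packet currently being counted. All types and functions in it (struct ct_table, ct_find, conncount_lookup, accepted_connections) are simplified stand-ins chosen for the illustration, and the addresses and ports are constructed sample values. It runs one source address opening connections that alternate between two conntrack zones against a connection limit, once with the pre-fix lookup and once with the fixed one.

```c
/*
 * Added example (not part of the patch or the kernel): a user-space model of
 * the per-source conncount list and its garbage collection.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct tuple { uint32_t src, dst; uint16_t sport, dport; };
struct zone  { uint16_t id; };

/* Stand-in for the conntrack table: a connection exists as a (zone, tuple) pair. */
struct ct_entry { struct zone zone; struct tuple tuple; };
#define MAX_CT 32
struct ct_table { struct ct_entry ct[MAX_CT]; int n; };

/* Stand-in for the per-source hlist of struct xt_connlimit_conn entries. */
struct conn_entry { struct tuple tuple; struct zone zone; };
#define MAX_CONNS 32
struct conn_list { struct conn_entry e[MAX_CONNS]; int n; };

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
	return a->src == b->src && a->dst == b->dst &&
	       a->sport == b->sport && a->dport == b->dport;
}

static void ct_add(struct ct_table *t, const struct zone *z, const struct tuple *tu)
{
	if (t->n < MAX_CT) {
		t->ct[t->n].zone = *z;
		t->ct[t->n].tuple = *tu;
		t->n++;
	}
}

/* nf_conntrack_find_get() analogue: zone and tuple must both match. */
static bool ct_find(const struct ct_table *t, const struct zone *z, const struct tuple *tu)
{
	for (int i = 0; i < t->n; i++)
		if (t->ct[i].zone.id == z->id && tuple_eq(&t->ct[i].tuple, tu))
			return true;
	return false;
}

/* nf_conncount_add() analogue: the entry records the zone alongside the tuple. */
static void conn_add(struct conn_list *l, const struct tuple *tu, const struct zone *z)
{
	if (l->n < MAX_CONNS) {
		l->e[l->n].tuple = *tu;
		l->e[l->n].zone = *z;
		l->n++;
	}
}

/*
 * nf_conncount_lookup() analogue: walk the saved entries, drop those whose
 * conntrack no longer exists, return how many remain. use_stored_zone == false
 * looks every entry up in the zone of the packet being counted (the behaviour
 * before the fix); true looks it up in the zone saved with the entry (after).
 */
static int conncount_lookup(struct conn_list *l, const struct ct_table *t,
			    const struct zone *pkt_zone, bool use_stored_zone)
{
	int i = 0, count = 0;

	while (i < l->n) {
		const struct zone *z = use_stored_zone ? &l->e[i].zone : pkt_zone;

		if (!ct_find(t, z, &l->e[i].tuple)) {
			/* treated as dead: hlist_del() + kmem_cache_free() in the kernel */
			l->e[i] = l->e[l->n - 1];
			l->n--;
			continue;
		}
		count++;
		i++;
	}
	return count;
}

/*
 * One source address opens `attempts` connections, alternating between zone 1
 * and zone 2, against a connlimit of `limit`. Returns how many were accepted.
 * The match condition mirrors xt_connlimit: refuse when count + 1 > limit.
 */
int accepted_connections(bool use_stored_zone, int limit, int attempts)
{
	struct ct_table ct = { .n = 0 };
	struct conn_list list = { .n = 0 };
	int accepted = 0;

	for (int k = 0; k < attempts; k++) {
		struct zone z = { (uint16_t)(1 + (k & 1)) };
		/* constructed sample: 10.0.0.1 -> 10.0.0.(100+k):443, fresh source port */
		struct tuple tu = { 0x0a000001, 0x0a000064 + k, (uint16_t)(40000 + k), 443 };
		int count = conncount_lookup(&list, &ct, &z, use_stored_zone);

		if (count + 1 > limit)
			continue;	/* connlimit matched: connection refused */
		ct_add(&ct, &z, &tu);
		conn_add(&list, &tu, &z);
		accepted++;
	}
	return accepted;
}

int main(void)
{
	printf("before fix: %d of 6 accepted with limit 2\n", accepted_connections(false, 2, 6));
	printf("after fix:  %d of 6 accepted with limit 2\n", accepted_connections(true, 2, 6));
	return 0;
}
```

With the pre-fix lookup every packet in zone 2 evicts the zone 1 entries (their tuples do not exist in zone 2) and vice versa, so the count never climbs and all six connections get through a limit of two; with the stored zone the entries survive and the third connection is refused.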