From patchwork Mon Jan 14 18:55:20 2019
X-Patchwork-Submitter: Mauricio Faria de Oliveira
X-Patchwork-Id: 1024740
From: Mauricio Faria de Oliveira
To: kernel-team@lists.ubuntu.com
Subject: [SRU T][PATCH 1/3] netfilter: connlimit: improve packet-to-closed-connection logic
Date: Mon, 14 Jan 2019 16:55:20 -0200
Message-Id: <20190114185522.10533-2-mfo@canonical.com>
In-Reply-To: <20190114185522.10533-1-mfo@canonical.com>
References: <20190114185522.10533-1-mfo@canonical.com>
List-Id: Kernel team discussions
From: Florian Westphal BugLink: https://bugs.launchpad.net/bugs/1811094 Instead of freeing the entry from our list and then adding it back again in the 'packet to closing connection' case just keep the matching entry around. Also drop the found_ct != NULL test as nf_ct_tuplehash_to_ctrack is just container_of(). Reviewed-by: Jesper Dangaard Brouer Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso (backported from commit d9ec4f1ee280e5f8732e3c40ca672419b2532600) [mfo: backport: s/head/hash/ in the hlist_for_each_entry_safe() call due to lack of commit 15cfd5289575 ("netfilter: connlimit: factor hlist search into new function")] Signed-off-by: Mauricio Faria de Oliveira --- net/netfilter/xt_connlimit.c | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index c40b2695633b..5d18f39ad69b 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -118,29 +118,22 @@ static int count_them(struct net *net, hlist_for_each_entry_safe(conn, n, hash, node) { found = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE, &conn->tuple); - found_ct = NULL; + if (found == NULL) { + hlist_del(&conn->node); + kfree(conn); + continue; + } - if (found != NULL) - found_ct = nf_ct_tuplehash_to_ctrack(found); + found_ct = nf_ct_tuplehash_to_ctrack(found); - if (found_ct != NULL && - nf_ct_tuple_equal(&conn->tuple, tuple) && - !already_closed(found_ct)) + if (nf_ct_tuple_equal(&conn->tuple, tuple)) { /* * Just to be sure we have it only once in the list. * We should not see tuples twice unless someone hooks * this into a table without "-p tcp --syn". */ addit = false; - - if (found == NULL) { - /* this one is gone */ - hlist_del(&conn->node); - kfree(conn); - continue; - } - - if (already_closed(found_ct)) { + } else if (already_closed(found_ct)) { /* * we do not care about connections which are * closed already -> ditch it
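Review bot: The new early-exit `if (found == NULL) { hlist_del(&conn->node); kfree(conn); continue; }` drops the `/* this one is gone */` comment that the removed block carried; keep it on the new branch so the reason for freeing the list entry stays visible at the point it happens. Second, note the behavioural change in the match test: the old condition was `found_ct != NULL && nf_ct_tuple_equal(&conn->tuple, tuple) && !already_closed(found_ct)`, the new one is only `nf_ct_tuple_equal(&conn->tuple, tuple)`, so an entry whose tuple matches but whose conntrack is already closed now takes the `addit = false` branch and is kept, rather than falling into the `else if (already_closed(found_ct))` ditch path as before. That is what the commit message intends ("just keep the matching entry around"), but the comment above `addit = false` still only talks about seeing a tuple twice; extend it with one line saying that a matching entry is retained even when its connection is already closed, so the next reader does not mistake this for a leak of closed entries. The `s/head/hash/` backport adjustment is consistent with the `hlist_for_each_entry_safe(conn, n, hash, node)` context line.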