netfilter: SYNPROXY core: fix warning in __nf_ct_ext_add_length()

Submitted by Patrick McHardy on Aug. 29, 2013, 8:32 a.m.

Details

Message ID 1377765129-8490-1-git-send-email-kaber@trash.net
State Accepted
Headers show

Commit Message

Patrick McHardy Aug. 29, 2013, 8:32 a.m.
With CONFIG_NETFILTER_DEBUG we get the following warning during SYNPROXY init:

[   80.558906] WARNING: CPU: 1 PID: 4833 at net/netfilter/nf_conntrack_extend.c:80 __nf_ct_ext_add_length+0x217/0x220 [nf_conntrack]()

The reason is that the conntrack template is set to confirmed before adding
the extension and it is invalid to add extensions to already confirmed
conntracks. Fix by adding the extensions before setting the conntrack to
confirmed.

Reported-by: Jesper Dangaard Brouer <jesper.brouer@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_synproxy_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Jesper Dangaard Brouer Aug. 29, 2013, 10:38 a.m.
On Thu, 29 Aug 2013 10:32:09 +0200
Patrick McHardy <kaber@trash.net> wrote:

> With CONFIG_NETFILTER_DEBUG we get the following warning during SYNPROXY init:
> 
> [   80.558906] WARNING: CPU: 1 PID: 4833 at net/netfilter/nf_conntrack_extend.c:80 __nf_ct_ext_add_length+0x217/0x220 [nf_conntrack]()
> 
> The reason is that the conntrack template is set to confirmed before adding
> the extension and it is invalid to add extensions to already confirmed
> conntracks. Fix by adding the extensions before setting the conntrack to
> confirmed.
> 
> Reported-by: Jesper Dangaard Brouer <jesper.brouer@gmail.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>

I have verified that the warning is gone after this patch, thanks!
Pablo Neira Sept. 4, 2013, 12:56 p.m.
On Thu, Aug 29, 2013 at 12:38:52PM +0200, Jesper Dangaard Brouer wrote:
> On Thu, 29 Aug 2013 10:32:09 +0200
> Patrick McHardy <kaber@trash.net> wrote:
> 
> > With CONFIG_NETFILTER_DEBUG we get the following warning during SYNPROXY init:
> > 
> > [   80.558906] WARNING: CPU: 1 PID: 4833 at net/netfilter/nf_conntrack_extend.c:80 __nf_ct_ext_add_length+0x217/0x220 [nf_conntrack]()
> > 
> > The reason is that the conntrack template is set to confirmed before adding
> > the extension and it is invalid to add extensions to already confirmed
> > conntracks. Fix by adding the extensions before setting the conntrack to
> > confirmed.
> > 
> > Reported-by: Jesper Dangaard Brouer <jesper.brouer@gmail.com>
> > Signed-off-by: Patrick McHardy <kaber@trash.net>
> 
> Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Sept. 4, 2013, 12:57 p.m.
On Thu, Aug 29, 2013 at 10:32:09AM +0200, Patrick McHardy wrote:
> With CONFIG_NETFILTER_DEBUG we get the following warning during SYNPROXY init:
> 
> [   80.558906] WARNING: CPU: 1 PID: 4833 at net/netfilter/nf_conntrack_extend.c:80 __nf_ct_ext_add_length+0x217/0x220 [nf_conntrack]()
> 
> The reason is that the conntrack template is set to confirmed before adding
> the extension and it is invalid to add extensions to already confirmed
> conntracks. Fix by adding the extensions before setting the conntrack to
> confirmed.

applied, thanks Patrick.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch hide | download patch | download mbox

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index d23dc79..6fd967c 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -356,12 +356,12 @@  static int __net_init synproxy_net_init(struct net *net)
 		goto err1;
 	}
 
-	__set_bit(IPS_TEMPLATE_BIT, &ct->status);
-	__set_bit(IPS_CONFIRMED_BIT, &ct->status);
 	if (!nfct_seqadj_ext_add(ct))
 		goto err2;
 	if (!nfct_synproxy_ext_add(ct))
 		goto err2;
+	__set_bit(IPS_TEMPLATE_BIT, &ct->status);
+	__set_bit(IPS_CONFIRMED_BIT, &ct->status);
 
 	snet->tmpl = ct;