From patchwork Mon Dec 14 12:18:22 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 556427 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id F3B3D1402D6 for ; Mon, 14 Dec 2015 23:18:36 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753023AbbLNMSf (ORCPT ); Mon, 14 Dec 2015 07:18:35 -0500 Received: from mail.us.es ([193.147.175.20]:38846 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753009AbbLNMSe (ORCPT ); Mon, 14 Dec 2015 07:18:34 -0500 Received: from antivirus1-rhel7.int (unknown [192.168.2.11]) by mail.us.es (Postfix) with ESMTP id ABB6F32F81 for ; Mon, 14 Dec 2015 13:18:33 +0100 (CET) Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id A2E9ADA801 for ; Mon, 14 Dec 2015 13:18:33 +0100 (CET) Received: by antivirus1-rhel7.int (Postfix, from userid 99) id 9825EDA7E0; Mon, 14 Dec 2015 13:18:33 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on antivirus1-rhel7.int X-Spam-Level: X-Spam-Status: No, score=-99.2 required=7.5 tests=BAYES_50, USER_IN_WHITELIST autolearn=disabled version=3.4.1 Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id E07A7DA85F for ; Mon, 14 Dec 2015 13:18:27 +0100 (CET) Received: from 192.168.1.13 (192.168.1.13) by antivirus1-rhel7.int (F-Secure/fsigk_smtp/522/antivirus1-rhel7.int); Mon, 14 Dec 2015 13:18:27 +0100 (CET) X-Virus-Status: clean(F-Secure/fsigk_smtp/522/antivirus1-rhel7.int) Received: (qmail 11910 invoked from network); 14 Dec 2015 13:18:27 +0100 Received: from barqueta.lsi.us.es (HELO salvia.here) (pneira@us.es@150.214.188.150) by mail.us.es with SMTP; 14 Dec 2015 13:18:27 +0100 From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Cc: stable@vger.kernel.org Subject: [PATCH -stable-*] netfilter: nf_conntrack: Support expectations in different zones Date: Mon, 14 Dec 2015 13:18:22 +0100 Message-Id: <1450095502-24949-1-git-send-email-pablo@netfilter.org> X-Mailer: git-send-email 2.1.4 X-Virus-Scanned: ClamAV using ClamSMTP Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: Joe Stringer [ upstream commit 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 ] When zones were originally introduced, the expectation functions were all extended to perform lookup using the zone. However, insertion was not modified to check the zone. This means that two expectations which are intended to apply for different connections that have the same tuple but exist in different zones cannot both be tracked. Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones") Cc: # 3.2.x Cc: # 3.4.x Cc: # 3.12.x Cc: # 3.14.x Cc: # 3.18.x Cc: # 4.1.x Signed-off-by: Joe Stringer Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_expect.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 7a17070..b45a422 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c @@ -219,7 +219,8 @@ static inline int expect_clash(const struct nf_conntrack_expect *a, a->mask.src.u3.all[count] & b->mask.src.u3.all[count]; } - return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask); + return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) && + nf_ct_zone(a->master) == nf_ct_zone(b->master); } static inline int expect_matches(const struct nf_conntrack_expect *a,