linux-stable/net
Tan Hu 85562d7a4f netfilter: masquerade: don't flush all conntracks if only one address deleted on device
[ Upstream commit 097f95d319 ]

We configured iptables as below, which only allowed incoming data on
established connections:

iptables -t mangle -A PREROUTING -m state --state ESTABLISHED -j ACCEPT
iptables -t mangle -P PREROUTING DROP

When deleting a secondary address, the current masquerade implementation would
flush all conntracks on this device. All the established connections on the
primary address are also deleted, so subsequent incoming data on those
connections would wrongly be dropped because it was identified as a NEW
connection.

So when an address is deleted, it should only flush connections related
to that address.

Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-11-20 18:00:52 +01:00
6lowpan 6lowpan: iphc: reset mac_header after decompress to fix panic 2018-10-03 17:00:47 -07:00
9p 9p/virtio: Add cleanup path in p9_virtio_init 2019-07-31 07:28:39 +02:00
802
8021q vlan: disable SIOCSHWTSTAMP in container 2019-05-16 19:42:34 +02:00
appletalk appletalk: enforce CAP_NET_RAW for raw sockets 2019-10-05 12:47:43 +02:00
atm net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2019-10-05 12:47:43 +02:00
batman-adv batman-adv: Only read OGM2 tvlv_len after buffer len check 2019-09-21 07:15:35 +02:00
bluetooth Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS 2019-11-20 18:00:46 +01:00
bpf
bridge bridge/mdb: remove wrong use of NLM_F_MULTI 2019-09-19 09:07:59 +02:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
can can: af_can: Fix error path of can_init() 2019-07-21 09:04:22 +02:00
ceph libceph: fix PG split vs OSD (re)connect race 2019-08-29 08:26:42 +02:00
core net/flow_dissector: switch to siphash 2019-11-10 11:25:37 +01:00
dcb
dccp inet: stop leaking jiffies on the wire 2019-11-10 11:25:37 +01:00
decnet
dns_resolver
dsa net: dsa: fix switch tree list 2019-11-10 11:25:32 +01:00
ethernet
hsr net/hsr: fix possible crash in add_timer() 2019-03-19 13:13:22 +01:00
ieee802154 ieee802154: enforce CAP_NET_RAW for raw sockets 2019-10-05 12:47:44 +02:00
ife
ipv4 netfilter: masquerade: don't flush all conntracks if only one address deleted on device 2019-11-20 18:00:52 +01:00
ipv6 netfilter: masquerade: don't flush all conntracks if only one address deleted on device 2019-11-20 18:00:52 +01:00
ipx
iucv
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:37:45 +02:00
key xfrm: clean up xfrm protocol checks 2019-09-16 08:20:44 +02:00
l2tp compat_ioctl: pppoe: fix PPPOEIOCSFWD handling 2019-08-09 17:53:35 +02:00
l3mdev
lapb lapb: fixed leak of control-blocks. 2019-06-22 08:16:14 +02:00
llc llc: avoid blocking in llc_sap_close() 2019-11-20 17:59:59 +01:00
mac80211 mac80211: Reject malformed SSID elements 2019-10-29 09:17:35 +01:00
mac802154
mpls mpls: Return error for RTA_GATEWAY attribute 2019-03-13 14:03:09 -07:00
ncsi
netfilter ipvs: move old_secure_tcp into struct netns_ipvs 2019-11-12 19:18:38 +01:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-03-13 14:03:08 -07:00
netlink genetlink: Fix a memory leak on error path 2019-04-03 06:25:08 +02:00
netrom netrom: hold sock when setting skb->destructor 2019-07-31 07:28:46 +02:00
nfc nfc: netlink: fix double device reference drop 2019-11-12 19:17:54 +01:00
nsh
openvswitch net: openvswitch: free vport unless register_netdevice() succeeds 2019-11-12 19:18:37 +01:00
packet net/packet: fix race in tpacket_snd() 2019-08-25 10:50:26 +02:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
psample net: sched: act_sample: fix psample group handling on overwrite 2019-09-10 10:32:21 +01:00
qrtr net: qrtr: Stop rx_worker before freeing node 2019-10-05 12:47:40 +02:00
rds net/rds: Fix error handling in rds_ib_add_one() 2019-10-07 18:55:20 +02:00
rfkill
rose net/rose: fix unbound loop in rose_loopback_timer() 2019-05-02 09:40:34 +02:00
rxrpc rxrpc: Fix call ref leak 2019-11-06 12:43:37 +01:00
sched net/flow_dissector: switch to siphash 2019-11-10 11:25:37 +01:00
sctp inet: stop leaking jiffies on the wire 2019-11-10 11:25:37 +01:00
smc net/smc: make sure EPOLLOUT is raised 2019-09-06 10:20:50 +02:00
strparser
sunrpc net :sunrpc :clnt :Fix xps refcount imbalance on the error path 2019-07-21 09:04:29 +02:00
switchdev
tipc net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
tls net/tls: Fixed return value when tls_complete_pending_work() fails 2018-12-05 19:41:11 +01:00
unix net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
vmw_vsock net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
wimax
wireless cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set 2019-11-20 17:59:40 +01:00
x25 net/x25: fix a race in x25_bind() 2019-03-19 13:13:23 +01:00
xfrm xfrm: clean up xfrm protocol checks 2019-09-16 08:20:44 +02:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-09 17:14:46 +01:00
Kconfig
Makefile
socket.c bpf: get rid of pure_initcall dependency to enable jits 2019-08-25 10:50:02 +02:00
sysctl_net.c