linux-stable/include/net/netfilter
Florian Westphal b8afc22a11 netfilter: let reset rules clean out conntrack entries
[ Upstream commit 2954fe60e3 ]

iptables/nftables support responding to tcp packets with tcp resets.

The generated tcp reset packet passes through both output and postrouting
netfilter hooks, but conntrack will never see them because the generated
skb has its ->nfct pointer copied over from the packet that triggered the
reset rule.

If the reset rule is used for established connections, this
may result in the conntrack entry being around for a very long
time (default timeout is 5 days).

One way to avoid this would be to not copy the nf_conn pointer
so that the reset packet passes through conntrack too.

Problem is that output rules might not have the same conntrack
zone setup as the prerouting ones, so it's possible that the
reset skb won't find the correct entry.  Generating a template
entry for the skb seems error prone as well.

Add an explicit "closing" function that switches a confirmed
conntrack entry to closed state and wire this up for tcp.

If the entry isn't confirmed, no action is needed because
the conntrack entry will never be committed to the table.

Reported-by: Russel King <linux@armlinux.org.uk>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 62e7151ae3 ("netfilter: bridge: confirm multicast packets before passing them up the stack")
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-06 14:45:08 +00:00
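The commit above describes an entry that a `reject with tcp reset` rule leaves in the conntrack table: the reset never passes through conntrack, so an ESTABLISHED entry keeps its full 5-day timeout. The script below is an added example for spotting such leftovers on a host that does not yet carry this fix; it is not kernel code and not part of the commit. It parses `conntrack -L` text (conntrack-tools list format; the sample output here is constructed, not captured) and reports ESTABLISHED TCP entries whose original-direction destination port is covered by the local reset rule, where `reset_ports` is an assumed input that you fill from your own ruleset.

```python
"""Find TCP conntrack entries that a tcp-reset reject rule may have left behind.

Added example, not kernel or conntrack-tools code. Assumes the line format
printed by `conntrack -L` (conntrack-tools); the sample below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Default nf_conntrack_tcp_timeout_established in seconds: 5 days, as the
# commit message states.
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # 432000

# Constructed sample of `conntrack -L` output (not from a real host).
SAMPLE_CONNTRACK_OUTPUT = """\
tcp      6 431990 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=45120 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=45120 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=50331 dport=443 src=10.0.0.1 dst=10.0.0.3 sport=443 dport=50331 [ASSURED] mark=0 use=1
tcp      6 300000 ESTABLISHED src=10.0.0.4 dst=10.0.0.1 sport=51000 dport=443 src=10.0.0.1 dst=10.0.0.4 sport=443 dport=51000 [ASSURED] mark=0 use=1
tcp      6 29 SYN_SENT src=10.0.0.5 dst=10.0.0.1 sport=52000 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=52000 mark=0 use=1
udp      17 29 src=10.0.0.6 dst=10.0.0.1 sport=53000 dport=53 src=10.0.0.1 dst=10.0.0.6 sport=53 dport=53000 mark=0 use=1
"""

# proto, protonum, remaining timeout, optional TCP state, then the
# original-direction tuple. The reply tuple and flags are left to the tail.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Entry:
    proto: str
    timeout: int   # seconds left before the entry expires
    state: str     # TCP state, empty for stateless protocols such as udp
    src: str
    dst: str
    sport: int
    dport: int
    assured: bool


def parse_conntrack(text: str) -> List[Entry]:
    """Parse `conntrack -L` output; lines that do not match are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(Entry(
            proto=m["proto"],
            timeout=int(m["timeout"]),
            state=m["state"] or "",
            src=m["src"],
            dst=m["dst"],
            sport=int(m["sport"]),
            dport=int(m["dport"]),
            assured="[ASSURED]" in line,
        ))
    return entries


def stale_reset_candidates(entries: Iterable[Entry], reset_ports: Set[int],
                           min_remaining: int = 24 * 3600) -> List[Entry]:
    """ESTABLISHED TCP entries whose destination port the reset rule covers
    and that still have at least `min_remaining` seconds of timeout left.

    Without the fix the reset is invisible to conntrack, so such an entry
    keeps counting down from TCP_ESTABLISHED_TIMEOUT instead of being
    switched to the closed state; an entry that is days from expiry for a
    port you actively reset is therefore suspect."""
    return [
        e for e in entries
        if e.proto == "tcp"
        and e.state == "ESTABLISHED"
        and e.dport in reset_ports
        and e.timeout >= min_remaining
    ]


if __name__ == "__main__":
    # reset_ports is an assumed input: the ports your reject rule matches.
    for e in stale_reset_candidates(parse_conntrack(SAMPLE_CONNTRACK_OUTPUT), {22}):
        print(f"{e.src}:{e.sport} -> {e.dst}:{e.dport} {e.state} {e.timeout}s left")
```

On a live host, replace the constructed sample with the real listing (`conntrack -L 2>/dev/null`) and the port set with whatever your `reject with tcp reset` rule matches; entries the script reports can be removed with `conntrack -D` once you have confirmed the peer really was reset.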
ipv4
ipv6
br_netfilter.h
nf_conntrack.h netfilter: let reset rules clean out conntrack entries 2024-03-06 14:45:08 +00:00
nf_conntrack_acct.h
nf_conntrack_act_ct.h net/sched: act_ct: Always fill offloading tuple iifidx 2024-01-10 17:10:36 +01:00
nf_conntrack_bpf.h net: netfilter: move bpf_ct_set_nat_info kfunc in nf_nat_bpf.c 2022-10-03 09:17:32 -07:00
nf_conntrack_bridge.h
nf_conntrack_core.h netfilter: conntrack: fix wrong ct->timeout value 2023-05-11 23:03:25 +09:00
nf_conntrack_count.h
nf_conntrack_ecache.h
nf_conntrack_expect.h
nf_conntrack_extend.h
nf_conntrack_helper.h
nf_conntrack_l4proto.h
nf_conntrack_labels.h
nf_conntrack_seqadj.h
nf_conntrack_synproxy.h
nf_conntrack_timeout.h
nf_conntrack_timestamp.h
nf_conntrack_tuple.h
nf_conntrack_zones.h
nf_dup_netdev.h
nf_flow_table.h netfilter: nft_flow_offload: reset dst in route object after setting up flow 2024-03-01 13:26:37 +01:00
nf_hooks_lwtunnel.h
nf_log.h
nf_nat.h
nf_nat_helper.h netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_masquerade.h
nf_nat_redirect.h netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs 2023-11-20 11:52:17 +01:00
nf_queue.h treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
nf_reject.h
nf_socket.h
nf_synproxy.h
nf_tables.h netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV 2024-02-05 20:13:01 +00:00
nf_tables_core.h
nf_tables_ipv4.h netfilter: nf_tables: set transport offset from mac header for netdev/egress 2024-01-10 17:10:21 +01:00
nf_tables_ipv6.h
nf_tables_offload.h
nf_tproxy.h netfilter: tproxy: fix deadlock due to missing BH disable 2023-03-17 08:50:25 +01:00
nft_fib.h
nft_meta.h
nft_reject.h
xt_rateest.h