github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-06 05:27:07 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
bc9199271c
linux/net
History
Pablo Neira Ayuso bc9199271c netfilter: conntrack: set on IPS_ASSURED if flows enters internal stream state 
[ Upstream commit b7b1d02fc4 ]

The internal stream state sets the timeout to 120 seconds 2 seconds
after the creation of the flow, attach this internal stream state to the
IPS_ASSURED flag for consistent event reporting.

Before this patch:

      [NEW] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
   [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
   [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
  [DESTROY] udp      17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]

Note IPS_ASSURED for the flow not yet in the internal stream state.

after this update:

      [NEW] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
   [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
   [UPDATE] udp      17 120 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
  [DESTROY] udp      17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]

Before this patch, short-lived UDP flows never entered IPS_ASSURED, so
they were already candidate flow to be deleted by early_drop under
stress.

Before this patch, IPS_ASSURED is set on regardless the internal stream
state, attach this internal stream state to IPS_ASSURED.

packet #1 (original direction) enters NEW state
packet #2 (reply direction) enters ESTABLISHED state, sets on IPS_SEEN_REPLY
paclet #3 (any direction) sets on IPS_ASSURED (if 2 seconds since the
          creation has passed by).

Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-18 14:04:01 +01:00
..
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-09-15 09:50:34 +02:00
9p 9p/trans_virtio: Remove sysfs file on probe failure 2021-09-26 14:08:57 +02:00
802 net/802/garp: fix memleak in garp_request_join() 2021-07-31 08:16:11 +02:00
8021q
appletalk
atm
ax25
batman-adv net: batman-adv: fix error handling 2021-11-02 19:48:22 +01:00
bluetooth Bluetooth: fix use-after-free error in lock_sock_nested() 2021-11-18 14:03:52 +01:00
bpf bpf, test, cgroup: Use sk_{alloc,free} for test cases 2021-10-27 09:56:56 +02:00
bpfilter bpfilter: Specify the log level for the kmsg message 2021-07-14 16:56:29 +02:00
bridge net: bridge: mcast: use multicast_membership_interval for IGMPv3 2021-10-27 09:56:54 +02:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 12:27:56 +02:00
can can: j1939: j1939_can_recv(): ignore messages with invalid source address 2021-11-18 14:03:48 +01:00
ceph
core net-sysfs: try not to restart the syscall if it will fail eventually 2021-11-18 14:03:56 +01:00
dcb
dccp dccp: don't duplicate ccid when cloning dccp sock 2021-09-22 12:27:56 +02:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 14:35:38 +02:00
dns_resolver
dsa net: dsa: don't allocate the slave_mii_bus using devres 2021-09-30 10:11:02 +02:00
ethernet
ethtool ethtool: Fix rxnfc copy to user buffer overflow 2021-09-22 12:27:56 +02:00
hsr net: hsr: fix mac_len checks 2021-06-03 09:00:50 +02:00
ieee802154 net: Fix memory leak in ieee802154_raw_deliver 2021-08-18 08:59:12 +02:00
ife
ipv4 tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function 2021-11-02 19:48:21 +01:00
ipv6 gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE 2021-11-18 14:03:59 +01:00
iucv
kcm
key
l2tp net/l2tp: Fix reference count leak in l2tp_udp_recv_core 2021-09-22 12:27:56 +02:00
l3mdev
lapb
llc net: llc: fix skb_over_panic 2021-08-04 12:46:43 +02:00
mac80211 mac80211: check return value of rhashtable_init 2021-10-17 10:43:33 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-14 08:42:13 +02:00
mpls
mptcp mptcp: don't return sockets in foreign netns 2021-10-06 15:55:52 +02:00
ncsi net/ncsi: Avoid channel_monitor hrtimer deadlock 2021-04-14 08:42:08 +02:00
netfilter netfilter: conntrack: set on IPS_ASSURED if flows enters internal stream state 2021-11-18 14:04:01 +01:00
netlabel net: fix NULL pointer reference in cipso_v4_doi_free 2021-09-18 13:40:35 +02:00
netlink netlink: annotate data races around nlk->bound 2021-10-13 10:04:27 +02:00
netrom netrom: Decrease sock refcount when sock timers expire 2021-07-28 14:35:38 +02:00
nfc nfc: nci: fix the UAF of rf_conn_info object 2021-10-27 09:56:53 +02:00
nsh
openvswitch ovs: clear skb->tstamp in forwarding path 2021-08-26 08:35:50 -04:00
packet net/packet: annotate accesses to po->ifindex 2021-06-30 08:47:22 -04:00
phonet
psample
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 10:09:21 +02:00
rds rds: stop using dmapool 2021-11-18 14:03:44 +01:00
rfkill
rose
rxrpc
sched net: sched: update default qdisc visibility after Tx queue cnt changes 2021-11-18 14:03:53 +01:00
sctp sctp: add vtag check in sctp_sf_ootb 2021-11-02 19:48:24 +01:00
smc net/smc: Correct spelling mistake to TCPF_SYN_RECV 2021-11-18 14:03:44 +01:00
strparser
sunrpc SUNRPC: fix sign error causing rpcsec_gss drops 2021-10-13 10:04:24 +02:00
switchdev
tipc tipc: fix size validations for the MSG_CRYPTO type 2021-11-02 19:48:19 +01:00
tls net/tls: Fix flipped sign in async_wait.err assignment 2021-11-02 19:48:23 +01:00
unix af_unix: fix races in sk_peer_pid and sk_peer_cred accesses 2021-10-06 15:55:58 +02:00
vmw_vsock vsock/virtio: avoid potential deadlock when vsock device remove 2021-08-18 08:59:14 +02:00
wimax
wireless cfg80211: correct bridge/4addr mode check 2021-11-02 19:48:22 +01:00
x25 net/x25: Return the correct errno code 2021-06-18 10:00:06 +02:00
xdp xsk: Fix broken Tx ring validation 2021-07-14 16:56:23 +02:00
xfrm net: xfrm: Fix end of loop tests for list_for_each_entry 2021-08-26 08:35:35 -04:00
compat.c net: Return the correct errno code 2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Makefile
socket.c ethtool: improve compat ioctl handling 2021-09-18 13:40:21 +02:00
sysctl_net.c