Commit 3d1e0b40 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: conntrack: remove two args from resolve_clash

ctinfo is what's taken from the skb, i.e.
ct = nf_ct_get(skb, &ctinfo).

We do not pass 'ct' and instead re-fetch it from the skb.
Just do the same for both netns and ctinfo.

Also add a comment on what clash resolution is supposed to do.
While at it, one indent level can be removed.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent a7da92c2
...@@ -894,31 +894,64 @@ static void nf_ct_acct_merge(struct nf_conn *ct, enum ip_conntrack_info ctinfo, ...@@ -894,31 +894,64 @@ static void nf_ct_acct_merge(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
} }
} }
/* Resolve race on insertion if this protocol allows this. */ /**
* nf_ct_resolve_clash - attempt to handle clash without packet drop
*
* @skb: skb that causes the clash
* @h: tuplehash of the clashing entry already in table
*
* A conntrack entry can be inserted to the connection tracking table
* if there is no existing entry with an identical tuple.
*
* If there is one, @skb (and the assocated, unconfirmed conntrack) has
* to be dropped. In case @skb is retransmitted, next conntrack lookup
* will find the already-existing entry.
*
* The major problem with such packet drop is the extra delay added by
* the packet loss -- it will take some time for a retransmit to occur
* (or the sender to time out when waiting for a reply).
*
* This function attempts to handle the situation without packet drop.
*
* If @skb has no NAT transformation or if the colliding entries are
* exactly the same, only the to-be-confirmed conntrack entry is discarded
* and @skb is associated with the conntrack entry already in the table.
*
* Returns NF_DROP if the clash could not be resolved.
*/
static __cold noinline int static __cold noinline int
nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, nf_ct_resolve_clash(struct sk_buff *skb, struct nf_conntrack_tuple_hash *h)
enum ip_conntrack_info ctinfo,
struct nf_conntrack_tuple_hash *h)
{ {
/* This is the conntrack entry already in hashes that won race. */ /* This is the conntrack entry already in hashes that won race. */
struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
const struct nf_conntrack_l4proto *l4proto; const struct nf_conntrack_l4proto *l4proto;
enum ip_conntrack_info oldinfo; enum ip_conntrack_info ctinfo;
struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo); struct nf_conn *loser_ct;
struct net *net;
loser_ct = nf_ct_get(skb, &ctinfo);
l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
if (l4proto->allow_clash && if (!l4proto->allow_clash)
!nf_ct_is_dying(ct) && goto drop;
atomic_inc_not_zero(&ct->ct_general.use)) {
if (nf_ct_is_dying(ct))
goto drop;
if (!atomic_inc_not_zero(&ct->ct_general.use))
goto drop;
if (((ct->status & IPS_NAT_DONE_MASK) == 0) || if (((ct->status & IPS_NAT_DONE_MASK) == 0) ||
nf_ct_match(ct, loser_ct)) { nf_ct_match(ct, loser_ct)) {
nf_ct_acct_merge(ct, ctinfo, loser_ct); nf_ct_acct_merge(ct, ctinfo, loser_ct);
nf_conntrack_put(&loser_ct->ct_general); nf_conntrack_put(&loser_ct->ct_general);
nf_ct_set(skb, ct, oldinfo); nf_ct_set(skb, ct, ctinfo);
return NF_ACCEPT; return NF_ACCEPT;
} }
nf_ct_put(ct); nf_ct_put(ct);
} drop:
net = nf_ct_net(loser_ct);
NF_CT_STAT_INC(net, drop); NF_CT_STAT_INC(net, drop);
return NF_DROP; return NF_DROP;
} }
...@@ -1036,7 +1069,7 @@ __nf_conntrack_confirm(struct sk_buff *skb) ...@@ -1036,7 +1069,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
out: out:
nf_ct_add_to_dying_list(ct); nf_ct_add_to_dying_list(ct);
ret = nf_ct_resolve_clash(net, skb, ctinfo, h); ret = nf_ct_resolve_clash(skb, h);
dying: dying:
nf_conntrack_double_unlock(hash, reply_hash); nf_conntrack_double_unlock(hash, reply_hash);
NF_CT_STAT_INC(net, insert_failed); NF_CT_STAT_INC(net, insert_failed);
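Review bot: The kernel-doc added at the top of the first hunk says the cheap path applies "If @skb has no NAT transformation", but the condition on the new side tests `ct->status & IPS_NAT_DONE_MASK` on the entry already in the table, not on the conntrack attached to @skb, so the comment should name the conntrack it means, e.g. ` * If the entry already in the table has no NAT transformation, or if the colliding entries are exactly the same, ...`. The same paragraph has a typo, `assocated` → `associated`, and the last line documents only NF_DROP; `Returns NF_ACCEPT if @skb was re-associated with the existing entry, NF_DROP otherwise.` would state both outcomes. The only caller, in the second hunk, invokes the function immediately before `nf_conntrack_double_unlock()`, so it appears to run with the hash bucket locks held; if that is the contract, a `Context:` line in the kernel-doc would make it explicit. __nf_conntrack_confirm's body starts and ends outside the second hunk.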