Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
7a85bd22
Commit
7a85bd22
authored
Mar 02, 2003
by
Harald Welte
Committed by
David S. Miller
Mar 02, 2003
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[NETFILTER]: Fix conntrack bug introduced by list_del change.
parent
1bf453b3
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
17 additions
and
14 deletions
+17
-14
include/linux/netfilter_ipv4/ip_conntrack.h
include/linux/netfilter_ipv4/ip_conntrack.h
+7
-2
net/ipv4/netfilter/ip_conntrack_core.c
net/ipv4/netfilter/ip_conntrack_core.c
+5
-7
net/ipv4/netfilter/ip_conntrack_proto_tcp.c
net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+1
-1
net/ipv4/netfilter/ip_conntrack_proto_udp.c
net/ipv4/netfilter/ip_conntrack_proto_udp.c
+1
-1
net/ipv4/netfilter/ip_conntrack_standalone.c
net/ipv4/netfilter/ip_conntrack_standalone.c
+3
-3
No files found.
include/linux/netfilter_ipv4/ip_conntrack.h
View file @
7a85bd22
...
@@ -6,6 +6,7 @@
...
@@ -6,6 +6,7 @@
#include <linux/config.h>
#include <linux/config.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
#include <linux/bitops.h>
#include <asm/atomic.h>
#include <asm/atomic.h>
enum
ip_conntrack_info
enum
ip_conntrack_info
...
@@ -41,6 +42,10 @@ enum ip_conntrack_status {
...
@@ -41,6 +42,10 @@ enum ip_conntrack_status {
/* Conntrack should never be early-expired. */
/* Conntrack should never be early-expired. */
IPS_ASSURED_BIT
=
2
,
IPS_ASSURED_BIT
=
2
,
IPS_ASSURED
=
(
1
<<
IPS_ASSURED_BIT
),
IPS_ASSURED
=
(
1
<<
IPS_ASSURED_BIT
),
/* Connection is confirmed: originating packet has left box */
IPS_CONFIRMED_BIT
=
3
,
IPS_CONFIRMED
=
(
1
<<
IPS_CONFIRMED_BIT
),
};
};
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
...
@@ -159,7 +164,7 @@ struct ip_conntrack
...
@@ -159,7 +164,7 @@ struct ip_conntrack
struct
ip_conntrack_tuple_hash
tuplehash
[
IP_CT_DIR_MAX
];
struct
ip_conntrack_tuple_hash
tuplehash
[
IP_CT_DIR_MAX
];
/* Have we seen traffic both ways yet? (bitset) */
/* Have we seen traffic both ways yet? (bitset) */
volatile
unsigned
long
status
;
unsigned
long
status
;
/* Timer function; drops refcnt when it goes off. */
/* Timer function; drops refcnt when it goes off. */
struct
timer_list
timeout
;
struct
timer_list
timeout
;
...
@@ -255,7 +260,7 @@ ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
...
@@ -255,7 +260,7 @@ ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
/* It's confirmed if it is, or has been in the hash table. */
/* It's confirmed if it is, or has been in the hash table. */
static
inline
int
is_confirmed
(
struct
ip_conntrack
*
ct
)
static
inline
int
is_confirmed
(
struct
ip_conntrack
*
ct
)
{
{
return
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
list
.
next
!=
NULL
;
return
test_bit
(
IPS_CONFIRMED_BIT
,
&
ct
->
status
)
;
}
}
extern
unsigned
int
ip_conntrack_htable_size
;
extern
unsigned
int
ip_conntrack_htable_size
;
...
...
net/ipv4/netfilter/ip_conntrack_core.c
View file @
7a85bd22
...
@@ -290,9 +290,6 @@ clean_from_lists(struct ip_conntrack *ct)
...
@@ -290,9 +290,6 @@ clean_from_lists(struct ip_conntrack *ct)
{
{
DEBUGP
(
"clean_from_lists(%p)
\n
"
,
ct
);
DEBUGP
(
"clean_from_lists(%p)
\n
"
,
ct
);
MUST_BE_WRITE_LOCKED
(
&
ip_conntrack_lock
);
MUST_BE_WRITE_LOCKED
(
&
ip_conntrack_lock
);
/* Remove from both hash lists: must not NULL out next ptrs,
otherwise we'll look unconfirmed. Fortunately, LIST_DELETE
doesn't do this. --RR */
LIST_DELETE
(
&
ip_conntrack_hash
LIST_DELETE
(
&
ip_conntrack_hash
[
hash_conntrack
(
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
)],
[
hash_conntrack
(
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
)],
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]);
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]);
...
@@ -465,6 +462,7 @@ __ip_conntrack_confirm(struct nf_ct_info *nfct)
...
@@ -465,6 +462,7 @@ __ip_conntrack_confirm(struct nf_ct_info *nfct)
ct
->
timeout
.
expires
+=
jiffies
;
ct
->
timeout
.
expires
+=
jiffies
;
add_timer
(
&
ct
->
timeout
);
add_timer
(
&
ct
->
timeout
);
atomic_inc
(
&
ct
->
ct_general
.
use
);
atomic_inc
(
&
ct
->
ct_general
.
use
);
set_bit
(
IPS_CONFIRMED_BIT
,
&
ct
->
status
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
...
@@ -583,7 +581,7 @@ icmp_error_track(struct sk_buff *skb,
...
@@ -583,7 +581,7 @@ icmp_error_track(struct sk_buff *skb,
connection. Too bad: we're in trouble anyway. */
connection. Too bad: we're in trouble anyway. */
static
inline
int
unreplied
(
const
struct
ip_conntrack_tuple_hash
*
i
)
static
inline
int
unreplied
(
const
struct
ip_conntrack_tuple_hash
*
i
)
{
{
return
!
(
i
->
ctrack
->
status
&
IPS_ASSURED
);
return
!
(
test_bit
(
IPS_ASSURED_BIT
,
&
i
->
ctrack
->
status
)
);
}
}
static
int
early_drop
(
struct
list_head
*
chain
)
static
int
early_drop
(
struct
list_head
*
chain
)
...
@@ -718,7 +716,7 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
...
@@ -718,7 +716,7 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
conntrack
,
expected
);
conntrack
,
expected
);
/* Welcome, Mr. Bond. We've been expecting you... */
/* Welcome, Mr. Bond. We've been expecting you... */
IP_NF_ASSERT
(
master_ct
(
conntrack
));
IP_NF_ASSERT
(
master_ct
(
conntrack
));
conntrack
->
status
=
IPS_EXPECTED
;
__set_bit
(
IPS_EXPECTED_BIT
,
&
conntrack
->
status
)
;
conntrack
->
master
=
expected
;
conntrack
->
master
=
expected
;
expected
->
sibling
=
conntrack
;
expected
->
sibling
=
conntrack
;
LIST_DELETE
(
&
ip_conntrack_expect_list
,
expected
);
LIST_DELETE
(
&
ip_conntrack_expect_list
,
expected
);
...
@@ -766,11 +764,11 @@ resolve_normal_ct(struct sk_buff *skb,
...
@@ -766,11 +764,11 @@ resolve_normal_ct(struct sk_buff *skb,
*
set_reply
=
1
;
*
set_reply
=
1
;
}
else
{
}
else
{
/* Once we've had two way comms, always ESTABLISHED. */
/* Once we've had two way comms, always ESTABLISHED. */
if
(
h
->
ctrack
->
status
&
IPS_SEEN_REPLY
)
{
if
(
test_bit
(
IPS_SEEN_REPLY_BIT
,
&
h
->
ctrack
->
status
)
)
{
DEBUGP
(
"ip_conntrack_in: normal packet for %p
\n
"
,
DEBUGP
(
"ip_conntrack_in: normal packet for %p
\n
"
,
h
->
ctrack
);
h
->
ctrack
);
*
ctinfo
=
IP_CT_ESTABLISHED
;
*
ctinfo
=
IP_CT_ESTABLISHED
;
}
else
if
(
h
->
ctrack
->
status
&
IPS_EXPECTED
)
{
}
else
if
(
test_bit
(
IPS_EXPECTED_BIT
,
&
h
->
ctrack
->
status
)
)
{
DEBUGP
(
"ip_conntrack_in: related packet for %p
\n
"
,
DEBUGP
(
"ip_conntrack_in: related packet for %p
\n
"
,
h
->
ctrack
);
h
->
ctrack
);
*
ctinfo
=
IP_CT_RELATED
;
*
ctinfo
=
IP_CT_RELATED
;
...
...
net/ipv4/netfilter/ip_conntrack_proto_tcp.c
View file @
7a85bd22
...
@@ -190,7 +190,7 @@ static int tcp_packet(struct ip_conntrack *conntrack,
...
@@ -190,7 +190,7 @@ static int tcp_packet(struct ip_conntrack *conntrack,
have an established connection: this is a fairly common
have an established connection: this is a fairly common
problem case, so we can delete the conntrack
problem case, so we can delete the conntrack
immediately. --RR */
immediately. --RR */
if
(
!
(
conntrack
->
status
&
IPS_SEEN_REPLY
)
&&
tcph
->
rst
)
{
if
(
!
test_bit
(
IPS_SEEN_REPLY_BIT
,
&
conntrack
->
status
)
&&
tcph
->
rst
)
{
WRITE_UNLOCK
(
&
tcp_lock
);
WRITE_UNLOCK
(
&
tcp_lock
);
if
(
del_timer
(
&
conntrack
->
timeout
))
if
(
del_timer
(
&
conntrack
->
timeout
))
conntrack
->
timeout
.
function
((
unsigned
long
)
conntrack
);
conntrack
->
timeout
.
function
((
unsigned
long
)
conntrack
);
...
...
net/ipv4/netfilter/ip_conntrack_proto_udp.c
View file @
7a85bd22
...
@@ -51,7 +51,7 @@ static int udp_packet(struct ip_conntrack *conntrack,
...
@@ -51,7 +51,7 @@ static int udp_packet(struct ip_conntrack *conntrack,
{
{
/* If we've seen traffic both ways, this is some kind of UDP
/* If we've seen traffic both ways, this is some kind of UDP
stream. Extend timeout. */
stream. Extend timeout. */
if
(
conntrack
->
status
&
IPS_SEEN_REPLY
)
{
if
(
test_bit
(
IPS_SEEN_REPLY_BIT
,
&
conntrack
->
status
)
)
{
ip_ct_refresh
(
conntrack
,
UDP_STREAM_TIMEOUT
);
ip_ct_refresh
(
conntrack
,
UDP_STREAM_TIMEOUT
);
/* Also, more likely to be important, and not a probe */
/* Also, more likely to be important, and not a probe */
set_bit
(
IPS_ASSURED_BIT
,
&
conntrack
->
status
);
set_bit
(
IPS_ASSURED_BIT
,
&
conntrack
->
status
);
...
...
net/ipv4/netfilter/ip_conntrack_standalone.c
View file @
7a85bd22
...
@@ -76,7 +76,7 @@ print_expect(char *buffer, const struct ip_conntrack_expect *expect)
...
@@ -76,7 +76,7 @@ print_expect(char *buffer, const struct ip_conntrack_expect *expect)
}
}
static
unsigned
int
static
unsigned
int
print_conntrack
(
char
*
buffer
,
const
struct
ip_conntrack
*
conntrack
)
print_conntrack
(
char
*
buffer
,
struct
ip_conntrack
*
conntrack
)
{
{
unsigned
int
len
;
unsigned
int
len
;
struct
ip_conntrack_protocol
*
proto
struct
ip_conntrack_protocol
*
proto
...
@@ -94,12 +94,12 @@ print_conntrack(char *buffer, const struct ip_conntrack *conntrack)
...
@@ -94,12 +94,12 @@ print_conntrack(char *buffer, const struct ip_conntrack *conntrack)
len
+=
print_tuple
(
buffer
+
len
,
len
+=
print_tuple
(
buffer
+
len
,
&
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
,
&
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
,
proto
);
proto
);
if
(
!
(
conntrack
->
status
&
IPS_SEEN_REPLY
))
if
(
!
(
test_bit
(
IPS_SEEN_REPLY_BIT
,
&
conntrack
->
status
)
))
len
+=
sprintf
(
buffer
+
len
,
"[UNREPLIED] "
);
len
+=
sprintf
(
buffer
+
len
,
"[UNREPLIED] "
);
len
+=
print_tuple
(
buffer
+
len
,
len
+=
print_tuple
(
buffer
+
len
,
&
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
,
&
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
,
proto
);
proto
);
if
(
conntrack
->
status
&
IPS_ASSURED
)
if
(
test_bit
(
IPS_ASSURED_BIT
,
&
conntrack
->
status
)
)
len
+=
sprintf
(
buffer
+
len
,
"[ASSURED] "
);
len
+=
sprintf
(
buffer
+
len
,
"[ASSURED] "
);
len
+=
sprintf
(
buffer
+
len
,
"use=%u "
,
len
+=
sprintf
(
buffer
+
len
,
"use=%u "
,
atomic_read
(
&
conntrack
->
ct_general
.
use
));
atomic_read
(
&
conntrack
->
ct_general
.
use
));
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment