diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-03-06 02:22:55 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-03-06 20:43:50 +0100 |
commit | 741385119706d4370eb7899c5ca96ad125c520e5 (patch) | |
tree | ba34e2f3100a95f11a55bdf3b782169095661e47 /net | |
parent | bridge: netfilter: don't call iptables on vlan packets if sysctl is off (diff) | |
download | linux-741385119706d4370eb7899c5ca96ad125c520e5.tar.xz linux-741385119706d4370eb7899c5ca96ad125c520e5.zip |
netfilter: nf_conntrack: fix early_drop with reliable event delivery
If reliable event delivery is enabled and ctnetlink fails to deliver
the destroy event in early_drop, the conntrack subsystem cannot
drop any the candidate flow that was planned to be evicted.
Reported-by: Kerin Millar <kerframil@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_conntrack_core.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index ed86a3be678e..fa4b82c8ae80 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -635,8 +635,12 @@ static noinline int early_drop(struct net *net, unsigned int hash) if (del_timer(&ct->timeout)) { death_by_timeout((unsigned long)ct); - dropped = 1; - NF_CT_STAT_INC_ATOMIC(net, early_drop); + /* Check if we indeed killed this entry. Reliable event + delivery may have inserted it into the dying list. */ + if (test_bit(IPS_DYING_BIT, &ct->status)) { + dropped = 1; + NF_CT_STAT_INC_ATOMIC(net, early_drop); + } } nf_ct_put(ct); return dropped; |