git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 2 Feb 2022 11:00:56 +0000 (12:00 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 4 Feb 2022 04:39:57 +0000 (05:39 +0100)
commit	807e52815636f79b0afde58d5097bc698739a351
tree	bfc6a9d7bf7cd19a341a9a24396607c1e11eb3f1	tree \| snapshot
parent	039c8f931eb56ab7355082bd159805ca4a1c6ef8	commit \| diff

netfilter: ctnetlink: disable helper autoassign

When userspace, e.g. conntrackd, inserts an entry with a specified helper,
its possible that the helper is lost immediately after its added:

ctnetlink_create_conntrack
  -> nf_ct_helper_ext_add + assign helper
    -> ctnetlink_setup_nat
      -> ctnetlink_parse_nat_setup
         -> parse_nat_setup -> nfnetlink_parse_nat_setup
                       -> nf_nat_setup_info
                                 -> nf_conntrack_alter_reply
                                   -> __nf_ct_try_assign_helper

... and __nf_ct_try_assign_helper will zero the helper again.

Set IPS_HELPER bit to bypass auto-assign logic, its unwanted, just like
when helper is assigned via ruleset.

Dropped old 'not strictly necessary' comment, it referred to use of
rcu_assign_pointer() before it got replaced by RCU_INIT_POINTER().

NB: Fixes tag intentionally incorrect, this extends the referenced commit,
but this change won't build without IPS_HELPER introduced there.

Fixes: 4abdba00ca5e96 ("netfilter: nf_conntrack: fix explicit helper attachment and NAT")
Reported-by: Pham Thanh Tuyen <phamtyn@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/uapi/linux/netfilter/nf_conntrack_common.h		diff \| blob \| history
net/netfilter/nf_conntrack_netlink.c		diff \| blob \| history