From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pablo Neira Ayuso, Felix Kaechele, Sasha Levin
Subject: [PATCH 5.2 171/413] netfilter: ctnetlink: Fix regression in conntrack entry deletion
Date: Wed, 24 Jul 2019 21:17:42 +0200
Message-Id: <20190724191747.193826392@linuxfoundation.org>
In-Reply-To: <20190724191735.096702571@linuxfoundation.org>
References: <20190724191735.096702571@linuxfoundation.org>

[ Upstream commit e7600865db32b69deb0109b8254244dca592adcf ]

Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression") introduced a regression in which deletion of conntrack entries would fail because the L3 protocol information is replaced by AF_UNSPEC. As a result the search for the entry to be deleted would turn up empty, because the tuple used to perform the search is now different from the tuple used to initially set up the entry.

For flushing the conntrack table we do however want to keep the option for nfgenmsg->version to have a non-zero value to allow newer user-space tools to request treatment under the new behavior. With that it is possible to independently flush tables for a defined L3 protocol. This was introduced with the enhancements in commit 59c08c69c278 ("netfilter: ctnetlink: Support L3 protocol-filter on flush").

Older user-space tools will retain the behavior of flushing all tables regardless of defined L3 protocol.

Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression")
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Felix Kaechele
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin --- net/netfilter/nf_conntrack_netlink.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 7db79c1b8084..1b77444d5b52 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, struct nf_conntrack_tuple tuple; struct nf_conn *ct; struct nfgenmsg *nfmsg = nlmsg_data(nlh); - u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; struct nf_conntrack_zone zone; int err; @@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, if (cda[CTA_TUPLE_ORIG]) err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, - u3, &zone); + nfmsg->nfgen_family, &zone); else if (cda[CTA_TUPLE_REPLY]) err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, - u3, &zone); + nfmsg->nfgen_family, &zone); else { + u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; + return ctnetlink_flush_conntrack(net, cda, NETLINK_CB(skb).portid, nlmsg_report(nlh), u3); -- 2.20.1
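Review bot: the two ctnetlink_parse_tuple() call sites now pass nfmsg->nfgen_family unconditionally while only the flush branch keeps the version-gated `u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;`. That asymmetry is deliberate (tuple lookups must use the family the entry was created with, flush keeps the version-0 "all families" compatibility path), but nothing in the code records why, and the original version of this line sat at function scope looking like a general rule; a one-line comment above the `else {` block stating that version-0 clients flush all tables regardless of family would keep a future cleanup from re-hoisting u3 and reintroducing the lookup failure this patch fixes. Narrowing u3 to the flush branch is the right scoping; since the hunk ends at the `return ctnetlink_flush_conntrack(...)` call, any remaining use of u3 later in the function would now be a compile error, so a build of the backport is sufficient to confirm nothing else depended on it.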