From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tan Hu, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.14 234/239] netfilter: masquerade: dont flush all conntracks if only one address deleted on device
Date: Tue, 19 Nov 2019 06:20:34 +0100
Message-Id: <20191119051342.412438262@linuxfoundation.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191119051255.850204959@linuxfoundation.org>
References: <20191119051255.850204959@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tan Hu

[ Upstream commit 097f95d319f817e651bd51f8846aced92a55a6a1 ]

We configured iptables as below, which only allowed incoming data on
established connections:

  iptables -t mangle -A PREROUTING -m state --state ESTABLISHED -j ACCEPT
  iptables -t mangle -P PREROUTING DROP

When deleting a secondary address, the current masquerade implementation
would flush all conntracks on this device. All the established connections
on the primary address would also be deleted, then subsequent incoming data
on the connections would be dropped wrongly because it was identified as a
NEW connection.

So when an address was deleted, it should only flush connections related to
the address.

Signed-off-by: Tan Hu
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 22 ++++++++++++++++++---
 net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 19 +++++++++++++++---
 2 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
index 0c366aad89cb4..b531fe204323d 100644
--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
@@ -105,12 +105,26 @@ static int masq_device_event(struct notifier_block *this, return NOTIFY_DONE; } +static int inet_cmp(struct nf_conn *ct, void *ptr) +{ + struct in_ifaddr *ifa = (struct in_ifaddr *)ptr; + struct net_device *dev = ifa->ifa_dev->dev; + struct nf_conntrack_tuple *tuple; + + if (!device_cmp(ct, (void *)(long)dev->ifindex)) + return 0; + + tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple; + + return ifa->ifa_address == tuple->dst.u3.ip; +} + static int masq_inet_event(struct notifier_block *this, unsigned long event, void *ptr) { struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev; - struct netdev_notifier_info info; + struct net *net = dev_net(idev->dev); /* The masq_dev_notifier will catch the case of the device going * down. So if the inetdev is dead and being destroyed we have @@ -120,8 +134,10 @@ static int masq_inet_event(struct notifier_block *this, if (idev->dead) return NOTIFY_DONE; - netdev_notifier_info_init(&info, idev->dev); - return masq_device_event(this, event, &info); + if (event == NETDEV_DOWN) + nf_ct_iterate_cleanup_net(net, inet_cmp, ptr, 0, 0); + + return NOTIFY_DONE; } static struct notifier_block masq_dev_notifier = { diff --git a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c index 98f61fcb91088..b0f3745d1bee9 100644 --- a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c +++ b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c 
@@ -88,18 +88,30 @@ static struct notifier_block masq_dev_notifier = { struct masq_dev_work { struct work_struct work; struct net *net; + struct in6_addr addr; int ifindex; }; +static int inet_cmp(struct nf_conn *ct, void *work) +{ + struct masq_dev_work *w = (struct masq_dev_work *)work; + struct nf_conntrack_tuple *tuple; + + if (!device_cmp(ct, (void *)(long)w->ifindex)) + return 0; + + tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple; + + return ipv6_addr_equal(&w->addr, &tuple->dst.u3.in6); +} + static void iterate_cleanup_work(struct work_struct *work) { struct masq_dev_work *w; - long index; w = container_of(work, struct masq_dev_work, work); - index = w->ifindex; - nf_ct_iterate_cleanup_net(w->net, device_cmp, (void *)index, 0, 0); + nf_ct_iterate_cleanup_net(w->net, inet_cmp, (void *)w, 0, 0); put_net(w->net); kfree(w); @@ -148,6 +160,7 @@ static int masq_inet_event(struct notifier_block *this, INIT_WORK(&w->work, iterate_cleanup_work); w->ifindex = dev->ifindex; w->net = net; + w->addr = ifa->addr; schedule_work(&w->work); return NOTIFY_DONE; -- 2.20.1
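Review bot: the new inet_cmp in the first nf_nat_masquerade_ipv4.c hunk (@@ -105,12) compares `ifa->ifa_address == tuple->dst.u3.ip` without checking the entry's L3 protocol, yet nf_ct_iterate_cleanup_net walks every conntrack in the net, and device_cmp only checks the ifindex. An IPv6 entry masqueraded on the same device whose reply address begins with the same 32 bits would therefore be flushed too; either add `if (nf_ct_l3num(ct) != NFPROTO_IPV4) return 0;` before the compare or state in the commit message why that case cannot arise. The cast `(struct in_ifaddr *)ptr` from `void *` is also unnecessary in C.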
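Review bot: the second nf_nat_masquerade_ipv4.c hunk (@@ -120,8) stops forwarding address events to masq_device_event and acts on NETDEV_DOWN only; the commit message should say explicitly that other address events are now ignored rather than forwarded. A one-line comment that the direct nf_ct_iterate_cleanup_net call is safe here because the IPv4 inetaddr notifier chain is a blocking (process-context) chain would also help, since the IPv6 side of the same patch defers the identical walk to a workqueue and a reader comparing the two files will otherwise wonder why they differ.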
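Review bot: in the first nf_nat_masquerade_ipv6.c hunk (@@ -88,18) the inet_cmp parameter is named `work` although it is the iterator's opaque `void *`, not a `struct work_struct`, which is confusing right next to the `work` member of struct masq_dev_work; naming it `ptr` as the IPv4 side does, and dropping the redundant cast from `void *`, would read better. The new `addr` member also deserves a short comment saying it holds the address being deleted and is compared against the REPLY tuple's `dst.u3.in6`, since the struct now carries two match keys rather than one.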
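Review bot: `w->addr = ifa->addr;` in the last nf_nat_masquerade_ipv6.c hunk (@@ -148,6) copies the address into the deferred work item rather than storing the `ifa` pointer, which is the right choice because `ifa` may already be freed by the time iterate_cleanup_work runs; a brief comment at that line (or a sentence in the commit message) would record that reasoning so a later cleanup does not replace the copy with a pointer and reintroduce a use-after-free.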
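To see why the commit message's primary-address connections were being dropped, here is an added userspace model (illustration only, not code from the patch or the kernel) of the old device-wide predicate versus the patch's address-specific inet_cmp, run over a constructed conntrack table with two addresses on one device:

```c
#include <stdint.h>

/* Userspace model of the two cleanup predicates (added illustration, not
 * kernel code). Each entry records the ifindex its NAT mapping is bound to and
 * the reply-direction destination, i.e. the address the flow was masqueraded to. */
struct ct_entry {
    int ifindex;
    uint32_t reply_dst_ip;
    int alive;
};

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Old behaviour: every entry bound to the device matches. */
static int device_cmp(const struct ct_entry *ct, int ifindex) {
    return ct->ifindex == ifindex;
}

/* New behaviour, shaped like the patch's inet_cmp: the device must match AND
 * the reply destination must be the address being removed. */
static int inet_cmp(const struct ct_entry *ct, int ifindex, uint32_t addr) {
    if (!device_cmp(ct, ifindex))
        return 0;
    return ct->reply_dst_ip == addr;
}

/* Remove the secondary address and report how many entries survive the flush. */
int survivors_after_delete(int use_inet_cmp) {
    /* Constructed table: two flows via the primary 203.0.113.10, one via the
     * secondary 203.0.113.11 (both on ifindex 2), and one on another device. */
    struct ct_entry tbl[] = {
        { 2, ip4(203, 0, 113, 10), 1 },
        { 2, ip4(203, 0, 113, 10), 1 },
        { 2, ip4(203, 0, 113, 11), 1 },
        { 3, ip4(198, 51, 100, 5), 1 },
    };
    int n = (int)(sizeof tbl / sizeof tbl[0]), alive = 0;
    uint32_t gone = ip4(203, 0, 113, 11);   /* the address being deleted */

    for (int i = 0; i < n; i++) {
        int hit = use_inet_cmp ? inet_cmp(&tbl[i], 2, gone) : device_cmp(&tbl[i], 2);
        if (hit)
            tbl[i].alive = 0;   /* the entry would be flushed */
        alive += tbl[i].alive;
    }
    return alive;               /* old: 1 (only ifindex 3); new: 3 */
}
```

With the old predicate the two established flows on the primary address disappear along with the secondary's, which is exactly why their next packet is seen as NEW and hits the PREROUTING DROP policy; the address-aware predicate keeps them.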