Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp5035705pxb; Mon, 15 Feb 2021 07:55:23 -0800 (PST) X-Google-Smtp-Source: ABdhPJxbBsYRoc2Q0X3qtWKnzETfF1bfZfkA74didxZ1hICWgmx4j/baJetCj3J23CTBEPmzqgBs X-Received: by 2002:a17:906:f148:: with SMTP id gw8mr2592333ejb.313.1613404522966; Mon, 15 Feb 2021 07:55:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613404522; cv=none; d=google.com; s=arc-20160816; b=y3Jy6pKkSbF84ifecTqw05Q+iHP0ve5SG+ncej6Q9iRq7L036HyGEbspl1i/7AyVYO Objq1F30cswAKL6+RjQz+ewJdCDE3dnKRDREmBfg+4a1Js5diUtXgWibv00z0deKeTBd arqK2Y5jeUFNPb1mzxWgpiMf7Nssu5Jpmu6CC7yi208Olxn02RjkrkJMZ1s0Oi5ArUfh Xd+h30FWt8Jv8oujyHbyb7nmB0ehU7Nb62IcoyjxJy/pekthf83fRKUa0MYPA9l3i+6G ZgcOp2b7PPrVoeXDcvz6K7QO9LYHxDWa6TBHTo44kBFAHIWihvaPCAxttoTCDtFKp6qM 0sBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=lNXG/BgfY2+wgybkYgnTQQT/qv8FPCzVGfrpwuF2tIU=; b=joHuJ2lRb2r2v8ymoogH46C5Umu1SkxdE0drs6DzgebMptSgzlgVLxQ72Wtlgfb+Ud 9O3sRctQBP9qjFA3l3AZdbxAJTBVby8BerL0QPFY+UGkJwH63KwU6ajvyrMWhlD7XpYn OlyPF63vX9GPa440Txi+S1UpEBPrmd72S9C+vkwARpWnkY8oBmeVfOwJSz+PiFNSHQ/y FxB4gvqPEo2FXldl896zFPSJhl/MaApZoFwR1sok4akUNEUV7to8pU4/jNI/jYB9avQQ OOQqd9cYiaEah/qmwDZYbn23q/ZGr996bIIUhrpi+TYjAIjRZd7l1HZ4pZaF1sHxd5fZ y4sQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=HN7JMRUW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y13si13135074eju.730.2021.02.15.07.54.59; Mon, 15 Feb 2021 07:55:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=HN7JMRUW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231710AbhBOPuL (ORCPT + 99 others); Mon, 15 Feb 2021 10:50:11 -0500 Received: from mail.kernel.org ([198.145.29.99]:46856 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230442AbhBOPbh (ORCPT ); Mon, 15 Feb 2021 10:31:37 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id B40E064E96; Mon, 15 Feb 2021 15:29:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1613402967; bh=PiW0QxYcvN9x0HBY7fA4+AbVQ6ht9bkIF/2x22Ewvmw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HN7JMRUWpXLigEgqkhx3W3icoAd6WSCyLmoLi7yCuXPmPZm4TZvir6IumMXVn+e4b ISxIM2Dq3Ej91L6ZmMqaHl9s27ZGcgwxWlPAAsQX+Qs7LRDqdvro5+JHkl/ldCKtJ+ gyzlmhNm6JqblwfKr71dv1DiFICNSwIpeXrwCe8k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Florian Westphal , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 5.4 37/60] netfilter: conntrack: skip identical origin tuple in same zone only Date: Mon, 15 Feb 2021 16:27:25 +0100 Message-Id: <20210215152716.540051184@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210215152715.401453874@linuxfoundation.org> References: <20210215152715.401453874@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Florian Westphal [ Upstream commit 07998281c268592963e1cd623fe6ab0270b65ae4 ] The origin skip check needs to re-test the zone. Else, we might skip a colliding tuple in the reply direction. This only occurs when using 'directional zones' where origin tuples reside in different zones but the reply tuples share the same zone. This causes the new conntrack entry to be dropped at confirmation time because NAT clash resolution was elided. Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_conntrack_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 200cdad3ff3ab..9a40312b1f161 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1091,7 +1091,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, * Let nf_ct_resolve_clash() deal with this later. */ if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, - &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) && + nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) continue; NF_CT_STAT_INC_ATOMIC(net, found); -- 2.27.0