Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp5068781pxb; Mon, 15 Feb 2021 08:41:17 -0800 (PST) X-Google-Smtp-Source: ABdhPJwKv/a8jqYi1yMbFVPHxi8hH6Sro0TOay+kNBeSt/Y+/ZttW8NQ8513snZ1ozh/y+3PS4CZ X-Received: by 2002:a17:907:9cd:: with SMTP id bx13mr1435538ejc.11.1613407277512; Mon, 15 Feb 2021 08:41:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613407277; cv=none; d=google.com; s=arc-20160816; b=xb+ChNCFy3T1TePmo/sBstU9pcO8zMtp3ywA1Rqqx1a8gbVy7U/C1u4/JYRSdFRmiV yalPc8yHBZH5zLVukOwHNTrkBnjSOvIWr7Td//xGa7d6t/u4CRGXtOg0+/LRbiZ2U6f5 TxnE1P5gbgnVNFvHXbrwWztEZuJM0+oad11480kh0n/Hna+OI+UZ3Hjojun1THTMU7v/ w1/QvPxt11e4qM9gS4lHPMe2SI4wGCgBXkLDUZaDX+18WFeF4+AlMcok+YkejKqPT3qW ZXD9oIbFpG7aOnwU//QneAnSz8b5mj+OJrNKfdqoGNlvhi5nXGdtYyq1E4WA3F1pmSW3 ajsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=hzqFR/6hn27yZNVtzj0/P+PAXvKRTgTBgx5zd/5Rn1o=; b=rn3DCqX32tmHRCNWPC2fRmMq+ihKzTpCwurssbNUmH01BjRkEFK6WlSMe57WFXpFVX AtQ2E1W+IsPq+JMBC/gpyhj99Cx9ZwBuN/XdR/v0++tfnveH9kUuJJWQreh+3P3DVzdZ DhOJqNvSC7157PaIPMc69UQMwaRiiyer8JxMrVBwHw0iD5TyyH/epvGupazRPUinxL/8 oVm8VXT080Cg1/w3Pr01KyLFxLijGjSfY+1EG4o4LkFhfto/O3TYrtrhbf/U+I8CZ8q9 h6SaWUt3YtB2M/C+cD6K9iOgtvValQWM5ZoE1dKv7/V1NpPc8mqjJ+2jPw6uDbo22FBh T9Gg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=tCf5mjh+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m3si13310896edq.484.2021.02.15.08.40.53; Mon, 15 Feb 2021 08:41:17 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=tCf5mjh+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230475AbhBOQii (ORCPT + 99 others); Mon, 15 Feb 2021 11:38:38 -0500 Received: from mail.kernel.org ([198.145.29.99]:50206 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231490AbhBOPhz (ORCPT ); Mon, 15 Feb 2021 10:37:55 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2929464EE7; Mon, 15 Feb 2021 15:33:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1613403212; bh=4p7+N+6bGP8zeHfJrVntL64zZgTx+xM4Q/GXNBJRB9Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tCf5mjh+B576P3kakigXuwW3q9DaTG982Pume50cc1Oc8uQ8P+udc8A1KRfQ0/Avc L6PuRqoBqv9g36pITy9hsi48GpkCtybh2y4aaFngOmXZQpYjzhctn2TphSURAPYsIY 2cP/UgCPQlJyO1B2lot+npVbor1EEzJfEE5lrnvc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Florian Westphal , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 5.10 069/104] netfilter: conntrack: skip identical origin tuple in same zone only Date: Mon, 15 Feb 2021 16:27:22 +0100 Message-Id: <20210215152721.690083805@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210215152719.459796636@linuxfoundation.org> References: <20210215152719.459796636@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Florian Westphal [ Upstream commit 07998281c268592963e1cd623fe6ab0270b65ae4 ] The origin skip check needs to re-test the zone. Else, we might skip a colliding tuple in the reply direction. This only occurs when using 'directional zones' where origin tuples reside in different zones but the reply tuples share the same zone. This causes the new conntrack entry to be dropped at confirmation time because NAT clash resolution was elided. Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_conntrack_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 234b7cab37c30..ff0168736f6ea 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1229,7 +1229,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, * Let nf_ct_resolve_clash() deal with this later. */ if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, - &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) && + nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) continue; NF_CT_STAT_INC_ATOMIC(net, found); -- 2.27.0