Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1576809pxb; Mon, 22 Feb 2021 05:49:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJwNQx8NUJ56+C/FPe7hbhBr4FRpb93kf5k/IQxSqTDsG1O0z7V0XXCKgjbFkQaJ9Hu6unLe X-Received: by 2002:a50:a45b:: with SMTP id v27mr22480500edb.141.1614001776562; Mon, 22 Feb 2021 05:49:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614001776; cv=none; d=google.com; s=arc-20160816; b=hBkXuO9TSLaugggyihDMnpv6R0JNzK50KvNCqJOX6gCfKL2quThcYmBSRa1pHvwPTr yBMWRdqb5X/1womqqqOG6TROLHxm/LVrbiNMHBtkYPVhSkMaJMu3MkH1vs3NlLWIoEaU 4e3ZaVS0bmDzBf4LBCGiarEVcA6nhGx3VhnS+UMbXHebXWdqmN9nqeXRQ/6ZFCt5Wyy4 9syEdMzJWCxnqaYGfNHNN970co3G1/Jk2/eqZynSkX0PzVemZvYTaipK8WMx8bI+O0Rg bN7T1x0k8Bfx03pZRT+hLChrNOnTmbr1ZOYxogNNKdZW6lG6YZ3zw7qo5QGtlqXNJ0YZ Nf8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=1PNlVlOWWlTnYd8OcP9kw+Yzddl3pk5VR/fpTjM0qxQ=; b=v5daIo/WRyfxaMvxqiZEEvCgi1+OrokCu7f1jwVPqMva81gzwEpVCCIzvsui7wRe+C VS3H/b9PdCATl9cCOurmNpRhB+aeHq+BW7g8bHgE969vdRg/X7AwBDJUWVQQwH48DeRk 7ZEuHHd/R+/HhHnj9zqcuBUGCodvAn1A9Dz/J+w/6PbwqgYzD/wpEb59iN8U2tL5D3SH 9PFd66GQvJDrftZf15YSns13JZs5MlP0M6U6/PQhxLpNf/P2fN+4tdZ6bljI1Ia2ts2J 88TufYaq4jHAw8mIMk9Wto9+inaD0G8GrZJRmfy3j6df2iPH1aWXhCBIIiREp8lC7ZOg PHpg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LwVJ6J4X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id mb25si12623627ejb.519.2021.02.22.05.49.13; Mon, 22 Feb 2021 05:49:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LwVJ6J4X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232056AbhBVNsP (ORCPT + 99 others); Mon, 22 Feb 2021 08:48:15 -0500 Received: from mail.kernel.org ([198.145.29.99]:56550 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231651AbhBVMoj (ORCPT ); Mon, 22 Feb 2021 07:44:39 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 74B4B64F55; Mon, 22 Feb 2021 12:41:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1613997687; bh=3cAhZggnByc7kiAB7NJ2hTqyAJ6yXki2cXldoW1F1CY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LwVJ6J4XPxOI3O4fm2jEgjZH6DuvYDKNPATUD5snja56utDmIIP8v5H136+UzUtT5 aasmeKilEHXOmdX3Wc/pSuAbrDfELYg1lFolBPH/q6OYJFHC2T297c8SBIsBxtfRXq Vbu/E3JFsIpJ7Ub2XHuXO4hPyfTlh3hhTWONS6o8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Florian Westphal , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.9 27/49] netfilter: conntrack: skip identical origin tuple in same zone only Date: Mon, 22 Feb 2021 13:36:25 +0100 Message-Id: <20210222121026.954707566@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210222121022.546148341@linuxfoundation.org> References: <20210222121022.546148341@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Florian Westphal [ Upstream commit 07998281c268592963e1cd623fe6ab0270b65ae4 ] The origin skip check needs to re-test the zone. Else, we might skip a colliding tuple in the reply direction. This only occurs when using 'directional zones' where origin tuples reside in different zones but the reply tuples share the same zone. This causes the new conntrack entry to be dropped at confirmation time because NAT clash resolution was elided. Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_conntrack_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index d507d0fc7858a..ddd90a3820d39 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -903,7 +903,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, * Let nf_ct_resolve_clash() deal with this later. */ if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, - &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) && + nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) continue; NF_CT_STAT_INC_ATOMIC(net, found); -- 2.27.0