Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

netfilter: conntrack: check netns when comparing conntrack objects

Once we place all conntracks in the same hash table we must also compare
the netns pointer to skip conntracks that belong to a different namespace.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal 9 years ago
parent
245cfdcaba
commit
e0c7d47221
3 changed files with 22 additions and 12 deletions
Split View Show Diff Stats
  1. 6 2
      net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
  2. 13 10
      net/netfilter/nf_conntrack_core.c
  3. 3 0
      net/netfilter/nf_conntrack_netlink.c

+ 6 - 2
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
View File 

@@ -115,6 +115,7 @@ static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 
 #endif
 
 
 static bool ct_seq_should_skip(const struct nf_conn *ct,
 
+			       const struct net *net,
 
 			       const struct nf_conntrack_tuple_hash *hash)
 
 {
 
 	/* we only want to print DIR_ORIGINAL */
 
@@ -124,6 +125,9 @@ static bool ct_seq_should_skip(const struct nf_conn *ct,
 
 	if (nf_ct_l3num(ct) != AF_INET)
 
 		return true;
 
 
+	if (!net_eq(nf_ct_net(ct), net))
 
+		return true;
 
+
 
 	return false;
 
 }
 
 
@@ -136,7 +140,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
 
 	int ret = 0;
 
 
 	NF_CT_ASSERT(ct);
 
-	if (ct_seq_should_skip(ct, hash))
 
+	if (ct_seq_should_skip(ct, seq_file_net(s), hash))
 
 		return 0;
 
 
 	if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
 
@@ -144,7 +148,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
 
 
 	/* check if we raced w. object reuse */
 
 	if (!nf_ct_is_confirmed(ct) ||
 
-	    ct_seq_should_skip(ct, hash))
 
+	    ct_seq_should_skip(ct, seq_file_net(s), hash))
 
 		goto release;
 
 
 	l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));

+ 13 - 10
net/netfilter/nf_conntrack_core.c
View File 

@@ -447,7 +447,8 @@ static void death_by_timeout(unsigned long ul_conntrack)
 
 static inline bool
 
 nf_ct_key_equal(struct nf_conntrack_tuple_hash *h,
 
 		const struct nf_conntrack_tuple *tuple,
 
-		const struct nf_conntrack_zone *zone)
 
+		const struct nf_conntrack_zone *zone,
 
+		const struct net *net)
 
 {
 
 	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
 
 
@@ -456,7 +457,8 @@ nf_ct_key_equal(struct nf_conntrack_tuple_hash *h,
 
 	 */
 
 	return nf_ct_tuple_equal(tuple, &h->tuple) &&
 
 	       nf_ct_zone_equal(ct, zone, NF_CT_DIRECTION(h)) &&
 
-	       nf_ct_is_confirmed(ct);
 
+	       nf_ct_is_confirmed(ct) &&
 
+	       net_eq(net, nf_ct_net(ct));
 
 }
 
 
 /*
 
@@ -481,7 +483,7 @@ begin:
 
 	} while (read_seqcount_retry(&nf_conntrack_generation, sequence));
 
 
 	hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[bucket], hnnode) {
 
-		if (nf_ct_key_equal(h, tuple, zone)) {
 
+		if (nf_ct_key_equal(h, tuple, zone, net)) {
 
 			NF_CT_STAT_INC_ATOMIC(net, found);
 
 			return h;
 
 		}
 
@@ -517,7 +519,7 @@ begin:
 
 			     !atomic_inc_not_zero(&ct->ct_general.use)))
 
 			h = NULL;
 
 		else {
 
-			if (unlikely(!nf_ct_key_equal(h, tuple, zone))) {
 
+			if (unlikely(!nf_ct_key_equal(h, tuple, zone, net))) {
 
 				nf_ct_put(ct);
 
 				goto begin;
 
 			}
 
@@ -573,12 +575,12 @@ nf_conntrack_hash_check_insert(struct nf_conn *ct)
 
 	/* See if there's one in the list already, including reverse */
 
 	hlist_nulls_for_each_entry(h, n, &net->ct.hash[hash], hnnode)
 
 		if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
 
-				    zone))
 
+				    zone, net))
 
 			goto out;
 
 
 	hlist_nulls_for_each_entry(h, n, &net->ct.hash[reply_hash], hnnode)
 
 		if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
 
-				    zone))
 
+				    zone, net))
 
 			goto out;
 
 
 	add_timer(&ct->timeout);
 
@@ -663,12 +665,12 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 
 	   not in the hash.  If there is, we lost race. */
 
 	hlist_nulls_for_each_entry(h, n, &net->ct.hash[hash], hnnode)
 
 		if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
 
-				    zone))
 
+				    zone, net))
 
 			goto out;
 
 
 	hlist_nulls_for_each_entry(h, n, &net->ct.hash[reply_hash], hnnode)
 
 		if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
 
-				    zone))
 
+				    zone, net))
 
 			goto out;
 
 
 	/* Timer relative to confirmation time, not original
 
@@ -740,7 +742,7 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
 
 	hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[hash], hnnode) {
 
 		ct = nf_ct_tuplehash_to_ctrack(h);
 
 		if (ct != ignored_conntrack &&
 
-		    nf_ct_key_equal(h, tuple, zone)) {
 
+		    nf_ct_key_equal(h, tuple, zone, net)) {
 
 			NF_CT_STAT_INC_ATOMIC(net, found);
 
 			rcu_read_unlock();
 
 			return 1;
 
@@ -1383,7 +1385,8 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data),
 
 				if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
 
 					continue;
 
 				ct = nf_ct_tuplehash_to_ctrack(h);
 
-				if (iter(ct, data))
 
+				if (net_eq(nf_ct_net(ct), net) &&
 
+				    iter(ct, data))
 
 					goto found;
 
 			}
 
 		}

+ 3 - 0
net/netfilter/nf_conntrack_netlink.c
View File 

@@ -837,6 +837,9 @@ restart:
 
 			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
 
 				continue;
 
 			ct = nf_ct_tuplehash_to_ctrack(h);
 
+			if (!net_eq(net, nf_ct_net(ct)))
 
+				continue;
 
+
 
 			/* Dump entries of a given L3 protocol number.
 
 			 * If it is not specified, ie. l3proto == 0,
 
 			 * then dump everything. */