Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cc41c84b authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: kill the fake untracked conntrack objects 



resurrect an old patch from Pablo Neira to remove the untracked objects.

Currently, there are four possible states of an skb wrt. conntrack.

1. No conntrack attached, ct is NULL.
2. Normal (kmem cache allocated) ct attached.
3. a template (kmalloc'd), not in any hash tables at any point in time
4. the 'untracked' conntrack, a percpu nf_conn object, tagged via
   IPS_UNTRACKED_BIT in ct->status.

Untracked is supposed to be identical to case 1.  It exists only
so users can check

-m conntrack --ctstate UNTRACKED vs.
-m conntrack --ctstate INVALID

e.g. attempts to set connmark on INVALID or UNTRACKED conntracks is
supposed to be a no-op.

Thus currently we need to check
 ct == NULL || nf_ct_is_untracked(ct)

in a lot of places in order to avoid altering untracked objects.

The other consequence of the percpu untracked object is that all
-j NOTRACK (and, later, kfree_skb of such skbs) result in an atomic op
(inc/dec the untracked conntracks refcount).

This adds a new kernel-private ctinfo state, IP_CT_UNTRACKED, to
make the distinction instead.

The (few) places that care about packet invalid (ct is NULL) vs.
packet untracked now need to test ct == NULL vs. ctinfo == IP_CT_UNTRACKED,
but all other places can omit the nf_ct_is_untracked() check.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 6e354a5e

include/net/ip_vs.h

+1 −5
Original line number Diff line number Diff line
@@ -1556,12 +1556,8 @@ static inline void ip_vs_notrack(struct sk_buff *skb) 
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);



	if (!ct || !nf_ct_is_untracked(ct)) {

		struct nf_conn *untracked;



		nf_conntrack_put(&ct->ct_general);

		untracked = nf_ct_untracked_get();

		nf_conntrack_get(&untracked->ct_general);

		nf_ct_set(skb, untracked, IP_CT_NEW);

		nf_ct_set(skb, NULL, IP_CT_UNTRACKED);

	}

#endif

}

include/net/netfilter/nf_conntrack.h

+1 −9
Original line number Diff line number Diff line
@@ -243,14 +243,6 @@ extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct, 
			       enum ip_conntrack_dir dir,

			       u32 seq);



/* Fake conntrack entry for untracked connections */

DECLARE_PER_CPU_ALIGNED(struct nf_conn, nf_conntrack_untracked);

static inline struct nf_conn *nf_ct_untracked_get(void)

{

	return raw_cpu_ptr(&nf_conntrack_untracked);

}

void nf_ct_untracked_status_or(unsigned long bits);



/* Iterate over all conntracks: if iter returns true, it's deleted. */

void nf_ct_iterate_cleanup(struct net *net,

			   int (*iter)(struct nf_conn *i, void *data),
@@ -283,7 +275,7 @@ static inline int nf_ct_is_dying(const struct nf_conn *ct) 


static inline int nf_ct_is_untracked(const struct nf_conn *ct)

{

	return test_bit(IPS_UNTRACKED_BIT, &ct->status);

	return false;

}



/* Packet is received from loopback */

include/uapi/linux/netfilter/nf_conntrack_common.h

+4 −2
Original line number Diff line number Diff line
@@ -28,12 +28,14 @@ enum ip_conntrack_info { 
	/* only for userspace compatibility */

#ifndef __KERNEL__

	IP_CT_NEW_REPLY = IP_CT_NUMBER,

#else

	IP_CT_UNTRACKED = 7,

#endif

};



#define NF_CT_STATE_INVALID_BIT			(1 << 0)

#define NF_CT_STATE_BIT(ctinfo)			(1 << ((ctinfo) % IP_CT_IS_REPLY + 1))

#define NF_CT_STATE_UNTRACKED_BIT		(1 << (IP_CT_NUMBER + 1))

#define NF_CT_STATE_UNTRACKED_BIT		(1 << (IP_CT_UNTRACKED + 1))



/* Bitset representing status of connection. */

enum ip_conntrack_status {
@@ -94,7 +96,7 @@ enum ip_conntrack_status { 
	IPS_TEMPLATE_BIT = 11,

	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),



	/* Conntrack is a fake untracked entry */

	/* Conntrack is a fake untracked entry.  Obsolete and not used anymore */

	IPS_UNTRACKED_BIT = 12,

	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),

net/ipv4/netfilter/nf_dup_ipv4.c

+1 −2
Original line number Diff line number Diff line
@@ -69,8 +69,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, 
#if IS_ENABLED(CONFIG_NF_CONNTRACK)

	/* Avoid counting cloned packets towards the original connection. */

	nf_reset(skb);

	nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);

	nf_conntrack_get(skb_nfct(skb));

	nf_ct_set(skb, NULL, IP_CT_UNTRACKED);

#endif

	/*

	 * If we are in PREROUTING/INPUT, decrease the TTL to mitigate potential

net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

+1 −2
Original line number Diff line number Diff line
@@ -221,8 +221,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl, 
	type = icmp6h->icmp6_type - 130;

	if (type >= 0 && type < sizeof(noct_valid_new) &&

	    noct_valid_new[type]) {

		nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);

		nf_conntrack_get(skb_nfct(skb));

		nf_ct_set(skb, NULL, IP_CT_UNTRACKED);

		return NF_ACCEPT;

	}