Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 74138511 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by David S. Miller
Browse files

netfilter: nf_conntrack: fix early_drop with reliable event delivery 



If reliable event delivery is enabled and ctnetlink fails to deliver
the destroy event in early_drop, the conntrack subsystem cannot
drop any the candidate flow that was planned to be evicted.

Reported-by: default avatarKerin Millar <kerframil@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 739e4505

net/netfilter/nf_conntrack_core.c

+6 −2
Original line number Diff line number Diff line
@@ -635,9 +635,13 @@ static noinline int early_drop(struct net *net, unsigned int hash) 


	if (del_timer(&ct->timeout)) {

		death_by_timeout((unsigned long)ct);

		/* Check if we indeed killed this entry. Reliable event

		   delivery may have inserted it into the dying list. */

		if (test_bit(IPS_DYING_BIT, &ct->status)) {

			dropped = 1;

			NF_CT_STAT_INC_ATOMIC(net, early_drop);

		}

	}

	nf_ct_put(ct);

	return dropped;

}