netfilter: conntrack: gre: don't set assured flag for clash entries
Now that the conntrack core is allowed to insert clashing entries, make sure GRE won't set the assured flag on NAT_CLASH entries, just like UDP. Doing so prevents early_drop logic for these entries. Fixes: d671fd82eaa9 ("netfilter: conntrack: allow insertion clash of gre protocol") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
1689f25924
commit
8a9dc07ba9
@ -205,6 +205,8 @@ int nf_conntrack_gre_packet(struct nf_conn *ct,
|
||||
enum ip_conntrack_info ctinfo,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
unsigned long status;
|
||||
|
||||
if (!nf_ct_is_confirmed(ct)) {
|
||||
unsigned int *timeouts = nf_ct_timeout_lookup(ct);
|
||||
|
||||
@ -217,11 +219,17 @@ int nf_conntrack_gre_packet(struct nf_conn *ct,
|
||||
ct->proto.gre.timeout = timeouts[GRE_CT_UNREPLIED];
|
||||
}
|
||||
|
||||
status = READ_ONCE(ct->status);
|
||||
/* If we've seen traffic both ways, this is a GRE connection.
|
||||
* Extend timeout. */
|
||||
if (ct->status & IPS_SEEN_REPLY) {
|
||||
if (status & IPS_SEEN_REPLY) {
|
||||
nf_ct_refresh_acct(ct, ctinfo, skb,
|
||||
ct->proto.gre.stream_timeout);
|
||||
|
||||
/* never set ASSURED for IPS_NAT_CLASH, they time out soon */
|
||||
if (unlikely((status & IPS_NAT_CLASH)))
|
||||
return NF_ACCEPT;
|
||||
|
||||
/* Also, more likely to be important, and not a probe. */
|
||||
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
|
||||
nf_conntrack_event_cache(IPCT_ASSURED, ct);
|
||||
|