ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
Commitb0e214d212
("netfilter: keep conntrack reference until IPsecv6 policy checks are done") is a direct copy of the old commitb59c270104
("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done") but for IPv6. However, it also copies a bug that this old commit had. That is: when the third packet of 3WHS connection establishment contains payload, it is added into socket receive queue without the XFRM check and the drop of connection tracking context. That leads to nf_conntrack module being impossible to unload as it waits for all the conntrack references to be dropped while the packet release is deferred in per-cpu cache indefinitely, if not consumed by the application. The issue for IPv4 was fixed in commit6f0012e351
("tcp: add a missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM check and correctly dropping the conntrack context. However, the issue was introduced to IPv6 code afterwards. Fixing it the same way for IPv6 now. Fixes:b0e214d212
("netfilter: keep conntrack reference until IPsecv6 policy checks are done") Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/ Signed-off-by: Ilya Maximets <i.maximets@ovn.org> Acked-by: Florian Westphal <fw@strlen.de> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20230922210530.2045146-1-i.maximets@ovn.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
parent
4b2b606075
commit
9593c7cb6c
@ -1640,9 +1640,12 @@ process:
|
||||
struct sock *nsk;
|
||||
|
||||
sk = req->rsk_listener;
|
||||
drop_reason = tcp_inbound_md5_hash(sk, skb,
|
||||
&hdr->saddr, &hdr->daddr,
|
||||
AF_INET6, dif, sdif);
|
||||
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
|
||||
drop_reason = SKB_DROP_REASON_XFRM_POLICY;
|
||||
else
|
||||
drop_reason = tcp_inbound_md5_hash(sk, skb,
|
||||
&hdr->saddr, &hdr->daddr,
|
||||
AF_INET6, dif, sdif);
|
||||
if (drop_reason) {
|
||||
sk_drops_add(sk, skb);
|
||||
reqsk_put(req);
|
||||
@ -1689,6 +1692,7 @@ process:
|
||||
}
|
||||
goto discard_and_relse;
|
||||
}
|
||||
nf_reset_ct(skb);
|
||||
if (nsk == sk) {
|
||||
reqsk_put(req);
|
||||
tcp_v6_restore_cb(skb);
|
||||
|
Loading…
Reference in New Issue
Block a user