iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2954fe60e3
linux/net/ipv4
History
Florian Westphal 2954fe60e3 netfilter: let reset rules clean out conntrack entries 
iptables/nftables support responding to tcp packets with tcp resets.

The generated tcp reset packet passes through both output and postrouting
netfilter hooks, but conntrack will never see them because the generated
skb has its ->nfct pointer copied over from the packet that triggered the
reset rule.

If the reset rule is used for established connections, this
may result in the conntrack entry to be around for a very long
time (default timeout is 5 days).

One way to avoid this would be to not copy the nf_conn pointer
so that the rest packet passes through conntrack too.

Problem is that output rules might not have the same conntrack
zone setup as the prerouting ones, so its possible that the
reset skb won't find the correct entry.  Generating a template
entry for the skb seems error prone as well.

Add an explicit "closing" function that switches a confirmed
conntrack entry to closed state and wire this up for tcp.

If the entry isn't confirmed, no action is needed because
the conntrack entry will never be committed to the table.

Reported-by: Russel King <linux@armlinux.org.uk>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2023-02-17 13:04:56 +01:00
..
bpfilter
netfilter netfilter: let reset rules clean out conntrack entries 2023-02-17 13:04:56 +01:00
af_inet.c inet: control sockets should not use current thread task_frag 2023-01-04 20:38:25 -08:00
ah4.c xfrm: ah: add extack to ah_init_state, ah6_init_state 2022-09-29 07:17:59 +02:00
arp.c ipv4: move from strlcpy with unused retval to strscpy 2022-08-22 17:59:37 -07:00
bpf_tcp_ca.c bpf: Pass const struct bpf_prog * to .check_member 2023-01-25 10:25:57 -08:00
cipso_ipv4.c cipso: Fix data-races around sysctl. 2022-07-08 12:10:33 +01:00
datagram.c Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
devinet.c net: devinet: Reduce refcount before grace period 2022-11-30 13:17:52 -08:00
esp4_offload.c xfrm: replay: Fix ESN wrap around for GSO 2022-10-19 09:00:53 +02:00
esp4.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2022-10-03 07:52:13 +01:00
fib_frontend.c ipv4: Fix incorrect route flushing when table ID 0 is used 2022-12-06 20:34:43 -08:00
fib_lookup.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-02-17 11:44:20 -08:00
fib_notifier.c net: ipv4: remove superfluous header files from fib_notifier.c 2021-09-28 17:32:56 -07:00
fib_rules.c ipv4: remove unnecessary type castings 2022-04-30 15:12:58 +01:00
fib_semantics.c ipv4: prevent potential spectre v1 gadget in fib_metrics_match() 2023-01-23 21:37:39 -08:00
fib_trie.c ipv4: Fix error return code in fib_table_insert() 2022-11-22 20:18:20 -08:00
fou_core.c net: fou: use policy and operation tables generated from the spec 2023-01-24 10:58:11 +01:00
fou_nl.c net: fou: use policy and operation tables generated from the spec 2023-01-24 10:58:11 +01:00
fou_nl.h net: fou: use policy and operation tables generated from the spec 2023-01-24 10:58:11 +01:00
gre_demux.c
gre_offload.c net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
icmp.c icmp: Add counters for rate limits 2023-01-26 10:52:18 +01:00
igmp.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
inet_connection_sock.c inet: Add IP_LOCAL_PORT_RANGE socket option 2023-01-25 22:45:00 -08:00
inet_diag.c net: inet: Retire port only listening_hash 2022-05-12 16:52:18 -07:00
inet_fragment.c net: dropreason: add SKB_DROP_REASON_FRAG_REASM_TIMEOUT 2022-10-31 20:14:27 -07:00
inet_hashtables.c inet: Add IP_LOCAL_PORT_RANGE socket option 2023-01-25 22:45:00 -08:00
inet_timewait_sock.c tcp: avoid the lookup process failing to get sk in ehash table 2023-01-19 13:06:45 +01:00
inetpeer.c inetpeer: Fix data-races around sysctl. 2022-07-08 12:10:33 +01:00
ip_forward.c ip: Fix data-races around sysctl_ip_fwd_update_priority. 2022-07-15 11:49:55 +01:00
ip_fragment.c net: dropreason: add SKB_DROP_REASON_FRAG_TOO_FAR 2022-10-31 20:14:27 -07:00
ip_gre.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-12-08 18:19:59 -08:00
ip_input.c xfrm: fix "disable_policy" on ipv4 early demux 2022-10-12 10:45:34 +02:00
ip_options.c ipv4: drop fragmentation code from ip_options_build() 2022-01-29 17:53:07 +00:00
ip_output.c treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
ip_sockglue.c inet: Add IP_LOCAL_PORT_RANGE socket option 2023-01-25 22:45:00 -08:00
ip_tunnel_core.c net: Add helper function to parse netlink msg of ip_tunnel_parm 2022-10-03 07:59:06 +01:00
ip_tunnel.c ipv4: tunnels: use DEV_STATS_INC() 2022-11-16 12:48:44 +00:00
ip_vti.c ipv4: tunnels: use DEV_STATS_INC() 2022-11-16 12:48:44 +00:00
ipcomp.c xfrm: ipcomp: add extack to ipcomp{4,6}_init_state 2022-09-29 07:18:00 +02:00
ipconfig.c Driver core / kernfs changes for 6.0-rc1 2022-08-04 11:31:20 -07:00
ipip.c ipv4: tunnels: use DEV_STATS_INC() 2022-11-16 12:48:44 +00:00
ipmr_base.c ipmr: adopt rcu_read_lock() in mr_dump() 2022-06-24 11:34:38 +01:00
ipmr.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
Kconfig tcp: configurable source port perturb table size 2022-11-16 13:02:04 +00:00
Makefile net: fou: use policy and operation tables generated from the spec 2023-01-24 10:58:11 +01:00
metrics.c ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() 2023-01-23 21:37:25 -08:00
netfilter.c netfilter: Use l3mdev flow key when re-routing mangled packets 2022-05-16 13:03:29 +02:00
netlink.c
nexthop.c nh: fix scope used to find saddr when adding non gw nh 2022-10-27 10:17:40 -07:00
ping.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-12-08 18:19:59 -08:00
proc.c icmp: Add counters for rate limits 2023-01-26 10:52:18 +01:00
protocol.c
raw_diag.c raw: complete rcu conversion 2022-06-21 11:38:29 +02:00
raw.c raw: fix a typo in raw_icmp_error() 2022-06-24 22:48:33 -07:00
route.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
syncookies.c mptcp: remove MPTCP 'ifdef' in TCP SYN cookies 2022-12-12 13:11:24 -08:00
sysctl_net_ipv4.c udp: Introduce optional per-netns hash table. 2022-11-16 09:43:35 +00:00
tcp_bbr.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
tcp_bic.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_bpf.c bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect 2022-12-01 01:07:36 +01:00
tcp_cdg.c Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
tcp_cong.c tcp: Add tracepoint for tcp_set_ca_state 2022-04-07 20:33:15 -07:00
tcp_cubic.c bpf: Switch to new kfunc flags infrastructure 2022-07-21 20:59:42 -07:00
tcp_dctcp.c tcp: add support for PLB in DCTCP 2022-10-28 10:47:42 +01:00
tcp_dctcp.h
tcp_diag.c tcp: Access &tcp_hashinfo via net. 2022-09-20 10:21:49 -07:00
tcp_fastopen.c tcp: Make SYN ACK RTO tunable by BPF programs with TFO 2022-08-17 10:19:22 +01:00
tcp_highspeed.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_htcp.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_hybla.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_illinois.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_input.c Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
tcp_ipv4.c tcp: use 2-arg optimal variant of kfree_rcu() 2022-12-02 20:44:45 -08:00
tcp_lp.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_metrics.c genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
tcp_minisocks.c net/tcp: Separate initialization of twsk 2022-12-01 15:53:05 -08:00
tcp_nv.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_offload.c gro: add support of (hw)gro packets to gro stack 2022-10-03 12:38:34 +01:00
tcp_output.c net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction 2022-12-01 15:53:05 -08:00
tcp_plb.c prandom: remove prandom_u32_max() 2022-12-20 03:13:45 +01:00
tcp_rate.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-04-28 13:02:01 -07:00
tcp_recovery.c tcp: Fix data-races around sysctl_tcp_recovery. 2022-07-20 10:14:50 +01:00
tcp_scalable.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_timer.c tcp: Make SYN ACK RTO tunable by BPF programs with TFO 2022-08-17 10:19:22 +01:00
tcp_ulp.c net/ulp: use consistent error code when blocking ULP 2023-01-19 09:26:16 -08:00
tcp_vegas.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_vegas.h
tcp_veno.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_westwood.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_yeah.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp.c tcp: fix rate_app_limited to default to 1 2023-01-20 13:23:35 +00:00
tunnel4.c
udp_bpf.c net: remove SOCK_SUPPORT_ZC from sockmap 2022-10-28 20:21:25 -07:00
udp_diag.c udp: Access &udp_table via net. 2022-11-16 09:43:35 +00:00
udp_impl.h net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
udp_offload.c udp: allow header check for dodgy GSO_UDP_L4 packets. 2022-12-12 09:29:56 +00:00
udp_tunnel_core.c net/tunnel: wait until all sk_user_data reader finish before releasing the sock 2022-12-12 09:51:52 +00:00
udp_tunnel_nic.c udp_tunnel: Add checks for nla_nest_start() in __udp_tunnel_nic_dump_write() 2022-11-29 08:44:24 -08:00
udp_tunnel_stub.c
udp.c inet: Add IP_LOCAL_PORT_RANGE socket option 2023-01-25 22:45:00 -08:00
udplite.c tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2022-10-12 17:50:37 -07:00
xfrm4_input.c
xfrm4_output.c
xfrm4_policy.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
xfrm4_protocol.c net: xfrm: unexport __init-annotated xfrm4_protocol_init() 2022-06-08 10:10:13 -07:00
xfrm4_state.c
xfrm4_tunnel.c xfrm: tunnel: add extack to ipip_init_state, xfrm6_tunnel_init_state 2022-09-29 07:18:00 +02:00