linux/net/netfilter
Pablo Neira Ayuso 0eba801b64 netfilter: ctnetlink: force null nat binding on insert
Quoting Andrey Vagin:
  When a conntrack is created  by kernel, it is initialized (sets
  IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
  is added in hashes (__nf_conntrack_hash_insert), so one conntract
  can't be initialized from a few threads concurrently.

  ctnetlink can add an uninitialized conntrack (w/o
  IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
  this conntrack and start initialize it concurrently. It's dangerous,
  because BUG can be triggered from nf_nat_setup_info.

Fix this race by always setting up nat, even if no CTA_NAT_ attribute
was requested before inserting the ct into the hash table. In absence
of CTA_NAT_ attribute, a null binding is created.

This alters current behaviour: Before this patch, the first packet
matching the newly injected conntrack would be run through the nat
table since nf_nat_initialized() returns false.  IOW, this forces
ctnetlink users to specify the desired nat transformation on ct
creation time.

Thanks for Florian Westphal, this patch is based on his original
patch to address this problem, including this patch description.

Reported-By: Andrey Vagin <avagin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
2014-02-18 00:13:51 +01:00
..
ipset Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
ipvs ipvs: fix AF assignment in ip_vs_conn_new() 2014-02-04 21:13:47 +09:00
core.c netfilter: pass hook ops to hookfn 2013-10-14 11:29:31 +02:00
Kconfig netfilter: nf_tables: add reject module for NFPROTO_INET 2014-02-06 09:44:18 +01:00
Makefile netfilter: nf_tables: add reject module for NFPROTO_INET 2014-02-06 09:44:18 +01:00
nf_conntrack_acct.c netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
nf_conntrack_amanda.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt 2014-02-05 17:46:06 +01:00
nf_conntrack_ecache.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_expect.c netfilter: ctnetlink: fix incorrect NAT expectation dumping 2013-07-15 11:14:51 +02:00
nf_conntrack_extend.c
nf_conntrack_ftp.c netfilter: Implement RFC 1123 for FTP conntrack 2013-05-27 13:32:43 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: nf_conntrack: fix rt6i_gateway checks for H.323 helper 2013-10-21 18:37:01 -04:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_irc.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_l3proto_generic.c
nf_conntrack_labels.c netfilter: connlabels: remove unneeded includes 2013-07-31 16:39:18 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: ctnetlink: force null nat binding on insert 2014-02-18 00:13:51 +01:00
nf_conntrack_pptp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_dccp.c netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages 2014-01-06 17:40:02 +01:00
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_sctp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_tcp.c netfilter: add SYNPROXY core/target 2013-08-28 00:27:54 +02:00
nf_conntrack_proto_udp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_udplite.c netfilter: nf_log: prepare net namespace support for loggers 2013-04-05 20:12:54 +02:00
nf_conntrack_proto.c netfilter: nf_conntrack: remove dead code 2014-01-03 23:41:37 +01:00
nf_conntrack_sane.c
nf_conntrack_seqadj.c netfilter: only warn once on wrong seqadj usage 2014-01-06 14:23:17 +01:00
nf_conntrack_sip.c netfilter: nf_ct_sip: consolidate NAT hook functions 2013-10-01 12:47:09 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
nf_conntrack_tftp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_timeout.c
nf_conntrack_timestamp.c netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion 2013-12-20 14:58:29 +01:00
nf_internals.h net: misc: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
nf_log.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
nf_nat_amanda.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_nat_core.c netfilter: ctnetlink: force null nat binding on insert 2014-02-18 00:13:51 +01:00
nf_nat_ftp.c
nf_nat_helper.c netfilter: nf_conntrack: make sequence number adjustments usuable without NAT 2013-08-28 00:26:48 +02:00
nf_nat_irc.c netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper 2014-01-06 14:17:17 +01:00
nf_nat_proto_common.c netfilter: nf_nat: add full port randomization support 2014-01-03 23:41:26 +01:00
nf_nat_proto_dccp.c
nf_nat_proto_sctp.c net/sctp: Refactor SCTP skb checksum computation 2013-07-27 20:07:15 -07:00
nf_nat_proto_tcp.c
nf_nat_proto_udp.c
nf_nat_proto_udplite.c
nf_nat_proto_unknown.c
nf_nat_sip.c netfilter: nf_ct_sip: consolidate NAT hook functions 2013-10-01 12:47:09 +02:00
nf_nat_tftp.c
nf_queue.c netfilter: move skb_gso_segment into nfnetlink_queue module 2013-04-29 20:09:05 +02:00
nf_sockopt.c
nf_synproxy_core.c netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt 2014-02-05 17:46:06 +01:00
nf_tables_api.c netfilter: nf_tables: fix loop checking with end interval elements 2014-02-07 17:21:45 +01:00
nf_tables_core.c netfilter: nf_tables: unininline nft_trace_packet() 2014-02-07 17:50:27 +01:00
nf_tables_inet.c netfilter: nf_tables: fix error path in the init functions 2014-01-09 23:25:48 +01:00
nfnetlink_acct.c netfilter: nfnetlink_acct: fix incomplete dumping of objects 2013-06-05 12:36:36 +02:00
nfnetlink_cthelper.c netfilter: check return code from nla_parse_tested 2013-06-20 11:20:13 +02:00
nfnetlink_cttimeout.c netfilter: cttimeout: allow to set/get default protocol timeouts 2013-10-01 13:17:39 +02:00
nfnetlink_log.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2014-01-08 15:04:56 -05:00
nfnetlink_queue_core.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch 2014-01-06 19:48:38 -05:00
nfnetlink_queue_ct.c netfilter: nf_conntrack: make sequence number adjustments usuable without NAT 2013-08-28 00:26:48 +02:00
nfnetlink.c nfnetlink: do not ack malformed messages 2013-11-08 15:12:11 -05:00
nft_bitwise.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_byteorder.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_cmp.c netfilter: nf_tables: add compatibility layer for x_tables 2013-10-14 18:00:04 +02:00
nft_compat.c netfilter: nf_tables: add support for multi family tables 2014-01-07 23:55:46 +01:00
nft_counter.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_ct.c netfilter: nft_ct: fix missing NFT_CT_L3PROTOCOL key in validity checks 2014-02-06 00:05:33 +01:00
nft_expr_template.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_exthdr.c netfilter: nft_exthdr: call ipv6_find_hdr() with explicitly initialized offset 2013-12-20 11:25:10 +01:00
nft_hash.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
nft_immediate.c netfilter: nf_tables: add compatibility layer for x_tables 2013-10-14 18:00:04 +02:00
nft_limit.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_log.c netfilter: nf_tables: fix log/queue expressions for NFPROTO_INET 2014-02-06 11:41:38 +01:00
nft_lookup.c net: Include appropriate header file in netfilter/nft_lookup.c 2014-02-09 17:32:50 -08:00
nft_meta.c netfilter: nft_meta: fix typo "CONFIG_NET_CLS_ROUTE" 2014-02-14 11:37:34 +01:00
nft_nat.c netfilter: nft_nat: Fix endianness issue reported by sparse 2013-10-28 17:41:49 +01:00
nft_payload.c netfilter: nf_tables: check if payload length is a power of 2 2014-02-17 11:21:17 +01:00
nft_queue.c netfilter: nf_tables: fix log/queue expressions for NFPROTO_INET 2014-02-06 11:41:38 +01:00
nft_rbtree.c netfilter: nft_rbtree: fix data handling of end interval elements 2014-02-07 14:22:06 +01:00
nft_reject_inet.c netfilter: nft_reject_inet: fix unintended fall-through in switch-statatement 2014-02-14 11:37:33 +01:00
nft_reject.c netfilter: nft_reject: split up reject module into IPv4 and IPv6 specifc parts 2014-02-06 09:44:10 +01:00
x_tables.c netfilter: x_tables: fix ordering of jumpstack allocation and table update 2013-10-22 10:11:29 +02:00
xt_addrtype.c netfilter: xt_addrtype: fix trivial typo 2013-07-31 16:36:25 +02:00
xt_AUDIT.c
xt_bpf.c
xt_cgroup.c netfilter: x_tables: lightweight process control group matching 2014-01-03 23:41:44 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
xt_comment.c
xt_connbytes.c netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
xt_connlabel.c
xt_connlimit.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
xt_connmark.c netfilter: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
xt_CONNSECMARK.c
xt_conntrack.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_cpu.c
xt_CT.c netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt 2014-02-05 17:46:06 +01:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c
xt_ipcomp.c netfilter: add IPv4/6 IPComp extension match support 2013-12-24 12:37:58 +01:00
xt_iprange.c
xt_ipvs.c
xt_l2tp.c netfilter: introduce l2tp match extension 2014-01-09 21:36:39 +01:00
xt_LED.c
xt_length.c
xt_limit.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_LOG.c netfilter: xt_LOG: fix mark logging for IPv6 packets 2013-05-29 12:29:18 +02:00
xt_mac.c
xt_mark.c
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c
xt_NFLOG.c netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
xt_NFQUEUE.c netfilter: xt_NFQUEUE: separate reusable code 2013-12-07 23:20:45 +01:00
xt_osf.c netfilter: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c net_sched: add 64bit rate estimators 2013-06-11 02:51:03 -07:00
xt_RATEEST.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
xt_realm.c
xt_recent.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
xt_REDIRECT.c
xt_repldata.h
xt_sctp.c
xt_SECMARK.c
xt_set.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
xt_socket.c netfilter: xt_socket: use sock_gen_put() 2013-10-17 10:27:25 +02:00
xt_state.c
xt_statistic.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c netfilter: xt_TCPMSS: lookup route from proper net namespace 2013-09-27 16:18:23 +02:00
xt_TCPOPTSTRIP.c netfilter: xt_TCPOPTSTRIP: fix possible off by one access 2013-08-01 11:45:15 +02:00
xt_tcpudp.c
xt_TEE.c net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
xt_time.c
xt_TPROXY.c ipv6: make lookups simpler and faster 2013-10-09 00:01:25 -04:00
xt_TRACE.c
xt_u32.c