1. 17 Feb, 2023 1 commit
      netfilter: let reset rules clean out conntrack entries · 2954fe60
      Florian Westphal authored
      iptables/nftables support responding to tcp packets with tcp resets.
      
      The generated tcp reset packet passes through both output and postrouting
      netfilter hooks, but conntrack will never see them because the generated
      skb has its ->nfct pointer copied over from the packet that triggered the
      reset rule.
      
      If the reset rule is used for established connections, this
      may result in the conntrack entry being around for a very long
      time (default timeout is 5 days).
      
      One way to avoid this would be to not copy the nf_conn pointer
      so that the reset packet passes through conntrack too.
      
      Problem is that output rules might not have the same conntrack
      zone setup as the prerouting ones, so it's possible that the
      reset skb won't find the correct entry.  Generating a template
      entry for the skb seems error prone as well.
      
      Add an explicit "closing" function that switches a confirmed
      conntrack entry to closed state and wire this up for tcp.
      
      If the entry isn't confirmed, no action is needed because
      the conntrack entry will never be committed to the table.
      Reported-by: Russell King <linux@armlinux.org.uk>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 02 Feb, 2023 1 commit
  3. 01 Feb, 2023 38 commits