Commit 590b52e1 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: conntrack: skip clash resolution if nat is in place

The clash resolution is not easy to apply if the NAT table is
registered. Even if no NAT rules are installed, the nul-binding ensures
that a unique tuple is used, thus, the packet that loses race gets a
different source port number, as described by:

http://marc.info/?l=netfilter-devel&m=146818011604484&w=2

Clash resolution with NAT is also problematic if addresses/port range
ports are used since the conntrack that wins race may describe a
different mangling that we may have earlier applied to the packet via
nf_nat_setup_info().

Fixes: 71d8c47f ("netfilter: conntrack: introduce clash resolution on insertion race")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Tested-by: default avatarMarc Dionne <marc.c.dionne@gmail.com>
parent 4edfa9d0
...@@ -646,6 +646,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, ...@@ -646,6 +646,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
if (l4proto->allow_clash && if (l4proto->allow_clash &&
!nfct_nat(ct) &&
!nf_ct_is_dying(ct) && !nf_ct_is_dying(ct) &&
atomic_inc_not_zero(&ct->ct_general.use)) { atomic_inc_not_zero(&ct->ct_general.use)) {
nf_ct_acct_merge(ct, ctinfo, (struct nf_conn *)skb->nfct); nf_ct_acct_merge(ct, ctinfo, (struct nf_conn *)skb->nfct);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment