diff options
| author | Florian Westphal <fw@strlen.de> | 2017-07-07 07:07:17 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-07-17 11:02:19 -0400 |
| commit | 97772bcd56efa21d9d8976db6f205574ea602f51 (patch) | |
| tree | 6201ab9cf05ef4e22928dd0270dcf69ccf3b6abb /net | |
| parent | cf56c2f892a8a1870a8358114ad896772da7543a (diff) | |
netfilter: nat: fix src map lookup
When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().
When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.
We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.
This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.
Fixes: 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon <jaco@uls.co.za>
Tested-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_nat_core.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index 832c5a08d9a5..eb541786ccb7 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c | |||
| @@ -222,20 +222,21 @@ find_appropriate_src(struct net *net, | |||
| 222 | .tuple = tuple, | 222 | .tuple = tuple, |
| 223 | .zone = zone | 223 | .zone = zone |
| 224 | }; | 224 | }; |
| 225 | struct rhlist_head *hl; | 225 | struct rhlist_head *hl, *h; |
| 226 | 226 | ||
| 227 | hl = rhltable_lookup(&nf_nat_bysource_table, &key, | 227 | hl = rhltable_lookup(&nf_nat_bysource_table, &key, |
| 228 | nf_nat_bysource_params); | 228 | nf_nat_bysource_params); |
| 229 | if (!hl) | ||
| 230 | return 0; | ||
| 231 | 229 | ||
| 232 | ct = container_of(hl, typeof(*ct), nat_bysource); | 230 | rhl_for_each_entry_rcu(ct, h, hl, nat_bysource) { |
| 231 | nf_ct_invert_tuplepr(result, | ||
| 232 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | ||
| 233 | result->dst = tuple->dst; | ||
| 233 | 234 | ||
| 234 | nf_ct_invert_tuplepr(result, | 235 | if (in_range(l3proto, l4proto, result, range)) |
| 235 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | 236 | return 1; |
| 236 | result->dst = tuple->dst; | 237 | } |
| 237 | 238 | ||
| 238 | return in_range(l3proto, l4proto, result, range); | 239 | return 0; |
| 239 | } | 240 | } |
| 240 | 241 | ||
| 241 | /* For [FUTURE] fragmentation handling, we want the least-used | 242 | /* For [FUTURE] fragmentation handling, we want the least-used |