netfilter: nf_conntrack: fix early_drop with reliable event delivery

If reliable event delivery is enabled and ctnetlink fails to deliver the destroy event in early_drop, the conntrack subsystem cannot drop any the candidate flow that was planned to be evicted. Reported-by: Kerin Millar <kerframil@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2012-03-05 20:22:55 -0500
committer: David S. Miller <davem@davemloft.net> 2012-03-06 14:43:50 -0500
commit: 741385119706d4370eb7899c5ca96ad125c520e5 (patch)
tree: ba34e2f3100a95f11a55bdf3b782169095661e47
parent: 739e4505a0e8209622dc71743bfa1c804eacf7f4 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index ed86a3be678e..fa4b82c8ae80 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -635,8 +635,12 @@ static noinline int early_drop(struct net *net, unsigned int hash)
        if (del_timer(&ct->timeout)) {
                death_by_timeout((unsigned long)ct);
-                dropped = 1;
+                /* Check if we indeed killed this entry. Reliable event
-                NF_CT_STAT_INC_ATOMIC(net, early_drop);
+                   delivery may have inserted it into the dying list. */
+                if (test_bit(IPS_DYING_BIT, &ct->status)) {
+                        dropped = 1;
+                        NF_CT_STAT_INC_ATOMIC(net, early_drop);
+                }
        }
        nf_ct_put(ct);
        return dropped;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2012-03-05 20:22:55 -0500
committer	David S. Miller <davem@davemloft.net>	2012-03-06 14:43:50 -0500
commit	741385119706d4370eb7899c5ca96ad125c520e5 (patch)
tree	ba34e2f3100a95f11a55bdf3b782169095661e47
parent	739e4505a0e8209622dc71743bfa1c804eacf7f4 (diff)