netfilter: nf_conntrack: fix event flooding in GRE protocol tracker

GRE connections cause ctnetlink event flood because the ASSURED event is set for every packet received. Reported-by: Denys Fedoryshchenko <denys@visp.net.lb> Tested-by: Denys Fedoryshchenko <denys@visp.net.lb> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2011-09-30 10:38:29 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2011-10-03 06:43:24 -0400
commit: 98d9ae841ad620045d653fb05764e4a899f42dbd (patch)
tree: 040d36bf3b350c16e6af847584fddc70272ccf9c
parent: b582ad8e961c78458005250ae28fdd7a25db55aa (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index cf616e55ca41..d69facdd9a7a 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -241,8 +241,8 @@ static int gre_packet(struct nf_conn *ct,
                nf_ct_refresh_acct(ct, ctinfo, skb,
                                   ct->proto.gre.stream_timeout);
                /* Also, more likely to be important, and not a probe. */
-                set_bit(IPS_ASSURED_BIT, &ct->status);
+                if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
-                nf_conntrack_event_cache(IPCT_ASSURED, ct);
+                        nf_conntrack_event_cache(IPCT_ASSURED, ct);
        } else
                nf_ct_refresh_acct(ct, ctinfo, skb,
                                   ct->proto.gre.timeout);
author	Florian Westphal <fw@strlen.de>	2011-09-30 10:38:29 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2011-10-03 06:43:24 -0400
commit	98d9ae841ad620045d653fb05764e4a899f42dbd (patch)
tree	040d36bf3b350c16e6af847584fddc70272ccf9c
parent	b582ad8e961c78458005250ae28fdd7a25db55aa (diff)

diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c index cf616e55ca41..d69facdd9a7a 100644 --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -241,8 +241,8 @@ static int gre_packet(struct nf_conn *ct,
241	nf_ct_refresh_acct(ct, ctinfo, skb,	241	nf_ct_refresh_acct(ct, ctinfo, skb,
242	ct->proto.gre.stream_timeout);	242	ct->proto.gre.stream_timeout);
243	/* Also, more likely to be important, and not a probe. */	243	/* Also, more likely to be important, and not a probe. */
244	set_bit(IPS_ASSURED_BIT, &ct->status);	244	if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
245	nf_conntrack_event_cache(IPCT_ASSURED, ct);	245	nf_conntrack_event_cache(IPCT_ASSURED, ct);
246	} else	246	} else
247	nf_ct_refresh_acct(ct, ctinfo, skb,	247	nf_ct_refresh_acct(ct, ctinfo, skb,
248	ct->proto.gre.timeout);	248	ct->proto.gre.timeout);