netfilter: nf_conntrack: fix early_drop with reliable event delivery
If reliable event delivery is enabled and ctnetlink fails to deliver the destroy event in early_drop, the conntrack subsystem cannot drop any the candidate flow that was planned to be evicted. Reported-by: Kerin Millar <kerframil@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Pablo Neira Ayuso
David S. Miller
Родитель
739e4505a0
Коммит
7413851197
|
|
@ -635,8 +635,12 @@ static noinline int early_drop(struct net *net, unsigned int hash)
|
||||||
|
|
||||||
if (del_timer(&ct->timeout)) {
|
if (del_timer(&ct->timeout)) {
|
||||||
death_by_timeout((unsigned long)ct);
|
death_by_timeout((unsigned long)ct);
|
||||||
dropped = 1;
|
/* Check if we indeed killed this entry. Reliable event
|
||||||
NF_CT_STAT_INC_ATOMIC(net, early_drop);
|
delivery may have inserted it into the dying list. */
|
||||||
|
if (test_bit(IPS_DYING_BIT, &ct->status)) {
|
||||||
|
dropped = 1;
|
||||||
|
NF_CT_STAT_INC_ATOMIC(net, early_drop);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
nf_ct_put(ct);
|
nf_ct_put(ct);
|
||||||
return dropped;
|
return dropped;
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче