Commit 8a9dc07b authored by Florian Westphal, committed by Pablo Neira Ayuso

netfilter: conntrack: gre: don't set assured flag for clash entries



Now that conntrack core is allowed to insert clashing entries, make sure
GRE won't set assured flag on NAT_CLASH entries, just like UDP.

Doing so prevents early_drop logic for these entries.

Fixes: d671fd82 ("netfilter: conntrack: allow insertion clash of gre protocol")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 1689f259
+9 −1
@@ -205,6 +205,8 @@ int nf_conntrack_gre_packet(struct nf_conn *ct,
			    enum ip_conntrack_info ctinfo,
			    const struct nf_hook_state *state)
{
	unsigned long status;

	if (!nf_ct_is_confirmed(ct)) {
		unsigned int *timeouts = nf_ct_timeout_lookup(ct);

@@ -217,11 +219,17 @@ int nf_conntrack_gre_packet(struct nf_conn *ct,
		ct->proto.gre.timeout = timeouts[GRE_CT_UNREPLIED];
	}

	status = READ_ONCE(ct->status);
	/* If we've seen traffic both ways, this is a GRE connection.
	 * Extend timeout. */
	if (ct->status & IPS_SEEN_REPLY) {
	if (status & IPS_SEEN_REPLY) {
		nf_ct_refresh_acct(ct, ctinfo, skb,
				   ct->proto.gre.stream_timeout);

		/* never set ASSURED for IPS_NAT_CLASH, they time out soon */
		if (unlikely((status & IPS_NAT_CLASH)))
			return NF_ACCEPT;

		/* Also, more likely to be important, and not a probe. */
		if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
			nf_conntrack_event_cache(IPCT_ASSURED, ct);
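Review bot: the comment on the IPS_NAT_CLASH early return says these entries "time out soon", yet the line immediately above it, `nf_ct_refresh_acct(ct, ctinfo, skb, ct->proto.gre.stream_timeout);`, still runs for them before the `return NF_ACCEPT`. That is only harmless because clash entries are created with IPS_FIXED_TIMEOUT set together with IPS_NAT_CLASH, so the refresh leaves the timeout alone; please say so in the comment, or move the clash check ahead of the refresh, so the next reader does not see the comment contradict the code. The rest of the hunk is fine: taking one READ_ONCE snapshot of ct->status for the two flag tests while keeping test_and_set_bit on the live `&ct->status` is the right split, and the ordering mirrors the UDP tracker the commit message refers to.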