Message ID | 20210209213511.23298-2-pablo@netfilter.org
---|---
State | New
Series | [net,1/2] netfilter: conntrack: skip identical origin tuple in same zone only
Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Tue, 9 Feb 2021 22:35:10 +0100 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> The origin skip check needs to re-test the zone. Else, we might skip
> a colliding tuple in the reply direction.
>
> This only occurs when using 'directional zones' where origin tuples
> reside in different zones but the reply tuples share the same zone.
>
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: conntrack: skip identical origin tuple in same zone only
    https://git.kernel.org/netdev/net/c/07998281c268
  - [net,2/2] netfilter: nftables: relax check for stateful expressions in set definition
    https://git.kernel.org/netdev/net/c/664899e85c13

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
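To make the failure mode in the commit message concrete, the following is an added, self-contained C model of the "same flow" exception in nf_conntrack_tuple_taken(). It is not kernel code: the struct layout, the in-memory table and the addresses are constructed for this example, and only the zone-id rule (a zone applies to a direction only if that direction's bit is set, otherwise the default zone 0 applies) and the shape of the skip check follow the kernel. It runs the check with and without the patched zone condition for the directional-zone case the commit describes, plus two controls (same zone, and two ordinary non-directional zones) to show that the extra test changes nothing there.

```c
/* Added, self-contained model of the "same flow" exception in
 * nf_conntrack_tuple_taken(); not kernel code. Struct layout, table and
 * addresses are constructed for this example. Zones follow the kernel's
 * directional rule: zone.dir bit set for a direction => zone.id, else 0. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dir { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
#define ZONE_DIR_ORIG	(1u << DIR_ORIGINAL)
#define ZONE_DIR_BOTH	(ZONE_DIR_ORIG | (1u << DIR_REPLY))
#define DEFAULT_ZONE_ID	0

struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct zone  { uint16_t id; unsigned dir; };
struct conn  { struct tuple tuplehash[2]; struct zone zone; };

static bool tuple_equal(const struct tuple *a, const struct tuple *b)
{
	return a->src == b->src && a->dst == b->dst && a->proto == b->proto &&
	       a->sport == b->sport && a->dport == b->dport;
}

/* Effective zone id for direction d (models nf_ct_zone_id()). */
static uint16_t zone_id(const struct zone *z, enum dir d)
{
	return (z->dir & (1u << d)) ? z->id : DEFAULT_ZONE_ID;
}

/* Models nf_ct_zone_equal(): ct's zone versus z, in direction d. */
static bool zone_equal(const struct conn *ct, const struct zone *z, enum dir d)
{
	return zone_id(&ct->zone, d) == zone_id(z, d);
}

/* Models nf_ct_key_equal(): matching direction of ct for tuple t, or -1. */
static int key_equal(const struct conn *ct, const struct tuple *t, const struct zone *z)
{
	for (int d = DIR_ORIGINAL; d <= DIR_REPLY; d++)
		if (tuple_equal(&ct->tuplehash[d], t) && zone_equal(ct, z, d))
			return d;
	return -1;
}

/* Is t, the reply tuple proposed for `ignored`, already used by another entry?
 * fixed=true applies the patch: skip only if origin tuples AND origin zones match. */
static int tuple_taken(const struct tuple *t, const struct conn *ignored,
		       const struct conn *table, size_t n, bool fixed)
{
	const struct zone *zone = &ignored->zone;

	for (size_t i = 0; i < n; i++) {
		const struct conn *ct = &table[i];
		bool same_flow;

		if (ct == ignored || key_equal(ct, t, zone) < 0)
			continue;
		same_flow = tuple_equal(&ignored->tuplehash[DIR_ORIGINAL],
					&ct->tuplehash[DIR_ORIGINAL]);
		if (fixed)
			same_flow = same_flow && zone_equal(ct, zone, DIR_ORIGINAL);
		if (same_flow)
			continue;	/* same flow: left to nf_ct_resolve_clash() */
		return 1;		/* taken: NAT must pick another port */
	}
	return 0;
}

/* Two entries with identical origin and reply tuples in zones za and zb;
 * entry 1 is the new conntrack whose proposed reply tuple is checked. */
static int check(struct zone za, struct zone zb, bool fixed)
{
	const struct tuple orig = { 0x0a000001, 0x0a000002, 40000, 53, 17 };
	const struct tuple repl = { 0x0a000002, 0xc0a80001, 53, 40000, 17 };
	struct conn table[2] = { { { orig, repl }, za }, { { orig, repl }, zb } };
	return tuple_taken(&repl, &table[1], table, 2, fixed);
}

/* The commit's case: origin zones 1 and 2 differ, reply zone is shared (0). */
int directional_zone_collision(bool fixed)
{
	return check((struct zone){ 1, ZONE_DIR_ORIG }, (struct zone){ 2, ZONE_DIR_ORIG }, fixed);
}

/* Same origin tuple in the same zone: genuinely one flow, never "taken". */
int same_flow_deferred(bool fixed)
{
	return check((struct zone){ 1, ZONE_DIR_BOTH }, (struct zone){ 1, ZONE_DIR_BOTH }, fixed);
}

/* Ordinary (non-directional) zones 1 and 2: no collision across zones. */
int separate_zones_no_collision(bool fixed)
{
	return check((struct zone){ 1, ZONE_DIR_BOTH }, (struct zone){ 2, ZONE_DIR_BOTH }, fixed);
}

int main(void)
{
	printf("directional zones: before fix taken=%d, after fix taken=%d\n",
	       directional_zone_collision(false), directional_zone_collision(true));
	printf("same zone taken=%d, separate zones taken=%d\n",
	       same_flow_deferred(true), separate_zones_no_collision(true));
	return 0;
}
```

Before the fix, the directional case reports the reply tuple as free because the two origin tuples are byte-identical, so NAT would hand out a reply tuple that already belongs to a different flow in the shared reply zone; after the fix the differing origin zones make it a real collision and the port is rejected. The two controls return 0 both ways, which is why the patch is scoped to directional zones only.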
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 234b7cab37c3..ff0168736f6e 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1229,7 +1229,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, * Let nf_ct_resolve_clash() deal with this later. */ if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, - &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) && + nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) continue; NF_CT_STAT_INC_ATOMIC(net, found);
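Review bot: the comment block this condition sits under (the visible tail is "Let nf_ct_resolve_clash() deal with this later.") still frames the exception as "identical original tuples means the same flow", but the condition now also requires nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL); please update that comment to say that identical origin tuples in different origin-direction zones are distinct flows and must not be skipped, since the old wording is exactly the reasoning that let a colliding reply tuple through. Also worth confirming in the full function that `zone` here is the ignored conntrack's zone rather than ct's own, as the hunk context does not show where it is set and the new test is vacuous if it is ct's.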