netfilter: conntrack: destroy functions need to free queued packets
author Florian Westphal <fw@strlen.de>
Tue, 25 Jul 2017 22:02:33 +0000 (00:02 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 31 Jul 2017 17:09:39 +0000 (19:09 +0200)
commit e2a750070aeec7af3818065b39d61cb38627ce64
tree 54dd9cce351fb40fa4eb95d5d27e60992360c9fe
parent 84657984c26fd0b64743a397f3a1a587fa4b575a
netfilter: conntrack: destroy functions need to free queued packets

queued skbs might be using conntrack extensions that are being removed,
such as timeout.  This happens for skbs that have a skb->nfct in
unconfirmed state (i.e., not in hash table yet).

This is destructive, but there are only two use cases:
 - module removal (rare)
 - netns cleanup (most likely no conntracks exist, and if they do,
   they are removed anyway later on).

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_queue.c