netfilter: nf_conntrack: fix early_drop with reliable event delivery
author: Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 6 Mar 2012 01:22:55 +0000 (01:22 +0000)
committer: David S. Miller <davem@davemloft.net>
Tue, 6 Mar 2012 19:43:50 +0000 (14:43 -0500)
If reliable event delivery is enabled and ctnetlink fails to deliver
the destroy event in early_drop, the conntrack subsystem cannot
drop the candidate flow that was planned to be evicted.

Reported-by: Kerin Millar <kerframil@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/nf_conntrack_core.c

index ed86a3b..fa4b82c 100644 (file)
@@ -635,8 +635,12 @@ static noinline int early_drop(struct net *net, unsigned int hash)
 
        if (del_timer(&ct->timeout)) {
                death_by_timeout((unsigned long)ct);
-               dropped = 1;
-               NF_CT_STAT_INC_ATOMIC(net, early_drop);
+               /* Check if we indeed killed this entry. Reliable event
+                  delivery may have inserted it into the dying list. */
+               if (test_bit(IPS_DYING_BIT, &ct->status)) {
+                       dropped = 1;
+                       NF_CT_STAT_INC_ATOMIC(net, early_drop);
+               }
        }
        nf_ct_put(ct);
        return dropped;
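Review bot: the new comment block in early_drop() does not follow the kernel's multi-line comment style; the continuation line should start with ` * ` and the block should close on its own line. It would also help to say why IPS_DYING_BIT is the right thing to test: the check relies on death_by_timeout() setting that bit only when the destroy event was actually delivered, so a reader seeing `if (test_bit(IPS_DYING_BIT, &ct->status))` right after `death_by_timeout((unsigned long)ct);` should be told that an entry without the bit has been parked on the dying list rather than freed, which is why `dropped` stays 0 and the early_drop counter is not bumped in that case.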