Re: [PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction
On Thu, Aug 17, 2017 at 07:57:07AM +0200, Stefan Bader wrote: > On 03.07.2017 15:34, Greg Kroah-Hartman wrote: > > 4.4-stable review patch. If anyone has any objections, please let me know. > > We found that pulling below patch into stable trees without also pulling > > commit 9c3f3794926a997b1cab6c42480ff300efa2d162 > Author: Liping Zhang> Date: Sat Mar 25 16:35:29 2017 +0800 > > netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister > > will result in a regression, at least in 4.4.y[1]. Stable maintainers who > picked > up below patch might want to consider picking up above fix. Thanks, I've now picked this one up too. greg k-h
Re: [PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction
On Thu, Aug 17, 2017 at 07:57:07AM +0200, Stefan Bader wrote: > On 03.07.2017 15:34, Greg Kroah-Hartman wrote: > > 4.4-stable review patch. If anyone has any objections, please let me know. > > We found that pulling below patch into stable trees without also pulling > > commit 9c3f3794926a997b1cab6c42480ff300efa2d162 > Author: Liping Zhang > Date: Sat Mar 25 16:35:29 2017 +0800 > > netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister > > will result in a regression, at least in 4.4.y[1]. Stable maintainers who > picked > up below patch might want to consider picking up above fix. Thanks, I've now picked this one up too. greg k-h
Re: [PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction
On 03.07.2017 15:34, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. We found that pulling below patch into stable trees without also pulling commit 9c3f3794926a997b1cab6c42480ff300efa2d162 Author: Liping ZhangDate: Sat Mar 25 16:35:29 2017 +0800 netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister will result in a regression, at least in 4.4.y[1]. Stable maintainers who picked up below patch might want to consider picking up above fix. -Stefan [1] http://bugs.launchpad.net/bugs/1709032 > > -- > > From: Eric Leblond > > commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream. > > This patch fixes the creation of connection tracking entry from > netlink when synproxy is used. It was missing the addition of > the synproxy extension. > > This was causing kernel crashes when a conntrack entry created by > conntrackd was used after the switch of traffic from active node > to the passive node. > > Signed-off-by: Eric Leblond > Signed-off-by: Pablo Neira Ayuso > Signed-off-by: Greg Kroah-Hartman > > --- > net/netfilter/nf_conntrack_netlink.c |4 > 1 file changed, 4 insertions(+) > > --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -45,6 +45,8 @@ > #include > #include > #include > +#include > +#include > #ifdef CONFIG_NF_NAT_NEEDED > #include > #include > @@ -1798,6 +1800,8 @@ ctnetlink_create_conntrack(struct net *n > nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); > nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); > nf_ct_labels_ext_add(ct); > + nfct_seqadj_ext_add(ct); > + nfct_synproxy_ext_add(ct); > > /* we must add conntrack extensions before confirmation. */ > ct->status |= IPS_CONFIRMED; > > signature.asc Description: OpenPGP digital signature
Re: [PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction
On 03.07.2017 15:34, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. We found that pulling below patch into stable trees without also pulling commit 9c3f3794926a997b1cab6c42480ff300efa2d162 Author: Liping Zhang Date: Sat Mar 25 16:35:29 2017 +0800 netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister will result in a regression, at least in 4.4.y[1]. Stable maintainers who picked up below patch might want to consider picking up above fix. -Stefan [1] http://bugs.launchpad.net/bugs/1709032 > > -- > > From: Eric Leblond > > commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream. > > This patch fixes the creation of connection tracking entry from > netlink when synproxy is used. It was missing the addition of > the synproxy extension. > > This was causing kernel crashes when a conntrack entry created by > conntrackd was used after the switch of traffic from active node > to the passive node. > > Signed-off-by: Eric Leblond > Signed-off-by: Pablo Neira Ayuso > Signed-off-by: Greg Kroah-Hartman > > --- > net/netfilter/nf_conntrack_netlink.c |4 > 1 file changed, 4 insertions(+) > > --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -45,6 +45,8 @@ > #include > #include > #include > +#include > +#include > #ifdef CONFIG_NF_NAT_NEEDED > #include > #include > @@ -1798,6 +1800,8 @@ ctnetlink_create_conntrack(struct net *n > nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); > nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); > nf_ct_labels_ext_add(ct); > + nfct_seqadj_ext_add(ct); > + nfct_synproxy_ext_add(ct); > > /* we must add conntrack extensions before confirmation. */ > ct->status |= IPS_CONFIRMED; > > signature.asc Description: OpenPGP digital signature
[PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Eric Leblondcommit 87e94dbc210a720a34be5c1174faee5c84be963e upstream. This patch fixes the creation of connection tracking entry from netlink when synproxy is used. It was missing the addition of the synproxy extension. This was causing kernel crashes when a conntrack entry created by conntrackd was used after the switch of traffic from active node to the passive node. Signed-off-by: Eric Leblond Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nf_conntrack_netlink.c |4 1 file changed, 4 insertions(+) --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -45,6 +45,8 @@ #include #include #include +#include +#include #ifdef CONFIG_NF_NAT_NEEDED #include #include @@ -1798,6 +1800,8 @@ ctnetlink_create_conntrack(struct net *n nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); nf_ct_labels_ext_add(ct); + nfct_seqadj_ext_add(ct); + nfct_synproxy_ext_add(ct); /* we must add conntrack extensions before confirmation. */ ct->status |= IPS_CONFIRMED;
[PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Eric Leblond commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream. This patch fixes the creation of connection tracking entry from netlink when synproxy is used. It was missing the addition of the synproxy extension. This was causing kernel crashes when a conntrack entry created by conntrackd was used after the switch of traffic from active node to the passive node. Signed-off-by: Eric Leblond Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nf_conntrack_netlink.c |4 1 file changed, 4 insertions(+) --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -45,6 +45,8 @@ #include #include #include +#include +#include #ifdef CONFIG_NF_NAT_NEEDED #include #include @@ -1798,6 +1800,8 @@ ctnetlink_create_conntrack(struct net *n nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); nf_ct_labels_ext_add(ct); + nfct_seqadj_ext_add(ct); + nfct_synproxy_ext_add(ct); /* we must add conntrack extensions before confirmation. */ ct->status |= IPS_CONFIRMED;