leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
9e924cf407
linux/include/net/netfilter
History
Florian Westphal d503b30bd6 netfilter: tproxy: do not assign timewait sockets to skb->sk 
Assigning a socket in timewait state to skb->sk can trigger
kernel oops, e.g. in nfnetlink_log, which does:

if (skb->sk) {
        read_lock_bh(&skb->sk->sk_callback_lock);
        if (skb->sk->sk_socket && skb->sk->sk_socket->file) ...

in the timewait case, accessing sk->sk_callback_lock and sk->sk_socket
is invalid.

Either all of these spots will need to add a test for sk->sk_state != TCP_TIME_WAIT,
or xt_TPROXY must not assign a timewait socket to skb->sk.

This does the latter.

If a TW socket is found, assign the tproxy nfmark, but skip the skb->sk assignment,
thus mimicking behaviour of a '-m socket .. -j MARK/ACCEPT' re-routing rule.

The 'SYN to TW socket' case is left unchanged -- we try to redirect to the
listener socket.

Cc: Balazs Scheidler <bazsi@balabit.hu>
Cc: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2011-02-17 11:32:38 +01:00
..
ipv4 netfilter: nf_ct_icmp: keep the ICMP ct entries longer 2009-06-08 15:53:43 +02:00
ipv6 netfilter: fix compilation when conntrack is disabled but tproxy is enabled 2011-01-12 20:25:08 +01:00
nf_conntrack_acct.h netfilter: xt_connbytes: Force CT accounting to be enabled 2010-06-25 14:44:07 +02:00
nf_conntrack_core.h netfilter: nf_conntrack: IPS_UNTRACKED bit 2010-06-08 16:09:52 +02:00
nf_conntrack_ecache.h netfilter: ecache: always set events bits, filter them later 2011-02-01 16:06:30 +01:00
nf_conntrack_expect.h netfilter: ctnetlink: add expectation deletion events 2010-10-19 10:19:06 +02:00
nf_conntrack_extend.h netfilter: nf_conntrack_extend: introduce __nf_ct_ext_exist() 2010-08-02 17:06:19 +02:00
nf_conntrack_helper.h netfilter: xtables: add CT target 2010-02-03 17:17:06 +01:00
nf_conntrack_l3proto.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
nf_conntrack_l4proto.h netfilter: nf_conntrack: pass template to l4proto ->error() handler 2010-02-15 17:45:08 +01:00
nf_conntrack_tuple.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
nf_conntrack_zones.h netfilter: nf_defrag_ipv4: fix compilation error with NF_CONNTRACK=n 2010-02-18 19:04:44 +01:00
nf_conntrack.h netfilter: fix the race when initializing nf_ct_expect_hash_rnd 2011-01-06 11:22:20 -08:00
nf_log.h netfilter: use a linked list of loggers 2009-03-16 14:54:21 +01:00
nf_nat_core.h netfilter: nfnetlink: constify message attributes and headers 2009-08-25 16:07:58 +02:00
nf_nat_helper.h netfilter: nf_nat: support mangling a single TCP packet multiple times 2010-02-11 12:27:09 +01:00
nf_nat_protocol.h netfilter: nf_nat: make find/put static 2010-10-04 20:53:18 +02:00
nf_nat_rule.h netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN 2010-06-17 06:12:26 +02:00
nf_nat.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
nf_queue.h netfilter: Use unsigned types for hooknum and pf vars 2008-10-08 11:35:00 +02:00
nf_tproxy_core.h netfilter: tproxy: do not assign timewait sockets to skb->sk 2011-02-17 11:32:38 +01:00
nfnetlink_log.h nfnetlink_log: do not expose NFULNL_COPY_DISABLED to user-space 2010-07-15 11:27:41 +02:00
xt_log.h netfilter: add missing xt_log.h file 2010-10-04 23:24:21 +02:00
xt_rateest.h Merge branch 'master' of /repos/git/net-next-2.6 2010-06-15 17:31:06 +02:00