netfilter: conntrack: Use consistent ct id hash calculation
This fixes a regression in 4.19.44.
parent
00ee7f7173
commit
57f74f6573
|
@ -8,6 +8,8 @@ linux (4.19.67-2) UNRELEASED; urgency=medium
|
|||
* KVM: Ignore ABI changes
|
||||
* [ppc64el] Disable PPC_TRANSACTIONAL_MEM (Closes: #866122)
|
||||
* [ppc64el] Avoid ABI change for disabling TM
|
||||
* netfilter: conntrack: Use consistent ct id hash calculation
|
||||
(fixes regression in 4.19.44)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 21 Aug 2019 23:37:56 +0100
|
||||
|
||||
|
|
61
debian/patches/bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
|
@ -0,0 +1,61 @@
|
|||
From: Dirk Morris <dmorris@metaloft.com>
|
||||
Date: Thu, 8 Aug 2019 13:57:51 -0700
|
||||
Subject: netfilter: conntrack: Use consistent ct id hash calculation
|
||||
Origin: https://git.kernel.org/linus/656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a
|
||||
|
||||
Change ct id hash calculation to only use invariants.
|
||||
|
||||
Currently the ct id hash calculation is based on some fields that can
|
||||
change in the lifetime on a conntrack entry in some corner cases. The
|
||||
current hash uses the whole tuple which contains an hlist pointer which
|
||||
will change when the conntrack is placed on the dying list resulting in
|
||||
a ct id change.
|
||||
|
||||
This patch also removes the reply-side tuple and extension pointer from
|
||||
the hash calculation so that the ct id will will not change from
|
||||
initialization until confirmation.
|
||||
|
||||
Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
|
||||
Signed-off-by: Dirk Morris <dmorris@metaloft.com>
|
||||
Acked-by: Florian Westphal <fw@strlen.de>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/netfilter/nf_conntrack_core.c | 16 ++++++++--------
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
|
||||
index a542761e90d1..81a8ef42b88d 100644
|
||||
--- a/net/netfilter/nf_conntrack_core.c
|
||||
+++ b/net/netfilter/nf_conntrack_core.c
|
||||
@@ -453,13 +453,12 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
|
||||
* table location, we assume id gets exposed to userspace.
|
||||
*
|
||||
* Following nf_conn items do not change throughout lifetime
|
||||
- * of the nf_conn after it has been committed to main hash table:
|
||||
+ * of the nf_conn:
|
||||
*
|
||||
* 1. nf_conn address
|
||||
- * 2. nf_conn->ext address
|
||||
- * 3. nf_conn->master address (normally NULL)
|
||||
- * 4. tuple
|
||||
- * 5. the associated net namespace
|
||||
+ * 2. nf_conn->master address (normally NULL)
|
||||
+ * 3. the associated net namespace
|
||||
+ * 4. the original direction tuple
|
||||
*/
|
||||
u32 nf_ct_get_id(const struct nf_conn *ct)
|
||||
{
|
||||
@@ -469,9 +468,10 @@ u32 nf_ct_get_id(const struct nf_conn *ct)
|
||||
net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
|
||||
|
||||
a = (unsigned long)ct;
|
||||
- b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
|
||||
- c = (unsigned long)ct->ext;
|
||||
- d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
|
||||
+ b = (unsigned long)ct->master;
|
||||
+ c = (unsigned long)nf_ct_net(ct);
|
||||
+ d = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
|
||||
+ sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
|
||||
&ct_id_seed);
|
||||
#ifdef CONFIG_64BIT
|
||||
return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
|
|
@ -160,6 +160,7 @@ features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
debian/ntfs-mark-it-as-broken.patch
|
||||
bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|