From: Dirk Morris <dmorris@metaloft.com>
Date: Thu, 8 Aug 2019 13:57:51 -0700
Subject: netfilter: conntrack: Use consistent ct id hash calculation
Origin: https://git.kernel.org/linus/656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a
Change ct id hash calculation to only use invariants.
Currently the ct id hash calculation is based on some fields that can
change in the lifetime on a conntrack entry in some corner cases. The
current hash uses the whole tuple which contains an hlist pointer which
will change when the conntrack is placed on the dying list resulting in
a ct id change.
This patch also removes the reply-side tuple and extension pointer from
the hash calculation so that the ct id will not change from
initialization until confirmation.
Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
Signed-off-by: Dirk Morris <dmorris@metaloft.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
|
|
index a542761e90d1..81a8ef42b88d 100644
|
|
--- a/net/netfilter/nf_conntrack_core.c
|
|
+++ b/net/netfilter/nf_conntrack_core.c
|
|
@@ -453,13 +453,12 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
|
|
* table location, we assume id gets exposed to userspace.
|
|
*
|
|
* Following nf_conn items do not change throughout lifetime
|
|
- * of the nf_conn after it has been committed to main hash table:
|
|
+ * of the nf_conn:
|
|
*
|
|
* 1. nf_conn address
|
|
- * 2. nf_conn->ext address
|
|
- * 3. nf_conn->master address (normally NULL)
|
|
- * 4. tuple
|
|
- * 5. the associated net namespace
|
|
+ * 2. nf_conn->master address (normally NULL)
|
|
+ * 3. the associated net namespace
|
|
+ * 4. the original direction tuple
|
|
*/
|
|
u32 nf_ct_get_id(const struct nf_conn *ct)
|
|
{
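Review bot: The rewritten invariant list says what is hashed but not why the two inputs this patch drops were unsafe, so the next reader may be tempted to add the reply tuple or ct->ext back "for more entropy". The commit message carries the reasoning — both can change between allocation and confirmation, and the tuplehash embeds an hlist pointer that moves when the entry goes on the dying list — and it belongs in the comment, e.g. after item 4: ` * Deliberately excluded: the reply-direction tuple and ct->ext (both may change before confirmation) and the hlist pointers embedded in tuplehash (change when the entry moves to the dying list).` The function body continues in the next hunk and past the end of it.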
|
|
@@ -469,9 +468,10 @@ u32 nf_ct_get_id(const struct nf_conn *ct)
|
|
net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
|
|
|
|
a = (unsigned long)ct;
|
|
- b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
|
|
- c = (unsigned long)ct->ext;
|
|
- d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
|
|
+ b = (unsigned long)ct->master;
|
|
+ c = (unsigned long)nf_ct_net(ct);
|
|
+ d = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
|
|
+ sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
|
|
&ct_id_seed);
|
|
#ifdef CONFIG_64BIT
|
|
return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
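Review bot: With `net_hash_mix()` replaced by the raw `nf_ct_net(ct)` pointer, every one of a, b and c is now a kernel address, and the only thing keeping them out of an id the header comment says is exposed to userspace is that `ct_id_seed` stays secret and is initialised before use; that dependency is worth stating at the point the inputs are assembled, e.g. above `a = (unsigned long)ct;`: `/* a, b, c are kernel pointers: they must only ever reach userspace through siphash keyed with ct_id_seed, never directly. */`. The `(unsigned long)` cast on `d` keeps the pre-existing truncation of the 64-bit siphash result on 32-bit builds; that is presumably fine for the `siphash_4u32` path below but the non-CONFIG_64BIT branch lies outside this hunk, so I could not confirm it. nf_ct_get_id continues past the end of the hunk.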
|