Commit 36eae095 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Florian Westphal
Browse files

netfilter: nft_ct: drop pending enqueued packets on removal 



Packets sitting in nfqueue might hold a reference to:

- templates that specify the conntrack zone, because a percpu area is
  used and module removal is possible.
- conntrack timeout policies and helper, where object removal leave
  a stale reference.

Since these objects can just go away, drop enqueued packets to avoid
stale reference to them.

If there is a need for finer grain removal, this logic can be revisited
to make selective packet drop upon dependencies.

Fixes: 7e0b2b57 ("netfilter: nft_ct: add ct timeout support")
Reported-by: default avatarYiming Qian <yimingqian591@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
parent 0548a13b

net/netfilter/nft_ct.c

+4 −0
Original line number Diff line number Diff line
@@ -23,6 +23,7 @@ 
#include <net/netfilter/nf_conntrack_l4proto.h>

#include <net/netfilter/nf_conntrack_expect.h>

#include <net/netfilter/nf_conntrack_seqadj.h>

#include "nf_internals.h"



struct nft_ct_helper_obj  {

	struct nf_conntrack_helper *helper4;
@@ -543,6 +544,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) 
#endif

#ifdef CONFIG_NF_CONNTRACK_ZONES

	case NFT_CT_ZONE:

		nf_queue_nf_hook_drop(ctx->net);

		mutex_lock(&nft_ct_pcpu_mutex);

		if (--nft_ct_pcpu_template_refcnt == 0)

			nft_ct_tmpl_put_pcpu();
@@ -1015,6 +1017,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, 
	struct nft_ct_timeout_obj *priv = nft_obj_data(obj);

	struct nf_ct_timeout *timeout = priv->timeout;



	nf_queue_nf_hook_drop(ctx->net);

	nf_ct_untimeout(ctx->net, timeout);

	nf_ct_netns_put(ctx->net, ctx->family);

	kfree(priv->timeout);
@@ -1147,6 +1150,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, 
{

	struct nft_ct_helper_obj *priv = nft_obj_data(obj);



	nf_queue_nf_hook_drop(ctx->net);

	if (priv->helper4)

		nf_conntrack_helper_put(priv->helper4);

	if (priv->helper6)