mirror of
https://github.com/torvalds/linux.git
synced 2024-12-03 09:31:26 +00:00
2954fe60e3
iptables/nftables support responding to tcp packets with tcp resets. The generated tcp reset packet passes through both output and postrouting netfilter hooks, but conntrack will never see them because the generated skb has its ->nfct pointer copied over from the packet that triggered the reset rule. If the reset rule is used for established connections, this may result in the conntrack entry to be around for a very long time (default timeout is 5 days). One way to avoid this would be to not copy the nf_conn pointer so that the rest packet passes through conntrack too. Problem is that output rules might not have the same conntrack zone setup as the prerouting ones, so its possible that the reset skb won't find the correct entry. Generating a template entry for the skb seems error prone as well. Add an explicit "closing" function that switches a confirmed conntrack entry to closed state and wire this up for tcp. If the entry isn't confirmed, no action is needed because the conntrack entry will never be committed to the table. Reported-by: Russel King <linux@armlinux.org.uk> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
---|---|---|
.. | ||
arp_tables.c | ||
arpt_mangle.c | ||
arptable_filter.c | ||
ip_tables.c | ||
ipt_ah.c | ||
ipt_ECN.c | ||
ipt_REJECT.c | ||
ipt_rpfilter.c | ||
ipt_SYNPROXY.c | ||
iptable_filter.c | ||
iptable_mangle.c | ||
iptable_nat.c | ||
iptable_raw.c | ||
iptable_security.c | ||
Kconfig | ||
Makefile | ||
nf_defrag_ipv4.c | ||
nf_dup_ipv4.c | ||
nf_nat_h323.c | ||
nf_nat_pptp.c | ||
nf_nat_snmp_basic_main.c | ||
nf_nat_snmp_basic.asn1 | ||
nf_reject_ipv4.c | ||
nf_socket_ipv4.c | ||
nf_tproxy_ipv4.c | ||
nft_dup_ipv4.c | ||
nft_fib_ipv4.c | ||
nft_reject_ipv4.c |