linux/net
Jarno Rajahalme cf5d709188 openvswitch: Delete conntrack entry clashing with an expectation.
Conntrack helpers do not check for a potentially clashing conntrack
entry when creating a new expectation.  Also, nf_conntrack_in() will
check expectations (via init_conntrack()) only if a conntrack entry
can not be found.  The expectation for a packet which also matches an
existing conntrack entry will not be removed by conntrack, and is
currently handled inconsistently by OVS, as OVS expects the
expectation to be removed when the connection tracking entry matching
that expectation is confirmed.

It should be noted that normally an IP stack would not allow reuse of
a 5-tuple of an old (possibly lingering) connection for a new data
connection, so this is a somewhat unlikely corner case.  However, it is
possible that a misbehaving source could cause conntrack entries to be
created that could then interfere with new related connections.

Fix this in the OVS module by deleting the clashing conntrack entry
after an expectation has been matched.  This causes the following
nf_conntrack_in() call to also find the expectation and remove it when
creating the new conntrack entry, as well as the forthcoming reply
direction packets to match the new related connection instead of the
old clashing conntrack entry.

Fixes: 7f8a436eaa ("openvswitch: Add conntrack action")
Reported-by: Yang Song <yangsong@vmware.com>
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-04-24 20:04:41 +02:00
6lowpan 6lowpan: use rb_entry() 2017-01-22 16:46:13 -05:00
9p Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-03-03 21:44:35 -08:00
802 Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
8021q net: remove ndo_neigh_{construct, destroy} from stacked devices 2017-02-06 11:25:57 -05:00
appletalk lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
atm net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
ax25 net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
batman-adv Here are two batman-adv bugfixes: 2017-03-16 12:05:38 -07:00
bluetooth net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
bridge bridge: netlink: register netdevice before executing changelink 2017-04-11 22:22:44 -04:00
caif sched/headers: Prepare for new header dependencies before moving code to <linux/sched/signal.h> 2017-03-02 08:42:29 +01:00
can can: bcm: fix hrtimer/tasklet termination in bcm op removal 2017-01-30 11:05:04 +01:00
ceph libceph: force GFP_NOIO for socket allocations 2017-03-23 12:03:36 +01:00
core netpoll: Check for skb->queue_mapping 2017-04-21 15:45:19 -04:00
dcb net: dcb: set error code on failures 2016-12-03 23:54:25 -05:00
dccp dccp: fix memory leak during tear-down of unsuccessful connection request 2017-03-13 22:00:42 -07:00
decnet net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
dns_resolver Merge branch 'WIP.sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-03-03 10:16:38 -08:00
dsa Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-02-11 02:31:11 -05:00
ethernet Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-02-16 21:25:49 -05:00
hsr net/hsr: use eth_hw_addr_random() 2017-02-21 13:25:22 -05:00
ieee802154 lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
ife net: Introduce ife encapsulation module 2017-02-03 15:16:45 -05:00
ipv4 net-timestamp: avoid use-after-free in ip_recv_error 2017-04-17 12:59:22 -04:00
ipv6 ip6mr: fix notification device destruction 2017-04-21 15:35:47 -04:00
ipx ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
irda net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
iucv net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
kcm kcm: return immediately after copy_from_user() failure 2017-03-24 13:13:53 -07:00
key af_key: Fix sadb_x_ipsecrequest parsing 2017-04-18 08:26:03 +02:00
l2tp l2tp: don't mask errors in pppol2tp_getsockopt() 2017-04-08 08:29:04 -07:00
l3mdev
lapb Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
llc net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
mac80211 mac80211: reject ToDS broadcast data frames 2017-04-20 15:37:46 -04:00
mac802154 sched/headers: Prepare to use <linux/rcuupdate.h> instead of <linux/rculist.h> in <linux/sched.h> 2017-03-02 08:42:38 +01:00
mpls net: mpls: Fix nexthop alive tracking on down events 2017-03-16 20:22:18 -07:00
ncsi net/ncsi: Improve HNCDSC AEN handler 2016-10-20 11:23:08 -04:00
netfilter netfilter: xt_CT: fix refcnt leak on error path 2017-04-24 20:03:01 +02:00
netlabel netlabel: add CALIPSO to the list of built-in protocols 2017-01-06 22:20:45 -05:00
netlink genetlink: fix counting regression on ctrl_dumpfamily() 2017-03-22 15:38:43 -07:00
netrom net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
nfc net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
openvswitch openvswitch: Delete conntrack entry clashing with an expectation. 2017-04-24 20:04:41 +02:00
packet net/packet: fix overflow in check for tp_reserve 2017-03-30 11:04:00 -07:00
phonet net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
psample net: Introduce psample, a new genetlink channel for packet sampling 2017-01-24 13:44:28 -05:00
qrtr net: qrtr: potential use after free in qrtr_sendmsg() 2017-04-21 15:19:27 -04:00
rds net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
rfkill rfkill: remove rfkill-regulator 2017-01-24 11:07:35 +01:00
rose net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
rxrpc rxrpc: Ignore BUSY packets on old calls 2017-03-16 21:27:57 -07:00
sched net sched actions: allocate act cookie early 2017-04-20 16:32:07 -04:00
sctp sctp: listen on the sock only when it's state is listening or closed 2017-04-06 13:55:51 -07:00
smc net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
strparser strparser: destroy workqueue on module exit 2017-03-03 20:43:26 -08:00
sunrpc The restriction of NFSv4 to TCP went overboard and also broke the 2017-04-01 10:43:37 -07:00
switchdev Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-30 12:42:58 -04:00
tipc tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe 2017-03-22 11:59:16 -07:00
unix net: unix: properly re-increment inflight counter of GC discarded candidates 2017-03-21 15:25:10 -07:00
vmw_vsock vsock: cancel packets when failing to connect 2017-03-21 14:41:47 -07:00
wimax genetlink: mark families as __ro_after_init 2016-10-27 16:16:09 -04:00
wireless cfg80211: check rdev resume callback only for registered wiphy 2017-03-29 09:11:29 +02:00
x25 net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
xfrm Merge branch 'apw' (xfrm_user fixes) 2017-03-29 13:26:22 -07:00
compat.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-02-22 10:15:09 -08:00
Kconfig bpf: make jited programs visible in traces 2017-02-17 13:40:05 -05:00
Makefile net: Introduce ife encapsulation module 2017-02-03 15:16:45 -05:00
socket.c tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS 2017-03-21 18:44:17 -07:00
sysctl_net.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2016-10-06 09:52:23 -07:00