netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH nf] netfilter: nat: fix src map lookup
@ 2017-07-07 11:07 Florian Westphal
  2017-07-17 15:07 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2017-07-07 11:07 UTC (permalink / raw)
  To: netfilter-devel; +Cc: jaco, Florian Westphal

When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().

When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.

We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.

This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.

Fixes: 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon <jaco@uls.co.za>
Tested-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_nat_core.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 832c5a0..eb54178 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -222,20 +222,21 @@ find_appropriate_src(struct net *net,
 		.tuple = tuple,
 		.zone = zone
 	};
-	struct rhlist_head *hl;
+	struct rhlist_head *hl, *h;
 
 	hl = rhltable_lookup(&nf_nat_bysource_table, &key,
 			     nf_nat_bysource_params);
-	if (!hl)
-		return 0;
 
-	ct = container_of(hl, typeof(*ct), nat_bysource);
+	rhl_for_each_entry_rcu(ct, h, hl, nat_bysource) {
+		nf_ct_invert_tuplepr(result,
+				     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
+		result->dst = tuple->dst;
 
-	nf_ct_invert_tuplepr(result,
-			     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-	result->dst = tuple->dst;
+		if (in_range(l3proto, l4proto, result, range))
+			return 1;
+	}
 
-	return in_range(l3proto, l4proto, result, range);
+	return 0;
 }
 
 /* For [FUTURE] fragmentation handling, we want the least-used
-- 
2.9.4


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH nf] netfilter: nat: fix src map lookup
  2017-07-07 11:07 [PATCH nf] netfilter: nat: fix src map lookup Florian Westphal
@ 2017-07-17 15:07 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-17 15:07 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel, jaco

On Fri, Jul 07, 2017 at 01:07:17PM +0200, Florian Westphal wrote:
> When doing initial conversion to rhashtable I replaced the bucket
> walk with a single rhashtable_lookup_fast().
> 
> When moving to rhlist I failed to properly walk the list of identical
> tuples, but that is what is needed for this to work correctly.
> The table contains the original tuples, so the reply tuples are all
> distinct.
> 
> We currently decide that mapping is (not) in range only based on the
> first entry, but in case its not we need to try the reply tuple of the
> next entry until we either find an in-range mapping or we checked
> all the entries.
> 
> This bug makes nat core attempt collision resolution while it might be
> able to use the mapping as-is.

Also applied, thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-07-17 15:08 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-07 11:07 [PATCH nf] netfilter: nat: fix src map lookup Florian Westphal
2017-07-17 15:07 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).