OpenWrt – Blame information for rev 3
?pathlinks?
Rev | Author | Line No. | Line |
---|---|---|---|
1 | office | 1 | From: Felix Fietkau <nbd@nbd.name> |
2 | Date: Wed, 13 Jun 2018 12:33:39 +0200 |
||
3 | Subject: [PATCH] netfilter: nf_flow_table: fix offloaded connection timeout |
||
4 | corner case |
||
5 | |||
6 | The full teardown of offloaded flows is deferred to a gc work item, |
||
7 | however processing of packets by netfilter needs to happen immediately |
||
8 | after a teardown is requested, because the conntrack state needs to be |
||
9 | fixed up. |
||
10 | |||
11 | Since the IPS_OFFLOAD_BIT is still kept until the teardown is complete, |
||
12 | the netfilter conntrack gc can accidentally bump the timeout of a |
||
13 | connection where offload was just stopped, causing a conntrack entry |
||
14 | leak. |
||
15 | |||
16 | Fix this by moving the conntrack timeout bumping from conntrack core to |
||
17 | the nf_flow_offload and add a check to prevent bogus timeout bumps. |
||
18 | |||
19 | Signed-off-by: Felix Fietkau <nbd@nbd.name> |
||
20 | --- |
||
21 | |||
22 | --- a/net/netfilter/nf_conntrack_core.c |
||
23 | +++ b/net/netfilter/nf_conntrack_core.c |
||
3 | office | 24 | @@ -978,18 +978,6 @@ static bool gc_worker_can_early_drop(con |
1 | office | 25 | return false; |
26 | } |
||
27 | |||
28 | -#define DAY (86400 * HZ) |
||
29 | - |
||
30 | -/* Set an arbitrary timeout large enough not to ever expire, this save |
||
31 | - * us a check for the IPS_OFFLOAD_BIT from the packet path via |
||
32 | - * nf_ct_is_expired(). |
||
33 | - */ |
||
34 | -static void nf_ct_offload_timeout(struct nf_conn *ct) |
||
35 | -{ |
||
36 | - if (nf_ct_expires(ct) < DAY / 2) |
||
37 | - ct->timeout = nfct_time_stamp + DAY; |
||
38 | -} |
||
39 | - |
||
40 | static void gc_worker(struct work_struct *work) |
||
41 | { |
||
42 | unsigned int min_interval = max(HZ / GC_MAX_BUCKETS_DIV, 1u); |
||
3 | office | 43 | @@ -1026,10 +1014,8 @@ static void gc_worker(struct work_struct |
1 | office | 44 | tmp = nf_ct_tuplehash_to_ctrack(h); |
45 | |||
46 | scanned++; |
||
47 | - if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) { |
||
48 | - nf_ct_offload_timeout(tmp); |
||
49 | + if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) |
||
50 | continue; |
||
51 | - } |
||
52 | |||
53 | if (nf_ct_is_expired(tmp)) { |
||
54 | nf_ct_gc_expired(tmp); |
||
55 | --- a/net/netfilter/nf_flow_table_core.c |
||
56 | +++ b/net/netfilter/nf_flow_table_core.c |
||
57 | @@ -185,8 +185,27 @@ static const struct rhashtable_params nf |
||
58 | .automatic_shrinking = true, |
||
59 | }; |
||
60 | |||
61 | +#define DAY (86400 * HZ) |
||
62 | + |
||
63 | +/* Set an arbitrary timeout large enough not to ever expire, this save |
||
64 | + * us a check for the IPS_OFFLOAD_BIT from the packet path via |
||
65 | + * nf_ct_is_expired(). |
||
66 | + */ |
||
67 | +static void nf_ct_offload_timeout(struct flow_offload *flow) |
||
68 | +{ |
||
69 | + struct flow_offload_entry *entry; |
||
70 | + struct nf_conn *ct; |
||
71 | + |
||
72 | + entry = container_of(flow, struct flow_offload_entry, flow); |
||
73 | + ct = entry->ct; |
||
74 | + |
||
75 | + if (nf_ct_expires(ct) < DAY / 2) |
||
76 | + ct->timeout = nfct_time_stamp + DAY; |
||
77 | +} |
||
78 | + |
||
79 | int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) |
||
80 | { |
||
81 | + nf_ct_offload_timeout(flow); |
||
82 | flow->timeout = (u32)jiffies; |
||
83 | |||
84 | rhashtable_insert_fast(&flow_table->rhashtable, |
||
85 | @@ -307,6 +326,8 @@ static int nf_flow_offload_gc_step(struc |
||
86 | rhashtable_walk_start(&hti); |
||
87 | |||
88 | while ((tuplehash = rhashtable_walk_next(&hti))) { |
||
89 | + bool teardown; |
||
90 | + |
||
91 | if (IS_ERR(tuplehash)) { |
||
92 | err = PTR_ERR(tuplehash); |
||
93 | if (err != -EAGAIN) |
||
94 | @@ -319,9 +340,13 @@ static int nf_flow_offload_gc_step(struc |
||
95 | |||
96 | flow = container_of(tuplehash, struct flow_offload, tuplehash[0]); |
||
97 | |||
98 | - if (nf_flow_has_expired(flow) || |
||
99 | - (flow->flags & (FLOW_OFFLOAD_DYING | |
||
100 | - FLOW_OFFLOAD_TEARDOWN))) |
||
101 | + teardown = flow->flags & (FLOW_OFFLOAD_DYING | |
||
102 | + FLOW_OFFLOAD_TEARDOWN); |
||
103 | + |
||
104 | + if (!teardown) |
||
105 | + nf_ct_offload_timeout(flow); |
||
106 | + |
||
107 | + if (nf_flow_has_expired(flow) || teardown) |
||
108 | flow_offload_del(flow_table, flow); |
||
109 | } |
||
110 | out: |