| From 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 Mon Sep 17 00:00:00 2001 |
| From: Joe Stringer <joestringer@nicira.com> |
| Date: Tue, 21 Jul 2015 21:37:31 -0700 |
| Subject: netfilter: nf_conntrack: Support expectations in different zones |
| |
| From: Joe Stringer <joestringer@nicira.com> |
| |
| commit 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 upstream. |
| |
| When zones were originally introduced, the expectation functions were |
| all extended to perform lookup using the zone. However, insertion was |
| not modified to check the zone. This means that two expectations which |
| are intended to apply for different connections that have the same tuple |
| but exist in different zones cannot both be tracked. |
| |
| Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones") |
| Signed-off-by: Joe Stringer <joestringer@nicira.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/netfilter/nf_conntrack_expect.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/net/netfilter/nf_conntrack_expect.c |
| +++ b/net/netfilter/nf_conntrack_expect.c |
| @@ -202,7 +202,8 @@ static inline int expect_clash(const str |
| a->mask.src.u3.all[count] & b->mask.src.u3.all[count]; |
| } |
| |
| - return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask); |
| + return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) && |
| + nf_ct_zone(a->master) == nf_ct_zone(b->master); |
| } |
| |
| static inline int expect_matches(const struct nf_conntrack_expect *a, |
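Review bot: The zone comparison added on the new return line is the cheap test but runs last, after the per-word mask intersection loop above it has already executed; a short comment would also help, since the name expect_clash does not say why two expectations with an identical tuple can coexist. I would add `/* Equal tuples in different zones belong to different connections and never clash. */` above the return, and consider an early `if (nf_ct_zone(a->master) != nf_ct_zone(b->master)) return 0;` at the top of the function so the mask loop is skipped for cross-zone pairs. expect_clash's body begins outside this hunk, and expect_matches, which starts on the hunk's last line, continues past it, so whether that helper needs the same zone check cannot be seen here.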