| From 87e94dbc210a720a34be5c1174faee5c84be963e Mon Sep 17 00:00:00 2001 |
| From: Eric Leblond <eric@regit.org> |
| Date: Thu, 11 May 2017 18:56:38 +0200 |
| Subject: netfilter: synproxy: fix conntrackd interaction |
| |
| From: Eric Leblond <eric@regit.org> |
| |
| commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream. |
| |
| This patch fixes the creation of a connection tracking entry via |
| netlink when synproxy is used. It was missing the addition of |
| the seqadj and synproxy extensions. |
| |
| This was causing kernel crashes when a conntrack entry created by |
| conntrackd was used after the switch of traffic from active node |
| to the passive node. |
| |
| Signed-off-by: Eric Leblond <eric@regit.org> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/netfilter/nf_conntrack_netlink.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/net/netfilter/nf_conntrack_netlink.c |
| +++ b/net/netfilter/nf_conntrack_netlink.c |
| @@ -45,6 +45,8 @@ |
| #include <net/netfilter/nf_conntrack_zones.h> |
| #include <net/netfilter/nf_conntrack_timestamp.h> |
| #include <net/netfilter/nf_conntrack_labels.h> |
| +#include <net/netfilter/nf_conntrack_seqadj.h> |
| +#include <net/netfilter/nf_conntrack_synproxy.h> |
| #ifdef CONFIG_NF_NAT_NEEDED |
| #include <net/netfilter/nf_nat_core.h> |
| #include <net/netfilter/nf_nat_l4proto.h> |
| @@ -1688,6 +1690,8 @@ ctnetlink_create_conntrack(struct net *n |
| nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); |
| nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); |
| nf_ct_labels_ext_add(ct); |
| + nfct_seqadj_ext_add(ct); |
| + nfct_synproxy_ext_add(ct); |
| |
| /* we must add conntrack extensions before confirmation. */ |
| ct->status |= IPS_CONFIRMED; |
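Review bot: The return values of `nfct_seqadj_ext_add(ct)` and `nfct_synproxy_ext_add(ct)` are discarded, so if either atomic extension allocation fails the entry is still confirmed two lines later without the extension it needs, which is the same class of later NULL dereference this commit is fixing, unless every seqadj/synproxy consumer NULL-checks the extension (not verifiable from this hunk). The surrounding `*_ext_add` calls already ignore their results, so this follows file style, but these two extensions are the ones the commit message ties to a crash, so a check is worth considering: `if (!nfct_seqadj_ext_add(ct) || !nfct_synproxy_ext_add(ct)) { err = -ENOMEM; goto <cleanup label>; }`, using whatever error path ctnetlink_create_conntrack already has for the earlier allocations (its body starts and ends outside this hunk, so the label and `err` variable are not visible here). Separately, both extensions are now added to every netlink-created conntrack unconditionally, whereas the in-kernel creation path presumably adds them only when a synproxy template is involved; a short comment such as `/* netlink has no template to tell us whether synproxy applies, so always reserve seqadj+synproxy */` would record why that is deliberate.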