[Devel,2/2] net: Do not allow conntrack if netlink conntrack is requested

Submitted by Kirill Tkhai on Oct. 3, 2016, 2:16 p.m.

Details

Message ID 147550419315.32608.3904762921476330548.stgit@localhost.localdomain
State New
Series "Series without cover letter"

Commit Message

Kirill Tkhai Oct. 3, 2016, 2:16 p.m.
The scheme with allowing conntracks suggests to allow conntrack
only after a rule is inserted. But this place is not inserting
a rule, it's a manual conntrack creation.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 net/netfilter/nf_conntrack_netlink.c |    1 -
 1 file changed, 1 deletion(-)


diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index aad05a0..d6b6465 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1617,7 +1617,6 @@  ctnetlink_create_conntrack(struct net *net, u16 zone,
 	struct nf_conntrack_helper *helper;
 	struct nf_conn_tstamp *tstamp;
 
-	allow_conntrack_allocation(net);
 	ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
 	if (IS_ERR(ct))
 		return ERR_PTR(-ENOMEM);
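Review bot: with allow_conntrack_allocation(net) dropped from ctnetlink_create_conntrack(), a netlink create request that arrives before any rule has enabled allocation will now fail inside nf_conntrack_alloc(), and the error path directly below it collapses every IS_ERR(ct) into `return ERR_PTR(-ENOMEM);`, so userspace will be told it ran out of memory when the request was actually refused by policy. Consider propagating the error from nf_conntrack_alloc() instead (for example `return ERR_CAST(ct);`) so the not-yet-allowed case is distinguishable from a real allocation failure, and stating in the commit message that manual conntrack creation via netlink is now expected to be rejected until a rule has been inserted, since that is a user-visible behaviour change.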

Comments

Pavel Tikhomirov Oct. 3, 2016, 4:13 p.m.
On 10/03/2016 05:16 PM, Kirill Tkhai wrote:
> The scheme with allowing conntracks suggests to allow conntrack
> only after a rule is inserted. But this place is not inserting
> a rule, it's a manual conntrack creation.
>
> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>

Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>

> ---
>  net/netfilter/nf_conntrack_netlink.c |    1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index aad05a0..d6b6465 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1617,7 +1617,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
>  	struct nf_conntrack_helper *helper;
>  	struct nf_conn_tstamp *tstamp;
>
> -	allow_conntrack_allocation(net);
>  	ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
>  	if (IS_ERR(ct))
>  		return ERR_PTR(-ENOMEM);
>