Three bugs in nf_conncount are fixed by this patch series.

The first patch fixes an inconsistent lock state in conn_free().
conn_free() is called in both BH and process context, so
spin_lock_bh() should be used.

The second patch fixes an unsafe locking scenario of a list element.
conn_free() can't protect against double deletion of a list element,
so a dead flag is added.

The third patch fixes an unexpected permanent node of the list.
A node of the nf_conncount list should be removed by GC, but that never
happened, because the initial count value is 1 and it never reaches zero,
so GC doesn't remove it.

Common test commands:
   %nft add table ip filter
   %nft add chain ip filter input { type filter hook input priority 0\; }
   %nft add rule filter input meter test { ip saddr ct count over 2 } \
	counter

v2:
 - Use spin_lock_bh() in nf_conncount_add() (Pablo Neira Ayuso)
 - Add Third patch.
v1: Initial patch

Taehee Yoo (3):
  netfilter: nf_conncount: use spin_lock_bh instead of spin_lock
  netfilter: nf_conncount: fix list_del corruption in conn_free
  netfilter: nf_conncount: fix unexpected permanent node of list.

 net/netfilter/nf_conncount.c | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

-- 
2.17.1