Florian Westphal d503b30bd6
netfilter: tproxy: do not assign timewait sockets to skb->sk ...
Assigning a socket in timewait state to skb->sk can trigger
kernel oops, e.g. in nfnetlink_log, which does:
if (skb->sk) {
read_lock_bh(&skb->sk->sk_callback_lock);
if (skb->sk->sk_socket && skb->sk->sk_socket->file) ...
in the timewait case, accessing sk->sk_callback_lock and sk->sk_socket
is invalid.
Either all of these spots will need to add a test for sk->sk_state != TCP_TIME_WAIT,
or xt_TPROXY must not assign a timewait socket to skb->sk.
This does the latter.
If a TW socket is found, assign the tproxy nfmark, but skip the skb->sk assignment,
thus mimicking behaviour of a '-m socket .. -j MARK/ACCEPT' re-routing rule.
The 'SYN to TW socket' case is left unchanged -- we try to redirect to the
listener socket.
Cc: Balazs Scheidler <bazsi@balabit.hu >
Cc: KOVACS Krisztian <hidden@balabit.hu >
Signed-off-by: Florian Westphal <fwestphal@astaro.com >
Signed-off-by: Patrick McHardy <kaber@trash.net >
2011-02-17 11:32:38 +01:00
2011-01-07 16:58:04 -08:00
2011-02-14 17:35:07 +01:00
2010-10-25 13:58:36 -07:00
2010-07-23 12:59:36 +02:00
2010-06-25 14:46:56 +02:00
2010-05-13 15:02:08 +02:00
2011-02-09 08:08:20 +01:00
2011-02-01 16:06:30 +01:00
2011-01-06 11:22:20 -08:00
2010-10-07 09:43:45 +02:00
2010-05-13 15:02:08 +02:00
2008-01-31 19:28:07 -08:00
2010-06-10 23:31:35 -07:00
2008-01-31 19:28:07 -08:00
2010-03-30 22:02:32 +09:00
2010-05-13 15:02:08 +02:00
2008-04-14 11:15:52 +02:00
2010-06-10 23:31:35 -07:00
2011-01-24 19:01:07 +01:00
2010-02-15 18:13:33 +01:00
2010-03-30 22:02:32 +09:00
2009-11-12 02:05:06 -08:00
2010-03-30 22:02:32 +09:00
2010-05-13 15:02:08 +02:00
2010-10-18 11:03:14 +02:00
2010-02-15 17:45:08 +01:00
2010-02-15 17:45:08 +01:00
2010-10-29 19:59:40 +02:00
2010-03-30 22:02:32 +09:00
2010-10-21 08:21:34 -07:00
2011-01-06 11:25:00 -08:00
2010-05-13 15:02:08 +02:00
2010-05-13 15:02:08 +02:00
2010-08-19 17:18:01 -07:00
2010-08-19 17:18:01 -07:00
2009-09-30 16:12:20 -07:00
2011-02-17 11:32:38 +01:00
2010-06-15 13:49:24 -07:00
2010-06-15 13:49:24 -07:00
2010-05-13 15:02:08 +02:00
2011-01-10 20:11:38 +01:00
2010-07-15 17:20:46 +02:00
2010-05-11 18:31:17 +02:00
2010-06-08 16:09:52 +02:00
2010-05-11 18:33:37 +02:00
2010-06-25 14:44:07 +02:00
2010-05-11 18:35:27 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:31:17 +02:00
2010-06-08 16:09:52 +02:00
2010-07-23 12:59:36 +02:00
2010-10-21 10:12:48 +11:00
2010-05-11 18:35:27 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:31:17 +02:00
2010-05-11 18:35:27 +02:00
2010-08-19 17:16:25 -07:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:31:17 +02:00
2010-06-22 08:13:31 +02:00
2011-01-24 21:35:36 +01:00
2010-10-04 21:00:42 +02:00
2010-05-11 18:31:17 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:35:27 +02:00
2010-05-11 18:31:17 +02:00
2010-05-11 18:31:17 +02:00
2010-06-08 16:09:52 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:33:37 +02:00
2010-07-23 14:07:47 +02:00
2010-05-11 18:33:37 +02:00
2010-06-11 18:37:08 -07:00
2010-05-11 18:33:37 +02:00
2010-10-15 15:53:27 +02:00
2010-02-10 17:50:47 +01:00
2010-06-09 14:47:40 +02:00
2010-10-21 10:12:48 +11:00
2011-02-17 11:32:38 +01:00
2010-06-08 16:09:52 +02:00
2010-06-01 12:00:41 +02:00
2010-05-11 18:33:37 +02:00
2010-05-11 18:35:27 +02:00
2010-06-15 11:56:19 -07:00
2010-05-11 18:31:17 +02:00
2010-05-11 18:35:27 +02:00
2010-11-17 12:27:45 -08:00
2010-05-13 15:16:27 +02:00
2011-02-17 11:32:38 +01:00
2010-05-11 18:31:17 +02:00
2010-05-11 18:33:37 +02:00
d503b30bd6