git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Mon, 1 Apr 2019 11:08:54 +0000 (13:08 +0200)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Wed, 14 Aug 2019 09:18:49 +0000 (11:18 +0200)
commit	00b947fe31f4d23890e11a7751a6db9c840882b2
tree	4eb3e044dbbeddd71d248047fad2c74f1ef51dad	tree
parent	20ec98fd1a9e846508b0dcd545e0cbf303b9614f	commit \| diff

netfilter: ctnetlink: don't use conntrack/expect object addresses as id

BugLink: https://bugs.launchpad.net/bugs/1838576
[ Upstream commit 3c79107631db1f7fd32cf3f7368e4672004a3010 ]

else, we leak the addresses to userspace via ctnetlink events
and dumps.

Compute an ID on demand based on the immutable parts of nf_conn struct.

Another advantage compared to using an address is that there is no
immediate re-use of the same ID in case the conntrack entry is freed and
reallocated again immediately.

Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID")
Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

include/net/netfilter/nf_conntrack.h		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_core.c		diff \| blob \| blame \| history
net/netfilter/nf_conntrack_netlink.c		diff \| blob \| blame \| history