kernel-fxtec-pro1x/net/ipv6
Tan Hu 8ddec6aaad netfilter: masquerade: don't flush all conntracks if only one address deleted on device
[ Upstream commit 097f95d319f817e651bd51f8846aced92a55a6a1 ]

We configured iptables as below, which only allowed incoming data on
established connections:

iptables -t mangle -A PREROUTING -m state --state ESTABLISHED -j ACCEPT
iptables -t mangle -P PREROUTING DROP

When deleting a secondary address, the current masquerade implementation would
flush all conntracks on this device. All the established connections on
the primary address would also be deleted, then subsequent incoming data on the
connections would be dropped wrongly because it was identified as a NEW
connection.

So when an address was deleted, it should only flush connections related
to the address.

Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-11-20 18:47:52 +01:00
..
ila ila: Fix rhashtable walker list corruption 2019-04-03 06:26:18 +02:00
netfilter netfilter: masquerade: don't flush all conntracks if only one address deleted on device 2019-11-20 18:47:52 +01:00
addrconf.c ipv6: Handle missing host route in __ipv6_ifa_notify 2019-10-07 18:57:21 +02:00
addrconf_core.c
addrlabel.c
af_inet6.c
ah6.c
anycast.c
calipso.c
datagram.c udp: correct reuseport selection with connected sockets 2019-09-21 07:16:43 +02:00
esp6.c esp: Skip TX bytes accounting when sending from a request socket 2019-03-23 20:09:48 +01:00
esp6_offload.c
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c
fou6.c
icmp.c
inet6_connection_sock.c
inet6_hashtables.c net: annotate accesses to sk->sk_incoming_cpu 2019-11-10 11:27:38 +01:00
ip6_checksum.c
ip6_fib.c ipv6: Unlink sibling route in case of failure 2019-07-28 08:29:24 +02:00
ip6_flowlabel.c ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero 2019-06-22 08:15:13 +02:00
ip6_gre.c erspan: fix the tun_info options_len check for erspan 2019-11-10 11:27:37 +01:00
ip6_icmp.c
ip6_input.c net: ipv6: fix listify ip6_rcv_finish in case of forwarding 2019-10-29 09:19:42 +01:00
ip6_offload.c
ip6_offload.h
ip6_output.c ipv6: Fix dangling pointer when ipv6 fragment 2019-04-17 08:38:40 +02:00
ip6_tunnel.c ip6_tunnel: fix possible use-after-free on xmit 2019-08-09 17:52:30 +02:00
ip6_udp_tunnel.c
ip6_vti.c
ip6mr.c ip6mr: Do not call __IP6_INC_STATS() from preemptible context 2019-03-10 07:17:16 +01:00
ipcomp6.c
ipv6_sockglue.c
Kconfig
Makefile
mcast.c mld: fix memory leak in mld_del_delrec() 2019-09-10 10:33:38 +01:00
mcast_snoop.c
mip6.c
ndisc.c
netfilter.c netfilter: ipv6: Don't preserve original oif for loopback address 2019-02-27 10:09:03 +01:00
output_core.c inet: switch IP ID generator to siphash 2019-06-04 08:02:30 +02:00
ping.c ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' 2019-09-19 09:09:28 +02:00
proc.c
protocol.c
raw.c ipv6: fix EFAULT on sendto with icmpv6 and hdrincl 2019-06-11 12:20:50 +02:00
reassembly.c net: IP6 defrag: use rbtrees for IPv6 defrag 2019-04-27 09:36:33 +02:00
route.c ipv6: fixes rt6_probe() and fib6_nh->last_probe init 2019-11-12 19:20:33 +01:00
seg6.c ipv6: propagate genlmsg_reply return code 2019-02-27 10:08:58 +01:00
seg6_hmac.c
seg6_iptunnel.c
seg6_local.c
sit.c vrf: sit mtu should not be updated when vrf netdev is the link 2019-05-16 19:41:30 +02:00
syncookies.c
sysctl_net_ipv6.c
tcp_ipv6.c tcp: do not use ipv6 header for ipv4 flow 2019-04-03 06:26:18 +02:00
tcpv6_offload.c
tunnel6.c
udp.c net: annotate accesses to sk->sk_incoming_cpu 2019-11-10 11:27:38 +01:00
udp_impl.h
udp_offload.c
udplite.c
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm: clean up xfrm protocol checks 2019-05-25 18:23:41 +02:00