www.infradead.org Git - users/dwmw2/linux.git/commit
netfilter: ctnetlink: don't use conntrack/expect object addresses as id
author Florian Westphal <fw@strlen.de>
Mon, 1 Apr 2019 11:08:54 +0000 (13:08 +0200)
committer Ben Hutchings <ben@decadent.org.uk>
Tue, 13 Aug 2019 11:39:32 +0000 (12:39 +0100)
commit 3d8b3d0384f709126beef6b917b7e97c23f18e74
tree ccdc90959be96989c08f494f6b2930ad7fe1573c
parent 9ebeec41ed3f52fd94267f25f8b9bf3f4cbf1e4e
netfilter: ctnetlink: don't use conntrack/expect object addresses as id

commit 3c79107631db1f7fd32cf3f7368e4672004a3010 upstream.

else, we leak the addresses to userspace via ctnetlink events
and dumps.

Compute an ID on demand based on the immutable parts of nf_conn struct.

Another advantage compared to using an address is that there is no
immediate re-use of the same ID in case the conntrack entry is freed and
reallocated again immediately.

Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID")
Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16:
 - Include <net/netns/hash.h> in nf_conntrack_core.c
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
include/net/netfilter/nf_conntrack.h
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_netlink.c
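The commit message above names both patterns (object address as the userspace-visible id versus an id computed from immutable fields) but the page shows no code. The following is an added userspace C example, not the kernel's code and not this commit's diff, contrasting the two; the struct layout, the FNV-1a stand-in hash and the fixed key value are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a tracked connection: the tuple never changes for
 * the entry's lifetime, the packet counter changes constantly. */
struct conn_tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
struct conn { struct conn_tuple tuple; uint64_t packets; };

/* Pattern the commit removes: the object's address is the id handed to
 * userspace, so every event or dump discloses a kernel heap pointer, and a
 * slot freed and reallocated at once yields the same id again. */
static uint32_t id_from_address(const struct conn *c, uint64_t key)
{
    (void)key;                        /* the address alone is the id */
    return (uint32_t)(uintptr_t)c;
}

/* FNV-1a over a byte range, carrying the running state in h. */
static uint64_t fnv1a_feed(uint64_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    while (len--) { h ^= *p++; h *= 0x100000001b3ULL; }
    return h;
}

/* Pattern the commit moves to: derive the id from the immutable tuple mixed
 * with a secret key chosen once (constructed: the caller passes it). FNV-1a
 * is a brevity stand-in; real code would use a purpose-built keyed hash
 * (SipHash) so ids cannot be inverted. Fields are fed singly to skip padding. */
static uint32_t id_from_tuple(const struct conn *c, uint64_t key)
{
    const struct conn_tuple *t = &c->tuple;
    uint64_t h = 0xcbf29ce484222325ULL ^ key;   /* FNV offset basis, keyed */
    h = fnv1a_feed(h, &t->src_ip, sizeof t->src_ip);
    h = fnv1a_feed(h, &t->dst_ip, sizeof t->dst_ip);
    h = fnv1a_feed(h, &t->src_port, sizeof t->src_port);
    h = fnv1a_feed(h, &t->dst_port, sizeof t->dst_port);
    h = fnv1a_feed(h, &t->proto, sizeof t->proto);
    return (uint32_t)h;
}

/* Simulates "entry freed, slot reused by a different flow" and returns 1 when
 * the given id function hands the new occupant the old id. */
static int id_reused_after_realloc(uint32_t (*id)(const struct conn *, uint64_t),
                                   uint64_t key)
{
    struct conn c = { { 0x0a000001, 0x0a000002, 40000, 443, 6 }, 0 };
    uint32_t before = id(&c, key);
    c.tuple.proto = 17;               /* same slot, now a UDP flow */
    return id(&c, key) == before;
}
```

With a tuple-only hash the same flow recreated later receives the same id again; which inputs the kernel's own id function hashes is not shown on this page.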