netfilter: handle NF_REPEAT from nf_conntrack_in()

NF_REPEAT is only needed from nf_conntrack_in() under a very specific case required by the TCP protocol tracker, we can handle this case without returning to the core hook path. Handling of NF_REPEAT from the nf_reinject() is left untouched. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: handle NF_REPEAT from nf_conntrack_in()
NF_REPEAT is only needed from nf_conntrack_in() under a very specific case required by the TCP protocol tracker, we can handle this case without returning to the core hook path. Handling of NF_REPEAT from the nf_reinject() is left untouched. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso
1 parent 26dfab7216
Showing 3 changed files with 8 additions and 13 deletions Side-by-side Diff
net/netfilter/core.c
net/netfilter/nf_conntrack_core.c
net/openvswitch/conntrack.c
@@ -322,8 +322,6 @@
 			if (ret == 0)
 				ret = -EPERM;
 			return ret;
-		case NF_REPEAT:
-			continue;
 		case NF_QUEUE:
 			ret = nf_queue(skb, state, &entry, verdict);
 			if (ret == 1 && entry)
@@ -1305,7 +1305,7 @@
 		if (skb->nfct)
 			goto out;
 	}
-
+repeat:
 	ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum,
 			       l3proto, l4proto, &set_reply, &ctinfo);
 	if (!ct) {
  
@@ -1345,11 +1345,12 @@
 		nf_conntrack_event_cache(IPCT_REPLY, ct);
 out:
 	if (tmpl) {
-		/* Special case: we have to repeat this hook, assign the
-		 * template again to this packet. We assume that this packet
-		 * has no conntrack assigned. This is used by nf_ct_tcp. */
+		/* Special case: TCP tracker reports an attempt to reopen a
+		 * closed/aborted connection. We have to go back and create a
+		 * fresh conntrack.
+		 */
 		if (ret == NF_REPEAT)
-			skb->nfct = (struct nf_conntrack *)tmpl;
+			goto repeat;
 		else
 			nf_ct_put(tmpl);
 	}
@@ -725,12 +725,8 @@
 			skb->nfctinfo = IP_CT_NEW;
 		}
  
-		/* Repeat if requested, see nf_iterate(). */
-		do {
-			err = nf_conntrack_in(net, info->family,
-					      NF_INET_PRE_ROUTING, skb);
-		} while (err == NF_REPEAT);
-
+		err = nf_conntrack_in(net, info->family,
+				      NF_INET_PRE_ROUTING, skb);
 		if (err != NF_ACCEPT)
 			return -ENOENT;
...	...	@@ -322,8 +322,6 @@
322	322	if (ret == 0)
323	323	ret = -EPERM;
324	324	return ret;
325		- case NF_REPEAT:
326		- continue;
327	325	case NF_QUEUE:
328	326	ret = nf_queue(skb, state, &entry, verdict);
329	327	if (ret == 1 && entry)
...	...	@@ -1305,7 +1305,7 @@
1305	1305	if (skb->nfct)
1306	1306	goto out;
1307	1307	}
1308		-
	1308	+repeat:
1309	1309	ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum,
1310	1310	l3proto, l4proto, &set_reply, &ctinfo);
1311	1311	if (!ct) {
1312	1312
...	...	@@ -1345,11 +1345,12 @@
1345	1345	nf_conntrack_event_cache(IPCT_REPLY, ct);
1346	1346	out:
1347	1347	if (tmpl) {
1348		- /* Special case: we have to repeat this hook, assign the
1349		- * template again to this packet. We assume that this packet
1350		- * has no conntrack assigned. This is used by nf_ct_tcp. */
	1348	+ /* Special case: TCP tracker reports an attempt to reopen a
	1349	+ * closed/aborted connection. We have to go back and create a
	1350	+ * fresh conntrack.
	1351	+ */
1351	1352	if (ret == NF_REPEAT)
1352		- skb->nfct = (struct nf_conntrack *)tmpl;
	1353	+ goto repeat;
1353	1354	else
1354	1355	nf_ct_put(tmpl);
1355	1356	}
...	...	@@ -725,12 +725,8 @@
725	725	skb->nfctinfo = IP_CT_NEW;
726	726	}
727	727
728		- /* Repeat if requested, see nf_iterate(). */
729		- do {
730		- err = nf_conntrack_in(net, info->family,
731		- NF_INET_PRE_ROUTING, skb);
732		- } while (err == NF_REPEAT);
733		-
	728	+ err = nf_conntrack_in(net, info->family,
	729	+ NF_INET_PRE_ROUTING, skb);
734	730	if (err != NF_ACCEPT)
735	731	return -ENOENT;
736	732