Re: [PATCH] netfilter: masquerade: don't flush all conntracks if only one address deleted on device

From: Pablo Neira Ayuso
Date: Fri Sep 28 2018 - 08:22:19 EST

Next message: Jarkko Sakkinen: "Re: [PATCH v14 09/19] x86/mm: x86/sgx: Signal SEGV_SGXERR for #PFs w/ PF_SGX"
Previous message: Will Deacon: "Re: [PATCH v8 5/7] iommu/arm-smmu-v3: Add support for non-strict mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Sep 07, 2018 at 04:33:33PM +0800, Tan Hu wrote:
> We configured iptables as below, which only allowed incoming data on
> established connections:
>
> iptables -t mangle -A PREROUTING -m state --state ESTABLISHED -j ACCEPT
> iptables -t mangle -P PREROUTING DROP
>
> When deleting a secondary address, current masquerade implements would
> flush all conntracks on this device. All the established connections on
> primary address also be deleted, then subsequent incoming data on the
> connections would be dropped wrongly because it was identified as NEW
> connection.
>
> So when an address was delete, it should only flush connections related
> with the address.

Applied to nf-next, thanks.

Next message: Jarkko Sakkinen: "Re: [PATCH v14 09/19] x86/mm: x86/sgx: Signal SEGV_SGXERR for #PFs w/ PF_SGX"
Previous message: Will Deacon: "Re: [PATCH v8 5/7] iommu/arm-smmu-v3: Add support for non-strict mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]