| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPeZ_4bano8JJigk@strlen.de>
Date: Tue, 21 Oct 2025 16:34:46 +0200
From: Florian Westphal <fw@...len.de>
To: Andrii Melnychenko <a.melnychenko@...s.io>
Cc: pablo@...filter.org, kadlec@...filter.org, phil@....cc,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, horms@...nel.org,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/1] nft_ct: Added nfct_seqadj_ext_add() for NAT'ed
conntrack.
Andrii Melnychenko <a.melnychenko@...s.io> wrote:
>
> struct nft_ct_helper_obj {
> struct nf_conntrack_helper *helper4;
> @@ -1173,6 +1174,9 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
> if (help) {
> rcu_assign_pointer(help->helper, to_assign);
> set_bit(IPS_HELPER_BIT, &ct->status);
> +
> + if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
> + nfct_seqadj_ext_add(ct);
Any reason why you removed the drop logic of earlier versions?
I think this needs something like this:
if (!nfct_seqadj_ext_add(ct))
regs->verdict.code = NF_DROP;
so client will eventually retransmit the connection request.
I can also mangle this locally, let me know.
Powered by blists - more mailing lists