Commit f4de4c8

kaber authored and ummakynes committed
netfilter: synproxy_core: fix warning in __nf_ct_ext_add_length()
With CONFIG_NETFILTER_DEBUG we get the following warning during SYNPROXY init:

[ 80.558906] WARNING: CPU: 1 PID: 4833 at net/netfilter/nf_conntrack_extend.c:80 __nf_ct_ext_add_length+0x217/0x220 [nf_conntrack]()

The reason is that the conntrack template is set to confirmed before adding the extension and it is invalid to add extensions to already confirmed conntracks.

Fix by adding the extensions before setting the conntrack to confirmed.

Reported-by: Jesper Dangaard Brouer <jesper.brouer@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 parent 775ada6 commit f4de4c8

net/netfilter/nf_synproxy_core.c

Lines changed: 2 additions & 2 deletions
@@ -356,12 +356,12 @@ static int __net_init synproxy_net_init(struct net *net)
356356
goto err1;
357357
}
358358

359-
__set_bit(IPS_TEMPLATE_BIT, &ct->status);
360-
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
361359
if (!nfct_seqadj_ext_add(ct))
362360
goto err2;
363361
if (!nfct_synproxy_ext_add(ct))
364362
goto err2;
363+
__set_bit(IPS_TEMPLATE_BIT, &ct->status);
364+
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
365365

366366
snet->tmpl = ct;
367367

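Review bot: The two __set_bit() calls at new lines 363-364 now depend on every nfct_*_ext_add() call coming before them, but nothing in the code records that ordering constraint. A one-line comment above them (for example "extensions must be added before the template is marked confirmed") would keep a later extension from being added below IPS_CONFIRMED_BIT and bringing back the CONFIG_NETFILTER_DEBUG warning quoted in the commit message. Both goto err2 exits are now taken before IPS_TEMPLATE_BIT and IPS_CONFIRMED_BIT are set, so it is also worth confirming that the err2 cleanup, which is outside this hunk, does not assume either bit is present on ct.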