Bug 106441
| Summary: | PPTP/GRE expectation entries not removed from the expectation table | | |
|---|---|---|---|
| Product: | Networking | Reporter: | anthony.lineham |
| Component: | Netfilter/Iptables | Assignee: | networking_netfilter-iptables (networking_netfilter-iptables) |
| Status: | NEW --- | | |
| Severity: | normal | CC: | adobriyan, pablo, szg00000 |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 3.16.7 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | Proposed fix | | |

please send netfilter patches to netfilter-devel@vger.kernel.org

(In reply to Alexey Dobriyan from comment #1)
> please send netfilter patches to netfilter-devel@vger.kernel.org

Thanks for the comment, Alexey. I'm new to this process. Could you tell me if it's ok to just email a link to this report with some introduction, or should I put all the content from here into the patch? Thanks

Links will be ignored. Send plaintext patch (not an attachment, not a HTML) to maintainers (see MAINTAINERS file), Cc mailing list. Patch should contain Signed-off-by line (attached doesn't). When inserting patch into email make sure tabs don't turn into spaces.

To speed up this submission, I can submit myself your patch to netfilter-devel@vger.kernel.org. But I'll have to add:

Signed-off-by: Anthony Lineham <anthony.lineham@alliedtelesis.co.nz>

to this patch. Any objection to that? You'll be Cc'ed in that submission to netfilter-devel@vger.kernel.org. Thanks.

(In reply to Pablo Neira Ayuso from comment #4)
Thanks Pablo, that would be a great help! Yes, please add my sign-off.

Created attachment 190761 Proposed fix

The PPTP conntrack helper makes use of conntrack's expectation table to create entries for the GRE flow that will carry the tunnel traffic. Once the GRE flow begins, the expectation table entries are supposed to be removed. However, it was failing to find one of the expectation entries due to the tuple structure used for the search not being initialized. Uninitialized fields in the structure meant that hashing and matching failed.

With a high number of tunnels being set up in a short space of time, this led to an accumulation of old expectation entries. Because the expectation table is limited in size (proportional to the connection tracking table, which is proportional to the device RAM) the accumulated entries could fill the table, limiting the number of GRE flows that were able to be handled. (Note that the accumulated entries time out eventually.)

Attached is a patch which initializes the structure correctly.
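
The failure mode described in the report, as an added user-space illustration (not the attached patch and not kernel code): a lookup key that is only partly filled in neither hashes nor compares equal to the stored entry, so entries pile up until the table refuses new ones. The `struct tuple` layout, the function names, the 64-slot limit and the addresses are hypothetical, and the `0xA5` fill stands in for the stale contents of an uninitialized local.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified tuple; not the kernel's nf_conntrack_tuple. */
struct tuple { uint32_t src_ip, dst_ip; uint16_t gre_key; uint8_t protonum;
               uint8_t dir; uint32_t zone; /* the lookup never sets dir/zone */ };
#define SLOTS 64                 /* constructed table limit */
static struct tuple table[SLOTS];
static int used[SLOTS];
/* FNV-1a over every byte of the struct, so unset bytes change the bucket. */
static unsigned hash_tuple(const struct tuple *t) {
    const unsigned char *p = (const unsigned char *)t;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof *t; i++) h = (h ^ p[i]) * 16777619u;
    return h % SLOTS;
}
static int expect_insert(const struct tuple *t) {   /* linear probing */
    for (unsigned i = 0, b = hash_tuple(t); i < SLOTS; i++, b = (b + 1) % SLOTS)
        if (!used[b]) { table[b] = *t; used[b] = 1; return 1; }
    return 0;                    /* table full: this flow's expectation is refused */
}
static int expect_remove(const struct tuple *t) {
    for (unsigned i = 0, b = hash_tuple(t); i < SLOTS && used[b]; i++, b = (b + 1) % SLOTS)
        if (!memcmp(&table[b], t, sizeof *t)) { used[b] = 0; return 1; }
    return 0;
}
/* Set up n tunnels; returns leftover entries, *rejected counts refused inserts. */
static int simulate(int n, int zero_first, int *rejected) {
    int left = 0;
    memset(used, 0, sizeof used); *rejected = 0;
    for (int k = 0; k < n; k++) {
        struct tuple exp, key;
        memset(&exp, 0, sizeof exp);
        exp.src_ip = 0x0a000001; exp.dst_ip = 0x0a000002;   /* constructed */
        exp.gre_key = (uint16_t)k; exp.protonum = 47;        /* 47 = GRE */
        if (!expect_insert(&exp)) { (*rejected)++; continue; }
        /* 0xA5 stands in for stale stack bytes of an uninitialized local. */
        memset(&key, zero_first ? 0 : 0xA5, sizeof key);
        key.src_ip = exp.src_ip; key.dst_ip = exp.dst_ip;
        key.gre_key = exp.gre_key; key.protonum = exp.protonum;
        expect_remove(&key);     /* GRE flow started: drop the expectation */
    }
    for (int i = 0; i < SLOTS; i++) left += used[i];
    return left;
}
int main(void) {
    int r0, r1, l0 = simulate(74, 0, &r0), l1 = simulate(74, 1, &r1);
    printf("uninitialized key: %d left, %d refused; zeroed key: %d left, %d refused\n", l0, r0, l1, r1);
}
```

Zeroing the whole key before setting the known fields is what makes the hash and the byte-wise compare line up with the stored entry.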