--- /dev/null
+From 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 Mon Sep 17 00:00:00 2001
+From: Joe Stringer <joestringer@nicira.com>
+Date: Tue, 21 Jul 2015 21:37:31 -0700
+Subject: netfilter: nf_conntrack: Support expectations in different zones
+
+From: Joe Stringer <joestringer@nicira.com>
+
+commit 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 upstream.
+
+When zones were originally introduced, the expectation functions were
+all extended to perform lookup using the zone. However, insertion was
+not modified to check the zone. This means that two expectations which
+are intended to apply for different connections that have the same tuple
+but exist in different zones cannot both be tracked.
+
+Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones")
+Signed-off-by: Joe Stringer <joestringer@nicira.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_expect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -202,7 +202,8 @@ static inline int expect_clash(const str
+ a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
+ }
+
+- return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
++ return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) &&
++ nf_ct_zone(a->master) == nf_ct_zone(b->master);
+ }
+
+ static inline int expect_matches(const struct nf_conntrack_expect *a,
projects / thirdparty / kernel / stable-queue.git / commitdiff
