From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: fw@strlen.de, sven.auhagen@voleatech.de
Subject: Re: [PATCH nf-next] netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
Date: Mon, 21 Mar 2022 11:05:04 +0100	[thread overview]
Message-ID: <YjhN0CgoDaW8RTWi@salvia> (raw)
In-Reply-To: <YjhJeQsI5TWTNgI0@salvia>


On Mon, Mar 21, 2022 at 10:46:36AM +0100, Pablo Neira Ayuso wrote:
> On Mon, Mar 21, 2022 at 10:44:39AM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Mar 21, 2022 at 10:42:05AM +0100, Pablo Neira Ayuso wrote:
> > > When tcp_options is called all flags are cleared.
> > > When the IP_CT_TCP_FLAG_BE_LIBERAL is set it should be preserved
> > > otherwise such connections will fail in the window check.
> > 
> > 
> > This patch completes 8437a6209f76 ("netfilter: nft_flow_offload: set liberal tracking mode for tcp")
> > 
> > I'm going to send v2 to add a wrapper function to update these flags,
> > so we do not accidentally reset IP_CT_TCP_FLAG_BE_LIBERAL.
> 
> Hm. Actually I don't see a clear way to add such wrapper function, so
> patch LGTM as is.

Maybe something like this patch that is attached, by adding a more
explicit function that resets the window tracking without touching the
liberal flag; it might help to make it more evident to the reader.

[-- Attachment #2: 0001-netfilter-nf_conntrack_tcp-preserve-liberal-flag-in-.patch --]
[-- Type: text/x-diff, Size: 2000 bytes --]

From 4c42d6ca218a9b3da324224a027b753f6acb72c3 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 21 Mar 2022 10:40:07 +0100
Subject: [PATCH] netfilter: nf_conntrack_tcp: preserve liberal flag in tcp
 options

When tcp_options is called all flags are cleared.
When the IP_CT_TCP_FLAG_BE_LIBERAL is set it should be preserved
otherwise such connections will fail in the window check.

Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index d1582b888c0d..8ec55cd72572 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -341,8 +341,8 @@ static void tcp_options(const struct sk_buff *skb,
 	if (!ptr)
 		return;
 
-	state->td_scale =
-	state->flags = 0;
+	state->td_scale = 0;
+	state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL;
 
 	while (length > 0) {
 		int opcode=*ptr++;
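Review bot: the line `state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL;` is the actual fix, but nothing at this call site says why that one bit survives while td_scale and every other flag are cleared before the options are re-parsed; a one-line comment above it (for example `/* keep IP_CT_TCP_FLAG_BE_LIBERAL across option re-parsing */`) would keep a future cleanup from folding it back into the old chained `= 0` assignment, which is exactly what the commit message says broke the window check.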
@@ -862,6 +862,16 @@ static bool tcp_can_early_drop(const struct nf_conn *ct)
 	return false;
 }
 
+static void nf_ct_tcp_state_reset(struct ip_ct_tcp_state *state)
+{
+	state->td_end		= 0;
+	state->td_maxend	= 0;
+	state->td_maxwin	= 0;
+	state->td_maxack	= 0;
+	state->td_scale		= 0;
+	state->flags		&= IP_CT_TCP_FLAG_BE_LIBERAL;
+}
+
 /* Returns verdict for packet, or -1 for invalid. */
 int nf_conntrack_tcp_packet(struct nf_conn *ct,
 			    struct sk_buff *skb,
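Review bot: nf_ct_tcp_state_reset() replaces a memset() of the whole struct ip_ct_tcp_state (see the later hunk), so it now silently depends on listing every field of that struct by hand; a short comment above the function stating that it must be kept in sync with struct ip_ct_tcp_state, and that it intentionally keeps IP_CT_TCP_FLAG_BE_LIBERAL, would protect whoever adds a field next. Giving the function a name that says what is preserved (it resets window tracking but not the liberal bit) would make the intent clearer than "state_reset" alone.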
@@ -968,8 +978,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 			ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
 			ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
 				ct->proto.tcp.last_flags;
-			memset(&ct->proto.tcp.seen[dir], 0,
-			       sizeof(struct ip_ct_tcp_state));
+			nf_ct_tcp_state_reset(&ct->proto.tcp.seen[dir]);
 			break;
 		}
 		ct->proto.tcp.last_index = index;
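Review bot: the commit message only describes the tcp_options() case, but this hunk changes behaviour in a second place: the challenge-ACK reset in nf_conntrack_tcp_packet() used to zero seen[dir] entirely, flags included, and with nf_ct_tcp_state_reset() it now keeps IP_CT_TCP_FLAG_BE_LIBERAL for that direction as well. The description should mention this path too, so that anyone bisecting a change in challenge-ACK handling finds the reason here rather than assuming the patch is limited to option parsing.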
-- 
2.30.2

