[PATCH v3] netfilter: conntrack: fix wrong ct->timeout value

[PATCH v3] netfilter: conntrack: fix wrong ct->timeout value

[Tzung-Bi Shih]

(struct nf_conn)->timeout is an interval before the conntrack
confirmed.  After confirmed, it becomes a timestamp[1].

It is observed that timeout of an unconfirmed conntrack:
- Set by calling ctnetlink_change_timeout().  As a result,
  `nfct_time_stamp` was wrongly added to `ct->timeout` twice[2].
- Get by calling ctnetlink_dump_timeout().  As a result,
  `nfct_time_stamp` was wrongly subtracted[3].

Separate the 2 cases in:
- Setting `ct->timeout` in __nf_ct_set_timeout().
- Getting `ct->timeout` in ctnetlink_dump_timeout().

[1]: https://elixir.bootlin.com/linux/v6.3-rc5/source/net/netfilter/nf_conntrack_core.c#L1257
[2]: https://elixir.bootlin.com/linux/v6.3-rc5/source/include/net/netfilter/nf_conntrack_core.h#L92
[3]: https://elixir.bootlin.com/linux/v6.3-rc5/source/include/net/netfilter/nf_conntrack.h#L296

Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
Changes from v2 (https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230410093454.853575-1-tzungbi@kernel.org/):
- Revert to v1 and apply partial changes per discussion thread in v1.
- Don't use WRITE_ONCE() and READ_ONCE() on unconfirmed conntrack.

Changes from v1 (https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230410060935.253503-1-tzungbi@kernel.org/):
- Just skip updating if the conntrack is unconfirmed per review comment.

 include/net/netfilter/nf_conntrack_core.h | 6 +++++-
 net/netfilter/nf_conntrack_netlink.c      | 7 ++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 71d1269fe4d4..3384859a8921 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -89,7 +89,11 @@ static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)
 {
 	if (timeout > INT_MAX)
 		timeout = INT_MAX;
-	WRITE_ONCE(ct->timeout, nfct_time_stamp + (u32)timeout);
+
+	if (nf_ct_is_confirmed(ct))
+		WRITE_ONCE(ct->timeout, nfct_time_stamp + (u32)timeout);
+	else
+		ct->timeout = (u32)timeout;
 }
 
 int __nf_ct_change_timeout(struct nf_conn *ct, u64 cta_timeout);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index fbc47e4b7bc3..9e0fd72dc166 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -176,7 +176,12 @@ static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct,
 				  bool skip_zero)
 {
-	long timeout = nf_ct_expires(ct) / HZ;
+	long timeout;
+
+	if (nf_ct_is_confirmed(ct))
+		timeout = nf_ct_expires(ct) / HZ;
+	else
+		timeout = ct->timeout / HZ;
 
 	if (skip_zero && timeout == 0)
 		return 0;
-- 
2.40.0.396.gfff15efe05-goog

Re: [PATCH v3] netfilter: conntrack: fix wrong ct->timeout value

[Pablo Neira Ayuso]

On Wed, Apr 19, 2023 at 01:15:26PM +0800, Tzung-Bi Shih wrote:
> (struct nf_conn)->timeout is an interval before the conntrack
> confirmed.  After confirmed, it becomes a timestamp[1].
> 
> It is observed that timeout of an unconfirmed conntrack:
> - Set by calling ctnetlink_change_timeout().  As a result,
>   `nfct_time_stamp` was wrongly added to `ct->timeout` twice[2].
> - Get by calling ctnetlink_dump_timeout().  As a result,
>   `nfct_time_stamp` was wrongly subtracted[3].
> 
> Separate the 2 cases in:
> - Setting `ct->timeout` in __nf_ct_set_timeout().
> - Getting `ct->timeout` in ctnetlink_dump_timeout().

Applied, thanks

Re: [PATCH v3] netfilter: conntrack: fix wrong ct->timeout value

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 855 bytes --]

On Wed, Apr 19, 2023 at 09:40:44AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Apr 19, 2023 at 01:15:26PM +0800, Tzung-Bi Shih wrote:
> > (struct nf_conn)->timeout is an interval before the conntrack
> > confirmed.  After confirmed, it becomes a timestamp[1].
> > 
> > It is observed that timeout of an unconfirmed conntrack:
> > - Set by calling ctnetlink_change_timeout().  As a result,
> >   `nfct_time_stamp` was wrongly added to `ct->timeout` twice[2].
> > - Get by calling ctnetlink_dump_timeout().  As a result,
> >   `nfct_time_stamp` was wrongly subtracted[3].
> > 
> > Separate the 2 cases in:
> > - Setting `ct->timeout` in __nf_ct_set_timeout().
> > - Getting `ct->timeout` in ctnetlink_dump_timeout().
> 
> Applied, thanks

I have to amend this patch, I have to collapsed the attached chunk.
Otherwise conntrack creation via ctnetlink breaks.


[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 834 bytes --]

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d3ee18854698..d65290646f63 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2253,9 +2253,6 @@ ctnetlink_create_conntrack(struct net *net,
 	if (!cda[CTA_TIMEOUT])
 		goto err1;
 
-	timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
-	__nf_ct_set_timeout(ct, timeout);
-
 	rcu_read_lock();
  	if (cda[CTA_HELP]) {
 		char *helpname = NULL;
@@ -2319,6 +2316,9 @@ ctnetlink_create_conntrack(struct net *net,
 	/* we must add conntrack extensions before confirmation. */
 	ct->status |= IPS_CONFIRMED;
 
+	timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
+	__nf_ct_set_timeout(ct, timeout);
+
 	if (cda[CTA_STATUS]) {
 		err = ctnetlink_change_status(ct, cda);
 		if (err < 0)