Re: [PATCH] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Dudu Lu <phx0fer@gmail.com>, netdev@vger.kernel.org
Cc: jhs@mojatatu.com, jiri@resnulli.us, Dudu Lu <phx0fer@gmail.com>
Subject: Re: [PATCH] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
Date: Mon, 13 Apr 2026 11:41:37 +0200	[thread overview]
Message-ID: <874ilfdwoe.fsf@toke.dk> (raw)
In-Reply-To: <20260413084715.70169-1-phx0fer@gmail.com>

Dudu Lu <phx0fer@gmail.com> writes:

> cake_update_flowkeys() is supposed to update the flow dissector keys
> with the NAT-translated addresses and ports from conntrack, so that
> CAKE's per-flow fairness correctly identifies post-NAT flows as
> belonging to the same connection.
>
> For the source port, this works correctly:
>     keys->ports.src = port;  /* writes conntrack port into keys */
>
> But for the destination port, the assignment is reversed:
>     port = keys->ports.dst;  /* reads FROM keys into local var — no-op */

Huh, what a silly mistake - nice find!

> This means the NAT destination port is never updated in the flow keys.
> As a result, when multiple connections are NATed to the same destination
> (same IP + same port), CAKE treats them as separate flows because the
> original (pre-NAT) destination ports differ. This completely defeats
> CAKE's NAT-aware flow isolation when using the "nat" mode.
>
> The vulnerability was introduced in commit b0c19ed6088a ("sch_cake: Take advantage
> of skb->hash where appropriate")

Calling it a "vulnerability" seems perhaps a tad hyperbolic. Care to
elaborate on what you mean here?

-Toke

next prev parent reply	other threads:[~2026-04-13  9:49 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-13  8:47 [PATCH] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Dudu Lu
2026-04-13  9:41 ` Toke Høiland-Jørgensen [this message]
     [not found]   ` <CAKvCo-yFnu3RBbiGkaVi-X5qX_hN1a-FYrBZfzB9UKz8k-PZtQ@mail.gmail.com>
2026-04-13 10:07     ` Toke Høiland-Jørgensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874ilfdwoe.fsf@toke.dk \
    --to=toke@toke.dk \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=netdev@vger.kernel.org \
    --cc=phx0fer@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox