From: ze wang <wangze712@gmail.com>
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: npl_nad@ucloud.cn
Subject: [issue] conntrack: lack of lock during nat
Date: Tue, 13 Jul 2021 18:07:31 +0800
Message-ID: <CANS1P8EzXbrYXzLpLS+sFv1vDz=NNUiyaWqOZHCaeZ23tfCSNw@mail.gmail.com>
Hi Pablo,
I'm doing CPS testing for conntrack, and I think there may be an issue
in some scenarios. Here is the example:
iptables -t nat -A POSTROUTING -d 10.0.0.5 -p tcp -j SNAT --to 10.0.0.1
pkt from p1: IP(src="10.0.0.2",dst="10.0.0.5")/TCP(sport=5555,dport=8888,seq=100)
pkt from p2: IP(src="10.0.0.3",dst="10.0.0.5")/TCP(sport=5555,dport=8888,seq=100)
If the number of attempts is large enough, there is a chance that the
conntracks generated by the two packets will conflict, because their tuples
in the reply direction have the same ip and port.
The reason for this phenomenon may be in the process of executing
NAT: there are two small locks, one in choosing the NAT tuple (ip and port) and
one in confirming the ct, but there is no lock between them (after choose and
before confirm), which may cause kernel threads to choose the same
reply tuple and confirm them, then go to clash resolution.
I'm not sure if my thoughts are correct, or whether there is some other
mechanism in the kernel that prevents this and I didn't find it. Can this be
considered an issue?
Thank you,
wangze
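To make the window described in the mail concrete, here is an added Python model (not the kernel's nf_nat/nf_conntrack code and not part of the original message) that replays the two packets above under both interleavings; the table, the port search order and all names are constructed assumptions:

```python
# Constructed model of the race: two packets with the same sport/dport hit
# "-j SNAT --to 10.0.0.1"; conntrack picks a reply tuple for each and only
# later confirms the entry.  Structures and names are illustrative only.
from itertools import chain

SNAT_IP = "10.0.0.1"  # from the iptables rule in the mail
PKT1 = dict(src="10.0.0.2", dst="10.0.0.5", sport=5555, dport=8888)
PKT2 = dict(src="10.0.0.3", dst="10.0.0.5", sport=5555, dport=8888)


def reply_tuple(pkt, nat_port):
    """Reply-direction tuple after SNAT: server -> mapped (ip, port).
    The original src IP no longer appears, which is why PKT1/PKT2 collide."""
    return (pkt["dst"], pkt["dport"], SNAT_IP, nat_port)


class Conntrack:
    def __init__(self):
        self.confirmed = set()  # reply tuples of confirmed entries

    def choose(self, pkt):
        """Pick a source port whose reply tuple is unique against the table
        *as seen at this instant* (stand-in for the unique-tuple search)."""
        for port in chain([pkt["sport"]], range(1024, 65536)):
            if reply_tuple(pkt, port) not in self.confirmed:
                return port
        raise RuntimeError("no free port")

    def confirm(self, pkt, port):
        """Insert the entry; True if an identical reply tuple already exists."""
        t = reply_tuple(pkt, port)
        clash = t in self.confirmed
        self.confirmed.add(t)
        return clash


def run(serialised):
    """Return (port1, port2, clash) for one interleaving.
    serialised=True  : one lock held from choose() through confirm().
    serialised=False : two separate locks with a window in between, as in
                       the mail; both CPUs search before either confirms."""
    ct = Conntrack()
    if serialised:
        p1 = ct.choose(PKT1); c1 = ct.confirm(PKT1, p1)
        p2 = ct.choose(PKT2); c2 = ct.confirm(PKT2, p2)
    else:
        p1 = ct.choose(PKT1)
        p2 = ct.choose(PKT2)  # sees the same empty table, picks 5555 too
        c1 = ct.confirm(PKT1, p1)
        c2 = ct.confirm(PKT2, p2)  # identical reply tuple -> clash
    return p1, p2, c1 or c2
```

Without the window the second entry is remapped to a fresh port; with it, both entries carry the same reply tuple and the clash is only detected at confirm time.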