[PATCH nf] netfilter: ctnetlink: disable helper autoassign

[PATCH nf] netfilter: ctnetlink: disable helper autoassign

[Florian Westphal]

When userspace, e.g. conntrackd, inserts an entry with a specified helper,
its possible that the helper is lost immediately after its added:

ctnetlink_create_conntrack
  -> nf_ct_helper_ext_add + assign helper
    -> ctnetlink_setup_nat
      -> ctnetlink_parse_nat_setup
         -> parse_nat_setup -> nfnetlink_parse_nat_setup
	                       -> nf_nat_setup_info
                                 -> nf_conntrack_alter_reply
                                   -> __nf_ct_try_assign_helper

... and __nf_ct_try_assign_helper will zero the helper again.

Set IPS_HELPER bit to bypass auto-assign logic, its unwanted, just like
when helper is assigned via ruleset.

Dropped old 'not strictly necessary' comment, it referred to use of
rcu_assign_pointer() before it got replaced by RCU_INIT_POINTER().

NB: Fixes tag intentionally incorrect, this extends the referenced commit,
but this change won't build without IPS_HELPER introduced there.

Fixes: 6714cf5465d280 ("netfilter: nf_conntrack: fix explicit helper attachment and NAT")
Reported-by: Pham Thanh Tuyen <phamtyn@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/uapi/linux/netfilter/nf_conntrack_common.h | 2 +-
 net/netfilter/nf_conntrack_netlink.c               | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index 4b3395082d15..26071021e986 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -106,7 +106,7 @@ enum ip_conntrack_status {
 	IPS_NAT_CLASH = IPS_UNTRACKED,
 #endif
 
-	/* Conntrack got a helper explicitly attached via CT target. */
+	/* Conntrack got a helper explicitly attached (ruleset, ctnetlink). */
 	IPS_HELPER_BIT = 13,
 	IPS_HELPER = (1 << IPS_HELPER_BIT),
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index ac438370f94a..7032402ffd33 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2311,7 +2311,8 @@ ctnetlink_create_conntrack(struct net *net,
 			if (helper->from_nlattr)
 				helper->from_nlattr(helpinfo, ct);
 
-			/* not in hash table yet so not strictly necessary */
+			/* disable helper auto-assignment for this entry */
+			ct->status |= IPS_HELPER;
 			RCU_INIT_POINTER(help->helper, helper);
 		}
 	} else {
-- 
2.34.1

Re: [PATCH nf] netfilter: ctnetlink: disable helper autoassign

[Pablo Neira Ayuso]

On Wed, Feb 02, 2022 at 12:00:56PM +0100, Florian Westphal wrote:
> When userspace, e.g. conntrackd, inserts an entry with a specified helper,
> its possible that the helper is lost immediately after its added:
> 
> ctnetlink_create_conntrack
>   -> nf_ct_helper_ext_add + assign helper
>     -> ctnetlink_setup_nat
>       -> ctnetlink_parse_nat_setup
>          -> parse_nat_setup -> nfnetlink_parse_nat_setup
> 	                       -> nf_nat_setup_info
>                                  -> nf_conntrack_alter_reply
>                                    -> __nf_ct_try_assign_helper
> 
> ... and __nf_ct_try_assign_helper will zero the helper again.
> 
> Set IPS_HELPER bit to bypass auto-assign logic, its unwanted, just like
> when helper is assigned via ruleset.
> 
> Dropped old 'not strictly necessary' comment, it referred to use of
> rcu_assign_pointer() before it got replaced by RCU_INIT_POINTER().
> 
> NB: Fixes tag intentionally incorrect, this extends the referenced commit,
> but this change won't build without IPS_HELPER introduced there.

Applied.