From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Francesco Ruggeri, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.19 189/264] netfilter: conntrack: connection timeout after re-register
Date: Tue, 27 Oct 2020 14:54:07 +0100
Message-Id: <20201027135439.536255486@linuxfoundation.org>
In-Reply-To: <20201027135430.632029009@linuxfoundation.org>
References: <20201027135430.632029009@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

From: Francesco Ruggeri

[ Upstream commit 4f25434bccc28cf8a07876ef5142a2869a674353 ]

If the first packet conntrack sees after a re-register is an outgoing
keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
SND.NXT-1. When the peer correctly acknowledges SND.NXT, tcp_in_window
fails check III (Upper bound for valid (s)ack: sack <= receiver.td_end)
and returns false, which cascades into nf_conntrack_in setting
skb->_nfct = 0 and in later conntrack iptables rules not matching.
In cases where iptables are dropping packets that do not match conntrack
rules this can result in idle tcp connections timing out.

v2: adjust td_end when getting the reply rather than when sending out the
keepalive packet.

Fixes: f94e63801ab2 ("netfilter: conntrack: reset tcp maxwin on re-register")
Signed-off-by: Francesco Ruggeri
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/netfilter/nf_conntrack_proto_tcp.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 7011ab27c4371..40f8a1252394b 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -549,13 +549,20 @@ static bool tcp_in_window(const struct nf_conn *ct, swin = win << sender->td_scale; sender->td_maxwin = (swin == 0 ? 1 : swin); sender->td_maxend = end + sender->td_maxwin; - /* - * We haven't seen traffic in the other direction yet - * but we have to tweak window tracking to pass III - * and IV until that happens. - */ - if (receiver->td_maxwin == 0) + if (receiver->td_maxwin == 0) { + /* We haven't seen traffic in the other + * direction yet but we have to tweak window + * tracking to pass III and IV until that + * happens. + */ receiver->td_end = receiver->td_maxend = sack; + } else if (sack == receiver->td_end + 1) { + /* Likely a reply to a keepalive. + * Needed for III. + */ + receiver->td_end++; + } + } } else if (((state->state == TCP_CONNTRACK_SYN_SENT && dir == IP_CT_DIR_ORIGINAL) -- 2.25.1
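Review bot: the new `else if (sack == receiver->td_end + 1)` branch bumps `receiver->td_end` on that equality alone; nothing in the hunk checks that the segment actually carries the ACK flag, so if `sack` is populated from the header regardless of the flag (not visible here), a first reply segment without ACK could advance td_end on a coincidental value. Either guard the branch with `tcph->ack` or extend the comment to say why that case is harmless. While there, the comment "Likely a reply to a keepalive. Needed for III." would be clearer if it named the condition from the changelog (the peer acknowledging SND.NXT after a data-less keepalive sent at SND.NXT-1), since the bare `+ 1` is otherwise unexplained in the code.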
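To make the failure in the changelog concrete, here is an added example (not kernel code and not part of this patch): a reduced model of the tcp_in_window bookkeeping that replays the keepalive scenario with and without the patch's td_end adjustment. `struct dir_state`, `init_sender` and `keepalive_ack_accepted` are simplified stand-ins that only follow the field names of nf_conntrack_proto_tcp.c; window scaling is ignored.

```c
/* Added example, not kernel code: a reduced model of the tcp_in_window
 * bookkeeping described in the commit message. Field names follow
 * nf_conntrack_proto_tcp.c; struct and helpers are simplified stand-ins. */
#include <stdbool.h>
#include <stdint.h>

struct dir_state {           /* subset of struct ip_ct_tcp_state */
    uint32_t td_end;         /* max of seq + len seen from this side */
    uint32_t td_maxend;      /* max of ack + max(win, 1) */
    uint32_t td_maxwin;      /* 0: no traffic seen yet in this direction */
};

/* Wraparound-safe "a is before b" on 32-bit sequence numbers. */
static bool before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Check III: upper bound for a valid (s)ack, sack <= receiver->td_end. */
static bool check_iii(const struct dir_state *receiver, uint32_t sack)
{
    return before(sack, receiver->td_end + 1);
}

/* First packet seen from `sender` after re-register: seed its state from
 * the segment ("its history is lost for us"). `fixed` applies the patch's
 * adjustment when the other direction is already initialised. */
static void init_sender(struct dir_state *sender, struct dir_state *receiver,
                        uint32_t seq, uint32_t len, uint32_t sack,
                        uint32_t win, bool fixed)
{
    uint32_t end = seq + len;
    sender->td_end = end;
    sender->td_maxwin = win == 0 ? 1 : win;       /* td_scale taken as 0 */
    sender->td_maxend = end + sender->td_maxwin;
    if (receiver->td_maxwin == 0)
        receiver->td_end = receiver->td_maxend = sack;
    else if (fixed && sack == receiver->td_end + 1)
        receiver->td_end++;                       /* ACK of a keepalive */
}

/* Replay the scenario: an outgoing data-less keepalive (SEG.SEQ = SND.NXT-1)
 * is the first packet after re-register, then the peer ACKs SND.NXT.
 * Returns whether that ACK passes check III (false is the skb->_nfct = 0 path). */
bool keepalive_ack_accepted(uint32_t snd_nxt, uint32_t rcv_nxt, bool fixed)
{
    struct dir_state orig = {0}, reply = {0};
    init_sender(&orig, &reply, snd_nxt - 1, 0, rcv_nxt, 65535, fixed);
    init_sender(&reply, &orig, rcv_nxt, 0, snd_nxt, 65535, fixed);
    return check_iii(&orig, snd_nxt);
}
```

The second pair of assertions below uses SND.NXT = 0 so the keepalive sits at 0xFFFFFFFF, showing that the `+ 1` comparison and `before()` both survive sequence-number wraparound.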