Subject: Re: Kernel 5.0-rc5 regression with NAT, bisected to: netfilter: nat: remove l4proto->manip_pkt
To: Florian Westphal
Cc: Pablo Neira Ayuso, "David S. Miller", netdev, linux-kernel
From: Sander Eikelenboom
Date: Fri, 8 Feb 2019 16:34:32 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/02/2019 12:54, Florian Westphal wrote:
> Florian Westphal wrote:
>> Sander Eikelenboom wrote:
>>> L.S.,
>>>
>>> While trying out a 5.0-RC5 kernel I seem to have stumbled over a regression with NAT.
>>> (using an nftables firewall with NAT and connection tracking).
>>>
>>> Unfortunately it isn't too obvious since no errors are logged, but on clients it
>>> causes symptoms like Firefox intermittently not being able to load pages with:
>>> Network Protocol Error
>>> An error occurred during a connection to www.example.com
>>> The page you are trying to view cannot be shown because an error in the network protocol was detected.
>>> Please contact the website owners to inform them of this problem.
>>>
>>> But it's only intermittently, so I can still visit some webpages with clients,
>>> could be that packet size and/or fragments are at play?
>>>
>>> So I tried testing with git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git with
>>> e8c32c32b48c2e889704d8ca0872f92eb027838e as last commit, to be sure to have the latest netdev has to offer,
>>> but to no avail.
>>>
>>> After that I tried to git bisect and ended up with:
>>>
>>> faec18dbb0405c7d4dda025054511dc3a6696918 is the first bad commit
>>> commit faec18dbb0405c7d4dda025054511dc3a6696918
>>> Author: Florian Westphal
>>> Date: Thu Dec 13 16:01:33 2018 +0100
>>>
>>> netfilter: nat: remove l4proto->manip_pkt
>>
>> Thanks, this is immensely helpful.
>> >> I think I see the bug, we can't use target->dst.protonum in >> nf_nat_l4proto_manip_pkt(), it will be TCP in case we're dealing >> with a related icmp packet. >> >> I will send a patch in a few hours when I get back. > > Sander, does this patch fix things for you? Hi Florian, You may stick on a reported/tested-by if you like. Thanks for the swift fix ! -- Sander > > Thanks! > > diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > @@ -215,6 +215,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, > > /* Change outer to look like the reply to an incoming packet */ > nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple); > + target.dst.protonum = IPPROTO_ICMP; > if (!nf_nat_ipv4_manip_pkt(skb, 0, &target, manip)) > return 0; > > diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c > --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c > +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c > @@ -226,6 +226,7 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, > } > > nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple); > + target.dst.protonum = IPPROTO_ICMPV6; > if (!nf_nat_ipv6_manip_pkt(skb, 0, &target, manip)) > return 0; > >
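
Review bot: the added `target.dst.protonum = IPPROTO_ICMP;` in nf_nat_icmp_reply_translation() carries no comment explaining why the freshly inverted tuple is overwritten, and the existing comment above it ("Change outer to look like the reply to an incoming packet") does not cover it. The reason given in this thread is that the tuple comes from the tracked connection, so its protonum is TCP for a related ICMP packet, while the outer header being rewritten here is ICMP. A one-line comment to that effect, placed between nf_ct_invert_tuplepr() and the assignment, would keep a later cleanup from dropping the line as redundant.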
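
Review bot: the IPv6 hunk repeats the override by hand (`target.dst.protonum = IPPROTO_ICMPV6;` in nf_nat_icmpv6_reply_translation()), so correctness now depends on each call site that passes an inverted tuple to the manip_pkt helpers remembering to patch protonum first. According to the diagnosis above, the field is read in nf_nat_l4proto_manip_pkt(); it is worth either commenting this call site the same way as the IPv4 one or stating in the commit message why the fix is applied at the callers. As posted, the patch also has no changelog; the formal submission should carry a Fixes: line for faec18dbb0405c7d4dda025054511dc3a6696918 together with the Reported-by/Tested-by offered in this reply.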