From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Martynas Pumputis, Florian Westphal, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.20 124/171] netfilter: nf_nat: skip nat clash resolution for same-origin entries
Date: Tue, 12 Mar 2019 10:08:24 -0700
Message-Id: <20190312170358.456497354@linuxfoundation.org>
In-Reply-To: <20190312170347.868927101@linuxfoundation.org>
References: <20190312170347.868927101@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
User-Agent: quilt/0.65
X-stable: review

4.20-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit 4e35c1cb9460240e983a01745b5f29fe3a4d8e39 ]

It is possible that two concurrent packets originating from the same
socket of a connection-less protocol (e.g. UDP) can end up having
different IP_CT_DIR_REPLY tuples which results in one of the packets
being dropped.

To illustrate this, consider the following simplified scenario:

1. Packet A and B are sent at the same time from two different threads
   by the same UDP socket. No matching conntrack entry exists yet.
   Both packets cause allocation of a new conntrack entry.

2. get_unique_tuple gets called for A. No clashing entry found.
   conntrack entry for A is added to main conntrack table.

3. get_unique_tuple is called for B and will find that the reply tuple
   of B is already taken by A. It will allocate a new UDP source port
   for B to resolve the clash.

4. conntrack entry for B cannot be added to main conntrack table because
   its ORIGINAL direction is clashing with A and the REPLY directions
   of A and B are not the same anymore due to UDP source port
   reallocation done in step 3.
This patch modifies nf_conntrack_tuple_taken so it doesn't consider colliding reply tuples if the IP_CT_DIR_ORIGINAL tuples are equal. [ Florian: simplify patch to not use .allow_clash setting and always ignore identical flows ] Signed-off-by: Martynas Pumputis Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_conntrack_core.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index e92e749aff53..830b1328fe97 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1007,6 +1007,22 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, } if (nf_ct_key_equal(h, tuple, zone, net)) { + /* Tuple is taken already, so caller will need to find + * a new source port to use. + * + * Only exception: + * If the *original tuples* are identical, then both + * conntracks refer to the same flow. + * This is a rare situation, it can occur e.g. when + * more than one UDP packet is sent from same socket + * in different threads. + * + * Let nf_ct_resolve_clash() deal with this later. + */ + if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) + continue; + NF_CT_STAT_INC_ATOMIC(net, found); rcu_read_unlock(); return 1; -- 2.19.1
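Review bot: the new condition dereferences ignored_conntrack unconditionally, and nothing in the hunk shows that nf_conntrack_tuple_taken() is only reached with a non-NULL conntrack; either guard it (`if (ignored_conntrack && nf_ct_tuple_equal(...))`) or state that precondition in the new comment. The `continue` also bypasses `NF_CT_STAT_INC_ATOMIC(net, found)`, so same-origin hits leave no trace in the conntrack statistics; since the comment defers the outcome to nf_ct_resolve_clash(), it would help to say there that the entry is still expected to collide at confirm time and be merged or dropped, not to succeed silently.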
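The four-step race from the commit message, as an added simulation that is not part of the patch or of the kernel: `race(False)` reproduces the drop and `race(True)` the behaviour with the same-origin check. All names and tuples are constructed; hashing, zones and per-protocol clash rules are left out.

```python
# Constructed model of the race in the commit message, not kernel code: tuples
# are (src, sport, dst, dport), the NAT rule is a null binding, and the three
# functions are much-simplified stand-ins for their kernel namesakes.
def invert(t):
    src, sport, dst, dport = t
    return (dst, dport, src, sport)

class Conntrack:
    def __init__(self, original):
        self.original = original
        self.reply = invert(original)   # null binding: reply is the inverse

def tuple_taken(table, tuple_, ignored, same_origin_fix):
    """nf_conntrack_tuple_taken(): is tuple_ used by an entry other than ignored?"""
    for ct in table:
        if ct is ignored:
            continue
        if tuple_ in (ct.original, ct.reply):
            # The patch: identical ORIGINAL tuples describe the same flow, so do
            # not treat the reply tuple as taken; confirm() resolves it instead.
            if same_origin_fix and ct.original == ignored.original:
                continue
            return True
    return False

def get_unique_tuple(table, ct, same_origin_fix):
    """get_unique_tuple(): retry with a new source port until no clash remains."""
    src, port, dst, dport = ct.original
    while tuple_taken(table, ct.reply, ct, same_origin_fix):
        port += 1
        ct.reply = invert((src, port, dst, dport))

def confirm(table, ct):
    """confirm + nf_ct_resolve_clash(), reduced: a clashing packet survives only
    if both directions match the existing entry."""
    for other in table:
        if other.original == ct.original or other.reply == ct.reply:
            return other.original == ct.original and other.reply == ct.reply
    table.append(ct)
    return True

def race(same_origin_fix):
    """Two UDP packets from one socket (steps 1-4); False means B is dropped."""
    table = []
    flow = ("10.0.0.2", 5555, "10.0.0.9", 53)
    a, b = Conntrack(flow), Conntrack(flow)
    get_unique_tuple(table, a, same_origin_fix)
    assert confirm(table, a)                     # step 2: A is confirmed first
    get_unique_tuple(table, b, same_origin_fix)  # step 3: B finds A's reply tuple
    return confirm(table, b)                     # step 4: clash at confirm time
```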