From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 5.4 18/78] netfilter: nft_ct: skip expectations for confirmed conntrack
Date: Tue, 8 Jun 2021 20:26:47 +0200
Message-Id: <20210608175935.883122578@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210608175935.254388043@linuxfoundation.org>
References: <20210608175935.254388043@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pablo Neira Ayuso

[ Upstream commit 1710eb913bdcda3917f44d383c32de6bdabfc836 ]

nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
conntrack entry. However, nf_ct_ext_add() can only be called for
!nf_ct_is_confirmed().

[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
[ 1825.352508] Call Trace:
[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]

Add the ct helper extension only for unconfirmed conntrack. Skip rule
evaluation if the ct helper extension does not exist. Thus, you can
only create expectations from the first packet.

It should be possible to remove this limitation by adding a new action
to attach a generic ct helper to the first packet. Then, use this ct
helper extension from follow up packets to create the ct expectation.

While at it, add a missing check to skip the template conntrack too and remove check for IPCT_UNTRACK which is implicit to !ct. Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nft_ct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 2042c6f4629c..28991730728b 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c @@ -1218,7 +1218,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj, struct nf_conn *ct; ct = nf_ct_get(pkt->skb, &ctinfo); - if (!ct || ctinfo == IP_CT_UNTRACKED) { + if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) { regs->verdict.code = NFT_BREAK; return; } -- 2.30.2
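
Review bot: the new `nf_ct_is_confirmed(ct)` test in nft_ct_expect_obj_eval() turns the expectation rule into a silent NFT_BREAK for every packet of an already-confirmed flow, and that limitation (expectations can only be created from the first packet) is recorded only in the commit message. A short comment above the `if` stating that the ct helper extension can only be added before the conntrack is confirmed would keep the reason next to the check. The same comment could note that the dropped `ctinfo == IP_CT_UNTRACKED` test is covered by `!ct`, as the commit message says, since that is not evident from the hunk itself.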