Commit d9d7b489 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: nft_flow_offload: clear tcp MAXACK flag before moving to slowpath 



This state reset is racy, no locks are held here.

Since commit
8437a620 ("netfilter: nft_flow_offload: set liberal tracking mode for tcp"),
the window checks are disabled for normal data packets, but MAXACK flag
is checked when validating TCP resets.

Clear the flag so tcp reset validation checks are ignored.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 375f2228

net/netfilter/nf_flow_table_core.c

+12 −2
Original line number Diff line number Diff line
@@ -161,10 +161,20 @@ void flow_offload_route_init(struct flow_offload *flow, 
}

EXPORT_SYMBOL_GPL(flow_offload_route_init);



static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)

static void flow_offload_fixup_tcp(struct nf_conn *ct)

{

	struct ip_ct_tcp *tcp = &ct->proto.tcp;



	spin_lock_bh(&ct->lock);

	/* Conntrack state is outdated due to offload bypass.

	 * Clear IP_CT_TCP_FLAG_MAXACK_SET, otherwise conntracks

	 * TCP reset validation will fail.

	 */

	tcp->seen[0].td_maxwin = 0;

	tcp->seen[0].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET;

	tcp->seen[1].td_maxwin = 0;

	tcp->seen[1].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET;

	spin_unlock_bh(&ct->lock);

}



static void flow_offload_fixup_ct(struct nf_conn *ct)
@@ -176,7 +186,7 @@ static void flow_offload_fixup_ct(struct nf_conn *ct) 
	if (l4num == IPPROTO_TCP) {

		struct nf_tcp_net *tn = nf_tcp_pernet(net);



		flow_offload_fixup_tcp(&ct->proto.tcp);

		flow_offload_fixup_tcp(ct);



		timeout = tn->timeouts[ct->proto.tcp.state];

		timeout -= tn->offload_timeout;