Commit 40106e00 authored by Jakub Kicinski
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

1) Don't refresh timeout for SCTP flows in CLOSED state.

2) Don't allow access to transport header if fragment offset is set on.

3) Reinitialize internal conntrack state for retransmitted TCP
   syn-ack packet.

4) Update MAINTAINER file to add the Netfilter group tree. Moving
   forward, Florian Westphal has access to this tree so he can also
   send pull requests.

5) Set on IPS_HELPER for entries created via ctnetlink, otherwise NAT
   might zap it.

All patches from Florian Westphal.

* git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: ctnetlink: disable helper autoassign
  MAINTAINERS: netfilter: update git links
  netfilter: conntrack: re-init state for retransmitted syn-ack
  netfilter: conntrack: move synack init code to helper
  netfilter: nft_payload: don't allow th access for fragments
  netfilter: conntrack: don't refresh sctp entries in closed state
====================

Link: https://lore.kernel.org/r/20220204151903.320786-1-pablo@netfilter.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents fe68195d d1ca60ef
+2 −2
@@ -13297,8 +13297,8 @@ W: http://www.iptables.org/
W:	http://www.nftables.org/
Q:	http://patchwork.ozlabs.org/project/netfilter-devel/list/
C:	irc://irc.libera.chat/netfilter
T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
T:	git git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
T:	git git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git
F:	include/linux/netfilter*
F:	include/linux/netfilter/
F:	include/net/netfilter/
+1 −1
@@ -106,7 +106,7 @@ enum ip_conntrack_status {
	IPS_NAT_CLASH = IPS_UNTRACKED,
#endif

	/* Conntrack got a helper explicitly attached via CT target. */
	/* Conntrack got a helper explicitly attached (ruleset, ctnetlink). */
	IPS_HELPER_BIT = 13,
	IPS_HELPER = (1 << IPS_HELPER_BIT),

+2 −1
@@ -2311,7 +2311,8 @@ ctnetlink_create_conntrack(struct net *net,
			if (helper->from_nlattr)
				helper->from_nlattr(helpinfo, ct);

			/* not in hash table yet so not strictly necessary */
			/* disable helper auto-assignment for this entry */
			ct->status |= IPS_HELPER;
			RCU_INIT_POINTER(help->helper, helper);
		}
	} else {
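Review bot: The new comment on the `ct->status |= IPS_HELPER;` line replaces, rather than extends, the old one, and the old one carried a rationale ("not in hash table yet") that appears to justify the `RCU_INIT_POINTER()` on the next line — and, for the same reason, the unlocked `|=` on `status` — which a reader of the new code no longer gets. Suggest keeping both in one comment: `/* not yet in the hash table, so RCU_INIT_POINTER() and a plain |= are fine; IPS_HELPER disables helper auto-assignment for this entry */`. ctnetlink_create_conntrack starts and ends outside the hunk, so whether any path could expose the entry before this point is not visible here.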
+9 −0
@@ -489,6 +489,15 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
			pr_debug("Setting vtag %x for dir %d\n",
				 ih->init_tag, !dir);
			ct->proto.sctp.vtag[!dir] = ih->init_tag;

			/* don't renew timeout on init retransmit so
			 * port reuse by client or NAT middlebox cannot
			 * keep entry alive indefinitely (incl. nat info).
			 */
			if (new_state == SCTP_CONNTRACK_CLOSED &&
			    old_state == SCTP_CONNTRACK_CLOSED &&
			    nf_ct_is_confirmed(ct))
				ignore = true;
		}

		ct->proto.sctp.state = new_state;
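Review bot: The `nf_ct_is_confirmed(ct)` term in the new condition is the one part the comment does not explain: a reader can see that CLOSED-to-CLOSED on a confirmed entry is treated as an INIT retransmit, but not why an unconfirmed entry is exempt — presumably because a brand-new entry still needs its initial timeout set rather than skipped, which is worth stating, e.g. extend the comment with `* Unconfirmed entries are new and must still get their initial timeout.`. Note also that the reply-direction vtag is overwritten on the line just above (`ct->proto.sctp.vtag[!dir] = ih->init_tag;`) before `ignore` is set, so a retransmitted or port-reuse INIT keeps updating the expected tag even when the timeout is not refreshed; if that is intended (a reused port needs the new tag), one more clause in the comment would make it explicit. nf_conntrack_sctp_packet continues outside the hunk, where `ignore` is consumed.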
+41 −18
@@ -446,6 +446,32 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
	}
}

static void tcp_init_sender(struct ip_ct_tcp_state *sender,
			    struct ip_ct_tcp_state *receiver,
			    const struct sk_buff *skb,
			    unsigned int dataoff,
			    const struct tcphdr *tcph,
			    u32 end, u32 win)
{
	/* SYN-ACK in reply to a SYN
	 * or SYN from reply direction in simultaneous open.
	 */
	sender->td_end =
	sender->td_maxend = end;
	sender->td_maxwin = (win == 0 ? 1 : win);

	tcp_options(skb, dataoff, tcph, sender);
	/* RFC 1323:
	 * Both sides must send the Window Scale option
	 * to enable window scaling in either direction.
	 */
	if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
	      receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) {
		sender->td_scale = 0;
		receiver->td_scale = 0;
	}
}

static bool tcp_in_window(struct nf_conn *ct,
			  enum ip_conntrack_dir dir,
			  unsigned int index,
@@ -499,24 +525,9 @@ static bool tcp_in_window(struct nf_conn *ct,
		 * Initialize sender data.
		 */
		if (tcph->syn) {
			/*
			 * SYN-ACK in reply to a SYN
			 * or SYN from reply direction in simultaneous open.
			 */
			sender->td_end =
			sender->td_maxend = end;
			sender->td_maxwin = (win == 0 ? 1 : win);

			tcp_options(skb, dataoff, tcph, sender);
			/*
			 * RFC 1323:
			 * Both sides must send the Window Scale option
			 * to enable window scaling in either direction.
			 */
			if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
			      && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
				sender->td_scale =
				receiver->td_scale = 0;
			tcp_init_sender(sender, receiver,
					skb, dataoff, tcph,
					end, win);
			if (!tcph->ack)
				/* Simultaneous open */
				return true;
@@ -560,6 +571,18 @@ static bool tcp_in_window(struct nf_conn *ct,
		sender->td_maxwin = (win == 0 ? 1 : win);

		tcp_options(skb, dataoff, tcph, sender);
	} else if (tcph->syn && dir == IP_CT_DIR_REPLY &&
		   state->state == TCP_CONNTRACK_SYN_SENT) {
		/* Retransmitted syn-ack, or syn (simultaneous open).
		 *
		 * Re-init state for this direction, just like for the first
		 * syn(-ack) reply, it might differ in seq, ack or tcp options.
		 */
		tcp_init_sender(sender, receiver,
				skb, dataoff, tcph,
				end, win);
		if (!tcph->ack)
			return true;
	}

	if (!(tcph->ack)) {
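Review bot: `tcp_init_sender()` in the first hunk has no header comment, and its side effect on `receiver` (it may zero `receiver->td_scale` in the RFC 1323 check) is easy to miss now that it has a second caller in the last hunk which re-runs it on an already-initialised reply direction. Suggest a comment above it along the lines of `/* (Re)initialise the sender's window-tracking state from a SYN or SYN-ACK: re-parses the sender's TCP options and, per RFC 1323, clears both sides' td_scale if either lacks the option — so it also writes to @receiver. */`. The new retransmit branch also repeats `if (!tcph->ack) return true;` from the first-SYN-ACK path but without the `/* Simultaneous open */` comment that explains it there; carrying that comment over keeps the two sites readable side by side. tcp_in_window starts in the first hunk and continues past the last, so the window checks that follow the new branch are not visible here.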