Fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch b/queue-4.19/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch
new file mode 100644 (file)
index 0000000..a1f424e
--- /dev/null
+++ b/queue-4.19/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch
@@ -0,0 +1,60 @@
+From 3c1cab5f8cdb499e5f0769c1c7412f65e6e2a7af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 12:36:42 +0200
+Subject: netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit e15d4cdf27cb0c1e977270270b2cea12e0955edd ]
+
+Consider:
+  client -----> conntrack ---> Host
+
+client sends a SYN, but $Host is unreachable/silent.
+Client eventually gives up and the conntrack entry will time out.
+
+However, if the client is restarted with same addr/port pair, it
+may prevent the conntrack entry from timing out.
+
+This is noticeable when the existing conntrack entry has no NAT
+transformation or an outdated one and port reuse happens either
+on client or due to a NAT middlebox.
+
+This change prevents refresh of the timeout for SYN retransmits,
+so entry is going away after nf_conntrack_tcp_timeout_syn_sent
+seconds (default: 60).
+
+Entry will be re-created on next connection attempt, but then
+nat rules will be evaluated again.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
+index 66cda5e2d6b9..955b73a9a05e 100644
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -1094,6 +1094,16 @@ static int tcp_packet(struct nf_conn *ct,
+                       nf_ct_kill_acct(ct, ctinfo, skb);
+                       return NF_ACCEPT;
+               }
++
++              if (index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT) {
++                      /* do not renew timeout on SYN retransmit.
++                       *
++                       * Else port reuse by client or NAT middlebox can keep
++                       * entry alive indefinitely (including nat info).
++                       */
++                      return NF_ACCEPT;
++              }
++
+               /* ESTABLISHED without SEEN_REPLY, i.e. mid-connection
+                * pickup with loose=1. Avoid large ESTABLISHED timeout.
+                */
+-- 
+2.39.0
+

diff --git a/queue-4.19/series b/queue-4.19/series
index 7b6d4f9d3d926a3a368f1ceb6b74182a09daf148..f783cee2e3cd96dfe00d932752cd6b7865c426da 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -34,3 +34,4 @@ mmc-sdhci-esdhc-imx-clear-esdhc_std_tuning_en-for-ma.patch
 mmc-sdhci-esdhc-imx-clear-pending-interrupt-and-halt.patch
 mmc-sdhci-esdhc-imx-disable-the-cmd-crc-check-for-st.patch
 mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and.patch
+netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch