From: Sasha Levin Date: Tue, 24 Jan 2023 22:55:46 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.10.166~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59f864cbae228ffb57f7b2efc6b0dc30b1fe44d3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch b/queue-4.19/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch new file mode 100644 index 00000000000..a1f424ee6f3 --- /dev/null +++ b/queue-4.19/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch 
@@ -0,0 +1,60 @@ +From 3c1cab5f8cdb499e5f0769c1c7412f65e6e2a7af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 12:36:42 +0200 +Subject: netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state + +From: Florian Westphal + +[ Upstream commit e15d4cdf27cb0c1e977270270b2cea12e0955edd ] + +Consider: + client -----> conntrack ---> Host + +client sends a SYN, but $Host is unreachable/silent. +Client eventually gives up and the conntrack entry will time out. + +However, if the client is restarted with same addr/port pair, it +may prevent the conntrack entry from timing out. + +This is noticeable when the existing conntrack entry has no NAT +transformation or an outdated one and port reuse happens either +on client or due to a NAT middlebox. + +This change prevents refresh of the timeout for SYN retransmits, +so entry is going away after nf_conntrack_tcp_timeout_syn_sent +seconds (default: 60). + +Entry will be re-created on next connection attempt, but then +nat rules will be evaluated again. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index 66cda5e2d6b9..955b73a9a05e 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -1094,6 +1094,16 @@ static int tcp_packet(struct nf_conn *ct, + nf_ct_kill_acct(ct, ctinfo, skb); + return NF_ACCEPT; + } ++ ++ if (index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT) { ++ /* do not renew timeout on SYN retransmit. ++ * ++ * Else port reuse by client or NAT middlebox can keep ++ * entry alive indefinitely (including nat info). ++ */ ++ return NF_ACCEPT; ++ } ++ + /* ESTABLISHED without SEEN_REPLY, i.e. mid-connection + * pickup with loose=1. Avoid large ESTABLISHED timeout. + */ +-- +2.39.0 + 
diff --git a/queue-4.19/series b/queue-4.19/series index 7b6d4f9d3d9..f783cee2e3c 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -34,3 +34,4 @@ mmc-sdhci-esdhc-imx-clear-esdhc_std_tuning_en-for-ma.patch mmc-sdhci-esdhc-imx-clear-pending-interrupt-and-halt.patch mmc-sdhci-esdhc-imx-disable-the-cmd-crc-check-for-st.patch mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and.patch +netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch
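Review bot: the early `return NF_ACCEPT` in the new `TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT` block skips everything that follows in the 4.19 `tcp_packet()` (the context line shows the backport lands in `static int tcp_packet(struct nf_conn *ct,` rather than the upstream function), not only the timeout refresh; that matches the preceding block in the same hunk, which also leaves via `nf_ct_kill_acct(ct, ctinfo, skb); return NF_ACCEPT;`, but the backport should confirm that `ct->lock` is not held at this point in 4.19 and that the state bookkeeping below the "ESTABLISHED without SEEN_REPLY" comment is not needed for a pure SYN retransmit. The behavioural change is worth a note in the stable commit message as well: an entry stuck in SYN_SENT now expires after `nf_conntrack_tcp_timeout_syn_sent` (default 60) no matter how often the client retries the SYN, and any NAT mapping attached to it goes away with it, so operators watching conntrack tables for long-lived SYN_SENT entries will see them disappear and be re-created, with NAT rules re-evaluated, on the next attempt. The commit comment's wording "including nat info" could be expanded to say that explicitly.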