From: Sasha Levin Date: Tue, 24 Jan 2023 22:55:44 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v5.10.166~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee4648a1d8befc9291edd5197d9b2562fbd8286c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch b/queue-5.10/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch new file mode 100644 index 00000000000..b8216e6ac77 --- /dev/null +++ b/queue-5.10/netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch 
@@ -0,0 +1,60 @@ +From f53173793e7a5eb2aa53c85bdc0364d008d4b1f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 12:36:42 +0200 +Subject: netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state + +From: Florian Westphal + +[ Upstream commit e15d4cdf27cb0c1e977270270b2cea12e0955edd ] + +Consider: + client -----> conntrack ---> Host + +client sends a SYN, but $Host is unreachable/silent. +Client eventually gives up and the conntrack entry will time out. + +However, if the client is restarted with same addr/port pair, it +may prevent the conntrack entry from timing out. + +This is noticeable when the existing conntrack entry has no NAT +transformation or an outdated one and port reuse happens either +on client or due to a NAT middlebox. + +This change prevents refresh of the timeout for SYN retransmits, +so entry is going away after nf_conntrack_tcp_timeout_syn_sent +seconds (default: 60). + +Entry will be re-created on next connection attempt, but then +nat rules will be evaluated again. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index 3f785bdfa942..c1d02c0b4f00 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -1158,6 +1158,16 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, + nf_ct_kill_acct(ct, ctinfo, skb); + return NF_ACCEPT; + } ++ ++ if (index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT) { ++ /* do not renew timeout on SYN retransmit. ++ * ++ * Else port reuse by client or NAT middlebox can keep ++ * entry alive indefinitely (including nat info). ++ */ ++ return NF_ACCEPT; ++ } ++ + /* ESTABLISHED without SEEN_REPLY, i.e. mid-connection + * pickup with loose=1. Avoid large ESTABLISHED timeout. + */ +-- +2.39.0 + 
diff --git a/queue-5.10/series b/queue-5.10/series index ca4a5cd7b2c..b6e41f1c392 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -73,3 +73,4 @@ platform-x86-touchscreen_dmi-add-info-for-the-csl-pa.patch platform-x86-asus-nb-wmi-add-alternate-mapping-for-k.patch lockref-stop-doing-cpu_relax-in-the-cmpxchg-loop.patch revert-selftests-bpf-check-null-propagation-only-nei.patch +netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch
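Review bot: the new early return in nf_conntrack_tcp_packet() keys only on `index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT` and does not look at the packet direction, so a SYN arriving from the reply side while the entry is still in SYN_SENT (the peer opening simultaneously) takes the same `return NF_ACCEPT` and skips the normal state transition, not just the timeout refresh; please either confirm that is intended or qualify the check with the original direction (e.g. `dir == IP_CT_DIR_ORIGINAL`). It would also help to extend the in-code comment to say that the whole of the remaining state-machine update is skipped here, since the commit text only talks about not renewing the timeout; with that clarified, the placement after the `nf_ct_kill_acct()` block looks right, and the series entry ordering for 5.10 is fine.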