netfilter: xt_cluster: reject template conntracks in hash match
author Wyatt Feng <bronzed_45_vested@icloud.com>
Thu, 11 Jun 2026 07:21:42 +0000 (15:21 +0800)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 19 Jun 2026 10:22:14 +0000 (12:22 +0200)
commit 5feba91006ec92da57acc1cc2e34df623b98541e
tree 4c9a0589c86a32c5d9b6116f6526e1a9864f8512
parent c9c9b37f8c5505224e8d206184df3bb668ee00cf
netfilter: xt_cluster: reject template conntracks in hash match

xt_cluster_mt() treats any non-NULL nf_ct_get() result as a fully
initialized conntrack and passes it to xt_cluster_hash().

This causes a state confusion bug when the raw table CT target attaches
a template conntrack to skb->_nfct before normal conntrack processing.
Templates carry IPS_TEMPLATE status but do not have a valid tuple for
hashing yet, so xt_cluster_hash() can hit its WARN_ON() path on the
zeroed l3num field.

Reject template conntracks before hashing them. This matches existing
netfilter handling for template objects and avoids hashing incomplete
conntrack state.

Fixes: 0269ea493734 ("netfilter: xtables: add cluster match")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/xt_cluster.c
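The state confusion described in the commit message, as an added user-space model that is not the kernel's code or the patch itself: a template conntrack carries the IPS_TEMPLATE status bit but no hashable tuple, so a hash routine that keys on the tuple's l3num lands in its "unknown family" branch (the kernel's WARN_ON() path). The struct, the `mock_*` helpers and the sample inputs are constructed for illustration; `nf_ct_is_template()` and IPS_TEMPLATE_BIT are the kernel names this models, and the bit position used below is the one from the kernel's nf_conntrack_common.h as far as I know, treated here as an illustrative constant.

```c
/*
 * Added example (not from the kernel or the patch): model of the
 * xt_cluster fix in user space. All identifiers prefixed mock_ and the
 * sample_* inputs are constructed for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status bit index modelled on the kernel's IPS_TEMPLATE_BIT. */
#define MOCK_IPS_TEMPLATE_BIT 11
#define MOCK_IPS_TEMPLATE     (1UL << MOCK_IPS_TEMPLATE_BIT)

/* Address family value the hash routine understands (NFPROTO_IPV4 is 2). */
#define MOCK_NFPROTO_IPV4 2

/* Minimal stand-in for struct nf_conn: status bits plus the tuple
 * fields xt_cluster_hash() keys on. A template leaves l3num zeroed. */
struct mock_conn {
    unsigned long status;   /* IPS_* bits, like nf_conn.status */
    uint16_t l3num;         /* address family of the original tuple; 0 when unset */
    uint32_t src_ip;        /* constructed: one IPv4 source address */
};

/* Mirrors nf_ct_is_template(): templates carry configuration
 * (zone, helper, ...) attached by the CT target, not a tracked tuple. */
static bool mock_is_template(const struct mock_conn *ct)
{
    return (ct->status & MOCK_IPS_TEMPLATE) != 0;
}

enum hash_result { HASH_OK, HASH_REJECTED_TEMPLATE, HASH_BAD_L3NUM };

/* Pre-fix shape: hashes whatever it is handed and falls into the
 * "unknown family" branch on a zeroed l3num, which stands in for the
 * kernel's WARN_ON() path. */
static enum hash_result hash_unchecked(const struct mock_conn *ct, uint32_t *hash)
{
    switch (ct->l3num) {
    case MOCK_NFPROTO_IPV4:
        *hash = ct->src_ip * 2654435761u; /* constructed mixing step */
        return HASH_OK;
    default:
        *hash = 0;
        return HASH_BAD_L3NUM;
    }
}

/* Fixed shape: refuse templates before looking at the tuple at all. */
static enum hash_result hash_checked(const struct mock_conn *ct, uint32_t *hash)
{
    if (mock_is_template(ct)) {
        *hash = 0;
        return HASH_REJECTED_TEMPLATE;
    }
    return hash_unchecked(ct, hash);
}

/* Constructed inputs: a fully tracked connection and a template such as
 * the raw-table CT target would attach before conntrack runs. */
static const struct mock_conn sample_conn = {
    .status = 0, .l3num = MOCK_NFPROTO_IPV4, .src_ip = 0x0a000001u
};
static const struct mock_conn sample_template = {
    .status = MOCK_IPS_TEMPLATE, .l3num = 0, .src_ip = 0
};

/* Named entry points so each outcome can be inspected or asserted on. */
int unchecked_template_result(void) { uint32_t h; return hash_unchecked(&sample_template, &h); }
int checked_template_result(void)   { uint32_t h; return hash_checked(&sample_template, &h); }
int checked_normal_result(void)     { uint32_t h; return hash_checked(&sample_conn, &h); }

int main(void)
{
    printf("unchecked, template : %d (2 = bad l3num, the warn path)\n", unchecked_template_result());
    printf("checked,   template : %d (1 = rejected before hashing)\n", checked_template_result());
    printf("checked,   normal   : %d (0 = hashed normally)\n", checked_normal_result());
    return 0;
}
```

The point the model isolates is ordering: the template check has to run before any field of the tuple is read, because the tuple is exactly what a template does not have yet.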