git.ipfire.org Git - thirdparty/linux.git/commitdiff
netfilter: xt_cluster: reject template conntracks in hash match
author: Wyatt Feng <bronzed_45_vested@icloud.com>
Thu, 11 Jun 2026 07:21:42 +0000 (15:21 +0800)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 19 Jun 2026 10:22:14 +0000 (12:22 +0200)
xt_cluster_mt() treats any non-NULL nf_ct_get() result as a fully
initialized conntrack and passes it to xt_cluster_hash().

This causes a state confusion bug when the raw table CT target attaches
a template conntrack to skb->_nfct before normal conntrack processing.
Templates carry IPS_TEMPLATE status but do not have a valid tuple for
hashing yet, so xt_cluster_hash() can hit its WARN_ON() path on the
zeroed l3num field.

Reject template conntracks before hashing them. This matches existing
netfilter handling for template objects and avoids hashing incomplete
conntrack state.

Fixes: 0269ea493734 ("netfilter: xtables: add cluster match")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/xt_cluster.c

index 908fd5f2c3c84814a35390cd96e53a43e3759468..eaf2511d63f0ec9066172d6398f0f0409ac92d5f 100644 (file)
@@ -107,7 +107,7 @@ xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
        }
 
        ct = nf_ct_get(skb, &ctinfo);
-       if (ct == NULL)
+       if (!ct || nf_ct_is_template(ct))
                return false;
 
        if (ct->master)
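Review bot: the new `nf_ct_is_template(ct)` test deserves a one-line comment, because a reader of xt_cluster_mt() alone cannot see why a non-NULL conntrack may be unsafe to hash; the reason given in the commit message (a raw-table CT target can attach an IPS_TEMPLATE conntrack to skb->_nfct before its tuple is populated) fits in a comment such as `/* CT target templates carry no tuple yet, so there is nothing to hash */`. Note also that the early `return false` makes packets carrying a template match no cluster node at all, which is consistent with the existing `ct == NULL` case but worth stating explicitly alongside the WARN_ON() avoidance. Since the patch is Cc'd to stable, it is also worth confirming that nf_ct_is_template() is available in every tree the Fixes: tag reaches back to.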