On Mon, Apr 10, 2023 at 10:33:32AM +0200, Pablo Neira Ayuso wrote:
> Hi,
>
> On Mon, Apr 10, 2023 at 02:09:35PM +0800, Tzung-Bi Shih wrote:
> > (struct nf_conn)->timeout is an interval before the conntrack is
> > confirmed. After confirmed, it becomes a timestamp[1].
> >
> > It is observed that the timeout of an unconfirmed conntrack has been
> > altered by calling ctnetlink_change_timeout(). As a result,
> > `nfct_time_stamp` was wrongly added to `ct->timeout` twice[2].
> >
> > Differentiate the 2 cases in all `ct->timeout` accesses.
>
> You can just skip refreshing the timeout for unconfirmed conntrack
> entries in ctnetlink_change_timeout().

Something like this patch probably?
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index bfc3aaa2c872..6556f5f30844 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -2466,7 +2466,8 @@ static int ctnetlink_new_conntrack(struct sk_buff *skb, err = -EEXIST; ct = nf_ct_tuplehash_to_ctrack(h); - if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) { + if (!(info->nlh->nlmsg_flags & NLM_F_EXCL) && + nf_ct_is_confirmed(ct)) { err = ctnetlink_change_conntrack(ct, cda); if (err == 0) { nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
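Review bot: the added nf_ct_is_confirmed(ct) condition in ctnetlink_new_conntrack() gates the whole ctnetlink_change_conntrack() call, not just the timeout refresh that the quoted reply suggested skipping inside ctnetlink_change_timeout(), and since err was set to -EEXIST two lines above, a request without NLM_F_EXCL against an unconfirmed entry now fails with -EEXIST instead of quietly leaving the timeout alone. If that stricter behaviour is intended, state it in the commit message; otherwise move the confirmed check into ctnetlink_change_timeout() so the remaining attribute updates still apply to the entry.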
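The double-add that the quoted commit message describes is easy to reproduce in a small model. The following C program is an added illustration, not kernel code and not part of this thread: it models ct->timeout as a relative interval before confirmation and an absolute expiry stamp after it, and shows what happens when an accessor that assumes the confirmed meaning is applied to an unconfirmed entry and the entry is then confirmed. The names (toy_conn, change_timeout_buggy, change_timeout_fixed, confirm, lifetime_after_confirm), HZ=100 and the uint32_t tick counter standing in for jiffies/nfct_time_stamp are all my own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (not kernel code) of the two meanings of ct->timeout:
 * before confirmation it is a relative interval in ticks; at confirmation
 * the current tick count is added once so it becomes an absolute expiry. */

#define HZ 100                      /* assumed ticks per second */

static uint32_t now_ticks;          /* assumed stand-in for nfct_time_stamp */

struct toy_conn {
    bool confirmed;                 /* stands in for IPS_CONFIRMED in ct->status */
    uint32_t timeout;               /* interval before confirm, expiry stamp after */
};

/* Model of the pre-fix behaviour: unconditionally treat the field as an
 * expiry stamp, which is wrong while the entry is still unconfirmed. */
static void change_timeout_buggy(struct toy_conn *ct, uint32_t secs)
{
    ct->timeout = now_ticks + secs * HZ;
}

/* Model of the differentiated accessor: store an interval while unconfirmed
 * and an absolute expiry once confirmed. */
static void change_timeout_fixed(struct toy_conn *ct, uint32_t secs)
{
    if (ct->confirmed)
        ct->timeout = now_ticks + secs * HZ;
    else
        ct->timeout = secs * HZ;
}

/* Confirmation converts the interval into an expiry stamp exactly once. */
static void confirm(struct toy_conn *ct)
{
    ct->timeout += now_ticks;
    ct->confirmed = true;
}

/* Remaining lifetime in whole seconds of a confirmed entry. The signed
 * difference keeps the comparison correct across tick-counter wraparound. */
static int32_t remaining_secs(const struct toy_conn *ct)
{
    int32_t d = (int32_t)(ct->timeout - now_ticks);
    return d < 0 ? 0 : d / HZ;
}

/* Create an unconfirmed entry with a 30 s timeout, change the timeout to
 * 60 s with the given accessor while still unconfirmed, then confirm it at
 * tick count `clock`. Returns the lifetime the entry ends up with. */
static int32_t lifetime_after_confirm(void (*change)(struct toy_conn *, uint32_t),
                                      uint32_t clock)
{
    struct toy_conn ct = { .confirmed = false, .timeout = 30 * HZ };

    now_ticks = clock;
    change(&ct, 60);
    confirm(&ct);
    return remaining_secs(&ct);
}

int main(void)
{
    /* With the clock at 1000 s the buggy accessor yields 60 s plus a second
     * copy of the timestamp (1060 s); the fixed one yields the intended 60 s. */
    printf("buggy accessor: %d s\n", lifetime_after_confirm(change_timeout_buggy, 1000 * HZ));
    printf("fixed accessor: %d s\n", lifetime_after_confirm(change_timeout_fixed, 1000 * HZ));
    /* Near the 32-bit wrap the fixed accessor still gives 60 s. */
    printf("fixed, near wrap: %d s\n", lifetime_after_confirm(change_timeout_fixed, 0xFFFFFF00u));
    return 0;
}
```

The model deliberately keeps the kernel's signed-difference expiry check so the wraparound case is exercised; the point it demonstrates is the one in the quoted message, that every writer of ct->timeout must know whether the entry is confirmed, or the confirmation step will add the timestamp a second time.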