(struct nf_conn)->timeout is an interval before the conntrack confirmed. After confirmed, it becomes a timestamp[1]. It is observed that timeout of an unconfirmed conntrack have been altered by calling ctnetlink_change_timeout(). As a result, `nfct_time_stamp` was wrongly added to `ct->timeout` twice[2]. Skip changing timeout if the conntrack is unconfirmed. [1]: https://elixir.bootlin.com/linux/v6.3-rc5/source/net/netfilter/nf_conntrack_core.c#L1257 [2]: https://elixir.bootlin.com/linux/v6.3-rc5/source/include/net/netfilter/nf_conntrack_core.h#L92 Signed-off-by: Tzung-Bi Shih <tzungbi@xxxxxxxxxx> --- Changes from v1 (https://lore.kernel.org/netfilter-devel/20230410060935.253503-1-tzungbi@xxxxxxxxxx/T/#u): - Just skip updating if the conntrack is unconfirmed per review comment. net/netfilter/nf_conntrack_netlink.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index fbc47e4b7bc3..f5abea20774c 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1986,6 +1986,10 @@ static int ctnetlink_change_helper(struct nf_conn *ct, static int ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[]) { + /* skip changing timeout if the conntrack is unconfirmed */ + if (!nf_ct_is_confirmed(ct)) + return 0; + return __nf_ct_change_timeout(ct, (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ); } -- 2.40.0.577.gac1e443424-goog
