Re: [PATCH v3] netfilter: conntrack: fix wrong ct->timeout value

On Wed, Apr 19, 2023 at 09:40:44AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Apr 19, 2023 at 01:15:26PM +0800, Tzung-Bi Shih wrote:
> > (struct nf_conn)->timeout is an interval before the conntrack is
> > confirmed.  After it is confirmed, it becomes a timestamp[1].
> > 
> > It is observed that timeout of an unconfirmed conntrack:
> > - Set by calling ctnetlink_change_timeout().  As a result,
> >   `nfct_time_stamp` was wrongly added to `ct->timeout` twice[2].
> > - Get by calling ctnetlink_dump_timeout().  As a result,
> >   `nfct_time_stamp` was wrongly subtracted[3].
> > 
> > Separate the 2 cases in:
> > - Setting `ct->timeout` in __nf_ct_set_timeout().
> > - Getting `ct->timeout` in ctnetlink_dump_timeout().
> 
> Applied, thanks

I have to amend this patch, I have to collapse the attached chunk.
Otherwise conntrack creation via ctnetlink breaks.

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d3ee18854698..d65290646f63 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2253,9 +2253,6 @@ ctnetlink_create_conntrack(struct net *net,
 	if (!cda[CTA_TIMEOUT])
 		goto err1;
 
-	timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
-	__nf_ct_set_timeout(ct, timeout);
-
 	rcu_read_lock();
  	if (cda[CTA_HELP]) {
 		char *helpname = NULL;
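
Review bot: with the `__nf_ct_set_timeout(ct, timeout)` call removed from this spot, the `if (!cda[CTA_TIMEOUT]) goto err1;` check at the top of the hunk is now separated from the place where the attribute is actually read, and ct has no timeout applied while the `rcu_read_lock()` section starting at `if (cda[CTA_HELP])` runs. Please confirm that nothing in that section reads `ct->timeout`, and consider a one-line comment at the check saying the value is applied later, once the entry is marked confirmed, so the check is not mistaken for dead code or moved along with the assignment.
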
@@ -2319,6 +2316,9 @@ ctnetlink_create_conntrack(struct net *net,
 	/* we must add conntrack extensions before confirmation. */
 	ct->status |= IPS_CONFIRMED;
 
+	timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
+	__nf_ct_set_timeout(ct, timeout);
+
 	if (cda[CTA_STATUS]) {
 		err = ctnetlink_change_status(ct, cda);
 		if (err < 0)
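
Review bot: the new placement of `__nf_ct_set_timeout(ct, timeout)` directly after `ct->status |= IPS_CONFIRMED;` is order-dependent, but nothing in the hunk says so; the only comment nearby ("we must add conntrack extensions before confirmation") is about extensions. Since the commit message explains that the timeout is an interval before confirmation and a timestamp afterwards, a comment here stating that the timeout must be set after IPS_CONFIRMED so that it is stored as a timestamp would keep a later cleanup from moving the two lines back up. The commit message also only mentions ctnetlink_change_timeout() and ctnetlink_dump_timeout(); the creation path changed here deserves a sentence there once this chunk is folded in.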
