PROBLEM: nf_conntrack tcp SYN reuse results in incorrect window scaling
There is a bug in netfilter conntrack tcp behavior. Commit c7aab4f17021
("netfilter: nf_conntrack_tcp: re-init for syn packets only") changed
behavior that broke connection establishment when there is a new
connection attempt on a connection currently in SYN_SENT state. The
result is future packets are incorrectly considered out of window and
can be dropped. This can be reproduced by enabling firewall rules for
tcp and attempting to connect to a server that does not respond to
SYNs.
Keywords: conntrack, nf_conntrack_tcp_proto
Kernel Version: 6.172
Kernel Version without bug: 5.15
Machine 1: // force connection tracking of port 9000
# sudo sysctl net.netfilter.nf_log.2=nf_log_ipv4
# sudo sysctl -w net.netfilter.nf_conntrack_log_invalid=6
# sudo iptables -A OUTPUT -p tcp --dport 9000 -j ACCEPT
# sudo iptables -A INPUT -p tcp -m tcp --sport 9000 -m state --state
ESTABLISHED -j ACCEPT
# sudo iptables -P INPUT DROP; iptables -P OUTPUT DROP;
Machine 2: // disable port 9000 on server
# sudo iptables -P INPUT DROP;
# socat socat OPEN:/dev/zero TCP4-LISTEN:9000,reuseaddr,fork
Machine 1: // perform first connection attempt. ctrl+c after some
seconds
# socat OPEN:/dev/zero TCP4:10.0.85.65:9000,sourceport=55560
Machine 2: // allow next connection attempt
# sudo iptables -A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
Machine 1: reattempt connection
# socat OPEN:/dev/zero TCP4:10.0.85.65:9000,sourceport=55560
# dmesg | grep 9000 | grep " ACK " | tail -n1
[16690.645068] nf_ct_proto_6: SEQ is over upper bound 2624537083 (over
the window of the receiver) IN=eth0 OUT=
MAC=0e:6c:20:4d:61:0a:0e:ff:68:7e:1b:a6:08:00 SRC=10.0.85.65
DST=10.0.83.30 LEN=52 TOS=0x00 PREC=0x00 TTL=255 ID=11781 DF PROTO=TCP
SPT=9000 DPT=55560 SEQ=2653233300 ACK=2726773975 WINDOW=24555 RES=0x00
ACK URGP=0 OPT (0101080A47F2131D2ABC62AA)
The repeat socat attempt will result in re-using the same 5-tuple with
the greater SEQ number and trigger the bug. This was reproduced with
additional prints in tcp_init_sender() showing that the state was
incorrectly reset during the SYN retransmit.
The following patch below addresses the issue.
>From 92d9690066be1250d8aac3215930cb222510e17b Mon Sep 17 00:00:00 2001
From: Ryan Schaefer <ryanschf@xxxxxxxxxx>
Date: Fri, 19 Jan 2024 19:51:45 +0000
Subject: [PATCH] netfilter: conntrack: correct window scaling with
retransmitted SYN
commit c7aab4f17021 ("netfilter: nf_conntrack_tcp: re-init for syn
packets
only") introduces a bug where SYNs in ORIGINAL direction on reused 5-
tuple
result in incorrect window scale negotiation. This commit merged the
SYN
re-initialization and simultaneous open or SYN retransmits cases.
Merging
this block added the logic in tcp_init_sender() that performed window
scale
negotiation to the retransmitted syn case. Previously. this would only
result in updating the sender's scale and flags. After the merge the
additional logic results in improperly clearing the scale in ORIGINAL
direction before any packets in the REPLY direction are received. This
results in packets incorrectly being marked invalid for being
out-of-window.
This can be reproduced with the following trace:
Packet Sequence:
> Flags [S], seq 1687765604, win 62727, options [.. wscale 7], length 0
> Flags [S], seq 1944817196, win 62727, options [.. wscale 7], length 0
In order to fix the issue, only evaluate window negotiation for packets
in the REPLY direction. This was tested with simultaneous open, fast
open, and the above reproduction.
Fixes: c7aab4f17021 ("netfilter: nf_conntrack_tcp: re-init for syn
packets only")
Signed-off-by: Ryan Schaefer <ryanschf@xxxxxxxxxx>
---
net/netfilter/nf_conntrack_proto_tcp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c
b/net/netfilter/nf_conntrack_proto_tcp.c
index e573be5afde7..3c2c70ae0b66 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -457,7 +457,8 @@ static void tcp_init_sender(struct ip_ct_tcp_state
*sender,
const struct sk_buff *skb,
unsigned int dataoff,
const struct tcphdr *tcph,
- u32 end, u32 win)
+ u32 end, u32 win,
+ enum ip_conntrack_dir dir)
{
/* SYN-ACK in reply to a SYN
* or SYN from reply direction in simultaneous open.
@@ -471,7 +472,8 @@ static void tcp_init_sender(struct ip_ct_tcp_state
*sender,
* Both sides must send the Window Scale option
* to enable window scaling in either direction.
*/
- if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
+ if (dir == IP_CT_DIR_REPLY &&
+ !(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) {
sender->td_scale = 0;
receiver->td_scale = 0;
--
2.40.1
