PROBLEM: nf_conntrack tcp SYN reuse results in incorrect window scaling There is a bug in netfilter conntrack tcp behavior. Commit c7aab4f17021 ("netfilter: nf_conntrack_tcp: re-init for syn packets only") changed behavior that broke connection establishment when there is a new connection attempt on a connection currently in SYN_SENT state. The result is future packets are incorrectly considered out of window and can be dropped. This can be reproduced by enabling firewall rules for tcp and attempting to connect to a server that does not respond to SYNs. Keywords: conntrack, nf_conntrack_tcp_proto Kernel Version: 6.172 Kernel Version without bug: 5.15 Machine 1: // force connection tracking of port 9000 # sudo sysctl net.netfilter.nf_log.2=nf_log_ipv4 # sudo sysctl -w net.netfilter.nf_conntrack_log_invalid=6 # sudo iptables -A OUTPUT -p tcp --dport 9000 -j ACCEPT # sudo iptables -A INPUT -p tcp -m tcp --sport 9000 -m state --state ESTABLISHED -j ACCEPT # sudo iptables -P INPUT DROP; iptables -P OUTPUT DROP; Machine 2: // disable port 9000 on server # sudo iptables -P INPUT DROP; # socat socat OPEN:/dev/zero TCP4-LISTEN:9000,reuseaddr,fork Machine 1: // perform first connection attempt. ctrl+c after some seconds # socat OPEN:/dev/zero TCP4:10.0.85.65:9000,sourceport=55560 Machine 2: // allow next connection attempt # sudo iptables -A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT Machine 1: reattempt connection # socat OPEN:/dev/zero TCP4:10.0.85.65:9000,sourceport=55560 # dmesg | grep 9000 | grep " ACK " | tail -n1 [16690.645068] nf_ct_proto_6: SEQ is over upper bound 2624537083 (over the window of the receiver) IN=eth0 OUT= MAC=0e:6c:20:4d:61:0a:0e:ff:68:7e:1b:a6:08:00 SRC=10.0.85.65 DST=10.0.83.30 LEN=52 TOS=0x00 PREC=0x00 TTL=255 ID=11781 DF PROTO=TCP SPT=9000 DPT=55560 SEQ=2653233300 ACK=2726773975 WINDOW=24555 RES=0x00 ACK URGP=0 OPT (0101080A47F2131D2ABC62AA) The repeat socat attempt will result in re-using the same 5-tuple with the greater SEQ number and trigger the bug. This was reproduced with additional prints in tcp_init_sender() showing that the state was incorrectly reset during the SYN retransmit. The following patch below addresses the issue. >From 92d9690066be1250d8aac3215930cb222510e17b Mon Sep 17 00:00:00 2001 From: Ryan Schaefer <ryanschf@xxxxxxxxxx> Date: Fri, 19 Jan 2024 19:51:45 +0000 Subject: [PATCH] netfilter: conntrack: correct window scaling with retransmitted SYN commit c7aab4f17021 ("netfilter: nf_conntrack_tcp: re-init for syn packets only") introduces a bug where SYNs in ORIGINAL direction on reused 5- tuple result in incorrect window scale negotiation. This commit merged the SYN re-initialization and simultaneous open or SYN retransmits cases. Merging this block added the logic in tcp_init_sender() that performed window scale negotiation to the retransmitted syn case. Previously. this would only result in updating the sender's scale and flags. After the merge the additional logic results in improperly clearing the scale in ORIGINAL direction before any packets in the REPLY direction are received. This results in packets incorrectly being marked invalid for being out-of-window. This can be reproduced with the following trace: Packet Sequence: > Flags [S], seq 1687765604, win 62727, options [.. wscale 7], length 0 > Flags [S], seq 1944817196, win 62727, options [.. wscale 7], length 0 In order to fix the issue, only evaluate window negotiation for packets in the REPLY direction. This was tested with simultaneous open, fast open, and the above reproduction. Fixes: c7aab4f17021 ("netfilter: nf_conntrack_tcp: re-init for syn packets only") Signed-off-by: Ryan Schaefer <ryanschf@xxxxxxxxxx> --- net/netfilter/nf_conntrack_proto_tcp.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index e573be5afde7..3c2c70ae0b66 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -457,7 +457,8 @@ static void tcp_init_sender(struct ip_ct_tcp_state *sender, const struct sk_buff *skb, unsigned int dataoff, const struct tcphdr *tcph, - u32 end, u32 win) + u32 end, u32 win, + enum ip_conntrack_dir dir) { /* SYN-ACK in reply to a SYN * or SYN from reply direction in simultaneous open. @@ -471,7 +472,8 @@ static void tcp_init_sender(struct ip_ct_tcp_state *sender, * Both sides must send the Window Scale option * to enable window scaling in either direction. */ - if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE && + if (dir == IP_CT_DIR_REPLY && + !(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) { sender->td_scale = 0; receiver->td_scale = 0; -- 2.40.1