368982cd7d1b ("netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks") adjusts NAT again in case that packet loses race to confirm the conntrack entry. The reinject path triggers a route lookup again for the output hook, but not for the postrouting hook where queue to userspace is also possible. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- I tried but I am not managing to make a selftest that runs reliable. I can reproduce it manually and validate that this works. ./nft_queue -d 1000 helps by introducing a delay of 1000ms in the userspace queue processing which helps trigger the race more easily, socat needs to send several packets in the same UDP flow. @Antonio: Could you try this patch meanwhile there is a testcase for this. net/netfilter/nfnetlink_queue.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index e0716da256bf..aeb354271e85 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -276,7 +276,8 @@ static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry #ifdef CONFIG_INET const struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry); - if (entry->state.hook == NF_INET_LOCAL_OUT) { + if (entry->state.hook == NF_INET_LOCAL_OUT || + entry->state.hook == NF_INET_POST_ROUTING) { const struct iphdr *iph = ip_hdr(skb); if (!(iph->tos == rt_info->tos && -- 2.30.2
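Review bot: the widened condition in nf_ip_reroute() now re-runs the route lookup for NF_INET_POST_ROUTING as well as NF_INET_LOCAL_OUT, but this helper sits under `#ifdef CONFIG_INET` and its name marks it as the IPv4 path only; the diffstat touches just this one function, so please confirm whether the IPv6 reroute counterpart is exposed to the same lost clash-resolution race and needs the matching hook check, or state in the commit message why it does not. A short comment above the `if` explaining that POST_ROUTING is included because NAT can be re-applied on reinject after the conntrack confirm race (the reasoning in the description) would help, since until now the function documented itself as LOCAL_OUT only. Also, the description attributes the behaviour to 368982cd7d1b ("netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks"), yet the Fixes: tag points at 1da177e4c3f4 ("Linux-2.6.12-rc2"); consider whether the tag should reference the clash-resolution commit so stable backports target the right kernels.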