On Thu, 12 Sept 2024 at 20:58, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> 368982cd7d1b ("netfilter: nfnetlink_queue: resolve clash for unconfirmed
> conntracks") adjusts NAT again in case that packet loses the race to confirm
> the conntrack entry.
>
> The reinject path triggers a route lookup again for the output hook, but
> not for the postrouting hook where queue to userspace is also possible.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> I tried but I am not managing to make a selftest that runs reliably.
> I can reproduce it manually and validate that this works.
>
> ./nft_queue -d 1000 helps by introducing a delay of 1000ms in the
> userspace queue processing which helps trigger the race more easily,
> socat needs to send several packets in the same UDP flow.
>
> @Antonio: Could you try this patch meanwhile there is a testcase for
> this.

Let me test it and report back

> net/netfilter/nfnetlink_queue.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index e0716da256bf..aeb354271e85 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -276,7 +276,8 @@ static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry
> #ifdef CONFIG_INET
> const struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
>
> - if (entry->state.hook == NF_INET_LOCAL_OUT) {
> + if (entry->state.hook == NF_INET_LOCAL_OUT ||
> + entry->state.hook == NF_INET_POST_ROUTING) {
> const struct iphdr *iph = ip_hdr(skb);
>
> if (!(iph->tos == rt_info->tos &&
> --
> 2.30.2
>
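Review bot: The widened hook test in nf_ip_reroute only changes the reinject side; the comparison against rt_info->tos (and the fields that follow it) is only meaningful if the rt_info obtained via nf_queue_entry_reroute(entry) was actually filled in at queue time for an NF_INET_POST_ROUTING packet, so the queue-time save path needs the same NF_INET_POST_ROUTING check or the reroute decision is made against stale or zeroed data. The hunk also sits under CONFIG_INET and touches only the IPv4 reroute; the IPv6 reroute path should receive the matching change, otherwise the same lost-clash NAT adjustment stays unrouted for v6 traffic queued at postrouting.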