Re: Byte order for conntrack fields over netlink

Hi Florian,

Find below the patch:

From: Vimal Agrawal <vimal.agrawal@xxxxxxxxxx>

All conntrack fields are sent to userspace in network byte order and
hence conntrack tool is expecting id also to be in network byte order

Tested by adding pr_info in ctnetlink_dump_id()
Without fix:
root@(none):/# conntrack -L -o id
ctnetlink_dump_id: ct_id=3208799198
tcp      6 177 NONE src=1.1.1.1 dst=2.2.2.2 sport=111 dport=222 [UNREPLIED]
src=2.2.2.2 dst=1.1.1.1 sport=222 dport=111 mark=0 use=1 id=3731047103
note that ids are not matching in kernel and userspace

with fix:
root@(none):/# conntrack -L -o id
ctnetlink_dump_id: ct_id=4236436704
tcp      6 184 NONE src=1.1.1.1 dst=2.2.2.2 sport=111 dport=222 [UNREPLIED]
src=2.2.2.2 dst=1.1.1.1 sport=222 dport=111 mark=0 use=1 id=4236436704
ids are matching now in kernel and userspace

Fixes: 3c79107631db ("netfilter: ctnetlink: don't use conntrack/expect
object addresses as id")
Signed-off-by: Vimal Agrawal <vimal.agrawal@xxxxxxxxxx>
---
 net/netfilter/nf_conntrack_netlink.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c
b/net/netfilter/nf_conntrack_netlink.c
index 334db22199c1..bb963f13c2c0 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -513,7 +513,7 @@ static int ctnetlink_dump_ct_synproxy(struct
sk_buff *skb, struct nf_conn *ct)

 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
 {
-       __be32 id = (__force __be32)nf_ct_get_id(ct);
+       __be32 id = htonl(nf_ct_get_id(ct));

         if (nla_put_be32(skb, CTA_ID, id))
                 goto nla_put_failure;
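Review bot: The `__be32 id = htonl(nf_ct_get_id(ct));` line in ctnetlink_dump_id() changes the bytes placed in CTA_ID on little-endian hosts, so the number userspace displays for an entry changes; the commit message should say explicitly that this is a userspace-visible change in representation instead of leaving it to the before/after output. Separately, the context lines in this hunk, as they appear here, are indented with spaces (`         if (nla_put_be32(skb, CTA_ID, id))`), which suggests the mailer converted tabs; please resend with git send-email so the patch applies cleanly.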
@@ -1625,9 +1625,9 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
         ct = nf_ct_tuplehash_to_ctrack(h);

         if (cda[CTA_ID]) {
-               __be32 id = nla_get_be32(cda[CTA_ID]);
+               u32 id = ntohl(nla_get_be32(cda[CTA_ID]));

-               if (id != (__force __be32)nf_ct_get_id(ct)) {
+               if (id != nf_ct_get_id(ct)) {
                         nf_ct_put(ct);
                         return -ENOENT;
                 }
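Review bot: In the `if (cda[CTA_ID])` block the check stays a plain equality test, now on host-order u32 values, so it only keeps matching if every writer of CTA_ID converts the same way as the dump hunk; please confirm that no `(__force __be32)nf_ct_get_id(ct)` user remains in the file outside these two hunks. The Fixes: subject also mentions expect ids while the diff touches only CTA_ID, so the commit message should say whether the expectation id is left unconverted on purpose.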
-- 
2.17.1

Vimal

On Mon, Feb 24, 2025 at 7:26 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Vimal Agrawal <avimalin@xxxxxxxxx> wrote:
> > if (nla_put_be32(skb, CTA_ID, id))
> > ...
> > }
> >
> > I don't see ntohl being done for this field.
>
> I already told you: it's a random value and thus doesn't
> have a 'byte order' in the first place.
>
> You can make a patch to do the conversion, but it doesn't
> change anything.
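
Added example (not part of the original message and not kernel code): a userspace C model of the CTA_ID round trip on a little-endian host, showing why the "Without fix" output displays 3731047103 for kernel id 3208799198, and that an id taken from a dump still matches on delete both before and after the patch. The helper names, and the assumption that the conntrack tool reads and echoes the attribute as big-endian, are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a little-endian kernel: (__force __be32)id keeps host bytes as-is. */
static void put_cast_le(uint8_t w[4], uint32_t id)
{
	w[0] = (uint8_t)id; w[1] = (uint8_t)(id >> 8);
	w[2] = (uint8_t)(id >> 16); w[3] = (uint8_t)(id >> 24);
}

/* htonl(id): most significant byte first, on any host. */
static void put_be32(uint8_t w[4], uint32_t id)
{
	w[0] = (uint8_t)(id >> 24); w[1] = (uint8_t)(id >> 16);
	w[2] = (uint8_t)(id >> 8); w[3] = (uint8_t)id;
}

/* Reader that treats the payload as network byte order (ntohl). */
static uint32_t get_be32(const uint8_t w[4])
{
	return (uint32_t)w[0] << 24 | (uint32_t)w[1] << 16 |
	       (uint32_t)w[2] << 8 | (uint32_t)w[3];
}

/* Value userspace displays for a kernel id; fixed = 1 models the patch. */
uint32_t shown_id(uint32_t kernel_id, int fixed)
{
	uint8_t wire[4];
	(fixed ? put_be32 : put_cast_le)(wire, kernel_id);
	return get_be32(wire);
}

/* Delete path: userspace echoes the displayed id, the kernel compares it. */
int delete_matches(uint32_t kernel_id, int fixed)
{
	uint8_t echo[4], mine[4];
	put_be32(echo, shown_id(kernel_id, fixed));  /* userspace htonl() */
	if (fixed)
		return get_be32(echo) == kernel_id;  /* ntohl(), then compare */
	put_cast_le(mine, kernel_id);                /* raw __be32 compare */
	return memcmp(echo, mine, sizeof(mine)) == 0;
}

int main(void)
{
	/* Constructed inputs: the two kernel ids quoted in the commit message. */
	printf("%u %u\n", shown_id(3208799198u, 0), shown_id(4236436704u, 1));
	return !(delete_matches(3208799198u, 0) && delete_matches(4236436704u, 1));
}
```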
