Patch "netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-conntrack-do-not-renew-entry-stuck-in-tcp-.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b2967d800d635215dafd3784f46007161ed644e0
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Thu Jun 24 12:36:42 2021 +0200

    netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
    
    [ Upstream commit e15d4cdf27cb0c1e977270270b2cea12e0955edd ]
    
    Consider:
      client -----> conntrack ---> Host
    
    client sends a SYN, but $Host is unreachable/silent.
    Client eventually gives up and the conntrack entry will time out.
    
    However, if the client is restarted with same addr/port pair, it
    may prevent the conntrack entry from timing out.
    
    This is noticeable when the existing conntrack entry has no NAT
    transformation or an outdated one and port reuse happens either
    on client or due to a NAT middlebox.
    
    This change prevents refresh of the timeout for SYN retransmits,
    so the entry goes away after nf_conntrack_tcp_timeout_syn_sent
    seconds (default: 60).
    
    The entry will be re-created on the next connection attempt, but then
    nat rules will be evaluated again.
    
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
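The mechanism the commit message describes, as an added example that is not kernel code and not part of this patch: a minimal C model of how a conntrack entry in SYN_SENT is treated on each new SYN, before and after the change. The struct, function names and the client's retransmit schedule are constructed for the model; only the 60 second default comes from the commit message.

```c
/* Added example, not kernel code: a minimal model of how conntrack handles a
 * TCP SYN for an entry in SYN_SENT, before and after the patch. Time is in
 * seconds; struct and function names are constructed for the model. */
#include <stdbool.h>
#include <stdio.h>

#define SYN_SENT_TIMEOUT 60 /* nf_conntrack_tcp_timeout_syn_sent default */

struct ct_entry {
	bool valid;   /* entry exists in the table */
	int expires;  /* absolute time at which the entry is garbage-collected */
};

/* An original-direction SYN for the same addr/port tuple arrives at 'now'.
 * Returns true if a new entry had to be created (NAT rules re-evaluated). */
static bool ct_syn_original(struct ct_entry *ct, int now, bool patched)
{
	if (!ct->valid || now >= ct->expires) {
		ct->valid = true;
		ct->expires = now + SYN_SENT_TIMEOUT;
		return true;
	}
	/* Entry still in SYN_SENT: the host never answered, so this is a
	 * retransmit (or a restarted client reusing the same port). */
	if (patched)
		return false;                     /* do not renew timeout on SYN retransmit */
	ct->expires = now + SYN_SENT_TIMEOUT; /* pre-patch: refreshed on every SYN */
	return false;
}

/* A silent host; the client keeps sending SYNs every 'interval' seconds for
 * 'duration' seconds. Returns how many times the entry was (re)created. */
int count_recreations(int interval, int duration, bool patched)
{
	struct ct_entry ct = { .valid = false, .expires = 0 };
	int created = 0;

	for (int now = 0; now < duration; now += interval)
		if (ct_syn_original(&ct, now, patched))
			created++;
	return created;
}

int main(void)
{
	/* Pre-patch the entry is created once and then lives as long as SYNs
	 * keep arriving; post-patch it expires every SYN_SENT_TIMEOUT seconds. */
	printf("unpatched: %d creation(s)\n", count_recreations(3, 600, false));
	printf("patched:   %d creation(s)\n", count_recreations(3, 600, true));
	return 0;
}
```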

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index b8cc3339a249..aed967e2f30f 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1158,6 +1158,16 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 			nf_ct_kill_acct(ct, ctinfo, skb);
 			return NF_ACCEPT;
 		}
+
+		if (index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT) {
+			/* do not renew timeout on SYN retransmit.
+			 *
+			 * Else port reuse by client or NAT middlebox can keep
+			 * entry alive indefinitely (including nat info).
+			 */
+			return NF_ACCEPT;
+		}
+
 		/* ESTABLISHED without SEEN_REPLY, i.e. mid-connection
 		 * pickup with loose=1. Avoid large ESTABLISHED timeout.
 		 */
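Review bot: the new condition `index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT` does not check the packet direction, while the comment above it describes a SYN retransmit; a SYN arriving from the reply direction while the entry is still in SYN_SENT (a simultaneous open) would also take this early return and skip whatever timeout handling follows it. If only the original direction is meant, add `dir == IP_CT_DIR_ORIGINAL` to the condition; if both directions are intended, say so in the comment. It would also help to state in the comment that the entry now expires after nf_conntrack_tcp_timeout_syn_sent seconds, since that is the behaviour the commit message relies on.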
