mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
995,460 Commits 103 Branches 5,016 Tags 5.4 GiB
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%
Go to file
Florian Westphal 03a3ca37e4 netfilter: nf_nat: undo erroneous tcp edemux lookup 
Under extremely rare conditions TCP early demux will retrieve the wrong
socket.

1. local machine establishes a connection to a remote server, S, on port
   p.

   This gives:
   laddr:lport -> S:p
   ... both in tcp and conntrack.

2. local machine establishes a connection to host H, on port p2.
   2a. TCP stack choses same laddr:lport, so we have
   laddr:lport -> H:p2 from TCP point of view.
   2b). There is a destination NAT rewrite in place, translating
        H:p2 to S:p.  This results in following conntrack entries:

   I)  laddr:lport -> S:p  (origin)  S:p -> laddr:lport (reply)
   II) laddr:lport -> H:p2 (origin)  S:p -> laddr:lport2 (reply)

   NAT engine has rewritten laddr:lport to laddr:lport2 to map
   the reply packet to the correct origin.

   When server sends SYN/ACK to laddr:lport2, the PREROUTING hook
   will undo-the SNAT transformation, rewriting IP header to
   S:p -> laddr:lport

   This causes TCP early demux to associate the skb with the TCP socket
   of the first connection.

   The INPUT hook will then reverse the DNAT transformation, rewriting
   the IP header to H:p2 -> laddr:lport.

Because packet ends up with the wrong socket, the new connection
never completes: originator stays in SYN_SENT and conntrack entry
remains in SYN_RECV until timeout, and responder retransmits SYN/ACK
until it gives up.

To resolve this, orphan the skb after the input rewrite:
Because the source IP address changed, the socket must be incorrect.
We can't move the DNAT undo to prerouting due to backwards
compatibility, doing so will make iptables/nftables rules to no longer
match the way they did.

After orphan, the packet will be handed to the next protocol layer
(tcp, udp, ...) and that will repeat the socket lookup just like as if
early demux was disabled.

Fixes: 41063e9dd1 ("ipv4: Early TCP socket demux.")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1427
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 		2021-02-28 00:25:16 +01:00
Documentation pwm: Changes for v5.12-rc1 2021-02-25 12:23:49 -08:00
LICENSES LICENSES: Add the CC-BY-4.0 license 2020-12-08 10:33:27 -07:00
arch Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 2021-02-26 13:16:31 -08:00
block for-5.12/block-ipi-2021-02-21 2021-02-22 10:53:05 -08:00
certs certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID 2021-01-21 16:16:10 +00:00
crypto Keyrings miscellany 2021-02-23 16:09:23 -08:00
drivers bnxt_en: reliably allocate IRQ table on reset to avoid crash 2021-02-26 15:50:23 -08:00
fs Miscellaneous ext4 cleanups and bug fixes. Pretty boring this 2021-02-25 10:06:55 -08:00
include uapi: nfnetlink_cthelper.h: fix userspace compilation error 2021-02-28 00:24:41 +01:00
init Kbuild updates for v5.12 2021-02-25 10:17:31 -08:00
ipc fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
kernel Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 2021-02-26 13:16:31 -08:00
lib Kbuild updates for v5.12 2021-02-25 10:17:31 -08:00
mm mm/hugetlb: change hugetlb_reserve_pages() to type bool 2021-02-24 13:38:35 -08:00
net netfilter: nf_nat: undo erroneous tcp edemux lookup 2021-02-28 00:25:16 +01:00
samples Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
scripts Kbuild updates for v5.12 2021-02-25 10:17:31 -08:00
security Keyrings miscellany 2021-02-23 16:09:23 -08:00
sound ARM updates for 5.12-rc1: 2021-02-22 14:27:07 -08:00
tools selftests: forwarding: Fix race condition in mirror installation 2021-02-26 15:47:52 -08:00
usr Kbuild updates for v5.12 2021-02-25 10:17:31 -08:00
virt KVM/arm64 fixes for 5.11, take #2 2021-02-12 14:07:39 +00:00
.clang-format cxl for 5.12 2021-02-24 09:38:36 -08:00
.cocciconfig
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl 2019-05-16 10:53:40 -07:00
.gitattributes .gitattributes: use 'dts' diff driver for dts files 2019-12-04 19:44:11 -08:00
.gitignore clang-lto series for v5.12-rc1 2021-02-23 09:28:51 -08:00
.mailmap Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2021-02-21 17:23:56 -08:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS CREDITS: update email address and home address 2021-01-27 21:03:50 +02:00
Kbuild kbuild: rename hostprogs-y/always to hostprogs/always-y 2020-02-04 01:53:07 +09:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS wireless-drivers fixes for v5.12 2021-02-26 13:17:44 -08:00
Makefile Kbuild updates for v5.12 2021-02-25 10:17:31 -08:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.