Centos-kernel-stream-9/include/linux/netfilter
Xin Long af2cb76e5a netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp
JIRA: https://issues.redhat.com/browse/RHEL-14179
Tested: compile only

commit 8e56b063c86569e51eed1c5681ce6361fa97fc7a
Author: Xin Long <lucien.xin@gmail.com>
Date:   Tue Oct 3 13:17:53 2023 -0400

    netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp

    In Scenarios A and B below, as the delayed INIT_ACK always changes the peer
    vtag, an SCTP ct with the incorrect vtag may cause packet loss.

    Scenario A: INIT_ACK is delayed until the peer receives its own INIT_ACK

      192.168.1.2 > 192.168.1.1: [INIT] [init tag: 1328086772]
        192.168.1.1 > 192.168.1.2: [INIT] [init tag: 1414468151]
        192.168.1.2 > 192.168.1.1: [INIT ACK] [init tag: 1328086772]
      192.168.1.1 > 192.168.1.2: [INIT ACK] [init tag: 1650211246] *
      192.168.1.2 > 192.168.1.1: [COOKIE ECHO]
        192.168.1.1 > 192.168.1.2: [COOKIE ECHO]
        192.168.1.2 > 192.168.1.1: [COOKIE ACK]

    Scenario B: INIT_ACK is delayed until the peer completes its own handshake

      192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]
        192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]
        192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]
        192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]
        192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]
      192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] *

    This patch fixes it as below:

    In SCTP_CID_INIT processing:
    - clear ct->proto.sctp.init[!dir] if ct->proto.sctp.init[dir] &&
      ct->proto.sctp.init[!dir]. (Scenario E)
    - set ct->proto.sctp.init[dir].

    In SCTP_CID_INIT_ACK processing:
    - drop it if !ct->proto.sctp.init[!dir] && ct->proto.sctp.vtag[!dir] &&
      ct->proto.sctp.vtag[!dir] != ih->init_tag. (Scenario B, Scenario C)
    - drop it if ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir] &&
      ct->proto.sctp.vtag[!dir] != ih->init_tag. (Scenario A)

    In SCTP_CID_COOKIE_ACK processing:
    - clear ct->proto.sctp.init[dir] and ct->proto.sctp.init[!dir].
      (Scenario D)

    Also, it's important to allow the ct state to move forward with cookie_echo
    and cookie_ack from the opposite dir for the collision scenarios.

    There are also other Scenarios where it should allow the packet through,
    addressed by the processing above:

    Scenario C: new CT is created by INIT_ACK.

    Scenario D: start INIT on the existing ESTABLISHED ct.

    Scenario E: start INIT after the old collision on the existing ESTABLISHED
    ct.

      192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]
      192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]
      (both sides are stopped, then start a new connection again hours later)
      192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 242308742]

    Fixes: 9fb9cbb108 ("[NETFILTER]: Add nf_conntrack subsystem.")
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Xin Long <lxin@redhat.com>
2023-10-18 16:24:28 -04:00
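The INIT, INIT_ACK and COOKIE_ACK rules described in the commit message, replayed over the page's own packet traces in a small userspace model. This is an added illustration, not the kernel's nf_conntrack_proto_sctp code: `struct sctp_ct`, `sctp_ct_track` and `replay` are the example's names, and the model assumes, as the comparison against `ih->init_tag` implies, that an INIT or INIT_ACK records its init tag in `vtag[!dir]`. The init tags in scenarios A, B and E are the ones in the traces above; the tags in scenarios C and D, and the INIT_ACK that closes scenario E, are constructed. Each bit of the returned mask marks a chunk the tracker drops, so the delayed INIT_ACKs marked `*` in the traces are the only drops while scenarios C, D and E pass untouched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Chunk ids, numbered as in RFC 4960. */
enum sctp_chunk { SCTP_INIT = 1, SCTP_INIT_ACK = 2, SCTP_COOKIE_ECHO = 10, SCTP_COOKIE_ACK = 11 };

/* The slice of per-connection state the commit message reasons about.
 * Index 0 is the original direction, 1 the reply direction. */
struct sctp_ct {
	bool init[2];      /* side sent an INIT not yet closed by a COOKIE_ACK */
	uint32_t vtag[2];  /* verification tag packets in that direction must carry */
};

struct chunk {
	int dir;           /* 0 = original, 1 = reply */
	enum sctp_chunk type;
	uint32_t init_tag; /* only meaningful for INIT / INIT_ACK */
};

#define NCHUNKS(a) (sizeof(a) / sizeof((a)[0]))

/* Applies one chunk to the tracker; returns false when it would be dropped. */
static bool sctp_ct_track(struct sctp_ct *ct, const struct chunk *c)
{
	int dir = c->dir, rdir = !c->dir;

	switch (c->type) {
	case SCTP_INIT:
		/* Scenario E: an INIT while both old INITs are still pending
		 * starts over, so the peer's stale INIT is forgotten. */
		if (ct->init[dir] && ct->init[rdir])
			ct->init[rdir] = false;
		ct->init[dir] = true;
		ct->vtag[rdir] = c->init_tag;   /* assumed bookkeeping (see lead-in) */
		return true;
	case SCTP_INIT_ACK:
		/* Scenarios B and C: no INIT pending from the sender, and a tag
		 * already on record disagrees with this INIT_ACK. */
		if (!ct->init[rdir] && ct->vtag[rdir] && ct->vtag[rdir] != c->init_tag)
			return false;
		/* Scenario A: both INITs seen; a late INIT_ACK with a new tag
		 * would replace the tag the peer has already committed to. */
		if (ct->init[dir] && ct->init[rdir] && ct->vtag[rdir] != c->init_tag)
			return false;
		ct->vtag[rdir] = c->init_tag;
		return true;
	case SCTP_COOKIE_ACK:
		/* Scenario D: association is up, INIT bookkeeping is over. */
		ct->init[dir] = false;
		ct->init[rdir] = false;
		return true;
	default:
		return true;
	}
}

/* Replays a sequence on a fresh ct; bit i of the result is set when chunk i
 * was dropped. */
static unsigned long replay(const struct chunk *seq, size_t n)
{
	struct sctp_ct ct;
	unsigned long dropped = 0;

	memset(&ct, 0, sizeof(ct));
	for (size_t i = 0; i < n; i++)
		if (!sctp_ct_track(&ct, &seq[i]))
			dropped |= 1UL << i;
	return dropped;
}

/* Scenario A from the commit message; dir 0 is 192.168.1.2. */
static const struct chunk scenario_a[] = {
	{ 0, SCTP_INIT,        1328086772u },
	{ 1, SCTP_INIT,        1414468151u },
	{ 0, SCTP_INIT_ACK,    1328086772u },
	{ 1, SCTP_INIT_ACK,    1650211246u },  /* delayed, new tag: dropped */
	{ 0, SCTP_COOKIE_ECHO, 0 },
	{ 1, SCTP_COOKIE_ECHO, 0 },
	{ 0, SCTP_COOKIE_ACK,  0 },
};

/* Scenario B: the delayed INIT_ACK arrives after the handshake completed. */
static const struct chunk scenario_b[] = {
	{ 0, SCTP_INIT,        3922216408u },
	{ 1, SCTP_INIT,        144230885u },
	{ 0, SCTP_INIT_ACK,    3922216408u },
	{ 1, SCTP_COOKIE_ECHO, 0 },
	{ 0, SCTP_COOKIE_ACK,  0 },
	{ 1, SCTP_INIT_ACK,    3914796021u },  /* delayed, new tag: dropped */
};

/* Scenario C: the ct is created by an INIT_ACK (constructed tag). */
static const struct chunk scenario_c[] = { { 1, SCTP_INIT_ACK, 0xc0c00001u } };

/* Scenario D: a restart on an ESTABLISHED ct (constructed tags). */
static const struct chunk scenario_d[] = {
	{ 0, SCTP_INIT,        0xd0d00001u },
	{ 1, SCTP_INIT_ACK,    0xd0d00002u },
	{ 0, SCTP_COOKIE_ECHO, 0 },
	{ 1, SCTP_COOKIE_ACK,  0 },
	{ 0, SCTP_INIT,        0xd0d00003u },  /* new INIT on the established ct */
	{ 1, SCTP_INIT_ACK,    0xd0d00004u },
};

/* Scenario E, plus a constructed INIT_ACK answering the fresh INIT; it must pass. */
static const struct chunk scenario_e[] = {
	{ 0, SCTP_INIT,     3922216408u },
	{ 1, SCTP_INIT,     144230885u },
	{ 0, SCTP_INIT,     242308742u },      /* hours later, fresh attempt */
	{ 1, SCTP_INIT_ACK, 0x5e5e0001u },
};

int main(void)
{
	printf("A drop mask 0x%lx (bit 3), B 0x%lx (bit 5)\n",
	       replay(scenario_a, NCHUNKS(scenario_a)), replay(scenario_b, NCHUNKS(scenario_b)));
	printf("C 0x%lx, D 0x%lx, E 0x%lx (all 0)\n", replay(scenario_c, NCHUNKS(scenario_c)),
	       replay(scenario_d, NCHUNKS(scenario_d)), replay(scenario_e, NCHUNKS(scenario_e)));
	return 0;
}
```

Dropping the Scenario E rule from `SCTP_INIT` makes the closing INIT_ACK of scenario E fail the Scenario A check, because `init[0] && init[1]` is still true and `vtag[0]` still holds the peer's hours-old tag; that is the case the clearing exists for.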
ipset
nf_conntrack_amanda.h
nf_conntrack_common.h
nf_conntrack_dccp.h
nf_conntrack_ftp.h
nf_conntrack_h323.h
nf_conntrack_h323_asn1.h
nf_conntrack_h323_types.h
nf_conntrack_irc.h
nf_conntrack_pptp.h
nf_conntrack_proto_gre.h
nf_conntrack_sane.h
nf_conntrack_sctp.h netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp 2023-10-18 16:24:28 -04:00
nf_conntrack_sip.h
nf_conntrack_snmp.h
nf_conntrack_tcp.h
nf_conntrack_tftp.h
nf_conntrack_zones_common.h
nfnetlink.h
nfnetlink_acct.h
nfnetlink_osf.h
x_tables.h