releases/5.4.160/netfilter-conntrack-set-on-ips_assured-if-flows-ente.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From daaffffed403e601acf4842000604ab1178f80cd Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Mon, 25 Oct 2021 11:26:49 +0200
 Subject: netfilter: conntrack: set on IPS_ASSURED if flows enters internal
  stream state
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 From: Pablo Neira Ayuso <pablo@netfilter.org>

 [ Upstream commit b7b1d02fc43925a4d569ec221715db2dfa1ce4f5 ]

 The internal stream state sets the timeout to 120 seconds 2 seconds
 after the creation of the flow, attach this internal stream state to the
 IPS_ASSURED flag for consistent event reporting.

 Before this patch:

       [NEW] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
    [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
    [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
   [DESTROY] udp      17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]

 Note IPS_ASSURED for the flow not yet in the internal stream state.

 after this update:

       [NEW] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
    [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
    [UPDATE] udp      17 120 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
   [DESTROY] udp      17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]

 Before this patch, short-lived UDP flows never entered IPS_ASSURED, so
 they were already candidate flow to be deleted by early_drop under
 stress.

 Before this patch, IPS_ASSURED is set on regardless the internal stream
 state, attach this internal stream state to IPS_ASSURED.

 packet #1 (original direction) enters NEW state
 packet #2 (reply direction) enters ESTABLISHED state, sets on IPS_SEEN_REPLY
 paclet #3 (any direction) sets on IPS_ASSURED (if 2 seconds since the
           creation has passed by).

 Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  net/netfilter/nf_conntrack_proto_udp.c | 7 +++++--
  1 file changed, 5 insertions(+), 2 deletions(-)

 diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
 index 7365b43f8f980..e3a2d018f4ec5 100644
 --- a/net/netfilter/nf_conntrack_proto_udp.c
 +++ b/net/netfilter/nf_conntrack_proto_udp.c
 @@ -105,15 +105,18 @@ int nf_conntrack_udp_packet(struct nf_conn *ct,
  	 */
  	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
  		unsigned long extra = timeouts[UDP_CT_UNREPLIED];
 +		bool stream = false;

  		/* Still active after two seconds? Extend timeout. */
 -		if (time_after(jiffies, ct->proto.udp.stream_ts))
 +		if (time_after(jiffies, ct->proto.udp.stream_ts)) {
  			extra = timeouts[UDP_CT_REPLIED];
 +			stream = true;
 +		}

  		nf_ct_refresh_acct(ct, ctinfo, skb, extra);

  		/* Also, more likely to be important, and not a probe */
 -		if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
 +		if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
  			nf_conntrack_event_cache(IPCT_ASSURED, ct);
  	} else {
  		nf_ct_refresh_acct(ct, ctinfo, skb,
 --
 2.33.0
	From daaffffed403e601acf4842000604ab1178f80cd Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Mon, 25 Oct 2021 11:26:49 +0200
	Subject: netfilter: conntrack: set on IPS_ASSURED if flows enters internal
	stream state
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	From: Pablo Neira Ayuso <pablo@netfilter.org>

	[ Upstream commit b7b1d02fc43925a4d569ec221715db2dfa1ce4f5 ]

	The internal stream state sets the timeout to 120 seconds 2 seconds
	after the creation of the flow, attach this internal stream state to the
	IPS_ASSURED flag for consistent event reporting.

	Before this patch:

	[NEW] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
	[UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
	[UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
	[DESTROY] udp 17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]

	Note IPS_ASSURED for the flow not yet in the internal stream state.

	after this update:

	[NEW] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
	[UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
	[UPDATE] udp 17 120 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
	[DESTROY] udp 17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]

	Before this patch, short-lived UDP flows never entered IPS_ASSURED, so
	they were already candidate flow to be deleted by early_drop under
	stress.

	Before this patch, IPS_ASSURED is set on regardless the internal stream
	state, attach this internal stream state to IPS_ASSURED.

	packet #1 (original direction) enters NEW state
	packet #2 (reply direction) enters ESTABLISHED state, sets on IPS_SEEN_REPLY
	paclet #3 (any direction) sets on IPS_ASSURED (if 2 seconds since the
	creation has passed by).

	Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	net/netfilter/nf_conntrack_proto_udp.c \| 7 +++++--
	1 file changed, 5 insertions(+), 2 deletions(-)

	diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
	index 7365b43f8f980..e3a2d018f4ec5 100644
	--- a/net/netfilter/nf_conntrack_proto_udp.c
	+++ b/net/netfilter/nf_conntrack_proto_udp.c
	@@ -105,15 +105,18 @@ int nf_conntrack_udp_packet(struct nf_conn *ct,
	*/
	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
	unsigned long extra = timeouts[UDP_CT_UNREPLIED];
	+ bool stream = false;

	/* Still active after two seconds? Extend timeout. */
	- if (time_after(jiffies, ct->proto.udp.stream_ts))
	+ if (time_after(jiffies, ct->proto.udp.stream_ts)) {
	extra = timeouts[UDP_CT_REPLIED];
	+ stream = true;
	+ }

	nf_ct_refresh_acct(ct, ctinfo, skb, extra);

	/* Also, more likely to be important, and not a probe */
	- if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
	+ if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
	nf_conntrack_event_cache(IPCT_ASSURED, ct);
	} else {
	nf_ct_refresh_acct(ct, ctinfo, skb,
	--
	2.33.0