Shaun Brady <brady.1345@xxxxxxxxx> wrote:
> On Wed, May 28, 2025 at 05:03:56PM +0800, Yafang Shao wrote:
> > diff --git a/net/netfilter/nf_conntrack_core.c
> > b/net/netfilter/nf_conntrack_core.c
> > index 7bee5bd22be2..3481e9d333b0 100644
> > --- a/net/netfilter/nf_conntrack_core.c
> > +++ b/net/netfilter/nf_conntrack_core.c
> > @@ -1245,9 +1245,9 @@ __nf_conntrack_confirm(struct sk_buff *skb)
> >
> > chainlen = 0;
> > hlist_nulls_for_each_entry(h, n,
> > &nf_conntrack_hash[reply_hash], hnnode) {
> > - if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
> > - zone, net))
> > - goto out;
> > + //if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
> > + // zone, net))
> > + // goto out;
> > if (chainlen++ > max_chainlen) {
> > chaintoolong:
> > NF_CT_STAT_INC(net, chaintoolong);
>
> Forgive me for jumping in with very little information, but on a hunch I
> tried something. I applied the above patch to another bug I've been
> investigating:
>
> https://bugzilla.netfilter.org/show_bug.cgi?id=1795
> and Ubuntu reference
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2109889
>
> The Ubuntu reproduction steps where easier to follow, so I mimicked
> them:
>
> # cat add_ip.sh
> ip addr add 10.0.1.200/24 dev enp1s0
> # cat nft.sh
> nft -f - <<EOF
> table ip dnat-test {
> chain prerouting {
> type nat hook prerouting priority dstnat; policy accept;
> ip daddr 10.0.1.200 udp dport 1234 counter dnat to 10.0.1.180:1234
> }
> }
> EOF
> # cat listen.sh
> echo pong|nc -l -u 10.0.1.180 1234
> # ./add_ip.sh ; ./nft.sh ; listen.sh (and then just ./listen.sh again)
We don't have a selftest for this, I'll add one.
Following patch should help, we fail to check for reverse collision
before concluding we don't need PAT to handle this.
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -248,7 +248,7 @@ static noinline bool
nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple,
const struct nf_conn *ignored_ct)
{
- static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST_BIT;
+ static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST;
const struct nf_conntrack_tuple_hash *thash;
const struct nf_conntrack_zone *zone;
struct nf_conn *ct;
@@ -287,8 +287,14 @@ nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple,
zone = nf_ct_zone(ignored_ct);
thash = nf_conntrack_find_get(net, zone, tuple);
- if (unlikely(!thash)) /* clashing entry went away */
- return false;
+ if (unlikely(!thash)) {
+ struct nf_conntrack_tuple reply;
+
+ nf_ct_invert_tuple(&reply, tuple);
+ thash = nf_conntrack_find_get(net, zone, &reply);
+ if (!thash) /* clashing entry went away */
+ return false;
+ }
ct = nf_ct_tuplehash_to_ctrack(thash);
