From patchwork Fri Sep 20 18:33:05 2019
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 2412
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] kernel: Backport patch to fix a netfilter conntrack related issue.
Date: Fri, 20 Sep 2019 20:33:05 +0200
Message-Id: <20190920183305.2752-1-stefan.schantl@ipfire.org>

This fixes the packet drop issue when using Suricata on IPFire.

Signed-off-by: Stefan Schantl
---
 lfs/linux | 3 +
 ....0-netfilter-conntrack-resolve-clash.patch | 75 +++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch

diff --git a/lfs/linux b/lfs/linux index a9e30714f..a0b28652d 100644 --- a/lfs/linux +++ b/lfs/linux @@ -146,6 +146,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Fix uevent PHYSDEVDRIVER cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-2.6.32.27_mcs7830-fix-driver-name.patch + # Fix for netfilter nf_conntrack: resolve clash for matching conntracks + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch + ifeq "$(KCFG)" "-kirkwood" cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.40-kirkwood-dtb.patch endif 
diff --git a/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch b/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch new file mode 100644 index 000000000..914cd0675 --- /dev/null +++ b/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch @@ -0,0 +1,75 @@ +commit ed07d9a021df6da53456663a76999189badc432a +Author: Martynas Pumputis +Date: Mon Jul 2 16:52:14 2018 +0200 + + netfilter: nf_conntrack: resolve clash for matching conntracks + + This patch enables the clash resolution for NAT (disabled in + "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal) + and a protocol allows it. + + The clash might happen for a connections-less protocol (e.g. UDP) when + two threads in parallel writes to the same socket and consequent calls + to "get_unique_tuple" return the same tuples (incl. reply tuples). + + In this case it is safe to perform the resolution, as the losing CT + describes the same mangling as the winning CT, so no modifications to + the packet are needed, and the result of rules traversal for the loser's + packet stays valid. + + Signed-off-by: Martynas Pumputis + 
Signed-off-by: Pablo Neira Ayuso + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 5123e91b1982..4ced7c7102b6 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -632,6 +632,18 @@ nf_ct_key_equal(struct nf_conntrack_tuple_hash *h, + net_eq(net, nf_ct_net(ct)); + } + ++static inline bool ++nf_ct_match(const struct nf_conn *ct1, const struct nf_conn *ct2) ++{ ++ return nf_ct_tuple_equal(&ct1->tuplehash[IP_CT_DIR_ORIGINAL].tuple, ++ &ct2->tuplehash[IP_CT_DIR_ORIGINAL].tuple) && ++ nf_ct_tuple_equal(&ct1->tuplehash[IP_CT_DIR_REPLY].tuple, ++ &ct2->tuplehash[IP_CT_DIR_REPLY].tuple) && ++ nf_ct_zone_equal(ct1, nf_ct_zone(ct2), IP_CT_DIR_ORIGINAL) && ++ nf_ct_zone_equal(ct1, nf_ct_zone(ct2), IP_CT_DIR_REPLY) && ++ net_eq(nf_ct_net(ct1), nf_ct_net(ct2)); ++} ++ + /* caller must hold rcu readlock and none of the nf_conntrack_locks */ + static void nf_ct_gc_expired(struct nf_conn *ct) + { +@@ -825,19 +837,21 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, + /* This is the conntrack entry already in hashes that won race. 
*/ + struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); + const struct nf_conntrack_l4proto *l4proto; ++ enum ip_conntrack_info oldinfo; ++ struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo); + + l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); + if (l4proto->allow_clash && +- ((ct->status & IPS_NAT_DONE_MASK) == 0) && + !nf_ct_is_dying(ct) && + atomic_inc_not_zero(&ct->ct_general.use)) { +- enum ip_conntrack_info oldinfo; +- struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo); +- +- nf_ct_acct_merge(ct, ctinfo, loser_ct); +- nf_conntrack_put(&loser_ct->ct_general); +- nf_ct_set(skb, ct, oldinfo); +- return NF_ACCEPT; ++ if (((ct->status & IPS_NAT_DONE_MASK) == 0) || ++ nf_ct_match(ct, loser_ct)) { ++ nf_ct_acct_merge(ct, ctinfo, loser_ct); ++ nf_conntrack_put(&loser_ct->ct_general); ++ nf_ct_set(skb, ct, oldinfo); ++ return NF_ACCEPT; ++ } ++ nf_ct_put(ct); + } + NF_CT_STAT_INC(net, drop); + return NF_DROP;
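Review bot: on the lfs/linux hunk, the new file is named `linux-5.0-netfilter-conntrack-resolve-clash.patch` while the neighbouring patches in the same block are named after the kernel they were prepared for (`linux-4.14.40-kirkwood-dtb.patch`), and the embedded upstream commit `ed07d9a021df6da53456663a76999189badc432a` is dated July 2018, which predates the 5.0 series. Naming the file after the kernel tree this backport is actually applied to, or after the upstream commit id, tells whoever does the next kernel bump where it came from and whether it can be dropped. The one-line commit message should also say which drop this is: a sentence that the Suricata (NFQUEUE) path hits the `NF_DROP` in `nf_ct_resolve_clash` for NAT-ed UDP flows whose clashing conntracks carry identical tuples, plus the upstream commit id, would let a later reader verify the fix without opening the patch file.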
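Review bot: in the `nf_ct_resolve_clash` part of the new patch file, the reference pairing is the thing to keep an eye on when the context is adapted to the IPFire kernel: `atomic_inc_not_zero(&ct->ct_general.use)` takes a reference on the winning conntrack inside the `if` condition, and after this change that reference is either handed to the skb via `nf_ct_set(skb, ct, oldinfo)` on the accept path or released by the new `nf_ct_put(ct)` on the non-matching path. If a rebase of this hunk ever drops that `nf_ct_put(ct)`, every packet that still reaches `NF_DROP` leaks a reference on the winning entry. Also, the context lines use the two-argument `__nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct))`, so please confirm `patch -Np1` applies this file with no fuzz against the kernel version pinned in lfs/linux before merging, rather than relying on patch's fuzzy matching.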