lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 3 Apr 2022 00:02:20 +0200 From: Jaco Kroon <jaco@....co.za> To: Eric Dumazet <edumazet@...gle.com> Cc: Neal Cardwell <ncardwell@...gle.com>, Florian Westphal <fw@...len.de>, LKML <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>, Yuchung Cheng <ycheng@...gle.com>, Wei Wang <weiwan@...gle.com>, Pablo Neira Ayuso <pablo@...filter.org>, Sven Auhagen <sven.auhagen@...eatech.de> Subject: Re: linux 5.17.1 disregarding ACK values resulting in stalled TCP connections Hi, On 2022/04/02 15:20, Eric Dumazet wrote: > Great. This confirms our suspicions. > > Please try the following patch that landed in 5.18-rc > > f2dd495a8d589371289981d5ed33e6873df94ecc netfilter: nf_conntrack_tcp: > preserve liberal flag in tcp options Will track this down and deploy in the next day or two. Thank you, Neal and Florian for all the assistance! As an aside, would really like to engage with someone that can assist on the known congestion w.r.t. Google services in JHB, so if you're willing - or can get me in contact with the right people, please do contact me direct off-list (we've alleviated the issue by upgrading out IPT but would like to understand what is going on, can provide ticket references). Kind Regards, Jaco > > CC netfilter folks. > > Condition triggering the bug : > before(seq, sender->td_maxend + 1), > > I took a look at the code, and it is not clear if td_maxend is > properly setup (or if td_scale is cleared at some point while it > should not) > > Alternatively, if conntracking does not know if the connection is > using wscale (or what is the scale), the "before(seq, > sender->td_maxend + 1)," > should not be evaluated/used. > > Also, I do not see where td_maxend is extended in tcp_init_sender() > > Probably wrong patch, just to point to the code I do not understand yet. > > diff --git a/net/netfilter/nf_conntrack_proto_tcp.c > b/net/netfilter/nf_conntrack_proto_tcp.c > index 8ec55cd72572e0cca076631e2cc1c11f0c2b86f6..950082785d61b7a2768559c7500d3aee3aaea7c2 > 100644 > --- a/net/netfilter/nf_conntrack_proto_tcp.c > +++ b/net/netfilter/nf_conntrack_proto_tcp.c > @@ -456,9 +456,10 @@ static void tcp_init_sender(struct ip_ct_tcp_state *sender, > /* SYN-ACK in reply to a SYN > * or SYN from reply direction in simultaneous open. > */ > - sender->td_end = > - sender->td_maxend = end; > - sender->td_maxwin = (win == 0 ? 1 : win); > + sender->td_end = end; > + sender->td_maxwin = max(win, 1U); > + /* WIN in SYN & SYNACK is not scaled */ > + sender->td_maxend = end + sender->td_maxwin; > > tcp_options(skb, dataoff, tcph, sender); > /* RFC 1323:
Powered by blists - more mailing lists