Netfilter-Devel Archive on
 help / color / Atom feed
From: Pablo Neira Ayuso <>
Subject: [PATCH 4/5] netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info
Date: Thu, 24 Aug 2017 16:43:30 +0200
Message-ID: <> (raw)
In-Reply-To: <>

From: Xin Long <>

Commit 4440a2ab3b9f ("netfilter: synproxy: Check oom when adding synproxy
and seqadj ct extensions") wanted to drop the packet when it fails to add
seqadj ext due to no memory by checking if nfct_seqadj_ext_add returns

But that nfct_seqadj_ext_add returns NULL can also happen when seqadj ext
already exists in a nf_conn. It will cause that userspace protocol doesn't
work when both dnat and snat are configured.

Li Shuang found this issue in the case:

   ftp client                   router                  ftp server  <-> <->

  # iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j \
    DNAT --to-destination
  # iptables -t nat -A POSTROUTING -o eth2 -p tcp -m tcp --dport 21 -j \
    SNAT --to-source

In router, when both dnat and snat are added, nf_nat_setup_info will be
called twice. The packet can be dropped at the 2nd time for DNAT due to
seqadj ext is already added at the 1st time for SNAT.

This patch is to fix it by checking for seqadj ext existence before adding
it, so that the packet will not be dropped if seqadj ext already exists.

Note that as Florian mentioned, as a long term, we should review ext_add()
behaviour, it's better to return a pointer to the existing ext instead.

Fixes: 4440a2ab3b9f ("netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions")
Reported-by: Li Shuang <>
Acked-by: Florian Westphal <>
Signed-off-by: Xin Long <>
Signed-off-by: Pablo Neira Ayuso <>
 net/netfilter/nf_nat_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index eb541786ccb7..b1d3740ae36a 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -441,7 +441,7 @@ nf_nat_setup_info(struct nf_conn *ct,
 			ct->status |= IPS_DST_NAT;
-		if (nfct_help(ct))
+		if (nfct_help(ct) && !nfct_seqadj(ct))
 			if (!nfct_seqadj_ext_add(ct))
 				return NF_DROP;

  parent reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-24 14:43 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2017-08-24 14:43 ` [PATCH 1/5] netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry Pablo Neira Ayuso
2017-08-24 14:43 ` [PATCH 2/5] netfilter: nft_compat: check extension hook mask only if set Pablo Neira Ayuso
2017-08-24 14:43 ` [PATCH 3/5] netfilter: x_tables: Fix use-after-free in ipt_do_table Pablo Neira Ayuso
2017-08-24 14:43 ` Pablo Neira Ayuso [this message]
2017-08-24 14:43 ` [PATCH 5/5] netfilter: nf_tables: Fix nft limit burst handling Pablo Neira Ayuso
2017-08-24 18:49 ` [PATCH 0/5] Netfilter fixes for net David Miller

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Netfilter-Devel Archive on

Archives are clonable:
	git clone --mirror netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ \
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone