Re: [PATCH net] netfilter: nft_synproxy: stop bypassing the priv->info snapshot

Next message: Jerome Brunet: "Re: [PATCH v2 2/4] ASoC: meson: aiu-encoder-i2s: prepare for multiple streams"
Previous message: Chen-Yu Yeh: "[PATCH] staging: rtl8723bs: remove unused channel format/arg macros"
In reply to: Runyu Xiao: "[PATCH net] netfilter: nft_synproxy: stop bypassing the priv-&gt;info snapshot"
Next in thread: Pablo Neira Ayuso: "Re: [PATCH net] netfilter: nft_synproxy: stop bypassing the priv-&gt;info snapshot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Fernando Fernandez Mancera

Date: Thu Jun 11 2026 - 04:17:26 EST

On 6/11/26 6:21 AM, Runyu Xiao wrote:

nft_synproxy_eval_v4() and nft_synproxy_eval_v6() already take a
whole-object READ_ONCE() snapshot of the shared priv->info state before
building the SYNACK reply, but nft_synproxy_tcp_options() still masks
opts->options with priv->info.options from the live shared object.

When a named synproxy object is updated concurrently with SYN traffic,
the eval path can then mix mss and timestamp handling from the local
snapshot with an options mask taken from a newer configuration, so one
SYNACK no longer reflects a coherent synproxy configuration.

Use info->options so nft_synproxy_tcp_options() stays on the same local
snapshot that the eval path already copied from priv->info.

Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Runyu Xiao <runyu.xiao@xxxxxxxxxx>

Reviewed-by: Fernando Fernandez Mancera <fmancera@xxxxxxx>

Thanks!