netfilter: conntrack: add clash resolution for reverse collisions - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Florian Westphal <fw@strlen.de>	2024-09-10 12:38:15 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2024-09-26 14:01:54 +0300
commit	a4e6a1031e7769c63d17b8e97d79e25dd7271fd3 (patch)
tree	98812776cd0449267d15a53a796b31bcc59d73bb /tools
parent	d8f84a9bc7c4e07fdc4edc00f9e868b8db974ccb (diff)
download	linux-a4e6a1031e7769c63d17b8e97d79e25dd7271fd3.tar.xz

netfilter: conntrack: add clash resolution for reverse collisions

Given existing entry: ORIGIN: a:b -> c:d REPLY: c:d -> a:b And colliding entry: ORIGIN: c:d -> a:b REPLY: a:b -> c:d The colliding ct (and the associated skb) get dropped on insert. Permit this by checking if the colliding entry matches the reply direction. Happens when both ends send packets at same time, both requests are picked up as NEW, rather than NEW for the 'first' and 'ESTABLISHED' for the second packet. This is an esoteric condition, as ruleset must permit NEW connections in either direction and both peers must already have a bidirectional traffic flow at the time conntrack gets enabled. Allow the 'reverse' skb to pass and assign the existing (clashing) entry. While at it, also drop the extra 'dying' check, this is already tested earlier by the calling function. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'tools')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: