From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>,
Vivek Thrivikraman <vivek.thrivikraman@est.tech>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
kadlec@netfilter.org, davem@davemloft.net, kuba@kernel.org,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 04/11] netfilter: conntrack: don't refresh sctp entries in closed state
Date: Tue, 15 Feb 2022 10:30:57 -0500
Message-ID: <20220215153104.581786-4-sashal@kernel.org>
In-Reply-To: <20220215153104.581786-1-sashal@kernel.org>
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 77b337196a9d87f3d6bb9b07c0436ecafbffda1e ]
Vivek Thrivikraman reported:

An SCTP server application is accessed continuously by a client application.
When the session disconnects, the client retries to establish a connection.
After a restart of the SCTP server application the session is not established
because of a stale conntrack entry with connection state CLOSED, as below
(removing this entry manually established a new connection):

sctp 9 CLOSED src=10.141.189.233 [..] [ASSURED]

Just skip the timeout update for closed entries; we don't want them to
stay around forever.
Reported-and-tested-by: Vivek Thrivikraman <vivek.thrivikraman@est.tech>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1579
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index a937d4f75613f..8cb62805fd684 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -394,6 +394,15 @@ static int sctp_packet(struct nf_conn *ct,
pr_debug("Setting vtag %x for dir %d\n",
ih->init_tag, !dir);
ct->proto.sctp.vtag[!dir] = ih->init_tag;
+
+ /* don't renew timeout on init retransmit so
+ * port reuse by client or NAT middlebox cannot
+ * keep entry alive indefinitely (incl. nat info).
+ */
+ if (new_state == SCTP_CONNTRACK_CLOSED &&
+ old_state == SCTP_CONNTRACK_CLOSED &&
+ nf_ct_is_confirmed(ct))
+ ignore = true;
}
ct->proto.sctp.state = new_state;
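Review bot: the `ignore` flag set at the end of this hunk is neither declared nor consumed in the visible lines, so the new check only has an effect if the 4.19 tree already has the `ignore` handling in sctp_packet() that accepts the packet without refreshing the timeout; since this is an AUTOSEL pick rather than a hand-made backport, it is worth confirming that the 4.19 file has that path and that the result compiles and really leaves the CLOSED entry's timeout alone. The `nf_ct_is_confirmed(ct)` guard reads correctly: an entry that is still unconfirmed (created by the very first INIT) keeps getting its initial timeout, and only a confirmed entry that stays CLOSED across repeated INITs is left to expire, which matches the intent stated in the comment.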
--
2.34.1
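A way to check for the symptom the report describes on a running system, added here as a diagnostic and not part of the kernel patch: take two snapshots of `conntrack -L -p sctp` (or /proc/net/nf_conntrack) a few seconds apart and list CLOSED SCTP entries whose timeout did not count down in between, which is what a refreshed stale entry looks like. The snapshot lines below are constructed, modelled on the line quoted in the commit message.

```shell
#!/bin/sh
# Added diagnostic (not part of the kernel patch): find SCTP conntrack entries
# that sit in CLOSED state yet have their timeout refreshed instead of
# counting down. The field before the state word is the remaining timeout in
# seconds, both in the short form quoted in the report ("sctp 9 CLOSED ...")
# and in the full conntrack-tools form ("sctp 132 9 CLOSED ...").
refreshed_closed_sctp() {
    # $1 = first snapshot, $2 = second snapshot; a '---' marker separates them
    { printf '%s\n' "$1"; printf '%s\n' '---'; printf '%s\n' "$2"; } | awk '
        BEGIN { snap = 1 }
        $0 == "---" { snap = 2; next }
        $1 == "sctp" {
            timeout = ""; key = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "CLOSED") timeout = $(i - 1)
                if ($i ~ /^(src|dst|sport|dport)=/) key = key " " $i
            }
            if (timeout == "") next          # not a CLOSED entry, ignore it
            if (snap == 1) first[key] = timeout
            else if (key in first && timeout + 0 >= first[key] + 0)
                print "refreshed:" key       # timeout did not decrease
        }'
}

# Constructed sample snapshots, the second "taken" about 5 seconds after the
# first. Only the first entry is suspicious: its CLOSED timeout went back up
# to 10 s, the behaviour an INIT retransmit caused before the fix.
SNAP1='sctp     132 9 CLOSED src=10.141.189.233 dst=10.141.189.2 sport=38124 dport=3868 [ASSURED] mark=0 use=1
sctp     132 7 CLOSED src=10.0.0.7 dst=10.0.0.9 sport=41000 dport=3868 mark=0 use=1
sctp     132 299 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=3868 [ASSURED] mark=0 use=1'
SNAP2='sctp     132 10 CLOSED src=10.141.189.233 dst=10.141.189.2 sport=38124 dport=3868 [ASSURED] mark=0 use=1
sctp     132 2 CLOSED src=10.0.0.7 dst=10.0.0.9 sport=41000 dport=3868 mark=0 use=1
sctp     132 294 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=3868 [ASSURED] mark=0 use=1'

refreshed_closed_sctp "$SNAP1" "$SNAP2"
```

On a live host, replace the constructed snapshots with two captures of `conntrack -L -p sctp` taken several seconds apart; an entry that is flagged repeatedly while the peer keeps retrying is the stale CLOSED entry this patch stops refreshing.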