From: Jakub Kicinski <kuba@kernel.org>
To: Yi Chen <yiche@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Florian Westphal <fw@strlen.de>, Phil Sutter <phil@nwl.cc>,
Long Xin <lxin@redhat.com>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Shuah Khan <shuah@kernel.org>,
coreteam@netfilter.org, netfilter-devel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH] selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision test
Date: Mon, 30 Mar 2026 07:07:37 -0700 [thread overview]
Message-ID: <20260330070737.3efec19a@kernel.org> (raw)
In-Reply-To: <20260330113509.23990-1-yiche@redhat.com>
On Mon, 30 Mar 2026 19:35:09 +0800 Yi Chen wrote:
> The existing test covered a scenario where a delayed INIT_ACK chunk
> updates the vtag in conntrack after the association has already been
> established.
>
> A similar issue can occur with a delayed SCTP INIT chunk.
>
> Add a new simultaneous-open test case where the client's INIT is
> delayed, allowing conntrack to establish the association based on
> the server-initiated handshake.
>
> When the stale INIT arrives later, it may overwirte the vtag in
> conntrack, causing subsequent SCTP DATA chunks to be considered
> as invalid and then dropped by nft rules matching on ct state invalid.
>
> This test verifies such stale INIT chunks do not corrupt conntrack
> state.
Now it fails in NIPA:
TAP version 13
1..1
# timeout set to 1800
# selftests: net/netfilter: conntrack_sctp_collision.sh
# Test for SCTP INIT_ACK Collision in nf_conntrack:
# Client: rcvd! 6
# Server: sent! 6
# PASS: The delayed INIT_ACK chunk did not disrupt sctp ct tracking.
# Test for SCTP INIT Collision in nf_conntrack:
# Failed to recv msg -1
# Failed to recv msg -1
# FAIL: The delayed INIT chunk did not disrupt sctp ct tracking.
not ok 1 selftests: net/netfilter: conntrack_sctp_collision.sh # exit=1
next prev parent reply other threads:[~2026-03-30 14:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 11:35 [PATCH] selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision test Yi Chen
2026-03-30 14:07 ` Jakub Kicinski [this message]
2026-03-30 14:16 ` Long Xin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260330070737.3efec19a@kernel.org \
--to=kuba@kernel.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=lxin@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
--cc=shuah@kernel.org \
--cc=yiche@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.