* [PATCH nf] netfilter: conntrack: don't refresh sctp entries in closed state
@ 2022-01-28 12:13 Florian Westphal
From: Florian Westphal @ 2022-01-28 12:13 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Vivek Thrivikraman
Vivek Thrivikraman reported:

An SCTP server application which is accessed continuously by a client
application.
When the session disconnects, the client retries to establish a connection.
After restart of the SCTP server application the session is not established
because of a stale conntrack entry with connection state CLOSED as below.

(removing this entry manually established a new connection):

sctp 9 CLOSED src=10.141.189.233 [..] [ASSURED]

Just skip timeout update of closed entries, we don't want them to
stay around forever.
Reported-and-tested-by: Vivek Thrivikraman <vivek.thrivikraman@est.tech>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1579
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_proto_sctp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 2394238d01c9..5a936334b517 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -489,6 +489,15 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
pr_debug("Setting vtag %x for dir %d\n",
ih->init_tag, !dir);
ct->proto.sctp.vtag[!dir] = ih->init_tag;
+
+ /* don't renew timeout on init retransmit so
+ * port reuse by client or NAT middlebox cannot
+ * keep entry alive indefinitely (incl. nat info).
+ */
+ if (new_state == SCTP_CONNTRACK_CLOSED &&
+ old_state == SCTP_CONNTRACK_CLOSED &&
+ nf_ct_is_confirmed(ct))
+ ignore = true;
}
ct->proto.sctp.state = new_state;
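Review bot: the changelog says closed entries are no longer refreshed in general, but the new check sits inside the INIT-handling block (the branch that sets `ct->proto.sctp.vtag[!dir] = ih->init_tag`), so only an INIT arriving on an already-CLOSED, confirmed entry sets `ignore = true`; either word the changelog that narrowly ("don't refresh closed entries on INIT retransmit") or place the check beside the `ct->proto.sctp.state = new_state;` assignment so it covers every chunk type. The `nf_ct_is_confirmed(ct)` term also deserves a line in the comment: the comment explains the port-reuse/NAT motivation but not why an unconfirmed entry is exempt, and a reader has to infer that a freshly created entry still needs its first timeout.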
--
2.34.1
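The symptom in the report is an SCTP conntrack entry that sits in CLOSED, is ASSURED, and never ages out because each INIT retransmit refreshes its timer. The following script is an added example, not part of this thread or of the netfilter tree: it parses `conntrack -L` style listings (the report shows the same column layout, elided with `[..]`), lists the CLOSED+ASSURED SCTP entries an operator would otherwise have to spot by eye, and compares two listings taken a known number of seconds apart to find CLOSED entries whose timer did not count down, which is exactly the refresh behaviour the patch removes. The sample lines and addresses are constructed; the exact field order of the listing and the default 10 s CLOSED timeout are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Layout assumed for `conntrack -L`: "<proto> <protonum> <timeout> [STATE] k=v ... [FLAG] ..."
_HEAD = re.compile(r"^(?P<proto>[a-z]+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")
_KV = re.compile(r"(\w+)=(\S+)")
_FLAG = re.compile(r"\[(\w+)\]")

Tuple4 = Tuple[str, str, str, str]


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    timeout: int          # seconds left before the entry expires
    state: Optional[str]  # L4 state column (CLOSED, ESTABLISHED, ...) when present
    orig: Tuple4          # src, dst, sport, dport in the original direction
    reply: Tuple4         # the same four fields as seen in the reply direction
    flags: frozenset      # bracketed flags such as ASSURED or UNREPLIED


def parse_conntrack_line(line: str) -> Optional[ConntrackEntry]:
    """Parse one listing line; return None for lines that do not fit the layout."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    state = None
    first, _, tail = rest.partition(" ")
    if first.isupper():  # tcp/sctp print a state word before the tuples, udp does not
        state, rest = first, tail
    # key=value pairs appear twice: original direction first, reply direction second
    vals: Dict[str, List[str]] = {}
    for key, val in _KV.findall(rest):
        vals.setdefault(key, []).append(val)
    try:
        orig = tuple(vals[k][0] for k in ("src", "dst", "sport", "dport"))
        reply = tuple(vals[k][1] for k in ("src", "dst", "sport", "dport"))
    except (KeyError, IndexError):
        return None
    return ConntrackEntry(m.group("proto"), int(m.group("timeout")), state,
                          orig, reply, frozenset(_FLAG.findall(rest)))


def parse_listing(text: str) -> List[ConntrackEntry]:
    return [e for e in (parse_conntrack_line(l) for l in text.splitlines()) if e]


def stale_closed_sctp(entries: List[ConntrackEntry]) -> List[ConntrackEntry]:
    """Entries matching the report: SCTP, state CLOSED, yet ASSURED (traffic seen both ways)."""
    return [e for e in entries
            if e.proto == "sctp" and e.state == "CLOSED" and "ASSURED" in e.flags]


def refreshed_closed_sctp(before: List[ConntrackEntry], after: List[ConntrackEntry],
                          elapsed_s: int) -> List[ConntrackEntry]:
    """CLOSED SCTP entries whose timer did not drop by `elapsed_s` between two listings.

    A CLOSED entry that is left alone counts down from the closed timeout
    (10 s by default, an assumption here); one that is being refreshed stays
    near the top of that range. Entries are matched on the original-direction tuple."""
    earlier = {e.orig: e for e in before if e.proto == "sctp" and e.state == "CLOSED"}
    found = []
    for e in after:
        prev = earlier.get(e.orig)
        if prev is None or e.proto != "sctp" or e.state != "CLOSED":
            continue
        if e.timeout > prev.timeout - elapsed_s:
            found.append(e)
    return found


# Constructed listings, not the reporter's data: two snapshots five seconds apart.
SNAPSHOT_T0 = """\
sctp     132 9 CLOSED src=10.141.189.233 dst=10.141.189.10 sport=38000 dport=3868 src=10.141.189.10 dst=10.141.189.233 sport=3868 dport=38000 [ASSURED] mark=0 use=1
sctp     132 7 CLOSED src=10.141.189.236 dst=10.141.189.10 sport=38002 dport=3868 src=10.141.189.10 dst=10.141.189.236 sport=3868 dport=38002 mark=0 use=1
sctp     132 210 ESTABLISHED src=10.141.189.234 dst=10.141.189.10 sport=38001 dport=3868 src=10.141.189.10 dst=10.141.189.234 sport=3868 dport=38001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.141.189.235 dst=10.141.189.10 sport=50000 dport=22 src=10.141.189.10 dst=10.141.189.235 sport=22 dport=50000 [ASSURED] mark=0 use=1
udp      17 29 src=10.141.189.240 dst=10.141.189.10 sport=40000 dport=53 [UNREPLIED] src=10.141.189.10 dst=10.141.189.240 sport=53 dport=40000 mark=0 use=1
"""
SNAPSHOT_T5 = """\
sctp     132 9 CLOSED src=10.141.189.233 dst=10.141.189.10 sport=38000 dport=3868 src=10.141.189.10 dst=10.141.189.233 sport=3868 dport=38000 [ASSURED] mark=0 use=1
sctp     132 2 CLOSED src=10.141.189.236 dst=10.141.189.10 sport=38002 dport=3868 src=10.141.189.10 dst=10.141.189.236 sport=3868 dport=38002 mark=0 use=1
sctp     132 205 ESTABLISHED src=10.141.189.234 dst=10.141.189.10 sport=38001 dport=3868 src=10.141.189.10 dst=10.141.189.234 sport=3868 dport=38001 [ASSURED] mark=0 use=1
tcp      6 431994 ESTABLISHED src=10.141.189.235 dst=10.141.189.10 sport=50000 dport=22 src=10.141.189.10 dst=10.141.189.235 sport=22 dport=50000 [ASSURED] mark=0 use=1
"""

if __name__ == "__main__":
    t0, t5 = parse_listing(SNAPSHOT_T0), parse_listing(SNAPSHOT_T5)
    for e in stale_closed_sctp(t0):
        print("closed but assured:", e.orig)
    for e in refreshed_closed_sctp(t0, t5, 5):
        print("timer not counting down (being refreshed):", e.orig, "timeout", e.timeout)
```

On a live box the two snapshots come from running `conntrack -L` twice with a known sleep in between; an entry that keeps showing up in the refreshed list is the one that blocks the new association until it is deleted by hand, or until a kernel with this patch stops renewing it.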
* Re: [PATCH nf] netfilter: conntrack: don't refresh sctp entries in closed state
From: Pablo Neira Ayuso @ 2022-02-04 4:40 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel, Vivek Thrivikraman
On Fri, Jan 28, 2022 at 01:13:32PM +0100, Florian Westphal wrote:
> Vivek Thrivikraman reported:
> An SCTP server application which is accessed continuously by a client
> application.
> When the session disconnects, the client retries to establish a connection.
> After restart of the SCTP server application the session is not established
> because of a stale conntrack entry with connection state CLOSED as below.
>
> (removing this entry manually established a new connection):
>
> sctp 9 CLOSED src=10.141.189.233 [..] [ASSURED]
>
> Just skip timeout update of closed entries, we don't want them to
> stay around forever.
Applied