netfilter-devel.vger.kernel.org archive mirror
From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: kadlec@netfilter.org, Florian Westphal <fw@strlen.de>
Subject: [PATCH nf-next 0/2] netfilter: conntrack: do not renew timeout while in tcp SYN_SENT state
Date: Thu, 24 Jun 2021 12:36:40 +0200
Message-ID: <20210624103642.29087-1-fw@strlen.de>

Antonio Ojea reported a problem with a container environment where
connection retries prevent expiry of a SYN_SENT conntrack entry.

This in turn prevents a NAT rule from becoming active.

Consider:
  client -----> conntrack ---> Host

client sends a SYN, but $Host is unreachable/silent.

In the reported case, $host address doesn't exist at all --
it's a 'virtual' ip that is made accessible via dnat/redirect.

The routing table even passes the packet back via the same interface
it arrived on.

In the meantime, a NAT rule has been added to the conntrack
namespace, but it has no effect until the existing conntrack
entry times out.

Unfortunately, in the above scenario, the client retries the connection
faster than the SYN default timeout (60 seconds), i.e. the entry
never expires and the 'virtual' ip never becomes active.

First patch adds a test case:
 3 namespaces, one sender, one receiver.
 sender connects to non-existent/virtual ip.
 Then a dnat rule gets added.

 The test case succeeds once conntrack tool shows that the nat rule
 was evaluated.

Second patch prevents timeout refresh for entries stuck in
SYN_SENT state.

Without the second patch, the test case doesn't pass even though the SYN
timeout is set to 10 seconds.

Florian Westphal (2):
  selftest: netfilter: add test case for unreplied tcp connections
  netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state

 net/netfilter/nf_conntrack_proto_tcp.c        |  10 ++
 tools/testing/selftests/netfilter/Makefile    |   2 +-
 .../netfilter/conntrack_tcp_unreplied.sh      | 167 ++++++++++++++++++
 3 files changed, 178 insertions(+), 1 deletion(-)
 create mode 100755 tools/testing/selftests/netfilter/conntrack_tcp_unreplied.sh

-- 
2.31.1
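The scenario described in the cover letter, as an added example that is not part of the patch series or of the kernel selftest it mentions: a POSIX shell script that compares two `conntrack -L -p tcp` listings taken a known number of seconds apart and reports unreplied SYN_SENT entries whose remaining timeout did not simply count down in between. On a kernel without the second patch that is what a client's retransmitted SYNs cause, which is why the entry never expires. Assumed: the conntrack-tools line format shown in the comments, and, for the live mode only, root plus a loaded nf_conntrack module. The two listings embedded in the script are constructed for the demonstration, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the patch series or of the kernel selftest it
# mentions: spot SYN_SENT conntrack entries whose timeout keeps being renewed
# by the client's SYN retransmits, i.e. the situation the cover letter
# describes, by comparing two `conntrack -L -p tcp` listings taken a known
# number of seconds apart.
#
# Assumed line format (what conntrack-tools prints for an unreplied flow):
#   tcp  6 <timeout> SYN_SENT src=.. dst=.. sport=.. dport=.. [UNREPLIED] src=.. ...
# Field 3 is the remaining timeout in seconds, field 4 the TCP state and
# fields 5-8 the original-direction tuple.

# Print "src= dst= sport= dport= <timeout>" for each unreplied SYN_SENT entry.
unreplied_syn_sent() {
    awk '$1 == "tcp" && $4 == "SYN_SENT" && /\[UNREPLIED\]/ {
        print $5, $6, $7, $8, $3
    }'
}

# refreshed_entries <interval> <listing_before> <listing_after>
# An unreplied SYN_SENT entry whose remaining timeout in the second listing is
# larger than (first timeout - interval) had its timer renewed in between.
# Before the second patch every retransmitted SYN does that, so a client that
# retries faster than nf_conntrack_tcp_timeout_syn_sent keeps the entry alive
# for as long as it retries; an entry that only counted down is not reported.
refreshed_entries() {
    awk -v iv="$1" '
        $1 != "tcp" || $4 != "SYN_SENT" || !/\[UNREPLIED\]/ { next }
        { key = $5 " " $6 " " $7 " " $8 }
        FILENAME == ARGV[1] { first[key] = $3; next }
        (key in first) && ($3 > first[key] - iv) {
            print key " refreshed: " first[key] " -> " $3 " after " iv "s"
        }' "$2" "$3"
}

# Constructed sample listings (not captured from a real system) written to
# "$1/t0" and "$1/t10", ten seconds apart. 10.0.3.1 plays the unreachable
# "virtual" address. Client 10.0.1.2 keeps retransmitting its SYN, so on a
# pre-patch kernel its entry sits at 53s instead of 47s; client 10.0.1.9 sent
# nothing more, so its entry simply counted down.
write_demo_snapshots() {
    cat > "$1/t0" <<'EOF'
tcp      6 57 SYN_SENT src=10.0.1.2 dst=10.0.3.1 sport=40000 dport=8080 [UNREPLIED] src=10.0.3.1 dst=10.0.1.2 sport=8080 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.1.2 dst=10.0.2.1 sport=40001 dport=22 src=10.0.2.1 dst=10.0.1.2 sport=22 dport=40001 [ASSURED] mark=0 use=1
tcp      6 57 SYN_SENT src=10.0.1.9 dst=10.0.3.1 sport=40555 dport=8080 [UNREPLIED] src=10.0.3.1 dst=10.0.1.9 sport=8080 dport=40555 mark=0 use=1
EOF
    cat > "$1/t10" <<'EOF'
tcp      6 53 SYN_SENT src=10.0.1.2 dst=10.0.3.1 sport=40000 dport=8080 [UNREPLIED] src=10.0.3.1 dst=10.0.1.2 sport=8080 dport=40000 mark=0 use=1
tcp      6 431989 ESTABLISHED src=10.0.1.2 dst=10.0.2.1 sport=40001 dport=22 src=10.0.2.1 dst=10.0.1.2 sport=22 dport=40001 [ASSURED] mark=0 use=1
tcp      6 47 SYN_SENT src=10.0.1.9 dst=10.0.3.1 sport=40555 dport=8080 [UNREPLIED] src=10.0.3.1 dst=10.0.1.9 sport=8080 dport=40555 mark=0 use=1
EOF
}

# Live use (root and conntrack-tools assumed): two real listings, $1 seconds apart.
live_check() {
    echo "syn_sent timeout: $(cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent 2>/dev/null || echo unknown)s"
    a=$(mktemp); b=$(mktemp)
    conntrack -L -p tcp 2>/dev/null > "$a"
    sleep "$1"
    conntrack -L -p tcp 2>/dev/null > "$b"
    refreshed_entries "$1" "$a" "$b"
    rm -f "$a" "$b"
}

if [ "${1:-}" = live ]; then
    live_check "${2:-10}"
else
    d=$(mktemp -d)
    write_demo_snapshots "$d"
    refreshed_entries 10 "$d/t0" "$d/t10"
    rm -rf "$d"
fi
```

Run with no arguments to see the report on the constructed data; `sh script.sh live 10` takes two real listings ten seconds apart on a host with conntrack-tools. With the second patch applied, a SYN_SENT entry's remaining timeout should only count down between the two listings regardless of how often the client retransmits, so the report should stay empty and the entry should expire once nf_conntrack_tcp_timeout_syn_sent elapses.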



Thread overview: 4+ messages
2021-06-24 10:36 Florian Westphal [this message]
2021-06-24 10:36 ` [PATCH nf-next 1/2] selftest: netfilter: add test case for unreplied tcp connections Florian Westphal
2021-06-24 10:36 ` [PATCH nf-next 2/2] netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state Florian Westphal
2021-07-02  0:53 ` [PATCH nf-next 0/2] netfilter: conntrack: do not renew timeout while " Pablo Neira Ayuso
