Chieh-Min Wang <chiehmin18@xxxxxxxxx> wrote: > I think 71d8c47fc653711c4(netfilter: conntrack: introduce clash > resolution on insertion race) is doing the same logic for resolving > conntrack clashing. No, that commit dealsl with the case where two skbs have different conntrack objects but where tuples are the same. In nfqueue+bridge flood case the skbs point to the same conntrack object. Maybe one way to fix this would be to let nfqueue perform a deep copy of skb->_nfct in case conntrack is unconfirmed and skb_shared() is true. But that would of course cause drop for l4 protocols that do not support clash resolution.
