On Tue, Jan 29, 2019 at 03:51:42PM +0100, Florian Westphal wrote:
> From: Martynas Pumputis <martynas@weave.works>
>
> It is possible that two concurrent packets originating from the same
> socket of a connection-less protocol (e.g. UDP) can end up having
> different IP_CT_DIR_REPLY tuples, which results in one of the packets
> being dropped.
>
> To illustrate this, consider the following simplified scenario:
>
> 1. Packets A and B are sent at the same time from two different threads
>    by the same UDP socket. No matching conntrack entry exists yet.
>    Both packets cause allocation of a new conntrack entry.
> 2. get_unique_tuple gets called for A. No clashing entry is found.
>    The conntrack entry for A is added to the main conntrack table.
> 3. get_unique_tuple is called for B and will find that the reply
>    tuple of B is already taken by A.
>    It will allocate a new UDP source port for B to resolve the clash.
> 4. The conntrack entry for B cannot be added to the main conntrack table
>    because its ORIGINAL direction is clashing with A and the REPLY
>    directions of A and B are not the same anymore due to the UDP source
>    port reallocation done in step 3.
>
> This patch modifies nf_conntrack_tuple_taken so it doesn't consider
> colliding reply tuples if the IP_CT_DIR_ORIGINAL tuples are equal.
>
> [ Florian: simplify patch to not use .allow_clash setting
>   and always ignore identical flows ]

I prefer this band-aid remains small indeed.

Applied, thanks Florian.
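The four-step race in the quoted description can be replayed in a small model. The C program below is an added illustration, not code from the patch, from the kernel, or from the mailing-list thread: `struct tuple`, `struct ct`, `tuple_taken()`, `get_unique_tuple()`, `confirm()` and `simulate()` are simplified stand-ins for the conntrack/NAT data structures and functions the message names, the 10.0.0.1:4000 -> 10.0.0.2:53 flow is constructed sample input, and the confirmation rule (an entry whose ORIGINAL tuple already exists is accepted only if its REPLY tuple matches) is an assumption that mirrors step 4 of the scenario. The `fixed` flag switches `tuple_taken()` between the pre-patch rule (any colliding reply tuple counts) and the post-patch rule (a collision is ignored when the ORIGINAL tuples are identical), so the same two-packet sequence can be run both ways.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for nf_conntrack_tuple: IPv4 addresses and UDP ports (assumption). */
struct tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };
enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
/* Toy stand-in for a conntrack entry holding its ORIGINAL and REPLY tuples. */
struct ct { struct tuple dir[2]; };

#define TABLE_MAX 8
static struct ct table[TABLE_MAX];   /* model of the main conntrack table */
static int table_len;

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* The reply tuple is the original with source and destination swapped. */
static struct tuple invert(const struct tuple *t)
{
    struct tuple r = { t->dst_ip, t->src_ip, t->dst_port, t->src_port };
    return r;
}

/* Model of nf_conntrack_tuple_taken(). With fixed == false any entry whose
 * REPLY tuple matches counts as a clash. With fixed == true (the patch's
 * rule) a match is ignored when the ORIGINAL tuples are identical as well,
 * because that is the same flow seen twice rather than a real clash. */
static bool tuple_taken(const struct tuple *reply, const struct ct *ignored, bool fixed)
{
    for (int i = 0; i < table_len; i++) {
        const struct ct *h = &table[i];
        if (h == ignored)
            continue;
        if (!tuple_eq(&h->dir[DIR_REPLY], reply))
            continue;
        if (fixed && tuple_eq(&h->dir[DIR_ORIGINAL], &ignored->dir[DIR_ORIGINAL]))
            continue;
        return true;
    }
    return false;
}

/* Model of get_unique_tuple() under a null NAT binding: while the reply tuple
 * is taken, pick the next source port and record the mapping in the REPLY
 * tuple. The ORIGINAL tuple (what the packet carried) is left untouched. */
static void get_unique_tuple(struct ct *c, bool fixed)
{
    struct tuple want = c->dir[DIR_ORIGINAL];
    c->dir[DIR_REPLY] = invert(&want);
    while (tuple_taken(&c->dir[DIR_REPLY], c, fixed)) {
        want.src_port++;                 /* reallocate the UDP source port */
        c->dir[DIR_REPLY] = invert(&want);
    }
}

/* Model of confirmation (assumption mirroring step 4): if an entry with the
 * same ORIGINAL tuple already exists, the packet is accepted only when the
 * REPLY tuples match too; otherwise it is dropped. Returns true if accepted. */
static bool confirm(const struct ct *c)
{
    for (int i = 0; i < table_len; i++) {
        if (tuple_eq(&table[i].dir[DIR_ORIGINAL], &c->dir[DIR_ORIGINAL]))
            return tuple_eq(&table[i].dir[DIR_REPLY], &c->dir[DIR_REPLY]);
    }
    if (table_len == TABLE_MAX)
        return false;
    table[table_len++] = *c;
    return true;
}

/* Replays the scenario: packets A and B from the same UDP socket, each with
 * its own freshly allocated conntrack entry. Returns how many of the two
 * packets were accepted (2 means nothing was dropped). */
static int simulate(bool fixed)
{
    table_len = 0;
    /* Constructed sample flow: 10.0.0.1:4000 -> 10.0.0.2:53 */
    struct tuple orig = { 0x0a000001u, 0x0a000002u, 4000, 53 };
    struct ct a = { { orig, orig } };
    struct ct b = { { orig, orig } };
    int accepted = 0;

    get_unique_tuple(&a, fixed);          /* step 2: no clash for A */
    accepted += confirm(&a);              /* A enters the table */
    get_unique_tuple(&b, fixed);          /* step 3: B sees A's reply tuple */
    accepted += confirm(&b);              /* step 4: B is dropped or accepted */
    return accepted;
}

int main(void)
{
    printf("before patch: %d of 2 packets accepted\n", simulate(false));
    printf("after patch:  %d of 2 packets accepted\n", simulate(true));
    return 0;
}
```

Running it shows one packet dropped with the old rule and both accepted with the new one: without the fix, B's reply tuple collides with A's, the port reallocation gives B a different REPLY tuple while its ORIGINAL tuple still matches A's, and confirmation rejects it; with the fix, the collision is ignored because the ORIGINAL tuples are identical, so A and B end up with the same pair of tuples and B is accepted as the same flow.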