On Mon, Mar 25, 2019 at 11:11:53PM +0100, Florian Westphal wrote:
> When an icmp error such as pkttoobig is received, conntrack checks
> if the "inner" header (header of packet that did not fit link mtu)
> matches an existing connection, and, if so, sets that packet as
> being related to the conntrack entry it found.
>
> It was recently reported that this "related" setting also works
> if the inner header is from another, different connection (i.e.,
> artificial/forged icmp error).
>
> Add a test, followup patch will add additional "inner dst matches
> outer dst in reverse direction" check before setting related state.

Applied, thanks.
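
The consistency rule described in the quoted commit message, as an added example that is not part of the original thread or the kernel patch: a stateless check that an ICMP error is addressed to the sender of the embedded packet (outer destination equals inner source, i.e. the inner destination once the tuple is reversed). The function names, the address-only comparison with no NAT or conntrack lookup, and the RFC 5737 sample addresses are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { NOT_ICMP_ERROR, MALFORMED, CONSISTENT, MISMATCH };

static uint32_t get32(const uint8_t *p) {   /* big-endian, alignment-safe read */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Classify one raw IPv4 packet (checksums are not verified here). */
enum verdict check_icmp_error(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return MALFORMED;
    if (pkt[9] != 1) return NOT_ICMP_ERROR;            /* IP protocol 1 = ICMP */
    uint8_t type = pkt[ihl];
    if (type != 3 && type != 4 && type != 5 && type != 11 && type != 12)
        return NOT_ICMP_ERROR;                         /* echo, timestamp, ... */
    const uint8_t *inner = pkt + ihl + 8;              /* embedded offending header */
    if (len - ihl - 8 < 20 || (inner[0] >> 4) != 4) return MALFORMED;
    /* A real error goes back to the sender of the embedded packet. */
    return get32(pkt + 16) == get32(inner + 12) ? CONSISTENT : MISMATCH;
}

/* Constructed sample: "fragmentation needed" (type 3, code 4) error. */
size_t build_sample(uint8_t *b, uint32_t osrc, uint32_t odst, uint32_t isrc, uint32_t idst) {
    memset(b, 0, 56);
    b[0] = 0x45; b[3] = 56; b[8] = 64; b[9] = 1;       /* outer IPv4, proto ICMP */
    put32(b + 12, osrc); put32(b + 16, odst);
    b[20] = 3; b[21] = 4;                              /* ICMP type, code */
    b[28] = 0x45; b[36] = 64; b[37] = 6;               /* inner IPv4, proto TCP */
    put32(b + 40, isrc); put32(b + 44, idst);
    return 56;
}

int main(void) {
    uint8_t pkt[56];
    uint32_t router = 0xC0000201, host = 0xC0000202, peer = 0xC6336403;  /* RFC 5737 */
    uint32_t other_a = 0xCB007105, other_b = 0xCB007106;  /* unrelated flow */
    size_t n = build_sample(pkt, router, host, host, peer);
    printf("genuine error: %d\n", check_icmp_error(pkt, n));
    n = build_sample(pkt, router, host, other_a, other_b);
    printf("inner header from another flow: %d\n", check_icmp_error(pkt, n));
    return 0;
}
```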