On Wed, Aug 26, 2020 at 12:07:18AM +0200, Florian Westphal wrote: > Its possible that we have more than one packet with the same ct tuple > simultaneously, e.g. when an application emits n packets on same UDP > socket from multiple threads. > > NAT rules might be applied to those packets. With the right set of rules, > n packets will be mapped to m destinations, where at least two packets end > up with the same destination. > > When this happens, the existing clash resolution may merge the skb that > is processed after the first has been received with the identical tuple > already in hash table. > > However, its possible that this identical tuple is a NAT_CLASH tuple. > In that case the second skb will be sent, but no reply can be received > since the reply that is processed first removes the NAT_CLASH tuple. > > Do not auto-delete, this gives a 1 second window for replies to be passed > back to originator. > > Packets that are coming later (udp stream case) will not be affected: > they match the original ct entry, not a NAT_CLASH one. > > Also prevent NAT_CLASH entries from getting offloaded. Applied, thanks.
