On Fri, Feb 05, 2021 at 12:56:43PM +0100, Florian Westphal wrote:
> The origin skip check needs to re-test the zone. Else, we might skip
> a colliding tuple in the reply direction.
>
> This only occurs when using 'directional zones' where origin tuples
> reside in different zones but the reply tuples share the same zone.
>
> This causes the new conntrack entry to be dropped at confirmation time
> because NAT clash resolution was elided.

Applied, thanks Florian.

> Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> I have a selftest to trigger this bug, but it depends on
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210203165707.21781-4-fw@xxxxxxxxx/
> and
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210203165707.21781-5-fw@xxxxxxxxx/
>
> so I will only send it once a new nft release with those patches is
> out.

Looking into these patches now.