Netfilter NAT collision handling + TCP edemux can cause packets to end up with the wrong socket.

This has been happening since TCP early demux was added more than 8 years ago, so this needs very rare and specific conditions to trigger.

Patch 1 fixes the bug.
Patch 2 rewords a debug message that implies packets are treated as invalid while they are not.
Patch 3 adds a test case for this.

On an unpatched kernel this script should error out with:

  (UNKNOWN) [10.96.0.1] 443 (https) : Connection timed out
  FAIL: nc cannot connect via NAT'd address

Florian Westphal (3):
  netfilter: nf_nat: undo erroneous tcp edemux lookup
  netfilter: conntrack: avoid misleading 'invalid' in log message
  selftests: netfilter: test nat port clash resolution interaction with tcp early demux

 net/netfilter/nf_conntrack_proto_tcp.c          |  6 +-
 net/netfilter/nf_nat_proto.c                    | 25 ++++-
 tools/testing/selftests/netfilter/Makefile      |  2 +-
 .../selftests/netfilter/nf_nat_edemux.sh        | 99 +++++++++++++++++++
 4 files changed, 125 insertions(+), 7 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/nf_nat_edemux.sh

-- 
2.26.2