On Wed, Feb 24, 2021 at 05:23:18PM +0100, Florian Westphal wrote:
> Netfilter NAT collision handling + TCP edemux can cause packets to end
> up with the wrong socket.
> This happens since TCP early demux was added more than 8 years ago, so
> this needs very rare and specific conditions to trigger.
>
> Patch 1 fixes the bug.
> Patch 2 rewords a debug message that implies packets are treated
> as invalid while they are not.
> Patch 3 adds a test case for this. On unpatched kernel this script
> should error out with:
> (UNKNOWN) [10.96.0.1] 443 (https) : Connection timed out
> FAIL: nc cannot connect via NAT'd address

Applied, thanks Florian.