On Mon, Jan 16, 2023 at 10:35:54AM +0100, Sriram Yagnaraman wrote:
> RFC 9260, Sec 8.5.1 states that for ABORT/SHUTDOWN_COMPLETE, the chunk
> MUST be accepted if the vtag of the packet matches its own tag and the
> T bit is not set OR if it is set to its peer's vtag and the T bit is set
> in chunk flags. Otherwise the packet MUST be silently dropped.
>
> Update vtag verification for ABORT/SHUTDOWN_COMPLETE based on the above
> description.
I suspect this is broken since the beginning? Then a good Fixes: tag
candidate it...
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
?
