Hello,
On 24/01/2023 19:39, Pablo Neira Ayuso wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for net:
(...)
> Sriram Yagnaraman (4):
> netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
> netfilter: conntrack: fix bug in for_each_sctp_chunk
> Revert "netfilter: conntrack: add sctp DATA_SENT state"
> netfilter: conntrack: unify established states for SCTP paths
FYI, we got a small conflict when merging -net in net-next in the MPTCP
tree due to the last two patches applied in -net:
13bd9b31a969 ("Revert "netfilter: conntrack: add sctp DATA_SENT state"")
a44b7651489f ("netfilter: conntrack: unify established states for SCTP paths")
and this one from net-next:
f71cb8f45d09 ("netfilter: conntrack: sctp: use nf log infrastructure for invalid packets")
The conflict has been resolved on our side[1] and the resolution we
suggest is attached to this email.
Cheers,
Matt
[1] https://github.com/multipath-tcp/mptcp_net-next/commit/4e2bc066dae4
--
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net
diff --cc net/netfilter/nf_conntrack_proto_sctp.c
index dbdfcc6cd2aa,945dd40e7077..3937cbee9418
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@@ -243,16 -238,14 +227,12 @@@ static int sctp_new_state(enum ip_connt
i = 9;
break;
case SCTP_CID_HEARTBEAT_ACK:
- pr_debug("SCTP_CID_HEARTBEAT_ACK");
i = 10;
break;
- case SCTP_CID_DATA:
- case SCTP_CID_SACK:
- i = 11;
- break;
default:
/* Other chunks like DATA or SACK do not change the state */
- pr_debug("Unknown chunk type, Will stay in %s\n",
- sctp_conntrack_names[cur_state]);
+ pr_debug("Unknown chunk type %d, Will stay in %s\n",
+ chunk_type, sctp_conntrack_names[cur_state]);
return cur_state;
}
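Review bot: the resolution keeps both sides' intent in sctp_new_state(): the `SCTP_CID_DATA`/`SCTP_CID_SACK` case returning `i = 11` is dropped as the revert requires, so DATA and SACK now fall into `default` and return `cur_state`, which matches the retained comment "Other chunks like DATA or SACK do not change the state", and the net-next `pr_debug("Unknown chunk type %d, Will stay in %s\n", chunk_type, ...)` is kept. One wording nit for a follow-up rather than for this merge: that message still calls DATA/SACK "Unknown chunk type" even though the comment right above it treats them as known chunks that simply leave the state untouched.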
@@@ -386,21 -381,19 +364,21 @@@ int nf_conntrack_sctp_packet(struct nf_
if (!sctp_new(ct, skb, sh, dataoff))
return -NF_ACCEPT;
- } else {
- /* Check the verification tag (Sec 8.5) */
- if (!test_bit(SCTP_CID_INIT, map) &&
- !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
- !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
- !test_bit(SCTP_CID_ABORT, map) &&
- !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
- !test_bit(SCTP_CID_HEARTBEAT, map) &&
- !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
- sh->vtag != ct->proto.sctp.vtag[dir]) {
- nf_ct_l4proto_log_invalid(skb, ct, state,
- "verification tag check failed %x vs %x for dir %d",
- sh->vtag, ct->proto.sctp.vtag[dir], dir);
- goto out;
- }
+ }
+
+ /* Check the verification tag (Sec 8.5) */
+ if (!test_bit(SCTP_CID_INIT, map) &&
+ !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
+ !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
+ !test_bit(SCTP_CID_ABORT, map) &&
+ !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
+ !test_bit(SCTP_CID_HEARTBEAT, map) &&
+ !test_bit(SCTP_CID_HEARTBEAT_ACK, map) &&
+ sh->vtag != ct->proto.sctp.vtag[dir]) {
- pr_debug("Verification tag check failed\n");
++ nf_ct_l4proto_log_invalid(skb, ct, state,
++ "verification tag check failed %x vs %x for dir %d",
++ sh->vtag, ct->proto.sctp.vtag[dir], dir);
+ goto out;
}
old_state = new_state = SCTP_CONNTRACK_NONE;
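Review bot: in the `++` lines the resolution correctly applies the net-next replacement of `pr_debug("Verification tag check failed\n")` with `nf_ct_l4proto_log_invalid(skb, ct, state, "verification tag check failed %x vs %x for dir %d", ...)` to the check at its new position after the closing `}` of the `if (!sctp_new(...))` block, rather than inside the removed `else` branch. Since the check has moved out of that branch, please double-check that `state`, `dir` and `map` are all still initialised and in scope at this point of nf_conntrack_sctp_packet(), and that the `goto out` label is reachable from here exactly as it was from the old `else` path; the three `++` lines are the merge's own text, so they are the part of this hunk neither parent commit has exercised.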