On Wed, Feb 01, 2023 at 02:45:22PM +0100, Florian Westphal wrote:
> iptables/nftables support responding to tcp packets with tcp resets.
>
> The generated tcp reset packet passes through both output and postrouting
> netfilter hooks, but conntrack will never see them because the generated
> skb has its ->nfct pointer copied over from the packet that triggered the
> reset rule.
>
> If the reset rule is used for established connections, this
> may result in the conntrack entry being around for a very long
> time (default timeout is 5 days).
>
> One way to avoid this would be to not copy the nf_conn pointer
> so that the reset packet passes through conntrack too.
>
> Problem is that output rules might not have the same conntrack
> zone setup as the prerouting ones, so it's possible that the
> reset skb won't find the correct entry. Generating a template
> entry for the skb seems error prone as well.
>
> Add an explicit "closing" function that switches a confirmed
> conntrack entry to closed state and wire this up for tcp.
>
> If the entry isn't confirmed, no action is needed because
> the conntrack entry will never be committed to the table.

Applied to nf-next, thanks
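A userspace C model of the behaviour the quoted message describes, added here as an illustration and not taken from the kernel patch itself: the reset skb inherits ->nfct from the triggering packet, so only an explicit closing step moves a confirmed entry out of ESTABLISHED, while an unconfirmed entry is left alone. The struct layouts, function names and the 10 s close timeout are assumptions for the model.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Model only, not kernel code: names, fields and the close timeout
 * are assumed for illustration. */
enum tcp_ct_state { CT_TCP_ESTABLISHED, CT_TCP_CLOSE };

#define CT_TCP_ESTABLISHED_TIMEOUT (5 * 24 * 3600)  /* 5 days, as in the message */
#define CT_TCP_CLOSE_TIMEOUT        10              /* assumed close timeout (s) */

struct nf_conn {
    bool confirmed;           /* entry has been committed to the conntrack table */
    enum tcp_ct_state state;
    unsigned int timeout;     /* seconds until the entry expires */
};

struct sk_buff {
    struct nf_conn *nfct;     /* conntrack pointer carried by the packet */
};

/* The generated reset copies ->nfct from the packet that hit the reject
 * rule. Because of that the conntrack hooks in output/postrouting skip it,
 * so without an explicit closing step the entry keeps its ESTABLISHED
 * state and its full (5 day) timeout. */
static void build_reset_skb(const struct sk_buff *in, struct sk_buff *rst)
{
    rst->nfct = in->nfct;
}

/* Explicit closing as described in the message: only a confirmed entry
 * is switched to the closed state. An unconfirmed entry will never be
 * committed to the table, so no action is needed for it. */
static bool ct_tcp_closing(struct nf_conn *ct)
{
    if (ct == NULL || !ct->confirmed)
        return false;
    ct->state = CT_TCP_CLOSE;
    ct->timeout = CT_TCP_CLOSE_TIMEOUT;
    return true;
}

/* Reject path with the closing step wired in: build the reset, then
 * close the conntrack entry the reset skb refers to. Returns whether
 * an entry was actually closed. */
static bool reject_with_tcp_reset(const struct sk_buff *in)
{
    struct sk_buff rst;
    build_reset_skb(in, &rst);
    return ct_tcp_closing(rst.nfct);
}
```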