This series resolves an esoteric scenario. Given two tasks sending UDP packets to one another, the NAT engine can falsely detect a port collision if it happens to pick up a reply packet as 'new' rather than 'reply'.

The first patch adds extra code to detect this and suppress port reallocation in this case. The second patch extends the clash resolution logic to detect such a reverse clash (the clashing conntrack is the reply to an existing entry). Patch 3 adds a test case.

Since this has existed forever and hasn't been reported in two decades, I'm submitting this for -next.

Florian Westphal (3):
  netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash
  netfilter: conntrack: add clash resolution for reverse collisions
  selftests: netfilter: add reverse-clash resolution test case

 net/netfilter/nf_conntrack_core.c                  |  56 +++++++-
 net/netfilter/nf_nat_core.c                        | 120 ++++++++++++++++-
 .../testing/selftests/net/netfilter/Makefile       |   2 +
 .../net/netfilter/conntrack_reverse_clash.c        | 125 ++++++++++++++++++
 .../net/netfilter/conntrack_reverse_clash.sh       |  51 +++++++
 5 files changed, 347 insertions(+), 7 deletions(-)
 create mode 100644 tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
 create mode 100755 tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh

-- 
2.44.2
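A simplified Python model of the race and of the two checks the cover letter describes, added here as an illustration; it is not kernel code and not part of this series. The `Tuple`, `Conntrack`, `ConntrackTable` and `pick_source_port` names, the optional `snat_ip` field and the addresses are constructed for the example and only mimic conntrack's two-tuple indexing and NAT port selection at a conceptual level.

```python
from collections import namedtuple

Tuple = namedtuple("Tuple", "src sport dst dport")   # one direction of a UDP flow

class Conntrack:
    """Unconfirmed entry allocated when a packet finds no confirmed match."""
    def __init__(self, orig, snat_ip=None):
        self.orig = orig          # original direction
        self.snat_ip = snat_ip    # source NAT applied to it, if any (assumed field)

    def reply(self):
        # Reply direction: endpoints swapped, NATed source where applicable.
        return Tuple(self.orig.dst, self.orig.dport,
                     self.snat_ip or self.orig.src, self.orig.sport)

class ConntrackTable:
    """Toy model: confirmed entries are indexed by both of their tuples."""
    def __init__(self):
        self.index = {}           # Tuple -> Conntrack

    def confirm(self, ct):
        """Insert at confirm time: 'inserted', 'clash' or 'reverse_clash'."""
        hit = self.index.get(ct.orig)
        if hit is None:
            self.index[ct.orig] = ct
            self.index[ct.reply()] = ct
            return "inserted"
        if hit.reply() == ct.orig:
            # Our 'new' original tuple is the reply tuple of an existing entry:
            # the packet is a reply to that flow, not the start of a new one.
            return "reverse_clash"
        return "clash"            # same original tuple created twice

def pick_source_port(table, ct):
    """NAT source-port selection: move the port only when the reply tuple is
    taken by a genuinely different flow, not by the reverse of our own."""
    hit = table.index.get(ct.reply())
    if hit is None or hit.orig == ct.reply():
        return ct.orig.sport      # free, or a reverse-direction clash
    return ct.orig.sport + 1      # stand-in for searching for a free port

def reverse_clash_race():
    """Two tasks send UDP to each other; the second lookup races the first."""
    table = ConntrackTable()
    a_to_b = Conntrack(Tuple("10.0.0.1", 4000, "10.0.0.2", 5000))
    b_to_a = Conntrack(Tuple("10.0.0.2", 5000, "10.0.0.1", 4000))
    first = table.confirm(a_to_b)
    port = pick_source_port(table, b_to_a)   # must stay 5000
    return first, table.confirm(b_to_a), port, len(table.index)
```

`reverse_clash_race()` returns `('inserted', 'reverse_clash', 5000, 2)`: the second entry is recognised as the reply direction and its source port is left alone, whereas two different internal hosts mapped to the same NAT address and port would still get a port reallocation.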