c46172147ebb brought the logic of never setting ASSURED to drop NAT_CLASH replies in case the server is very busy and early_drop logic kicks in. However, this will drop all subsequent UDP packets that are sent through multiple threads of an application. We already had a customer report this issue that impacts their business, so delete this logic to avoid this issue at the moment. Fixes: c46172147ebb ("netfilter: conntrack: do not auto-delete clash entries on reply") Signed-off-by: Yadan Fan <ydfan@xxxxxxxx> --- net/netfilter/nf_conntrack_proto_udp.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index 0030fbe8885c..def3e06430eb 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c @@ -116,10 +116,6 @@ int nf_conntrack_udp_packet(struct nf_conn *ct, nf_ct_refresh_acct(ct, ctinfo, skb, extra); - /* never set ASSURED for IPS_NAT_CLASH, they time out soon */ - if (unlikely((status & IPS_NAT_CLASH))) - return NF_ACCEPT; - /* Also, more likely to be important, and not a probe */ if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) nf_conntrack_event_cache(IPCT_ASSURED, ct); -- 2.34.1
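Review bot: The branch removed from nf_conntrack_udp_packet() returns NF_ACCEPT, so the changelog does not explain how it leads to subsequent UDP packets being dropped; the only effect visible in this hunk is that IPS_NAT_CLASH entries now fall through to the test_and_set_bit(IPS_ASSURED_BIT, &ct->status) path when stream is set. Please describe the actual drop mechanism in the commit message, and state how the early_drop concern that motivated c46172147ebb is handled once clash entries can become ASSURED. If the local `status` is read only by the deleted check, remove it in the same patch so the function is not left with an unused variable.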