Patch "netfilter: conntrack: don't refresh sctp entries in closed state" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: conntrack: don't refresh sctp entries in closed state

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-conntrack-don-t-refresh-sctp-entries-in-cl.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 22d2568680c0c8aa3602b9bee2e462493f81f152
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Fri Jan 28 13:13:32 2022 +0100

    netfilter: conntrack: don't refresh sctp entries in closed state
    
    [ Upstream commit 77b337196a9d87f3d6bb9b07c0436ecafbffda1e ]
    
    Vivek Thrivikraman reported:
     An SCTP server application which is accessed continuously by client
     application.
     When the session disconnects the client retries to establish a connection.
     After restart of SCTP server application the session is not established
     because of stale conntrack entry with connection state CLOSED as below.
    
     (removing this entry manually established new connection):
    
     sctp 9 CLOSED src=10.141.189.233 [..]  [ASSURED]
    
    Just skip timeout update of closed entries, we don't want them to
    stay around forever.
    
    Reported-and-tested-by: Vivek Thrivikraman <vivek.thrivikraman@xxxxxxxx>
    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1579
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 810cca24b3990..7626f3e1c70a7 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -489,6 +489,15 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
 			pr_debug("Setting vtag %x for dir %d\n",
 				 ih->init_tag, !dir);
 			ct->proto.sctp.vtag[!dir] = ih->init_tag;
+
+			/* don't renew timeout on init retransmit so
+			 * port reuse by client or NAT middlebox cannot
+			 * keep entry alive indefinitely (incl. nat info).
+			 */
+			if (new_state == SCTP_CONNTRACK_CLOSED &&
+			    old_state == SCTP_CONNTRACK_CLOSED &&
+			    nf_ct_is_confirmed(ct))
+				ignore = true;
 		}
 
 		ct->proto.sctp.state = new_state;
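Review bot: the new comment says the timeout is not renewed, but the hunk only sets `ignore = true`, and what `ignore` controls is outside the visible context, while `ct->proto.sctp.state = new_state;` just below still runs; spell out in the comment that the state transition still happens and only the timeout refresh is skipped, so a reader does not mistake this for a packet drop. Also, `ct->proto.sctp.vtag[!dir] = ih->init_tag;` on the line directly above the new block still executes, so a retransmitted INIT on a confirmed CLOSED entry overwrites the stored vtag even though its timeout is not refreshed; if that is intended, say so in the comment, otherwise consider moving the check above the vtag assignment.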


