git.dujemihanovic.xyz Git - linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 10 Sep 2024 09:38:15 +0000 (11:38 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 26 Sep 2024 11:01:54 +0000 (13:01 +0200)
commit	a4e6a1031e7769c63d17b8e97d79e25dd7271fd3
tree	98812776cd0449267d15a53a796b31bcc59d73bb	tree \| snapshot
parent	d8f84a9bc7c4e07fdc4edc00f9e868b8db974ccb	commit \| diff

netfilter: conntrack: add clash resolution for reverse collisions

Given existing entry:
ORIGIN: a:b -> c:d
REPLY: c:d -> a:b

And colliding entry:
ORIGIN: c:d -> a:b
REPLY: a:b -> c:d

The colliding ct (and the associated skb) get dropped on insert.
Permit this by checking if the colliding entry matches the reply
direction.

Happens when both ends send packets at same time, both requests are picked
up as NEW, rather than NEW for the 'first' and 'ESTABLISHED' for the
second packet.

This is an esoteric condition, as ruleset must permit NEW connections
in either direction and both peers must already have a bidirectional
traffic flow at the time conntrack gets enabled.

Allow the 'reverse' skb to pass and assign the existing (clashing)
entry.

While at it, also drop the extra 'dying' check, this is already
tested earlier by the calling function.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>