git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit
netfilter: conntrack: allow sctp hearbeat after connection re-use
author Florian Westphal <fw@strlen.de>
Tue, 18 Aug 2020 14:15:58 +0000 (16:15 +0200)
committer Stefan Bader <stefan.bader@canonical.com>
Mon, 9 Nov 2020 13:46:40 +0000 (14:46 +0100)
commit 69514f971dc6210989075ef92b955c13b77c66ee
tree ed3353f87c62f589425735265c35434d85d1c543
parent 58a35c0833f7ab2c0887f96c3112d284417db722
netfilter: conntrack: allow sctp hearbeat after connection re-use

BugLink: https://bugs.launchpad.net/bugs/1896824
[ Upstream commit cc5453a5b7e90c39f713091a7ebc53c1f87d1700 ]

If an sctp connection gets re-used, heartbeats are flagged as invalid
because their vtag doesn't match.

Handle this in a similar way as TCP conntrack when it suspects that the
endpoints and conntrack are out-of-sync.

When a HEARTBEAT request fails its vtag validation, flag this in the
conntrack state and accept the packet.

When a HEARTBEAT_ACK is received with an invalid vtag in the reverse
direction after we allowed such a HEARTBEAT through, assume we are
out-of-sync and re-set the vtag info.

v2: remove left-over snippet from an older incarnation that moved
    new_state/old_state assignments, that's not needed so keep that
    as-is.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
include/linux/netfilter/nf_conntrack_sctp.h
net/netfilter/nf_conntrack_proto_sctp.c
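
The HEARTBEAT handling described in the commit message, as a user-space C model added here for illustration; it is not the kernel patch, whose diff is not shown on this page. The struct layout, the flag name `HB_VTAG_FAILED`, treating a zero tag as "not yet learned", clearing the flag on a matching HEARTBEAT, and the exact form of the re-set are assumptions of the model, and the tag values are constructed.

```c
#include <stdint.h>
enum dir     { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
enum chunk   { CHUNK_HEARTBEAT, CHUNK_HEARTBEAT_ACK };
enum verdict { VERDICT_INVALID = 0, VERDICT_ACCEPT = 1 };
#define HB_VTAG_FAILED 0x1  /* hypothetical flag name */

struct sctp_ct_model {
    uint32_t vtag[2];  /* expected tag per direction; 0 = not learned (assumption) */
    uint8_t  last_dir; /* direction of the HEARTBEAT that failed validation */
    uint8_t  flags;
};

/* Verdict for a packet carrying a single HEARTBEAT or HEARTBEAT_ACK chunk. */
enum verdict track_heartbeat(struct sctp_ct_model *ct, enum dir dir,
                             enum chunk type, uint32_t vtag)
{
    if (ct->vtag[dir] == 0) {               /* nothing recorded: learn the tag */
        ct->vtag[dir] = vtag;
        return VERDICT_ACCEPT;
    }
    if (vtag == ct->vtag[dir]) {            /* tracker and endpoints in sync */
        if (type == CHUNK_HEARTBEAT)
            ct->flags &= ~HB_VTAG_FAILED;
        return VERDICT_ACCEPT;
    }
    if (type == CHUNK_HEARTBEAT) {          /* mismatch: flag it, let it through */
        ct->flags |= HB_VTAG_FAILED;
        ct->last_dir = dir;
        return VERDICT_ACCEPT;
    }
    /* Mismatching HEARTBEAT_ACK: only honoured as the reply to a flagged HEARTBEAT. */
    if (!(ct->flags & HB_VTAG_FAILED) || ct->last_dir == dir)
        return VERDICT_INVALID;
    ct->flags &= ~HB_VTAG_FAILED;
    ct->vtag[dir] = vtag;                   /* resync (assumed form of "re-set") */
    ct->vtag[!dir] = 0;                     /* relearn the other side's tag */
    return VERDICT_ACCEPT;
}

/* Constructed state: the tracker still holds the tags of the old association. */
struct sctp_ct_model demo_ct = { { 0xAAAA0001u, 0xBBBB0001u }, 0, 0 };
/* Replays three constructed packets of the re-used connection; verdicts in bits 0..2. */
unsigned replay_reuse(void)
{
    unsigned a = track_heartbeat(&demo_ct, DIR_REPLY, CHUNK_HEARTBEAT_ACK, 0xBBBB0002u);
    unsigned b = track_heartbeat(&demo_ct, DIR_ORIGINAL, CHUNK_HEARTBEAT, 0xAAAA0002u);
    unsigned c = track_heartbeat(&demo_ct, DIR_REPLY, CHUNK_HEARTBEAT_ACK, 0xBBBB0002u);
    return a | (b << 1) | (c << 2);
}
```

In the replay, the first HEARTBEAT_ACK is still rejected because no HEARTBEAT has been flagged yet; the same ACK is accepted only after a mismatching HEARTBEAT was let through in the opposite direction.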