Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: conntrack: don't refresh sctp entries in closed state

Vivek Thrivikraman reported:
An SCTP server application is accessed continuously by a client
application.
When the session disconnects, the client retries to establish a connection.
After a restart of the SCTP server application the session is not established
because of a stale conntrack entry with connection state CLOSED, as below.

(removing this entry manually established a new connection):

sctp 9 CLOSED src=10.141.189.233 [..] [ASSURED]

Just skip timeout update of closed entries, we don't want them to
stay around forever.

Reported-and-tested-by: Vivek Thrivikraman <vivek.thrivikraman@est.tech>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1579
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by Florian Westphal and committed by Pablo Neira Ayuso
77b33719 ed14fc7a
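The manual workaround the report describes (delete the stale CLOSED entry so the client's new INIT creates a fresh one) is easy to get wrong by hand when there are many associations. The script below is an added example, not part of the kernel commit or of conntrack-tools: it reads a conntrack listing, selects SCTP entries that are in state CLOSED and already [ASSURED], and prints the matching conntrack(8) delete command for each without running it. It goes slightly beyond the page in that it locates the state by position relative to the first src= field, so the same filter works on both `conntrack -L` output and the /proc/net/nf_conntrack layout. The addresses, ports and timeouts in the sample listing are constructed for the example; the -p/-s/-d/--sport/--dport options are the standard conntrack(8) tuple selectors.

```shell
#!/bin/sh
# Added example (not from the kernel commit or conntrack-tools): list the
# delete commands for stale SCTP conntrack entries stuck in CLOSED, i.e. the
# manual cleanup mentioned in the bug report, without executing anything.

# Constructed sample listing in `conntrack -L -p sctp` format (not real traffic):
#  line 1: stale CLOSED entry that is ASSURED -> the one that blocks reconnects
#  line 2: live ESTABLISHED association      -> must be left alone
#  line 3: CLOSED but not yet ASSURED         -> a handshake in progress, leave it
SAMPLE_CONNTRACK_LIST='sctp     132 9 CLOSED src=10.141.189.233 dst=10.141.189.10 sport=38412 dport=38412 src=10.141.189.10 dst=10.141.189.233 sport=38412 dport=38412 [ASSURED] mark=0 use=1
sctp     132 431999 ESTABLISHED src=10.141.189.234 dst=10.141.189.10 sport=50001 dport=38412 src=10.141.189.10 dst=10.141.189.234 sport=38412 dport=50001 [ASSURED] mark=0 use=1
sctp     132 8 CLOSED src=10.141.189.235 dst=10.141.189.10 sport=50002 dport=38412 src=10.141.189.10 dst=10.141.189.235 sport=38412 dport=50002 mark=0 use=1'

# stale_sctp_delete_cmds: read a conntrack listing on stdin and emit one
# "conntrack -D ..." line per SCTP entry that is CLOSED and [ASSURED].
# The state is the field just before the first "src=" field; the four fields
# starting at "src=" are the original-direction tuple, which is what
# -s/-d/--sport/--dport select. Works for `conntrack -L` and /proc/net/nf_conntrack.
stale_sctp_delete_cmds() {
    awk '
    {
        j = 0
        for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { j = i; break }
        if (j < 2) next                      # no tuple on this line
        is_sctp = 0
        for (i = 1; i < j; i++) if ($i == "sctp") is_sctp = 1
        if (!is_sctp) next                   # tcp/udp/... entries
        if ($(j - 1) != "CLOSED") next       # any other SCTP state is live
        if ($0 !~ /\[ASSURED\]/) next        # fresh entries have not seen a reply yet
        src = $j; dst = $(j + 1); sport = $(j + 2); dport = $(j + 3)
        sub(/^src=/, "", src); sub(/^dst=/, "", dst)
        sub(/^sport=/, "", sport); sub(/^dport=/, "", dport)
        printf "conntrack -D -p sctp -s %s -d %s --sport %s --dport %s\n", src, dst, sport, dport
    }'
}

# count_stale: number of stale entries on stdin, handy for a monitoring check.
count_stale() {
    stale_sctp_delete_cmds | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_CONNTRACK_LIST" | stale_sctp_delete_cmds
```

Against a live box this is `conntrack -L -p sctp 2>/dev/null | stale_sctp_delete_cmds`, and piping that into `sh` performs the deletions (root required). The [ASSURED] check matters: a CLOSED entry without it is an association that is still being set up, and deleting it would break the handshake it belongs to. With this fix applied the stale entries stop being refreshed and expire on their own, so the cleanup is only needed on kernels without it.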

net/netfilter/nf_conntrack_proto_sctp.c (+9)
··· 489 489 pr_debug("Setting vtag %x for dir %d\n", 490 490 ih->init_tag, !dir); 491 491 ct->proto.sctp.vtag[!dir] = ih->init_tag; 492 + 493 + /* don't renew timeout on init retransmit so 494 + * port reuse by client or NAT middlebox cannot 495 + * keep entry alive indefinitely (incl. nat info). 496 + */ 497 + if (new_state == SCTP_CONNTRACK_CLOSED && 498 + old_state == SCTP_CONNTRACK_CLOSED && 499 + nf_ct_is_confirmed(ct)) 500 + ignore = true; 492 501 } 493 502 494 503 ct->proto.sctp.state = new_state;
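Review bot: the new CLOSED/CLOSED/confirmed check sits after `ct->proto.sctp.vtag[!dir] = ih->init_tag;`, so a retransmitted or port-reusing INIT still overwrites the reverse-direction vtag of the stale entry on exactly the path the patch then decides to ignore; either move the check ahead of the vtag assignment or extend the comment to say why updating the vtag of an entry that is being left to expire is harmless. The comment should also state what `ignore = true` achieves (the packet is still accepted but the timeout is not refreshed, per the commit message), since the hunk itself does not show where `ignore` is consumed. The `nf_ct_is_confirmed(ct)` condition deserves a line of its own as well, presumably it exists because a brand-new, not yet confirmed entry also sees old_state == new_state == CLOSED on its first INIT and must still receive its initial timeout; without that explanation the next reader may drop it as redundant.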