git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 24 Jun 2021 10:36:42 +0000 (12:36 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 2 Jul 2021 00:05:59 +0000 (02:05 +0200)
commit	da678759a8d1b63e40c595ba81e1f527fe57bdef
tree	75066635f40862251ce8e4cdd70f6085b3425aea	tree \| snapshot
parent	3f0a16b084df2939faf129a007f1cb3af34a67b9	commit \| diff

netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state

Consider:
client -----> conntrack ---> Host

client sends a SYN, but $Host is unreachable/silent.
Client eventually gives up and the conntrack entry will time out.

However, if the client is restarted with same addr/port pair, it
may prevent the conntrack entry from timing out.

This is noticeable when the existing conntrack entry has no NAT
transformation or an outdated one and port reuse happens either
on client or due to a NAT middlebox.

This change prevents refresh of the timeout for SYN retransmits,
so entry is going away after nf_conntrack_tcp_timeout_syn_sent
seconds (default: 60).

Entry will be re-created on next connection attempt, but then
nat rules will be evaluated again.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>