From 4542148a7e3f976f7ea6fe4a6b819fd58004b4f2 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 12 Oct 2023 10:03:45 +0000 Subject: [PATCH] Reapply "netfilter: conntrack: don't refresh sctp entries in closed state" This reverts commit 2867afd6471fd2dabbf445b6d8c8c430517dda9d as it causes merge conflicts with 5.4.258. It will be added back after the merge. Change-Id: Ibe09c3b147ba00fb3978f0b7372c5fbdbf1bc93d Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nf_conntrack_proto_sctp.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 8eaa0d15a5a7..21cbaf6dac33 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c @@ -485,6 +485,15 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct, pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir); ct->proto.sctp.vtag[!dir] = ih->init_tag; + + /* don't renew timeout on init retransmit so + * port reuse by client or NAT middlebox cannot + * keep entry alive indefinitely (incl. nat info). + */ + if (new_state == SCTP_CONNTRACK_CLOSED && + old_state == SCTP_CONNTRACK_CLOSED && + nf_ct_is_confirmed(ct)) + ignore = true; } ct->proto.sctp.state = new_state;