author: Florian Westphal <fw@strlen.de> 2020-08-18 16:15:58 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-08-20 14:13:49 +0200
commit: cc5453a5b7e90c39f713091a7ebc53c1f87d1700 (patch)
tree: 631ff062cc6b96c5b2cc723a395e79864656580a /include/linux/netfilter
parent: cf96d977381d4a23957bade2ddf1c420b74a26b6 (diff)
netfilter: conntrack: allow sctp heartbeat after connection re-use

If an sctp connection gets re-used, heartbeats are flagged as invalid because their vtag doesn't match.

Handle this in a similar way as TCP conntrack when it suspects that the endpoints and conntrack are out-of-sync.

When a HEARTBEAT request fails its vtag validation, flag this in the conntrack state and accept the packet.

When a HEARTBEAT_ACK is received with an invalid vtag in the reverse direction after we allowed such a HEARTBEAT through, assume we are out-of-sync and re-set the vtag info.

v2: remove left-over snippet from an older incarnation that moved new_state/old_state assignments, that's not needed so keep that as-is.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/linux/netfilter')
-rw-r--r-- include/linux/netfilter/nf_conntrack_sctp.h | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
index 9a33f171aa82..625f491b95de 100644
--- a/include/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/linux/netfilter/nf_conntrack_sctp.h
@@ -9,6 +9,8 @@ struct ip_ct_sctp {
enum sctp_conntrack state;
__be32 vtag[IP_CT_DIR_MAX];
+ u8 last_dir;
+ u8 flags;
};
#endif /* _NF_CONNTRACK_SCTP_H */
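Review bot: the two new members of struct ip_ct_sctp, `u8 last_dir;` and `u8 flags;`, are added without any comment, and this header defines no bit values for `flags`, so a reader of the struct cannot tell what `last_dir` records or which bit marks the "HEARTBEAT with invalid vtag was accepted" condition the commit message describes. Suggest a one-line comment on each field (e.g. that `last_dir` holds the direction of the last packet seen and that `flags` carries the out-of-sync heartbeat marker) and, since the header is the public definition of the state, a named constant for the flag bit next to the struct rather than a magic value in the protocol code. Documenting the fields here also makes it clear that both are plain state and not part of the vtag validation itself, which the commit message says is re-set on the HEARTBEAT_ACK path.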