netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
stable inclusion from stable-v5.10.166 commit 5fb884d748e438f87ecca4694933a4fae3efe34b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I87FRA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5fb884d748e438f87ecca4694933a4fae3efe34b -------------------------------- [ Upstream commit e15d4cdf ] Consider: client -----> conntrack ---> Host client sends a SYN, but $Host is unreachable/silent. Client eventually gives up and the conntrack entry will time out. However, if the client is restarted with same addr/port pair, it may prevent the conntrack entry from timing out. This is noticeable when the existing conntrack entry has no NAT transformation or an outdated one and port reuse happens either on client or due to a NAT middlebox. This change prevents refresh of the timeout for SYN retransmits, so entry is going away after nf_conntrack_tcp_timeout_syn_sent seconds (default: 60). Entry will be re-created on next connection attempt, but then nat rules will be evaluated again. Signed-off-by:Florian Westphal <fw@strlen.de> Signed-off-by:
Loading
Please sign in to comment