summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2020-08-18 16:15:58 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-09-17 13:47:45 +0200
commit59d2b1e5cb058122d53ab140831d69740034f951 (patch)
tree0d7b25d7704c76a1d1022ac3e541f0d1596f173f /include
parent444bf09f2be4afd2a73e4c8ae0a8a700e5bbe5fa (diff)
netfilter: conntrack: allow sctp hearbeat after connection re-use
[ Upstream commit cc5453a5b7e90c39f713091a7ebc53c1f87d1700 ] If an sctp connection gets re-used, heartbeats are flagged as invalid because their vtag doesn't match. Handle this in a similar way as TCP conntrack when it suspects that the endpoints and conntrack are out-of-sync. When a HEARTBEAT request fails its vtag validation, flag this in the conntrack state and accept the packet. When a HEARTBEAT_ACK is received with an invalid vtag in the reverse direction after we allowed such a HEARTBEAT through, assume we are out-of-sync and re-set the vtag info. v2: remove left-over snippet from an older incarnation that moved new_state/old_state assignments, thats not needed so keep that as-is. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter/nf_conntrack_sctp.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
index 9a33f171aa82..625f491b95de 100644
--- a/include/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/linux/netfilter/nf_conntrack_sctp.h
@@ -9,6 +9,8 @@ struct ip_ct_sctp {
enum sctp_conntrack state;
__be32 vtag[IP_CT_DIR_MAX];
+ u8 last_dir;
+ u8 flags;
};
#endif /* _NF_CONNTRACK_SCTP_H */
generated by cgit v1.2.3 (git 2.0.4) at 2024-05-28 12:26:58 +0000