path: root/net/netfilter/nft_limit.c
author: Florian Westphal <fw@strlen.de> 2023-06-06 22:59:30 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-06-26 08:05:57 +0200
commit: 4589725502871e77d06464f731f92fd9173e2be6 (patch)
tree: 42c398c71f40803b81430cb7d490f1e1a88b1771 /net/netfilter/nft_limit.c
parent: 96b2ef9b16cb302d0b47c5670d30a05963e0e1e3 (diff)
netfilter: snat: evict closing tcp entries on reply tuple collision
When all tried source tuples are in use, the connection request (skb) and the new conntrack will be dropped in nf_confirm() due to the non-recoverable clash.

Make it so that the last 32 attempts are allowed to evict a colliding entry if this connection is already closing and the new sequence number has advanced past the old one.

Such "all tuples taken" scenario can happen with tcp-rpc workloads where same dst:dport gets queried repeatedly.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_limit.c')
0 files changed, 0 insertions, 0 deletions