| author | Florian Westphal <[email protected]> | 2023-06-06 20:59:30 +0000 |
|---|---|---|
| committer | Pablo Neira Ayuso <[email protected]> | 2023-06-26 06:05:57 +0000 |
| commit | 4589725502871e77d06464f731f92fd9173e2be6 (patch) | |
| tree | 42c398c71f40803b81430cb7d490f1e1a88b1771 /net/unix/af_unix.c | |
| parent | netfilter: nf_tables: permit update of set size (diff) | |
netfilter: snat: evict closing tcp entries on reply tuple collision

When all tried source tuples are in use, the connection request (skb)
and the new conntrack will be dropped in nf_confirm() due to the
non-recoverable clash.

Make it so that the last 32 attempts are allowed to evict a colliding
entry if this connection is already closing and the new sequence number
has advanced past the old one.

Such "all tuples taken" scenario can happen with tcp-rpc workloads where
same dst:dport gets queried repeatedly.

Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>

Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions
