github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
7fd2df204f
linux/net/netfilter
History
Xin Long 576a5d2bad netfilter: skip recording stale or retransmitted INIT 
An INIT whose init_tag matches the peer's vtag does not provide new state
information. It indicates either:

- a stale INIT (after INIT-ACK has already been seen on the same side), or
- a retransmitted INIT (after INIT has already been recorded on the same
  side).

In both cases, the INIT must not update ct->proto.sctp.init[] state, since
it does not advance the handshake tracking and may otherwise corrupt
INIT/INIT-ACK validation logic.

Allow INIT processing only when the conntrack entry is newly created
(SCTP_CONNTRACK_NONE), or when the init_tag differs from the stored peer
vtag.

Note it skips the check for the ct with old_state SCTP_CONNTRACK_NONE in
nf_conntrack_sctp_packet(), as it is just created in sctp_new() where it
set ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag.

Fixes: 9fb9cbb108 ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/ee56c3e416452b2a40589a2a85245ac2ad5e9f4b.1777214801.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-28 17:52:19 -07:00
..
ipset netfilter: require Ethernet MAC header before using eth_hdr() 2026-04-10 12:16:27 +02:00
ipvs ipvs: fix MTU check for GSO packets in tunnel mode 2026-04-20 23:45:43 +02:00
core.c netfilter: remove nf_ipv6_ops and use direct function calls 2026-03-29 11:21:24 -07:00
Kconfig netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
Makefile netfilter: flowtable: move path discovery infrastructure to its own file 2025-11-27 23:59:43 +00:00
nf_bpf_link.c netfilter: bpf: defer hook memory release until rcu readers are done 2026-03-19 10:26:31 +01:00
nf_conncount.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_conntrack_acct.c
nf_conntrack_amanda.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_bpf.c Networking changes for 7.0 2026-02-11 19:31:52 -08:00
nf_conntrack_broadcast.c netfilter: nf_conntrack_expect: store netns and zone in expectation 2026-03-26 13:24:40 +01:00
nf_conntrack_core.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_ecache.c netfilter: ctnetlink: ensure safe access to master conntrack 2026-03-26 13:18:32 +01:00
nf_conntrack_expect.c netfilter: nf_conntrack_expect: skip expectations in other netns via proc 2026-03-26 13:28:03 +01:00
nf_conntrack_extend.c netfilter: conntrack: fix extension size table 2023-09-13 21:57:50 +02:00
nf_conntrack_ftp.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined 2026-04-08 07:51:31 +02:00
nf_conntrack_h323_main.c netfilter: nf_conntrack_expect: honor expectation helper field 2026-03-26 13:18:31 +01:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: nf_conntrack_helper: pass helper to expect cleanup 2026-04-01 11:55:29 +02:00
nf_conntrack_irc.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_labels.c netfilter: conntrack: switch connlabels to atomic_t 2023-10-24 13:16:30 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-02 11:03:13 -07:00
nf_conntrack_ovs.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
nf_conntrack_pptp.c
nf_conntrack_proto_generic.c netfilter: nf_conntrack: Add allow_clash to generic protocol handler 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_gre.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_conntrack_proto_icmp.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_icmpv6.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_sctp.c netfilter: skip recording stale or retransmitted INIT 2026-04-28 17:52:19 -07:00
nf_conntrack_proto_tcp.c netfilter: ctnetlink: use netlink policy range checks 2026-03-26 13:28:17 +01:00
nf_conntrack_proto_udp.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_proto.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: don't use simple_strtoul 2026-04-24 20:09:57 +02:00
nf_conntrack_snmp.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_standalone.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_tftp.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it 2026-04-08 07:51:31 +02:00
nf_flow_table_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_flow_table_core.c netfilter: flowtable: dedicated slab for flow entry 2026-02-06 13:34:55 +01:00
nf_flow_table_inet.c net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init() 2024-09-12 15:41:03 +02:00
nf_flow_table_ip.c netfilter: nf_flow_table_ip: reset mac header before vlan push 2026-03-13 15:31:15 +01:00
nf_flow_table_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-02 11:03:13 -07:00
nf_flow_table_path.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_flow_table_procfs.c
nf_flow_table_xdp.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_hooks_lwtunnel.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
nf_internals.h netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core 2024-06-19 18:41:59 +02:00
nf_log_syslog.c netfilter: require Ethernet MAC header before using eth_hdr() 2026-04-10 12:16:27 +02:00
nf_log.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_nat_amanda.c netfilter: conntrack: remove sprintf usage 2026-04-20 23:27:46 +02:00
nf_nat_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_nat_core.c netfilter: nat: use kfree_rcu to release ops 2026-04-20 23:45:41 +02:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c netfilter: remove nf_ipv6_ops and use direct function calls 2026-03-29 11:21:24 -07:00
nf_nat_ovs.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_nat_proto.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_nat_redirect.c netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses 2023-11-08 16:40:30 +01:00
nf_nat_sip.c netfilter: nf_conntrack_sip: don't use simple_strtoul 2026-04-24 20:09:57 +02:00
nf_nat_tftp.c
nf_queue.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
nf_sockopt.c
nf_synproxy_core.c netfilter: don't include xt and nftables.h in unrelated subsystems 2026-01-20 16:23:37 +01:00
nf_tables_api.c netfilter: nf_tables: add hook transactions for device deletions 2026-04-21 12:48:44 +02:00
nf_tables_core.c netfilter: nft_meta: add double-tagged vlan and pppoe support 2026-04-08 07:51:31 +02:00
nf_tables_offload.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_tables_trace.c netfilter: nf_tables: hide clash bit from userspace 2025-07-14 15:22:35 +02:00
nfnetlink_acct.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nfnetlink_cthelper.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nfnetlink_cttimeout.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nfnetlink_hook.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nfnetlink_log.c netfilter: nfnetlink: prefer skb_mac_header helpers 2026-04-10 12:16:26 +02:00
nfnetlink_osf.c netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check 2026-04-20 23:45:44 +02:00
nfnetlink_queue.c netfilter: nfnetlink: prefer skb_mac_header helpers 2026-04-10 12:16:26 +02:00
nfnetlink.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
nft_bitwise.c netfilter: reject zero shift in nft_bitwise 2026-04-24 20:09:57 +02:00
nft_byteorder.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_chain_filter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-12 12:53:34 -07:00
nft_chain_nat.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nft_chain_route.c
nft_cmp.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_compat.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_connlimit.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_counter.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_ct_fast.c
nft_ct.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nft_dup_netdev.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_dynset.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_exthdr.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_fib_inet.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_fib_netdev.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_fib.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_flow_offload.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_fwd_netdev.c netfilter: nft_fwd_netdev: check ttl/hl before forwarding 2026-04-10 12:16:27 +02:00
nft_hash.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_immediate.c netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it 2026-04-08 07:51:31 +02:00
nft_inner.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_last.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-02-26 10:23:00 -08:00
nft_limit.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_log.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_lookup.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_masq.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_meta.c netfilter: nft_meta: add double-tagged vlan and pppoe support 2026-04-08 07:51:31 +02:00
nft_nat.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_numgen.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_objref.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_osf.c netfilter: nft_osf: restrict it to ipv4 2026-04-20 23:27:36 +02:00
nft_payload.c netfilter: nft_meta: add double-tagged vlan and pppoe support 2026-04-08 07:51:31 +02:00
nft_queue.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_quota.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_range.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_redir.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_reject_inet.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_reject_netdev.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_reject.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_rt.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_set_bitmap.c netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation 2025-09-10 20:28:24 +02:00
nft_set_hash.c netfilter: nf_tables: clone set on flush only 2026-03-05 13:22:37 +01:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow 2026-04-08 07:51:31 +02:00
nft_set_pipapo_avx2.h netfilter: nft_set_pipapo: use avx2 algorithm for insertions too 2025-08-20 13:52:37 +02:00
nft_set_pipapo.c netfilter: nft_set_pipapo: increment data in one step 2026-04-08 07:51:31 +02:00
nft_set_pipapo.h netfilter: nft_set_pipapo: increment data in one step 2026-04-08 07:51:31 +02:00
nft_set_rbtree.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-26 12:09:57 -07:00
nft_socket.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_synproxy.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_tproxy.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_tunnel.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_xfrm.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
utils.c netfilter: remove nf_ipv6_ops and use direct function calls 2026-03-29 11:21:24 -07:00
x_tables.c netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings 2026-04-10 12:16:27 +02:00
xt_addrtype.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_AUDIT.c audit: add audit_log_nf_skb helper function 2025-12-16 11:04:14 -05:00
xt_bpf.c
xt_cgroup.c netfilter: x_tables: ensure names are nul-terminated 2026-04-01 11:55:29 +02:00
xt_CHECKSUM.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CLASSIFY.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_cluster.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_comment.c
xt_connbytes.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
xt_connlabel.c
xt_connlimit.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
xt_connmark.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CONNSECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: xt_CT: drop pending enqueued packets on template removal 2026-03-13 15:31:15 +01:00
xt_dccp.c netfilter: add deprecation warning for dccp support 2026-04-08 07:51:27 +02:00
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_helper.c
xt_hl.c netfilter: xt_HL: add pr_fmt and checkentry validation 2026-04-10 12:16:26 +02:00
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels 2026-03-10 14:10:43 +01:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_length.c
xt_limit.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_LOG.c
xt_mac.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_mark.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_MASQUERADE.c
xt_multiport.c netfilter: xt_multiport: validate range encoding in checkentry 2026-04-08 13:33:38 +02:00
xt_nat.c
xt_NETMAP.c
xt_nfacct.c netfilter: xt_nfacct: don't assume acct name is null-terminated 2025-07-25 18:40:43 +02:00
xt_NFLOG.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_NFQUEUE.c
xt_osf.c
xt_owner.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_physdev.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_pkttype.c
xt_policy.c netfilter: xt_policy: fix strict mode inbound policy matching 2026-04-24 20:04:56 +02:00
xt_quota.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_rateest.c netfilter: x_tables: ensure names are nul-terminated 2026-04-01 11:55:29 +02:00
xt_RATEEST.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_realm.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_recent.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_REDIRECT.c
xt_repldata.h netfilter: xtables: Use strscpy() instead of strscpy_pad() 2025-03-23 10:53:47 +01:00
xt_sctp.c
xt_SECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_set.c
xt_socket.c netfilter: xt_socket: enable defrag after all other checks 2026-04-10 12:16:26 +02:00
xt_state.c
xt_statistic.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_string.c
xt_tcpmss.c netfilter: xt_tcpmss: check remaining length before reading optlen 2026-01-20 16:23:38 +01:00
xt_TCPMSS.c
xt_TCPOPTSTRIP.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_tcpudp.c netfilter: x_tables: guard option walkers against 1-byte tail reads 2026-03-10 14:10:42 +01:00
xt_TEE.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_time.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-19 14:16:00 -07:00
xt_TPROXY.c
xt_TRACE.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_u32.c