cc5453a5b7
If an sctp connection gets re-used, heartbeats are flagged as invalid
because their vtag doesn't match.
Handle this in a similar way as TCP conntrack when it suspects that the
endpoints and conntrack are out-of-sync.
When a HEARTBEAT request fails its vtag validation, flag this in the
conntrack state and accept the packet.
When a HEARTBEAT_ACK is received with an invalid vtag in the reverse
direction after we allowed such a HEARTBEAT through, assume we are
out-of-sync and re-set the vtag info.
v2: remove left-over snippet from an older incarnation that moved
new_state/old_state assignments, thats not needed so keep that
as-is.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
17 lines
313 B
C
17 lines
313 B
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _NF_CONNTRACK_SCTP_H
|
|
#define _NF_CONNTRACK_SCTP_H
|
|
/* SCTP tracking. */
|
|
|
|
#include <uapi/linux/netfilter/nf_conntrack_sctp.h>
|
|
|
|
struct ip_ct_sctp {
|
|
enum sctp_conntrack state;
|
|
|
|
__be32 vtag[IP_CT_DIR_MAX];
|
|
u8 last_dir;
|
|
u8 flags;
|
|
};
|
|
|
|
#endif /* _NF_CONNTRACK_SCTP_H */
|