Revision - 0799828 - netfilter: conntrack: skip identical origin tuple in same zone only

Revision 07998281c268592963e1cd623fe6ab0270b65ae4 authored by Florian Westphal on 05 February 2021, 11:56:43 UTC, committed by Pablo Neira Ayuso on 08 February 2021, 23:04:14 UTC

netfilter: conntrack: skip identical origin tuple in same zone only

The origin skip check needs to re-test the zone. Else, we might skip
a colliding tuple in the reply direction.

This only occurs when using 'directional zones' where origin tuples
reside in different zones but the reply tuples share the same zone.

This causes the new conntrack entry to be dropped at confirmation time
because NAT clash resolution was elided.

Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 parent ce7536b

Files
Changes

Permalinks

ia64.rst

===========================================
Linux kernel release for the IA-64 Platform
===========================================

   These are the release notes for Linux since version 2.4 for IA-64
   platform.  This document provides information specific to IA-64
   ONLY, to get additional information about the Linux kernel also
   read the original Linux README provided with the kernel.

Installing the Kernel
=====================

 - IA-64 kernel installation is the same as the other platforms, see
   original README for details.


Software Requirements
=====================

   Compiling and running this kernel requires an IA-64 compliant GCC
   compiler.  And various software packages also compiled with an
   IA-64 compliant GCC compiler.


Configuring the Kernel
======================

   Configuration is the same, see original README for details.


Compiling the Kernel:

 - Compiling this kernel doesn't differ from other platform so read
   the original README for details BUT make sure you have an IA-64
   compliant GCC compiler.

IA-64 Specifics
===============

 - General issues:

    * Hardly any performance tuning has been done. Obvious targets
      include the library routines (IP checksum, etc.). Less
      obvious targets include making sure we don't flush the TLB
      needlessly, etc.

    * SMP locks cleanup/optimization

    * IA32 support.  Currently experimental.  It mostly works.

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...