Revision a82c25c366b0963d33ddf699196e6cf57f6d89b1 authored by Florian Westphal on 08 March 2022, 12:52:11 UTC, committed by Florian Westphal on 08 March 2022, 12:52:11 UTC
This reverts commit 878aed8db324bec64f3c3f956e64d5ae7375a5de. This change breaks existing setups where conntrack is used with asymmetric paths. In these cases, the NAT transformation occurs on the syn-ack instead of the syn: 1. SYN x:12345 -> y -> 443 // sent by initiator, receiverd by responder 2. SYNACK y:443 -> x:12345 // First packet seen by conntrack, as sent by responder 3. tuple_force_port_remap() gets called, sees: 'tcp from 443 to port 12345 NAT' -> pick a new source port, inititor receives 4. SYNACK y:$RANDOM -> x:12345 // connection is never established While its possible to avoid the breakage with NOTRACK rules, a kernel update should not break working setups. An alternative to the revert is to augment conntrack to tag mid-stream connections plus more code in the nat core to skip NAT for such connections, however, this leads to more interaction/integration between conntrack and NAT. Therefore, revert, users will need to add explicit nat rules to avoid port shadowing. Link: https://lore.kernel.org/netfilter-devel/20220302105908.GA5852@breakpoint.cc/#R Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2051413 Signed-off-by: Florian Westphal <fw@strlen.de>
1 parent f8e9bd3
| File | Mode | Size |
|---|---|---|
| irq | ||
| assoc_array.rst | -rw-r--r-- | 20.8 KB |
| boot-time-mm.rst | -rw-r--r-- | 1.4 KB |
| bus-virt-phys-mapping.rst | -rw-r--r-- | 8.0 KB |
| cachetlb.rst | -rw-r--r-- | 16.8 KB |
| circular-buffers.rst | -rw-r--r-- | 8.2 KB |
| cpu_hotplug.rst | -rw-r--r-- | 29.3 KB |
| debug-objects.rst | -rw-r--r-- | 11.3 KB |
| debugging-via-ohci1394.rst | -rw-r--r-- | 7.5 KB |
| dma-api-howto.rst | -rw-r--r-- | 32.8 KB |
| dma-api.rst | -rw-r--r-- | 30.2 KB |
| dma-attributes.rst | -rw-r--r-- | 5.7 KB |
| dma-isa-lpc.rst | -rw-r--r-- | 5.1 KB |
| errseq.rst | -rw-r--r-- | 6.4 KB |
| genalloc.rst | -rw-r--r-- | 5.7 KB |
| generic-radix-tree.rst | -rw-r--r-- | 323 bytes |
| genericirq.rst | -rw-r--r-- | 12.5 KB |
| gfp_mask-from-fs-io.rst | -rw-r--r-- | 3.0 KB |
| idr.rst | -rw-r--r-- | 2.8 KB |
| index.rst | -rw-r--r-- | 2.1 KB |
| kernel-api.rst | -rw-r--r-- | 8.0 KB |
| kobject.rst | -rw-r--r-- | 18.8 KB |
| kref.rst | -rw-r--r-- | 9.1 KB |
| librs.rst | -rw-r--r-- | 5.9 KB |
| local_ops.rst | -rw-r--r-- | 7.2 KB |
| memory-allocation.rst | -rw-r--r-- | 8.5 KB |
| memory-hotplug.rst | -rw-r--r-- | 4.5 KB |
| mm-api.rst | -rw-r--r-- | 1.9 KB |
| packing.rst | -rw-r--r-- | 7.3 KB |
| padata.rst | -rw-r--r-- | 7.5 KB |
| pin_user_pages.rst | -rw-r--r-- | 12.1 KB |
| printk-basics.rst | -rw-r--r-- | 4.9 KB |
| printk-formats.rst | -rw-r--r-- | 17.3 KB |
| protection-keys.rst | -rw-r--r-- | 3.4 KB |
| rbtree.rst | -rw-r--r-- | 14.8 KB |
| refcount-vs-atomic.rst | -rw-r--r-- | 5.6 KB |
| symbol-namespaces.rst | -rw-r--r-- | 6.8 KB |
| this_cpu_ops.rst | -rw-r--r-- | 11.2 KB |
| timekeeping.rst | -rw-r--r-- | 7.2 KB |
| tracepoint.rst | -rw-r--r-- | 1.5 KB |
| unaligned-memory-access.rst | -rw-r--r-- | 10.4 KB |
| workqueue.rst | -rw-r--r-- | 15.8 KB |
| xarray.rst | -rw-r--r-- | 20.6 KB |
Computing file changes ...
