netfilter: nft_flow_offload: skip tcp rst and fin packets - linux-dev - Linux kernel development work

diff options

author	Pablo Neira Ayuso <pablo@netfilter.org>	2019-08-13 17:41:13 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-08-14 11:09:07 +0200
commit	dfe42be15fde16232340b8b2a57c359f51cc10d9 (patch)
tree	756b4324cd796f4077908b4b903cf984f7e8fc70 /tools
parent	netfilter: conntrack: Use consistent ct id hash calculation (diff)
download	linux-dev-dfe42be15fde16232340b8b2a57c359f51cc10d9.tar.xz linux-dev-dfe42be15fde16232340b8b2a57c359f51cc10d9.zip

netfilter: nft_flow_offload: skip tcp rst and fin packets

TCP rst and fin packets do not qualify to place a flow into the flowtable. Most likely there will be no more packets after connection closure. Without this patch, this flow entry expires and connection tracking picks up the entry in ESTABLISHED state using the fixup timeout, which makes this look inconsistent to the user for a connection that is actually already closed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'tools')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: