    netfilter: conntrack: sctp: use distinct states for new SCTP connections · ab658b9f
    Jiri Wiesner authored
    
    
    The netlink notifications triggered by the INIT and INIT_ACK chunks
    for a tracked SCTP association do not include protocol information
    for the corresponding connection - SCTP state and verification tags
    for the original and reply direction are missing. Since the connection
    tracking implementation allows user space programs to receive
    notifications about a connection and then create a new connection
    based on the values received in a notification, it makes sense that
    INIT and INIT_ACK notifications should contain the SCTP state
    and verification tags available at the time when a notification
    is sent. The missing verification tags cause a newly created
    netfilter connection to fail to verify the tags of SCTP packets
    when this connection has been created from the values previously
    received in an INIT or INIT_ACK notification.
    
    A PROTOINFO event is cached in sctp_packet() when the state
    of a connection changes. The CLOSED and COOKIE_WAIT state will
    be used for connections that have seen an INIT and INIT_ACK chunk,
    respectively. The distinct states will cause a connection state
    change in sctp_packet().
    
    Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
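The chain of cause and effect in the commit message (PROTOINFO snapshot only on a state change, so a chunk that lands in the same state leaves user space without the verification tags it needs to re-create the connection) can be shown with a small model. The following is an added illustration, not the kernel's nf_conntrack_proto_sctp code: the two transition tables, the chunk names and the tag values are constructed assumptions, and the `SHARED_STATE` table stands for any table in which INIT and INIT_ACK map to one state, not for the exact pre-patch kernel table.

```python
"""Toy model of conntrack's SCTP state/vtag bookkeeping (illustration only).

Not kernel code. Transition tables and sample tags are constructed
assumptions used to show why distinct states for INIT and INIT_ACK matter.
"""
from dataclasses import dataclass, field

IP_CT_DIR_ORIGINAL, IP_CT_DIR_REPLY = 0, 1

# Hypothetical table: (state, chunk) -> new state, with distinct states for
# a seen INIT (-> CLOSED) and a seen INIT_ACK (-> COOKIE_WAIT).
DISTINCT_STATES = {
    ("NONE", "INIT"): "CLOSED",
    ("CLOSED", "INIT_ACK"): "COOKIE_WAIT",
    ("COOKIE_WAIT", "COOKIE_ECHO"): "COOKIE_ECHOED",
    ("COOKIE_ECHOED", "COOKIE_ACK"): "ESTABLISHED",
}

# Hypothetical table where INIT and INIT_ACK land in the same state, so the
# second chunk causes no state change and therefore no cached event.
SHARED_STATE = dict(DISTINCT_STATES)
SHARED_STATE[("NONE", "INIT")] = "COOKIE_WAIT"
SHARED_STATE[("COOKIE_WAIT", "INIT_ACK")] = "COOKIE_WAIT"
del SHARED_STATE[("CLOSED", "INIT_ACK")]


@dataclass
class Conn:
    state: str = "NONE"
    vtag: list = field(default_factory=lambda: [0, 0])  # indexed by direction
    events: list = field(default_factory=list)          # cached PROTOINFO events


def sctp_packet(conn, direction, chunk, table, init_tag=0, vtag=0):
    """Process one chunk. Returns 'bad_vtag', 'invalid', 'ok' or 'event'."""
    if chunk == "INIT":
        if vtag != 0:  # an INIT must carry a zero verification tag
            return "bad_vtag"
    elif vtag != conn.vtag[direction]:
        return "bad_vtag"
    new_state = table.get((conn.state, chunk))
    if new_state is None:
        return "invalid"
    if chunk in ("INIT", "INIT_ACK"):
        # The sender's initiate tag is the tag expected on packets that
        # flow in the opposite direction.
        conn.vtag[1 - direction] = init_tag
    if new_state == conn.state:
        return "ok"  # no state change: nothing is cached for user space
    conn.state = new_state
    # PROTOINFO snapshot: the state plus both vtags at the time of the change.
    conn.events.append({"state": new_state, "vtag": tuple(conn.vtag)})
    return "event"


def run_handshake(table, tag_orig=0x1111, tag_reply=0x2222):
    """Drive INIT (original dir) and INIT_ACK (reply dir) through a table."""
    conn = Conn()
    sctp_packet(conn, IP_CT_DIR_ORIGINAL, "INIT", table, init_tag=tag_orig)
    sctp_packet(conn, IP_CT_DIR_REPLY, "INIT_ACK", table,
                init_tag=tag_reply, vtag=tag_orig)
    return conn


def restore_from_last_event(conn):
    """What a user-space listener re-creating the connection ends up with."""
    ev = conn.events[-1]
    return Conn(state=ev["state"], vtag=list(ev["vtag"]))


def data_verifies(restored, tag_reply=0x2222):
    """Does a DATA packet in the original direction pass tag verification?"""
    status = sctp_packet(restored, IP_CT_DIR_ORIGINAL, "DATA", {}, vtag=tag_reply)
    return status != "bad_vtag"


if __name__ == "__main__":
    for name, table in (("distinct", DISTINCT_STATES), ("shared", SHARED_STATE)):
        conn = run_handshake(table)
        print(name, [e["state"] for e in conn.events],
              "restored DATA verifies:", data_verifies(restore_from_last_event(conn)))
```

With distinct states the INIT_ACK produces a second snapshot carrying both tags, so a connection rebuilt from it verifies later packets; with a shared state the listener's last snapshot predates the INIT_ACK and its original-direction tag is still zero, which is the verification failure the commit message describes.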