git.ipfire.org Git - thirdparty/linux.git/commit
selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision...
author Yi Chen <yiche.cy@gmail.com>
Thu, 11 Jun 2026 14:50:13 +0000 (16:50 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 23 Jun 2026 06:11:22 +0000 (08:11 +0200)
commit a49a8e51eebc605d5fd674ba7a451eabf553f5cb
tree afa79c131873b902f41b767731697f5cd2a03813
parent 11d4bc4e26fb66040a5b5d95e9abf37deac2b1fc
selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision test

The existing test covered a scenario where a delayed INIT_ACK chunk
updates the vtag in conntrack after the association has already been
established.

A similar issue can occur with a delayed SCTP INIT chunk.

Add a new simultaneous-open test case where the client's INIT is
delayed, allowing conntrack to establish the association based on
the server-initiated handshake.

When the stale INIT arrives later, it may get recorded and cause a
following INIT_ACK from the peer to be accepted instead of dropped.
This INIT_ACK overwrites the vtag in conntrack, causing subsequent
SCTP DATA chunks to be considered as invalid and then dropped by
nft rules matching on ct state invalid.

This test verifies such stale INIT chunks do not cause problems.

Signed-off-by: Yi Chen <yiche.cy@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tools/testing/selftests/net/netfilter/conntrack_sctp_collision.sh
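
The failure sequence described in the commit message, replayed against a toy vtag tracker. This is an added example, not code from the commit or from the kernel's conntrack: `ToyTracker`, the `record_stale_init` switch, the trace and the tag values are all constructed for illustration.

```python
# Toy model of conntrack-style SCTP vtag tracking (not kernel code).
C2S, S2C = "client->server", "server->client"

def other(direction):
    return S2C if direction == C2S else C2S

class ToyTracker:
    def __init__(self, record_stale_init):
        self.record_stale_init = record_stale_init  # hypothetical policy switch
        self.established = False
        self.init_seen = False
        self.vtag = {C2S: None, S2C: None}  # tag expected in each direction

    def packet(self, direction, chunk, hdr_vtag=0, init_tag=None):
        """Return 'valid' or 'invalid' for one chunk."""
        if chunk == "INIT":
            if not self.established:
                self.vtag[other(direction)] = init_tag
                self.init_seen = True
            elif self.record_stale_init:
                self.init_seen = True  # stale INIT gets recorded
            return "valid"
        if chunk == "INIT_ACK":
            if not self.init_seen:
                return "invalid"  # no INIT on record: drop
            self.init_seen = False
            self.vtag[other(direction)] = init_tag  # overwrites the tracked tag
            return "valid"
        if hdr_vtag != self.vtag[direction]:
            return "invalid"  # what a 'ct state invalid' rule would drop
        if chunk == "COOKIE_ACK":
            self.established = True
        return "valid"

# Constructed trace: server-initiated handshake, then the client's delayed INIT.
S1, C1, C0, S2 = 0x1111, 0x2222, 0x3333, 0x4444  # constructed tag values
TRACE = [
    (S2C, "INIT", 0, S1),
    (C2S, "INIT_ACK", S1, C1),
    (S2C, "COOKIE_ECHO", C1, None),
    (C2S, "COOKIE_ACK", S1, None),
    (C2S, "INIT", 0, C0),        # stale INIT arrives late
    (S2C, "INIT_ACK", C0, S2),   # peer answers it
    (C2S, "DATA", S1, None),     # association still uses S1
]

def replay(record_stale_init):
    ct = ToyTracker(record_stale_init)
    return [ct.packet(*p) for p in TRACE]
```

With `record_stale_init=True` the final DATA chunk is classified invalid because the late INIT_ACK replaced the tracked tag; with `False` the INIT_ACK is the chunk that is rejected and DATA stays valid.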