Commit 576a5d2b authored Apr 26, 2026 by Xin Long Committed by Jakub Kicinski Apr 28, 2026

netfilter: skip recording stale or retransmitted INIT



An INIT whose init_tag matches the peer's vtag does not provide new state
information. It indicates either:

- a stale INIT (after INIT-ACK has already been seen on the same side), or
- a retransmitted INIT (after INIT has already been recorded on the same
  side).

In both cases, the INIT must not update ct->proto.sctp.init[] state, since
it does not advance the handshake tracking and may otherwise corrupt
INIT/INIT-ACK validation logic.

Allow INIT processing only when the conntrack entry is newly created
(SCTP_CONNTRACK_NONE), or when the init_tag differs from the stored peer
vtag.

Note it skips the check for the ct with old_state SCTP_CONNTRACK_NONE in
nf_conntrack_sctp_packet(), as it is just created in sctp_new() where it
set ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag.

Fixes: 9fb9cbb1 ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/ee56c3e416452b2a40589a2a85245ac2ad5e9f4b.1777214801.git.lucien.xin@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent b718342a

net/netfilter/nf_conntrack_proto_sctp.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -466,9 +466,13 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
		if (!ih)
		goto out_unlock;

		/* Do not record INIT matching peer vtag (stale or retransmitted INIT). */
		if (old_state == SCTP_CONNTRACK_NONE \|\|
		ct->proto.sctp.vtag[!dir] != ih->init_tag) {
		if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
		ct->proto.sctp.init[!dir] = 0;
		ct->proto.sctp.init[dir] = 1;
		}

		pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir);
		ct->proto.sctp.vtag[!dir] = ih->init_tag;