1 files changed, 9 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index a937d4f75613..8cb62805fd68 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -394,6 +394,15 @@ static int sctp_packet(struct nf_conn *ct,
                        pr_debug("Setting vtag %x for dir %d\n",
                                 ih->init_tag, !dir);
                        ct->proto.sctp.vtag[!dir] = ih->init_tag;
+                        /* don't renew timeout on init retransmit so
+                         * port reuse by client or NAT middlebox cannot
+                         * keep entry alive indefinitely (incl. nat info).
+                         */
+                        if (new_state == SCTP_CONNTRACK_CLOSED &&
+                            old_state == SCTP_CONNTRACK_CLOSED &&
+                            nf_ct_is_confirmed(ct))
+                                ignore = true;
                }
                ct->proto.sctp.state = new_state;

diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index a937d4f75613..8cb62805fd68 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -394,6 +394,15 @@ static int sctp_packet(struct nf_conn *ct,
394	pr_debug("Setting vtag %x for dir %d\n",	394	pr_debug("Setting vtag %x for dir %d\n",
395	ih->init_tag, !dir);	395	ih->init_tag, !dir);
396	ct->proto.sctp.vtag[!dir] = ih->init_tag;	396	ct->proto.sctp.vtag[!dir] = ih->init_tag;
		397
		398	/* don't renew timeout on init retransmit so
		399	* port reuse by client or NAT middlebox cannot
		400	* keep entry alive indefinitely (incl. nat info).
		401	*/
		402	if (new_state == SCTP_CONNTRACK_CLOSED &&
		403	old_state == SCTP_CONNTRACK_CLOSED &&
		404	nf_ct_is_confirmed(ct))
		405	ignore = true;
397	}	406	}
398		407
399	ct->proto.sctp.state = new_state;	408	ct->proto.sctp.state = new_state;