On Mon, 30 Mar 2026 19:35:09 +0800 Yi Chen wrote:
> The existing test covered a scenario where a delayed INIT_ACK chunk
> updates the vtag in conntrack after the association has already been
> established.
>
> A similar issue can occur with a delayed SCTP INIT chunk.
>
> Add a new simultaneous-open test case where the client's INIT is
> delayed, allowing conntrack to establish the association based on
> the server-initiated handshake.
>
> When the stale INIT arrives later, it may overwrite the vtag in
> conntrack, causing subsequent SCTP DATA chunks to be considered
> as invalid and then dropped by nft rules matching on ct state invalid.
>
> This test verifies such stale INIT chunks do not corrupt conntrack
> state.

Now it fails in NIPA:

TAP version 13
1..1
# timeout set to 1800
# selftests: net/netfilter: conntrack_sctp_collision.sh
# Test for SCTP INIT_ACK Collision in nf_conntrack:
# Client: rcvd! 6
# Server: sent! 6
# PASS: The delayed INIT_ACK chunk did not disrupt sctp ct tracking.
# Test for SCTP INIT Collision in nf_conntrack:
# Failed to recv msg -1
# Failed to recv msg -1
# FAIL: The delayed INIT chunk did not disrupt sctp ct tracking.
not ok 1 selftests: net/netfilter: conntrack_sctp_collision.sh # exit=1

