netfilter: nf_conntrack: Add allow_clash to generic protocol handler

yuhamag · Sasha Levin · commit 89f50775d883 · 2026-03-04T07:20:46.000-05:00
[ Upstream commit 8a49fc8 ] The upstream commit, 71d8c47 ("netfilter: conntrack: introduce clash resolution on insertion race"), sets allow_clash=true in the UDP/UDPLITE protocol handler but does not set it in the generic protocol handler. As a result, packets composed of connectionless protocols at each layer, such as UDP over IP-in-IP, still drop packets due to conflicts during conntrack insertion. To resolve this, this patch sets allow_clash in the nf_conntrack_l4proto_generic. Signed-off-by: Yuto Hamaguchi <Hamaguchi.Yuto@da.MitsubishiElectric.co.jp> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
@@ -67,6 +67,7 @@ void nf_conntrack_generic_init_net(struct net *net)
 const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
 {
 	.l4proto		= 255,
+	.allow_clash            = true,
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 	.ctnl_timeout		= {
 		.nlattr_to_obj	= generic_timeout_nlattr_to_obj,

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ void nf_conntrack_generic_init_net(struct net *net)`
`67`	`67`	`const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =`
`68`	`68`	`{`
`69`	`69`	`.l4proto = 255,`
	`70`	`+ .allow_clash = true,`
`70`	`71`	`#ifdef CONFIG_NF_CONNTRACK_TIMEOUT`
`71`	`72`	`.ctnl_timeout = {`
`72`	`73`	`.nlattr_to_obj = generic_timeout_nlattr_to_obj,`