Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> > And I don't see how you can encounter a DNS reply before at least one
> > request has been committed to the table -- i.e., the conntrack being
> > confirmed here should not exist -- the packet should have been picked up
> > as a reply packet.
>
> We've been able to consistently reproduce this behavior. Would you
> have any recommended debugging approaches we could try?

Can you figure out why nf_ct_resolve_clash_harder() doesn't handle the clash?

AFAIU the reply tuple is identical while the original isn't.
It would be good to confirm.

If they were the same, I'd have expected nf_ct_resolve_clash_harder() to merge
the conntracks (nf_ct_can_merge() branch in __nf_ct_resolve_clash).

Could you also dump/show the original and reply tuples for the existing entry
and the clashing (new) entry?
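The distinction the reply asks the reporter to confirm (reply tuples identical while the original tuples differ, versus both pairs identical) can be made concrete with a small user-space model of the comparison. The block below is an added illustration for this thread, not netfilter code: the struct layout, the `classify_clash()` helper, the `IP4()` macro and the two sample flows are all constructed here. The reply-only sample assumes an SNAT port collision (two internal clients mapped onto the same external ip:port towards the same resolver) purely as one way such tuples could arise; the thread does not establish that this is the reporter's cause. The kernel's own merge decision also checks conntrack zones and other state that this model omits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only; not the kernel's struct nf_conntrack_tuple. */
struct tuple {
    uint32_t src_ip;     /* IPv4 address as a host-order integer */
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  proto;      /* 17 = UDP, as for DNS */
};

struct ct_entry {
    struct tuple orig;   /* direction of the first packet seen */
    struct tuple reply;  /* inverse direction after NAT, what a reply must match */
};

enum clash_kind {
    CLASH_NONE,          /* neither pair matches: not a clash at all */
    CLASH_REPLY_ONLY,    /* only the reply tuples are equal: the case discussed above */
    CLASH_ORIG_ONLY,     /* only the original tuples are equal */
    CLASH_BOTH           /* both pairs equal: a true duplicate of the same flow */
};

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* Compare the entry already in the table with the one about to be confirmed. */
enum clash_kind classify_clash(const struct ct_entry *existing,
                               const struct ct_entry *clashing)
{
    bool orig_eq  = tuple_eq(&existing->orig, &clashing->orig);
    bool reply_eq = tuple_eq(&existing->reply, &clashing->reply);

    if (orig_eq && reply_eq)
        return CLASH_BOTH;
    if (reply_eq)
        return CLASH_REPLY_ONLY;
    if (orig_eq)
        return CLASH_ORIG_ONLY;
    return CLASH_NONE;
}

#define IP4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed sample (assumption, not from the thread): two internal clients query
 * the same resolver from the same source port and SNAT maps both onto the same
 * external ip:port. The original tuples differ (10.0.0.5 vs 10.0.0.6) but the
 * reply tuples collide. */
enum clash_kind demo_reply_only_clash(void)
{
    struct ct_entry existing = {
        .orig  = { IP4(10, 0, 0, 5), IP4(192, 0, 2, 53), 40000, 53, 17 },
        .reply = { IP4(192, 0, 2, 53), IP4(203, 0, 113, 1), 53, 40000, 17 },
    };
    struct ct_entry clashing = {
        .orig  = { IP4(10, 0, 0, 6), IP4(192, 0, 2, 53), 40000, 53, 17 },
        .reply = { IP4(192, 0, 2, 53), IP4(203, 0, 113, 1), 53, 40000, 17 },
    };
    return classify_clash(&existing, &clashing);
}

/* Constructed sample: the same client retransmits the same query before the
 * first conntrack is confirmed, so both tuple pairs are identical. */
enum clash_kind demo_duplicate_flow(void)
{
    struct ct_entry existing = {
        .orig  = { IP4(10, 0, 0, 5), IP4(192, 0, 2, 53), 40000, 53, 17 },
        .reply = { IP4(192, 0, 2, 53), IP4(203, 0, 113, 1), 53, 40000, 17 },
    };
    struct ct_entry clashing = existing;
    return classify_clash(&existing, &clashing);
}

static const char *clash_name(enum clash_kind k)
{
    switch (k) {
    case CLASH_NONE:       return "no clash";
    case CLASH_REPLY_ONLY: return "reply tuples equal, original tuples differ";
    case CLASH_ORIG_ONLY:  return "original tuples equal, reply tuples differ";
    case CLASH_BOTH:       return "both tuple pairs equal";
    }
    return "?";
}

int main(void)
{
    printf("NAT port collision: %s\n", clash_name(demo_reply_only_clash()));
    printf("retransmitted query: %s\n", clash_name(demo_duplicate_flow()));
    return 0;
}
```

When dumping real entries, the two tuple pairs are what to compare side by side: the same classification applied to the existing and the clashing conntrack tells you which branch of the clash handling is relevant before reading further into it.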