Razvan Cojocaru <rzvncj@xxxxxxxxx> wrote: > It should crash immediately. > > Maybe this is what you're trying to fix in "[PATCH nf 0/4] netfilter: > conntrack: fix obscure confirmed race"? Yes, looks like it. Reaping the entries hits the clash resolution logic, i.e. for the iperf tcp stream, it will do mid-stream pickup on multiple packets (e.g. outgoing data and incoming ack), then hits clash resolution logic. Thats not supported for TCP, so one packet gets tossed while the 'losing' conntrack entry isn't added to the hash table but has its confirmed bit set on anyway, which the module treats as 'I can delete it' signal.
