Skip to content

Commit

Permalink
datapath: Fix checking for new expected connections.
Browse files Browse the repository at this point in the history 
Upstream commit:
    commit 5745b0be05a0f8ccbc92a36b69f3a6bc58e91954
    Author: Jarno Rajahalme <[email protected]>
    Date:   Mon Mar 21 11:15:19 2016 -0700

    openvswitch: Fix checking for new expected connections.

    OVS should call into CT NAT for packets of new expected connections only
    when the conntrack state is persisted with the 'commit' option to the
    OVS CT action.  The test for this condition is doubly wrong, as the CT
    status field is ANDed with the bit number (IPS_EXPECTED_BIT) rather
    than the mask (IPS_EXPECTED), and due to the wrong assumption that the
    expected bit would apply only for the first (i.e., 'new') packet of a
    connection, while in fact the expected bit remains on for the lifetime of
    an expected connection.  The 'ctinfo' value IP_CT_RELATED derived from
    the ct status can be used instead, as it is only ever applicable to
    the 'new' packets of the expected connection.

    Fixes: 05752523e565 ('openvswitch: Interface with NAT.')
    Reported-by: Dan Carpenter <[email protected]>
    Signed-off-by: Jarno Rajahalme <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>

Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
Signed-off-by: Jarno Rajahalme <[email protected]>
Acked-by: Jesse Gross <[email protected]>
  • Loading branch information
Jarno Rajahalme committed Jun 21, 2016
1 parent 70e71d2 commit d2e8b51
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions datapath/conntrack.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -714,11 +714,12 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,

/* Determine NAT type.
* Check if the NAT type can be deduced from the tracked connection.
* Make sure expected traffic is NATted only when committing.
* Make sure new expected connections (IP_CT_RELATED) are NATted only
* when committing.
*/
if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW &&
ct->status & IPS_NAT_MASK &&
(!(ct->status & IPS_EXPECTED_BIT) || info->commit)) {
(ctinfo != IP_CT_RELATED || info->commit)) {
/* NAT an established or related connection like before. */
if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
/* This is the REPLY direction for a connection
Expand Down

0 comments on commit d2e8b51

Please sign in to comment.