[ovs-dev] [PATCH v2 12/16] datapath: Fix checking for new expected connections.

Jarno Rajahalme jarno at ovn.org
Tue Jun 14 22:25:33 UTC 2016


Upstream commit:
    commit 5745b0be05a0f8ccbc92a36b69f3a6bc58e91954
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Mon Mar 21 11:15:19 2016 -0700

    openvswitch: Fix checking for new expected connections.

    OVS should call into CT NAT for packets of new expected connections only
    when the conntrack state is persisted with the 'commit' option to the
    OVS CT action.  The test for this condition is doubly wrong, as the CT
    status field is ANDed with the bit number (IPS_EXPECTED_BIT) rather
    than the mask (IPS_EXPECTED), and due to the wrong assumption that the
    expected bit would apply only for the first (i.e., 'new') packet of a
    connection, while in fact the expected bit remains on for the lifetime of
    an expected connection.  The 'ctinfo' value IP_CT_RELATED derived from
    the ct status can be used instead, as it is only ever applicable to
    the 'new' packets of the expected connection.

    Fixes: 05752523e565 ('openvswitch: Interface with NAT.')
    Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
---
 datapath/conntrack.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index adb3564..9aa5cf0 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -676,11 +676,12 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
 
 	/* Determine NAT type.
 	 * Check if the NAT type can be deduced from the tracked connection.
-	 * Make sure expected traffic is NATted only when committing.
+	 * Make sure new expected connections (IP_CT_RELATED) are NATted only
+	 * when committing.
 	 */
 	if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW &&
 	    ct->status & IPS_NAT_MASK &&
-	    (!(ct->status & IPS_EXPECTED_BIT) || info->commit)) {
+	    (ctinfo != IP_CT_RELATED || info->commit)) {
 		/* NAT an established or related connection like before. */
 		if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
 			/* This is the REPLY direction for a connection
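Review bot: the commit log should state how badly the removed test at the `-` line misbehaved, because it was not merely "wrong" but always true: IPS_EXPECTED_BIT is the bit number (0 in the ip_conntrack_status enum), so `ct->status & IPS_EXPECTED_BIT` evaluates to 0, `!0` is true, and the `info->commit` gate never took effect, meaning packets of expected connections were NATted in the non-commit path as well. Worth spelling that out since it is the behaviour change a backport reviewer needs to assess. One further point on the new condition: `ctinfo != IP_CT_RELATED` only matches the original-direction ctinfo; the reply-direction value (IP_CT_RELATED_REPLY) is distinct and falls through to the "NAT an established or related connection like before" branch below, which is consistent with the CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY handling that follows, but the updated comment would be clearer if it said "original-direction packets of new expected connections (IP_CT_RELATED)".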
-- 
2.1.4