[ovs-dev] [PATCH] openvswitch: Fix checking for new expected connections.
Pablo Neira Ayuso
pablo at netfilter.org
Tue Mar 22 08:08:46 UTC 2016
On Mon, Mar 21, 2016 at 11:15:19AM -0700, Jarno Rajahalme wrote:
> OVS should call into CT NAT for packets of new expected connections only
> when the conntrack state is persisted with the 'commit' option to the
> OVS CT action. The test for this condition is doubly wrong, as the CT
> status field is ANDed with the bit number (IPS_EXPECTED_BIT) rather
> than the mask (IPS_EXPECTED), and due to the wrong assumption that the
> expected bit would apply only for the first (i.e., 'new') packet of a
> connection, while in fact the expected bit remains on for the lifetime of
> an expected connection. The 'ctinfo' value IP_CT_RELATED derived from
> the ct status can be used instead, as it is only ever applicable to
> the 'new' packets of the expected connection.
Applied, thanks.
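The two mistakes the commit message describes, as an added example that is neither OVS nor netfilter code: the constants mirror the Linux uapi header, `classify_ctinfo` is a simplified model of how nf_conntrack assigns ctinfo, and `ct_stub` is a constructed stand-in for a conntrack entry.

```c
#include <stdbool.h>

/* Constants mirrored from include/uapi/linux/netfilter/nf_conntrack_common.h. */
enum { IPS_EXPECTED_BIT = 0, IPS_EXPECTED = 1 << IPS_EXPECTED_BIT,
       IPS_SEEN_REPLY_BIT = 1, IPS_SEEN_REPLY = 1 << IPS_SEEN_REPLY_BIT };
enum { IP_CT_ESTABLISHED, IP_CT_RELATED, IP_CT_NEW, IP_CT_IS_REPLY,
       IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY };

/* Constructed stand-in for a conntrack entry: only the status word matters. */
struct ct_stub { unsigned long status; };

/* Simplified model of how nf_conntrack derives ctinfo for a packet matching
 * an existing entry: reply direction is ESTABLISHED_REPLY; original direction
 * is ESTABLISHED once a reply was seen, RELATED while the entry is a still
 * unanswered expectation, and NEW otherwise. */
static int classify_ctinfo(const struct ct_stub *ct, bool is_reply)
{
	if (is_reply)
		return IP_CT_ESTABLISHED_REPLY;
	if (ct->status & IPS_SEEN_REPLY)
		return IP_CT_ESTABLISHED;
	if (ct->status & IPS_EXPECTED)
		return IP_CT_RELATED;
	return IP_CT_NEW;
}

/* Buggy test from the commit message: ANDing with the bit *number* (0) always
 * yields 0, so an expected connection is never detected. */
static bool is_new_expected_buggy(const struct ct_stub *ct, int ctinfo)
{
	(void)ctinfo;
	return (ct->status & IPS_EXPECTED_BIT) != 0;
}

/* Half-fix: correct mask, but IPS_EXPECTED stays set for the connection's
 * lifetime, so established packets match too. */
static bool is_new_expected_mask(const struct ct_stub *ct, int ctinfo)
{
	(void)ctinfo;
	return (ct->status & IPS_EXPECTED) != 0;
}

/* Fix described in the commit: IP_CT_RELATED is assigned only to the 'new'
 * original-direction packets of an expected connection. */
static bool is_new_expected_fixed(const struct ct_stub *ct, int ctinfo)
{
	(void)ct;
	return ctinfo == IP_CT_RELATED;
}
```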