[ovs-dev] [PATCH] lib/conntrack: remove unnecessary addr check for ICMP.

wang zhike wangzhike at jd.com
Sat Dec 2 19:25:52 UTC 2017


From: wangzhike <wangzhike at jd.com>

ICMP responses (Unreachable/fragmentationRequired/...) may be created
at devices in the middle, and such packets are tagged as invalid in
user space conntrack. In fact it does not make sense to validate the
src and dest address.

Signed-off-by: wang zhike <wangzhike at jd.com>
---
 lib/conntrack.c | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index f5a3aa9..c44ad0f 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1702,11 +1702,6 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size,
             return false;
         }
 
-        if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned
-            || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) {
-            return false;
-        }
-
         key->src = inner_key.src;
         key->dst = inner_key.dst;
         key->nw_proto = inner_key.nw_proto;
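Review bot: Dropping both comparisons in extract_l4_icmp() is broader than the commit message requires. For an error generated by a device in the middle, only the outer source differs from the embedded packet's destination; the outer destination is still the host that sent the embedded packet, so `inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned` remains a meaningful sanity check. Consider removing only the `inner_key.dst` / `key->src` half of the condition and keeping the first half, so that an ICMP error addressed to a host other than the embedded packet's sender is still marked invalid instead of being matched to a tracked connection.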
@@ -1789,14 +1784,6 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size,
             return false;
         }
 
-        /* pf doesn't do this, but it seems a good idea */
-        if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned,
-                              &key->dst.addr.ipv6_aligned)
-            || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned,
-                                 &key->src.addr.ipv6_aligned)) {
-            return false;
-        }
-
         key->src = inner_key.src;
         key->dst = inner_key.dst;
         key->nw_proto = inner_key.nw_proto;
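Review bot: The block removed from extract_l4_icmp6() carried the comment `/* pf doesn't do this, but it seems a good idea */`, so the check was deliberate hardening, and the commit message does not say why losing it entirely is acceptable. As in the IPv4 hunk, the half comparing `inner_key.src.addr.ipv6_aligned` with `key->dst.addr.ipv6_aligned` does not conflict with errors originated by intermediate devices; keeping that half, with an updated comment explaining why the destination comparison was dropped, would document the intent. A test that sends an ICMPv6 error from a third address and checks that it is no longer tagged invalid would also help.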
-- 
1.8.3.1


