[ovs-dev] [patch v1 3/4] conntrack: Disable algs by default.

Darrell Ball dlu998 at gmail.com
Sun Nov 19 21:02:21 UTC 2017


Presently, alg processing is enabled by default to exercise testing.
This is similar to kernels before 4.7.  The recommended default
behavior in the kernel is to only process algs if a helper is
supplied in a conntrack rule.  The behavior is changed to match the
later kernels.

Signed-off-by: Darrell Ball <dlu998 at gmail.com>
---
 lib/conntrack.c | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 7fbcfba..dea2fed 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -789,13 +789,34 @@ conn_clean(struct conntrack *ct, struct conn *conn,
     }
 }
 
+static bool
+ct_verify_helper(const char *helper, enum ct_alg_ctl_type ct_alg_ctl)
+{
+    if (ct_alg_ctl == CT_ALG_CTL_NONE) {
+        return true;
+    } else if (helper) {
+        if ((ct_alg_ctl == CT_ALG_CTL_FTP) &&
+             !strncmp(helper, "ftp", strlen("ftp"))) {
+            return true;
+        } else if ((ct_alg_ctl == CT_ALG_CTL_TFTP) &&
+                   !strncmp(helper, "tftp", strlen("tftp"))) {
+            return true;
+        } else {
+            return false;
+        }
+    } else {
+        return false;
+    }
+}
+
 /* This function is called with the bucket lock held. */
 static struct conn *
 conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
                struct conn_lookup_ctx *ctx, bool commit, long long now,
                const struct nat_action_info_t *nat_action_info,
                struct conn *conn_for_un_nat_copy,
-               const char *helper, const struct alg_exp_node *alg_exp)
+               const char *helper, const struct alg_exp_node *alg_exp,
+               enum ct_alg_ctl_type ct_alg_ctl)
 {
     struct conn *nc = NULL;
 
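Review bot: `ct_verify_helper` accepts any helper string that merely starts with "ftp" or "tftp", because `strncmp(helper, "ftp", strlen("ftp"))` is a prefix test, so a helper such as "ftpx" passes as FTP. If the helper is already validated to be exactly "ftp" or "tftp" when the ct action is parsed this is harmless, but that is not visible here, and an exact `!strcmp(helper, "ftp")` / `!strcmp(helper, "tftp")` states the intent without depending on it. The function also has no header comment; I would add `/* Returns true when 'ct_alg_ctl' is CT_ALG_CTL_NONE or when 'helper' names the ALG that 'ct_alg_ctl' identifies; false otherwise, including when 'helper' is NULL. */` above it. The `conn_not_found` definition whose signature the hunk changes continues past the end of the hunk.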
@@ -819,15 +840,16 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
             return nc;
         }
 
+        if (!ct_verify_helper(helper, ct_alg_ctl)) {
+            return nc;
+        }
+
         unsigned bucket = hash_to_bucket(ctx->hash);
         nc = new_conn(&ct->buckets[bucket], pkt, &ctx->key, now);
         ctx->conn = nc;
         nc->rev_key = nc->key;
         conn_key_reverse(&nc->rev_key);
-
-        if (helper) {
-            nc->alg = xstrdup(helper);
-        }
+        nc->alg = nullable_xstrdup(helper);
 
         if (alg_exp) {
             nc->alg_related = true;
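Review bot: The new `ct_verify_helper` check on the commit path returns NULL rather than merely withholding the helper, so a committed connection whose ct_alg_ctl is not CT_ALG_CTL_NONE but which carries no matching helper is never created at all, and the caller in the third hunk receives the same NULL it gets when the connection table is full. The commit message says the intent is to only process ALGs when a helper is supplied, which suggests the connection should still be tracked, just without ALG handling; how ct_alg_ctl is derived is not visible here, so I am inferring it comes from the packet rather than from the helper. Dropping the early return and guarding only the strdup keeps tracking intact: `if (ct_verify_helper(helper, ct_alg_ctl)) { nc->alg = nullable_xstrdup(helper); }`. The enclosing `conn_not_found` starts before this hunk and continues past it.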
@@ -1182,7 +1204,8 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
         }
         ct_rwlock_unlock(&ct->resources_lock);
         conn = conn_not_found(ct, pkt, ctx, commit, now, nat_action_info,
-                              &conn_for_un_nat_copy, helper, alg_exp);
+                              &conn_for_un_nat_copy, helper, alg_exp,
+                              ct_alg_ctl);
     }
     write_ct_md(pkt, zone, conn, &ctx->key, alg_exp);
 
-- 
1.9.1


