[ovs-dev] [patch v4 3/4] conntrack: Enforce conn_type for flush tuple.
Darrell Ball
dlu998 at gmail.com
Mon Dec 17 22:43:13 UTC 2018
The user should only reference a conntrack entry by the forward
direction context, as per 'conntrack_flush()'; enforce this by
checking for 'default' conn_type. The likelihood of a user
not using the original tuple is low, but it should be guarded
against, logged and documented.
Signed-off-by: Darrell Ball <dlu998 at gmail.com>
---
Backport to 2.9.
v3: Move backport hint out of commit message.
Remove warning log conditional for now.
lib/conntrack.c | 3 ++-
lib/dpctl.man | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/conntrack.c b/lib/conntrack.c
index 92b2db4..41232f4 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2572,9 +2572,10 @@ conntrack_flush_tuple(struct conntrack *ct, const struct ct_dpif_tuple *tuple,
ct_lock_lock(&ct->buckets[bucket].lock);
conn_key_lookup(&ct->buckets[bucket], &ctx, time_msec());
- if (ctx.conn) {
+ if (ctx.conn && ctx.conn->conn_type == CT_CONN_TYPE_DEFAULT) {
conn_clean(ct, ctx.conn, &ct->buckets[bucket]);
} else {
+ VLOG_WARN("Must flush tuple using the original pre-NATed tuple");
error = ENOENT;
}
ct_lock_unlock(&ct->buckets[bucket].lock);
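Review bot: the unconditional VLOG_WARN in the else branch fires for every lookup miss, not only for the reverse-direction case the message describes, because that branch now covers both `ctx.conn == NULL` (no entry for this tuple in the zone at all) and a found entry whose `conn_type` is not `CT_CONN_TYPE_DEFAULT`; an operator flushing a tuple that simply does not exist is told "Must flush tuple using the original pre-NATed tuple", which is wrong for that case. The v3 note says the conditional was removed on purpose, but the log should still be tied to the condition it reports, e.g. `} else if (ctx.conn) { VLOG_WARN(...); error = ENOENT; } else { error = ENOENT; }`. Since this path is driven by a repeatable dpctl command, consider VLOG_WARN_RL with a `struct vlog_rate_limit` so a loop of flush requests cannot flood the log, and note that ENOENT for an entry that does exist but was addressed by its reply tuple hides the real cause from the caller; EINVAL would distinguish it from a genuine miss.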
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 9b13e0d..fe0aec9 100644
--- a/lib/dpctl.man
+++ b/lib/dpctl.man
@@ -237,6 +237,8 @@ If \fBzone\fR=\fIzone\fR is specified, only flushes the connections in
.IP
If \fIct-tuple\fR is provided, flushes the connection entry specified by
\fIct-tuple\fR in \fIzone\fR. The zone defaults to 0 if it is not provided.
+The userspace connection tracker requires flushing with the original pre-NATed
+tuple and a warning log will be otherwise generated.
An example of an IPv4 ICMP \fIct-tuple\fR:
.IP
"ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=1,icmp_type=8,icmp_code=0,icmp_id=10"
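Review bot: the added man text mentions only the warning log, but the code path also returns ENOENT, so the flush command itself fails; the documentation should say so, and should explain what "original pre-NATed tuple" means to the reader, i.e. the forward-direction tuple as the packet was seen before NAT (the `CT_CONN_TYPE_DEFAULT` entry), since the man page is where an operator will look when the flush is rejected. The second sentence also reads awkwardly ("a warning log will be otherwise generated"); suggest: "The userspace connection tracker requires the original (pre-NAT) tuple; a flush that uses the reply-direction tuple fails and logs a warning."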
--
1.9.1