[ovs-dev] [PATCH] datapath-windows: Block established TCP connections from creating new CT Entry

Sairam Venugopal vsairam at vmware.com
Thu Mar 8 01:39:22 UTC 2018


Established TCP Connections could potentially form invalid Conntrack
Entries when OVS is getting installed or the Conntrack Flows are applied.
Prevent this from happening by explicitly requiring SYN packets to be
present for creating new Conntrack entries.

Signed-off-by: Sairam Venugopal <vsairam at vmware.com>
---
 datapath-windows/ovsext/Conntrack-tcp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/datapath-windows/ovsext/Conntrack-tcp.c b/datapath-windows/ovsext/Conntrack-tcp.c
index 8cbab24..ea43df1 100644
--- a/datapath-windows/ovsext/Conntrack-tcp.c
+++ b/datapath-windows/ovsext/Conntrack-tcp.c
@@ -455,9 +455,15 @@ OvsConntrackValidateTcpPacket(const TCPHdr *tcp)
         return FALSE;
     }
 
+    /* Block pre-established connections from going through */
+    if (!(tcp_flags & TCP_SYN)) {
+        OVS_LOG_TRACE("Pre-established TCP packet detected, non-SYN flags not allowed,"
+                      "tcp_flags %hu", tcp_flags);
+        return FALSE;
+    }
+
     /* A syn+ack is not allowed to create a connection.  We want to allow
-     * totally new connections (syn) or already established, not partially
-     * open (syn+ack). */
+     * totally new connections (syn), not partially open (syn+ack). */
     if ((tcp_flags & TCP_SYN) && (tcp_flags & TCP_ACK)) {
         OVS_LOG_TRACE("Invalid TCP packet detected, SYN+ACK flags not allowed,"
                       "tcp_flags %hu", tcp_flags);
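Review bot: the new trace message in this hunk is missing a separator between its two string literals, so it will print "...non-SYN flags not allowed,tcp_flags ..." once the adjacent literals are concatenated; add a trailing space (`"Pre-established TCP packet detected, non-SYN flags not allowed, "`). The same missing space is already present in the pre-existing SYN+ACK message below it and could be fixed in the same patch. With the early `return FALSE` on `!(tcp_flags & TCP_SYN)`, the `(tcp_flags & TCP_SYN) &&` half of the following condition can never be false, so it can be reduced to `if (tcp_flags & TCP_ACK)` to match the updated comment. Finally, the removed comment text ("or already established") shows that mid-stream pickup of existing connections was previously intended behavior; since this patch now rejects every non-SYN packet that would create an entry, the commit message should spell out that connections which predate the flows will stay untracked until they are re-established, so that reviewers and users can weigh that operational impact.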
-- 
2.9.0.windows.1
