[ovs-dev] [PATCH] conntrack: fix inverse check nat_action_info in check_orig_tuple

wenxu at ucloud.cn wenxu at ucloud.cn
Mon Jun 21 04:51:24 UTC 2021

From: wenxu <wenxu at ucloud.cn>

When the conntrack is not found, CT will check whether the pkt has
been NATed, get the original tuple and search the conntrack from original

If there is nat_action_info in the rule, the pkt may be NATed.
So it should find the original tuple to find the conntrack.

Signed-off-by: wenxu <wenxu at ucloud.cn>
 lib/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 99198a6..c329acd 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1163,7 +1163,7 @@ check_orig_tuple(struct conntrack *ct, struct dp_packet *pkt,
          !pkt->md.ct_orig_tuple.ipv4.ipv4_proto) ||
         (ctx_in->key.dl_type == htons(ETH_TYPE_IPV6) &&
          !pkt->md.ct_orig_tuple.ipv6.ipv6_proto) ||
-        nat_action_info) {
+        !nat_action_info) {
         return false;
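
Review bot: With the last operand of the condition changed to `!nat_action_info`, check_orig_tuple() now returns false for every caller that passes no NAT action, so a packet whose ct_orig_tuple is populated but which hits a rule without nat no longer gets the original-tuple lookup. The commit message says the lookup is needed when the rule has nat_action_info, but it does not say why the lookup should be skipped when it is absent, or which traffic fails with the current check. Please describe the failing scenario in the commit message and add a test that covers both the NAT and the non-NAT rule case, so the inversion is shown not to regress the latter.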
