[ovs-git] [openvswitch/ovs] 70d4bd: conntrack: fix tcp seq adjustments when mangling c...

GitHub noreply at github.com
Sat Jan 19 00:21:43 UTC 2019


  Branch: refs/heads/branch-2.11
  Home:   https://github.com/openvswitch/ovs
  Commit: 70d4bd5760d2a01453e7d1eefd9fe1d3d0c0cd59
      https://github.com/openvswitch/ovs/commit/70d4bd5760d2a01453e7d1eefd9fe1d3d0c0cd59
  Author: David Marchand <david.marchand at redhat.com>
  Date:   2019-01-18 (Fri, 18 Jan 2019)

  Changed paths:
    M Vagrantfile
    M Vagrantfile-FreeBSD
    M lib/conntrack.c
    M tests/atlocal.in
    M tests/system-traffic.at

  Log Message:
  -----------
  conntrack: fix tcp seq adjustments when mangling commands.

The ftp alg deals with packets in two ways for the command connection:
either they are inspected and can be mangled when nat is enabled
(CT_FTP_CTL_INTEREST) or they just go through without being modified
(CT_FTP_CTL_OTHER).

For CT_FTP_CTL_INTEREST packets, we must both adjust the packet tcp seq
number by the connection current offset, then prepare for the next
packets by setting an accumulated offset in the ct object.  However,
this was not done for multiple CT_FTP_CTL_INTEREST packets for the same
connection.
This is relevant for handling multiple child data connections that also
need natting.

The tests are updated so that some ftp+NAT tests send multiple port
commands or other similar commands for a single control connection.
Wget is not able to do this, so switch to lftp.

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Co-authored-by: Darrell Ball <dlu998 at gmail.com>
Signed-off-by: Darrell Ball <dlu998 at gmail.com>
Signed-off-by: David Marchand <david.marchand at redhat.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: 27bb9e6e03791aa6e3112f1d9517b98844127470
      https://github.com/openvswitch/ovs/commit/27bb9e6e03791aa6e3112f1d9517b98844127470
  Author: David Marchand <david.marchand at redhat.com>
  Date:   2019-01-18 (Fri, 18 Jan 2019)

  Changed paths:
    M lib/conntrack.c
    M tests/system-traffic.at

  Log Message:
  -----------
  conntrack: fix expectations for ftp+DNAT.

When configuring the nat part of an expectation, care must be taken to
look at the master nat action and direction to properly reproduce it.

DNAT tests have been added to both active and passive modes, all
ftp/tftp tests titles have been updated to reflect they are dealing with
SNAT.

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Co-authored-by: Darrell Ball <dlu998 at gmail.com>
Signed-off-by: Darrell Ball <dlu998 at gmail.com>
Signed-off-by: David Marchand <david.marchand at redhat.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: 6f60056074602e37f195ecef282c067207679d80
      https://github.com/openvswitch/ovs/commit/6f60056074602e37f195ecef282c067207679d80
  Author: Darrell Ball <dlu998 at gmail.com>
  Date:   2019-01-18 (Fri, 18 Jan 2019)

  Changed paths:
    M lib/conntrack.c

  Log Message:
  -----------
  conntrack: Fix FTP seq_skew boundary adjustments.

At the same time, splice out a function and also rely on the compiler
for overflow/underflow handling.

Found by inspection.

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Signed-off-by: Darrell Ball <dlu998 at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/3c61cc7ca979...6f6005607460
      **NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      Functionality will be removed from GitHub.com on January 31st, 2019.


More information about the git mailing list