Public bug reported:

* Explain the bug(s)

CT state is not reset when a packet is redirected to a different port, thus making it possible to match rules with the wrong ct state on the other port.

* Brief explanation of fixes

Reset the ct state when redirecting to a different port. The sauce fix is being reverted and the upstream fix should be applied to catch all cases correctly.

* How to test

  tc qdisc add dev veth0 clsact
  # The same with "action mirred egress mirror dev veth1" or "action mirred ingress redirect dev veth1"
  tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk action mirred ingress mirror dev veth1
  tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv action ct commit action goto chain 1
  tc qdisc add dev veth1 clsact
  tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop
  ping <remote ip via veth0> &
  tc -s filter show dev veth1 ingress

With the command 'tc -s filter show', we can see that the packets were dropped on veth1.

* What it could break

Wrong matching. Traffic failure when redirecting to different ports and there are more rules to match on the other port.

** Affects: linux-bluefield (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/1940448

Title:
  CT state not reset when packet redirected to different port

Status in linux-bluefield package in Ubuntu:
  New
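The test steps above leave the reader to eyeball the `tc -s filter show` counters. The script below is an added example, not part of the bug report or the linux-bluefield package: it wraps the reporter's tc commands in a function and adds a small awk check that sums the "dropped" counters of the `gact action drop` actions, so the result is a pass/fail verdict rather than a screenful of statistics. The SAMPLE text is constructed to mirror iproute2's `tc -s filter show` layout (it is not output captured from the reporter's system), and the function, file and argument names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): run the ct-state redirect
# reproducer and decide from the tc statistics whether the +trk state
# leaked onto the redirect target. Requires root and a veth0/veth1 pair
# when run with "run"; the offline self-check needs nothing.

# dropped_pkts: sum the "dropped" counters of every "gact action drop"
# in `tc -s filter show` output read from stdin.
dropped_pkts() {
    awk '
        /action drop/ { in_drop = 1 }
        in_drop && /Sent [0-9]+ bytes/ {
            # line layout: Sent 840 bytes 10 pkt (dropped 10, overlimits 0 requeues 0)
            for (i = 1; i <= NF; i++)
                if ($i == "(dropped") { n = $(i + 1); sub(/,/, "", n); total += n }
            in_drop = 0
        }
        END { print total + 0 }
    '
}

# ct_state_leaked: returns 0 (and prints "leak") when the ct_state +trk
# drop rule on the redirect target matched any packet, 1 ("ok") otherwise.
# With the filters from the report, any match means the ct state survived
# the mirror/redirect instead of being reset.
ct_state_leaked() {
    n=$(dropped_pkts)
    if [ "$n" -gt 0 ]; then
        echo "leak: $n packet(s) matched ct_state +trk on the redirect target"
        return 0
    fi
    echo "ok: no packets matched ct_state +trk on the redirect target"
    return 1
}

# setup_repro: the filter setup exactly as given in the bug report.
setup_repro() {
    tc qdisc add dev veth0 clsact
    tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk \
        action mirred ingress mirror dev veth1
    tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv \
        action ct commit action goto chain 1
    tc qdisc add dev veth1 clsact
    tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop
}

# Constructed sample of `tc -s filter show dev veth1 ingress` on an affected
# kernel: the drop action has seen 10 packets. Not real captured output.
SAMPLE='filter protocol ip pref 49152 flower chain 0 handle 0x1
  eth_type ipv4
  ct_state +trk
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 1 ref 1 bind 1 installed 12 sec used 3 sec
	Action statistics:
	Sent 840 bytes 10 pkt (dropped 10, overlimits 0 requeues 0)
	backlog 0b 0p requeues 0'

case "${1:-}" in
    run)
        # Usage: sh ct_redirect_check.sh run <remote ip reachable via veth0>
        setup_repro
        ping -c 5 "$2" >/dev/null 2>&1
        tc -s filter show dev veth1 ingress | ct_state_leaked
        ;;
    *)
        # Offline self-check against the constructed sample.
        printf '%s\n' "$SAMPLE" | ct_state_leaked
        ;;
esac
```

Run without arguments the script only exercises the parser on the constructed sample and reports "leak: 10 ...". With `run <remote ip>` on an affected kernel it should report a leak; once the upstream fix is in place the +trk rule on veth1 should see no packets and the script reports "ok".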