> On Apr 27, 2017, at 10:36 AM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 26 April 2017 at 13:13, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Upstream commit:
>> 
>>    commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd
>>    Author: Jarno Rajahalme <ja...@ovn.org>
>>    Date:   Fri Apr 14 14:26:38 2017 -0700
>> 
>>    openvswitch: Delete conntrack entry clashing with an expectation.
>> 
>>    Conntrack helpers do not check for a potentially clashing conntrack
>>    entry when creating a new expectation.  Also, nf_conntrack_in() will
>>    check expectations (via init_conntrack()) only if a conntrack entry
>>    can not be found.  The expectation for a packet which also matches an
>>    existing conntrack entry will not be removed by conntrack, and is
>>    currently handled inconsistently by OVS, as OVS expects the
>>    expectation to be removed when the connection tracking entry matching
>>    that expectation is confirmed.
>> 
>>    It should be noted that normally an IP stack would not allow reuse of
>>    a 5-tuple of an old (possibly lingering) connection for a new data
>>    connection, so this is a somewhat unlikely corner case.  However, it is
>>    possible that a misbehaving source could cause conntrack entries to be
>>    created that could then interfere with new related connections.
>> 
>>    Fix this in the OVS module by deleting the clashing conntrack entry
>>    after an expectation has been matched.  This causes the following
>>    nf_conntrack_in() call to also find the expectation and remove it when
>>    creating the new conntrack entry, as well as the forthcoming reply
>>    direction packets to match the new related connection instead of the
>>    old clashing conntrack entry.
>> 
>>    Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
>>    Reported-by: Yang Song <yangs...@vmware.com>
>>    Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>>    Acked-by: Joe Stringer <j...@ovn.org>
>>    Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks for the review, pushed to master,

  Jarno

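As an added illustration (not kernel or OVS code, and not part of this thread), a small user-space Python model of the lookup order the commit message describes: conntrack_in() consults existing entries before expectations, so a lingering entry on the same 5-tuple masks the expectation until OVS deletes the clashing entry. The class and function names, and the FTP-style 5-tuples, are constructed for the model.

```python
class Conntrack:
    """Toy conntrack: an entry table keyed by 5-tuple plus an expectation
    table filled by a helper (ALG).  Mirrors the order used by
    nf_conntrack_in(): existing entry first, expectations only if none."""

    def __init__(self):
        self.entries = {}       # 5-tuple -> {"related": bool, "master": tuple}
        self.expectations = {}  # expected 5-tuple -> master 5-tuple

    def helper_expect(self, master, expected):
        # Helpers do not check whether `expected` clashes with an entry.
        self.expectations[expected] = master

    def conntrack_in(self, pkt):
        """Return (state, entry): 'established' on an entry hit, 'new+related'
        when a fresh entry is created from an expectation, else 'new'."""
        entry = self.entries.get(pkt)
        if entry is not None:
            return "established", entry          # expectation never consulted
        master = self.expectations.pop(pkt, None)
        entry = {"related": master is not None, "master": master}
        self.entries[pkt] = entry
        return ("new+related" if master else "new"), entry


def ovs_ct_expect_find(ct, pkt, delete_clash):
    """OVS-side expectation lookup.  delete_clash=True models the fix: an
    existing entry matching the expectation's tuple is deleted so that the
    following conntrack_in() consumes the expectation instead."""
    master = ct.expectations.get(pkt)
    if master is not None and delete_clash:
        ct.entries.pop(pkt, None)
    return master


def run_scenario(fixed):
    """Constructed FTP-like scenario: an old connection lingers on the exact
    5-tuple the helper later expects for the related data connection."""
    ct = Conntrack()
    ctrl = ("tcp", "10.0.0.1", 40000, "10.0.0.2", 21)
    data = ("tcp", "10.0.0.2", 20, "10.0.0.1", 40001)
    ct.conntrack_in(ctrl)
    ct.conntrack_in(data)             # stale entry reusing the data 5-tuple
    ct.helper_expect(ctrl, data)      # helper now expects that same tuple
    seen_exp = ovs_ct_expect_find(ct, data, delete_clash=fixed) is not None
    state, entry = ct.conntrack_in(data)
    # (OVS saw expectation, conntrack state, entry related?, expectation left over?)
    return seen_exp, state, entry["related"], data in ct.expectations
```

Without the fix OVS reports the packet as new+related while conntrack classifies it as an unrelated established flow and leaves the expectation in place; with the fix both agree and the expectation is removed.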

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev