The ftp alg deals with packets in two ways for the command connection: either they are inspected (CT_FTP_CTL_INTEREST) or they just go through without being modified (CT_FTP_CTL_OTHER).
In both cases, the tcp seq/ack must be adjusted by the current offset that has been introduced in previous mangle operations and prepare for the next packets by setting an accumulated offset. Signed-off-by: David Marchand <david.march...@redhat.com> --- lib/conntrack.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 974f985..d08d0ea 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -3185,11 +3185,9 @@ handle_ftp_ctl(struct conntrack *ct, const struct conn_lookup_ctx *ctx, } struct ovs_16aligned_ip6_hdr *nh6 = dp_packet_l3(pkt); - int64_t seq_skew = 0; + int64_t seq_skew = conn_for_expectation->seq_skew; - if (ftp_ctl == CT_FTP_CTL_OTHER) { - seq_skew = conn_for_expectation->seq_skew; - } else if (ftp_ctl == CT_FTP_CTL_INTEREST) { + if (ftp_ctl == CT_FTP_CTL_INTEREST) { enum ftp_ctl_pkt rc; if (ctx->key.dl_type == htons(ETH_TYPE_IPV6)) { rc = process_ftp_ctl_v6(ct, pkt, conn_for_expectation, @@ -3208,35 +3206,36 @@ handle_ftp_ctl(struct conntrack *ct, const struct conn_lookup_ctx *ctx, return; } else if (rc == CT_FTP_CTL_INTEREST) { uint16_t ip_len; + int64_t new_skew; if (ctx->key.dl_type == htons(ETH_TYPE_IPV6)) { - seq_skew = repl_ftp_v6_addr(pkt, v6_addr_rep, ftp_data_start, + new_skew = repl_ftp_v6_addr(pkt, v6_addr_rep, ftp_data_start, addr_offset_from_ftp_data_start, addr_size, mode); - if (seq_skew) { + if (new_skew) { ip_len = ntohs(nh6->ip6_ctlun.ip6_un1.ip6_un1_plen); - ip_len += seq_skew; + ip_len += new_skew; nh6->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(ip_len); conn_seq_skew_set(ct, &conn_for_expectation->key, now, - seq_skew, ctx->reply); + new_skew + seq_skew, ctx->reply); } } else { - seq_skew = repl_ftp_v4_addr(pkt, v4_addr_rep, ftp_data_start, + new_skew = repl_ftp_v4_addr(pkt, v4_addr_rep, ftp_data_start, addr_offset_from_ftp_data_start); ip_len = ntohs(l3_hdr->ip_tot_len); - if (seq_skew) { - ip_len += seq_skew; + if (new_skew) { + ip_len += new_skew; l3_hdr->ip_csum = recalc_csum16(l3_hdr->ip_csum, l3_hdr->ip_tot_len, htons(ip_len)); l3_hdr->ip_tot_len = htons(ip_len); conn_seq_skew_set(ct, &conn_for_expectation->key, now, - seq_skew, ctx->reply); + new_skew + seq_skew, ctx->reply); } } } else { OVS_NOT_REACHED(); } - } else { + } else if (ftp_ctl == CT_FTP_CTL_INVALID) { OVS_NOT_REACHED(); } -- 1.8.3.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev