projects / cascardo / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 596cf3f) | patch
openvswitch: Fix checking for new expected connections.
authorJarno Rajahalme <jarno@ovn.org>
Mon, 21 Mar 2016 18:15:19 +0000 (11:15 -0700)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 28 Mar 2016 15:58:51 +0000 (17:58 +0200)
commit5745b0be05a0f8ccbc92a36b69f3a6bc58e91954
tree90a34624e8f665170cb9aa17a937ab9373177f82tree | snapshot
parent596cf3fe5854fe2b1703b0466ed6bf9cfb83c91ecommit | diff
openvswitch: Fix checking for new expected connections.

OVS should call into CT NAT for packets of new expected connections only
when the conntrack state is persisted with the 'commit' option to the
OVS CT action.  The test for this condition is doubly wrong, as the CT
status field is ANDed with the bit number (IPS_EXPECTED_BIT) rather
than the mask (IPS_EXPECTED), and due to the wrong assumption that the
expected bit would apply only for the first (i.e., 'new') packet of a
connection, while in fact the expected bit remains on for the lifetime of
an expected connection.  The 'ctinfo' value IP_CT_RELATED derived from
the ct status can be used instead, as it is only ever applicable to
the 'new' packets of the expected connection.

Fixes: 05752523e565 ('openvswitch: Interface with NAT.')
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/openvswitch/conntrack.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.