On Mon, Mar 21, 2016 at 11:15:19AM -0700, Jarno Rajahalme wrote:
> OVS should call into CT NAT for packets of new expected connections only
> when the conntrack state is persisted with the 'commit' option to the
> OVS CT action.  The test for this condition is doubly wrong, as the CT
> status field is ANDed with the bit number (IPS_EXPECTED_BIT) rather
> than the mask (IPS_EXPECTED), and due to the wrong assumption that the
> expected bit would apply only for the first (i.e., 'new') packet of a
> connection, while in fact the expected bit remains on for the lifetime of
> an expected connection.  The 'ctinfo' value IP_CT_RELATED derived from
> the ct status can be used instead, as it is only ever applicable to
> the 'new' packets of the expected connection.

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
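
The two mistakes described in the quoted commit message, as an added example that is not part of the original message or of the OVS/netfilter code: it compares testing the status field against the bit number, against the mask, and testing ctinfo instead. The enum values match the kernel's conntrack headers; the packet sequence is constructed, and `model_ctinfo()` and `count_hits()` are hypothetical helpers that only model the derivation of ctinfo in simplified form.

```c
#include <stdio.h>

/* Constants with the values used in the kernel's conntrack headers (subset). */
enum { IPS_EXPECTED_BIT = 0, IPS_EXPECTED = 1 << IPS_EXPECTED_BIT,
       IPS_SEEN_REPLY_BIT = 1, IPS_SEEN_REPLY = 1 << IPS_SEEN_REPLY_BIT };
enum ctinfo { IP_CT_ESTABLISHED, IP_CT_RELATED, IP_CT_NEW, IP_CT_ESTABLISHED_REPLY };

struct pkt { unsigned long status; int is_reply; };

/* Constructed packets of one expected connection: the expected bit stays set. */
static const struct pkt expected_conn[] = {
    { IPS_EXPECTED, 0 },                  /* first packet, no reply seen yet */
    { IPS_EXPECTED, 0 },                  /* retransmission, still 'new' */
    { IPS_EXPECTED | IPS_SEEN_REPLY, 1 }, /* reply direction */
    { IPS_EXPECTED | IPS_SEEN_REPLY, 0 }, /* established, original direction */
    { IPS_EXPECTED | IPS_SEEN_REPLY, 1 },
};
#define NPKTS ((int)(sizeof(expected_conn) / sizeof(expected_conn[0])))

/* Simplified model (assumption) of how ctinfo is derived from ct status. */
static enum ctinfo model_ctinfo(const struct pkt *p)
{
    if (p->is_reply) return IP_CT_ESTABLISHED_REPLY;
    if (p->status & IPS_SEEN_REPLY) return IP_CT_ESTABLISHED;
    if (p->status & IPS_EXPECTED) return IP_CT_RELATED;
    return IP_CT_NEW;
}

enum check { BY_BIT_NUMBER, BY_MASK, BY_CTINFO };

/* Count the packets each candidate test would treat as "new expected". */
static int count_hits(enum check c)
{
    int i, hits = 0;
    for (i = 0; i < NPKTS; i++) {
        const struct pkt *p = &expected_conn[i];
        if (c == BY_BIT_NUMBER) hits += (p->status & IPS_EXPECTED_BIT) != 0;
        else if (c == BY_MASK)  hits += (p->status & IPS_EXPECTED) != 0;
        else                    hits += model_ctinfo(p) == IP_CT_RELATED;
    }
    return hits;
}

int main(void)
{
    printf("bit number: %d, mask: %d, ctinfo: %d of %d packets\n",
           count_hits(BY_BIT_NUMBER), count_hits(BY_MASK),
           count_hits(BY_CTINFO), NPKTS);
    return 0;
}
```

Because IPS_EXPECTED_BIT is 0, the bit-number test can never be true; the mask test is true for every packet of the connection, while the ctinfo test selects only the packets seen before a reply.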