On 26 April 2017 at 13:13, Jarno Rajahalme <ja...@ovn.org> wrote:
> Upstream commit:
>
> commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd
> Author: Jarno Rajahalme <ja...@ovn.org>
> Date: Fri Apr 14 14:26:38 2017 -0700
>
> openvswitch: Delete conntrack entry clashing with an expectation.
>
> Conntrack helpers do not check for a potentially clashing conntrack
> entry when creating a new expectation. Also, nf_conntrack_in() will
> check expectations (via init_conntrack()) only if a conntrack entry
> can not be found. The expectation for a packet which also matches an
> existing conntrack entry will not be removed by conntrack, and is
> currently handled inconsistently by OVS, as OVS expects the
> expectation to be removed when the connection tracking entry matching
> that expectation is confirmed.
>
> It should be noted that normally an IP stack would not allow reuse of
> a 5-tuple of an old (possibly lingering) connection for a new data
> connection, so this is somewhat unlikely corner case. However, it is
> possible that a misbehaving source could cause conntrack entries be
> created that could then interfere with new related connections.
>
> Fix this in the OVS module by deleting the clashing conntrack entry
> after an expectation has been matched. This causes the following
> nf_conntrack_in() call also find the expectation and remove it when
> creating the new conntrack entry, as well as the forthcoming reply
> direction packets to match the new related connection instead of the
> old clashing conntrack entry.
>
> Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
> Reported-by: Yang Song <yangs...@vmware.com>
> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> Acked-by: Joe Stringer <j...@ovn.org>
> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
>
> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> ---
Acked-by: Joe Stringer <j...@ovn.org>
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
