Scenario: a mono-dir UDP stream is received from a port that allows new
incoming connections. The 1st packet creates a new connection.
The second UDP packet - even if there's no reply from the other side - will
make the connection become established. So all the next packets of the
same mono-dir stream will successfully pass through the firewall.

This patch allows sending the 1st initiating packet, but blocks the
transmission of the next UDP packets as long as the created connection
is still unreplied.

Signed-off-by: Antonio Fischetti <[email protected]>
---
 lib/conntrack-other.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/conntrack-other.c b/lib/conntrack-other.c
index 2920889..f6433fd 100644
--- a/lib/conntrack-other.c
+++ b/lib/conntrack-other.c
@@ -56,7 +56,15 @@ other_conn_update(struct conn *conn_, struct 
conntrack_bucket *ctb,
 
     conn_update_expiration(ctb, &conn->up, other_timeouts[conn->state], now);
 
-    return CT_UPDATE_VALID;
+    if (conn_->key.nw_proto == IPPROTO_UDP) {
+        if (conn->state == OTHERS_BIDIR) {
+            return CT_UPDATE_VALID;
+        } else {
+            return CT_UPDATE_INVALID;
+        }
+    } else {
+        return CT_UPDATE_INVALID;
+    }
 }
 
 static bool
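Review bot: the final `else` branch returns CT_UPDATE_INVALID for every protocol other than UDP, so any non-UDP connection that goes through other_conn_update() would have all packets after the first one marked invalid, which is a behaviour change well beyond the unreplied-UDP case the commit message describes; the non-UDP path should keep returning CT_UPDATE_VALID, which also removes the nested if/else, e.g. `if (conn_->key.nw_proto != IPPROTO_UDP || conn->state == OTHERS_BIDIR) { return CT_UPDATE_VALID; } return CT_UPDATE_INVALID;`. In the same hunk, conn_update_expiration() is still called unconditionally before the new check, so every packet that is rejected as invalid keeps refreshing the timeout of the unreplied connection and a mono-directional stream can hold the entry alive indefinitely; the expiration update belongs after the check, on the accepted path only.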
-- 
2.4.11

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev