Presently, ALG processing is enabled by default, regardless of whether a helper was requested, which was done to exercise testing. This is similar to kernels before 4.7. The recommended default behavior in the kernel is to only process ALGs if a helper is supplied in a conntrack rule. This patch changes the behavior to match the later kernels.
Signed-off-by: Darrell Ball <[email protected]>
---
 lib/conntrack.c | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 7fbcfba..dea2fed 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -789,13 +789,34 @@ conn_clean(struct conntrack *ct, struct conn *conn,
     }
 }
 
+static bool
+ct_verify_helper(const char *helper, enum ct_alg_ctl_type ct_alg_ctl)
+{
+    if (ct_alg_ctl == CT_ALG_CTL_NONE) {
+        return true;
+    } else if (helper) {
+        if ((ct_alg_ctl == CT_ALG_CTL_FTP) &&
+            !strncmp(helper, "ftp", strlen("ftp"))) {
+            return true;
+        } else if ((ct_alg_ctl == CT_ALG_CTL_TFTP) &&
+            !strncmp(helper, "tftp", strlen("tftp"))) {
+            return true;
+        } else {
+            return false;
+        }
+    } else {
+        return false;
+    }
+}
+
 /* This function is called with the bucket lock held. */
 static struct conn *
 conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
                struct conn_lookup_ctx *ctx, bool commit, long long now,
                const struct nat_action_info_t *nat_action_info,
                struct conn *conn_for_un_nat_copy,
-               const char *helper, const struct alg_exp_node *alg_exp)
+               const char *helper, const struct alg_exp_node *alg_exp,
+               enum ct_alg_ctl_type ct_alg_ctl)
 {
     struct conn *nc = NULL;
 
@@ -819,15 +840,16 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
             return nc;
         }
 
+        if (!ct_verify_helper(helper, ct_alg_ctl)) {
+            return nc;
+        }
+
         unsigned bucket = hash_to_bucket(ctx->hash);
         nc = new_conn(&ct->buckets[bucket], pkt, &ctx->key, now);
         ctx->conn = nc;
         nc->rev_key = nc->key;
         conn_key_reverse(&nc->rev_key);
-
-        if (helper) {
-            nc->alg = xstrdup(helper);
-        }
+        nc->alg = nullable_xstrdup(helper);
 
         if (alg_exp) {
             nc->alg_related = true;
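Review bot: In ct_verify_helper, `!strncmp(helper, "ftp", strlen("ftp"))` is a prefix test rather than an equality test, so any helper name beginning with "ftp" (and likewise "tftp") is accepted as the matching ALG; `!strcmp(helper, "ftp")` and `!strcmp(helper, "tftp")` express the exact match the kernel helper names imply and drop the strlen calls. Whether a caller can actually supply a helper string other than these two names depends on the action parser, which is not in this hunk, but an exact compare costs nothing and makes the intent unambiguous. The function also has no header comment; something like `/* Returns true when no ALG applies to the packet, or when 'helper' names the ALG that 'ct_alg_ctl' classified it as. */` above `static bool` would document the contract. conn_not_found's body continues past the end of this hunk.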
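Review bot: The new `if (!ct_verify_helper(helper, ct_alg_ctl)) { return nc; }` runs before `new_conn`, so a packet classified as FTP or TFTP control traffic whose rule carries no helper, or the helper for the other ALG, now gets no connection entry at all rather than a connection without ALG processing, which is what the commit message describes as the kernel default. If this block sits under `if (commit)` as the preceding `return nc; }` suggests, `ct(commit)` without `alg=` on port 21 or 69 traffic would silently stop committing. The narrower change is to leave the early return out and gate only the helper: replace `nc->alg = nullable_xstrdup(helper);` with `nc->alg = ct_verify_helper(helper, ct_alg_ctl) ? nullable_xstrdup(helper) : NULL;`. The rest of conn_not_found, including the `if (alg_exp)` branch, continues past the hunk.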
@@ -1182,7 +1204,8 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
         }
         ct_rwlock_unlock(&ct->resources_lock);
         conn = conn_not_found(ct, pkt, ctx, commit, now, nat_action_info,
-                              &conn_for_un_nat_copy, helper, alg_exp);
+                              &conn_for_un_nat_copy, helper, alg_exp,
+                              ct_alg_ctl);
     }
 
     write_ct_md(pkt, zone, conn, &ctx->key, alg_exp);
-- 
1.9.1

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
