An address sanity check is done on icmp error packets to check that the icmp error payload makes sense w.r.t. the packet itself.
The sanity check was partially incorrect since it tried to verify the source address of the error packet against the original destination, which does not makes since the error can be generated by any intermediate node. Reported-by: wangzhike <[email protected]> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html Fixes: a489b1685 ("conntrack: New userspace connection tracker.") CC: Daniele Di Proietto <[email protected]> Signed-off-by: Darrell Ball <[email protected]> Signed-off-by: wangzhike <[email protected]> Co-authored-by: wangzhike <[email protected]> --- lib/conntrack.c | 7 ++----- tests/system-traffic.at | 6 +++--- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index cd54ba7..6d078f5 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -1782,8 +1782,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, return false; } - if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned - || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) { + if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) { return false; } @@ -1871,9 +1870,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, /* pf doesn't do this, but it seems a good idea */ if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned, - &key->dst.addr.ipv6_aligned) - || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned, - &key->src.addr.ipv6_aligned)) { + &key->dst.addr.ipv6_aligned)) { return false; } diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 4551c5c..4e7a1cd 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -1584,8 +1584,8 @@ AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c dnl 2. Send and UDP packet to port 5555 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) -dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) +dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555, related to the first packet +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) dnl Check this output. We only see the latter two packets, not the first. AT_CHECK([cat ofctl_monitor.log], [0], [dnl @@ -1594,7 +1594,7 @@ icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=17 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered) udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered) -icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f +icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f ]) AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl -- 1.9.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
