Ephemeral port fallback is being done for DNAT and the code could be hit in some special cases and testing configurations. Also, good packets are expected to be persistently dropped in this case, which is not a common user goal. Regardless, this is incorrect, so filter this out. Also, rename the variable used for checking whether ephemeral ports need to be checked. Needs backporting to 2.8.
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-August/351629.html Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.") Signed-off-by: Darrell Ball <[email protected]> --- lib/conntrack.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 974f985..31fedc0 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -2172,7 +2172,9 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, uint16_t port = first_port; bool all_ports_tried = false; - bool original_ports_tried = false; + /* For DNAT, we don't use ephemeral ports. */ + bool ephemeral_ports_tried = conn->nat_info->nat_action & NAT_ACTION_DST + ? true : false; struct ct_addr first_addr = ct_addr; while (true) { @@ -2218,13 +2220,13 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, ct_addr = conn->nat_info->min_addr; } if (!memcmp(&ct_addr, &first_addr, sizeof ct_addr)) { - if (!original_ports_tried) { - original_ports_tried = true; + if (ephemeral_ports_tried) { + break; + } else { + ephemeral_ports_tried = true; ct_addr = conn->nat_info->min_addr; min_port = MIN_NAT_EPHEMERAL_PORT; max_port = MAX_NAT_EPHEMERAL_PORT; - } else { - break; } } first_port = min_port; -- 1.9.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
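Review bot: the `? true : false` on the new `ephemeral_ports_tried` initializer in the first hunk (the @@ -2172,7 +2172,9 @@ hunk) is redundant; in C the result of `conn->nat_info->nat_action & NAT_ACTION_DST` already converts to `bool` on assignment, so `bool ephemeral_ports_tried = conn->nat_info->nat_action & NAT_ACTION_DST;` (or `!!(...)` if the explicit normalization is preferred) fits on one line and drops the continuation. The comment `/* For DNAT, we don't use ephemeral ports. */` should also say why the flag starts out true, since a reader who sees "tried" set before any port has been tried will suspect a bug: the flag is preset so that the wrap-around check in the loop body takes the `break` path immediately for DNAT instead of switching to the ephemeral range. Something like `/* DNAT must stay inside the configured port range, so mark the ephemeral range as already tried to disable the fallback. */` makes the intent explicit.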
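Review bot: the `else` after `break` in the second hunk (the @@ -2218,13 +2220,13 @@ hunk) is unnecessary and adds a level of indentation to the fallback path; keeping the early exit and de-indenting the rest reads better: `if (ephemeral_ports_tried) { break; }` followed directly by `ephemeral_ports_tried = true;`, `ct_addr = conn->nat_info->min_addr;` and the `min_port`/`max_port` assignments. Style aside, the control flow matches the commit message: for a DNAT conn the flag is already true when `ct_addr` wraps back to `first_addr`, so the loop exits without rescanning the configured addresses with `MIN_NAT_EPHEMERAL_PORT`..`MAX_NAT_EPHEMERAL_PORT`, while for SNAT the flag starts false and the one-time ephemeral fallback behaves exactly as before; the `break` lands at the same point in the loop as the old `else { break; }`, so the post-loop handling does not need to change.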
