Re: [ovs-dev] [patch v6 2/3] conntrack: Lookup only 'UNNAT conns' in 'nat_clean()'.

2019-03-15 Thread Ben Pfaff
On Fri, Mar 15, 2019 at 03:01:19PM -0700, Darrell Ball wrote:
> When freeing 'UNNAT conns', lookup only 'UNNAT conns' to
> protect against possible address overlap with 'default
> conns' during a DOS attempt.  This is very unlikely, but
> protection is simple.
> 
> Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
> Signed-off-by: Darrell Ball 
> ---
> 
> This patch is targeted for earlier releases as new RCU patches
> inherently don't have this race.
> 
> Backport to 2.8.

Applied to master, 2.11, 2.10.
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


[ovs-dev] [patch v6 2/3] conntrack: Lookup only 'UNNAT conns' in 'nat_clean()'.

2019-03-15 Thread Darrell Ball
When freeing 'UNNAT conns', lookup only 'UNNAT conns' to
protect against possible address overlap with 'default
conns' during a DOS attempt.  This is very unlikely, but
protection is simple.

Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
Signed-off-by: Darrell Ball 
---

This patch is targeted for earlier releases as new RCU patches
inherently don't have this race.

Backport to 2.8.

v6: Changed comment to lock annotation.
v5: Add fixes tag.
v1->v4: No changes to this patch.

 lib/conntrack.c | 25 +
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index dd6e19b..5235690 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -776,6 +776,22 @@ conn_lookup_def(const struct conn_key *key,
 return conn;
 }
 
+static struct conn *
+conn_lookup_unnat(const struct conn_key *key,
+  const struct conntrack_bucket *ctb, uint32_t hash)
+OVS_REQUIRES(ctb->lock)
+{
+struct conn *conn = NULL;
+
+HMAP_FOR_EACH_WITH_HASH (conn, node, hash, >connections) {
+if (!conn_key_cmp(>key, key)
+&& conn->conn_type == CT_CONN_TYPE_UN_NAT) {
+break;
+}
+}
+return conn;
+}
+
 static void
 conn_seq_skew_set(struct conntrack *ct, const struct conn_key *key,
   long long now, int seq_skew, bool seq_skew_dir)
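Review bot: conn_lookup_unnat() has no expiry handling, unlike conn_lookup(), which takes a `now` argument, so an UN_NAT entry that is already past its timeout is still returned; that is what nat_clean() wants, since it is freeing the entry regardless, but a short comment above the function saying that it ignores expiration and is intended only for the nat_clean() path would keep it from being picked up later as a general replacement for conn_lookup(). The OVS_REQUIRES(ctb->lock) annotation is the right way to state the locking precondition; it also makes the `hash` parameter's contract implicit, so the comment could add that `hash` must be conn_key_hash(key, ct->hash_basis) for the bucket's table, which is what the caller in nat_clean() passes.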
@@ -799,12 +815,13 @@ nat_clean(struct conntrack *ct, struct conn *conn,
 nat_conn_keys_remove(>nat_conn_keys, >rev_key, ct->hash_basis);
 ct_rwlock_unlock(>resources_lock);
 ct_lock_unlock(>lock);
-unsigned bucket_rev_conn =
-hash_to_bucket(conn_key_hash(>rev_key, ct->hash_basis));
+uint32_t hash = conn_key_hash(>rev_key, ct->hash_basis);
+unsigned bucket_rev_conn = hash_to_bucket(hash);
 ct_lock_lock(>buckets[bucket_rev_conn].lock);
 ct_rwlock_wrlock(>resources_lock);
-long long now = time_msec();
-struct conn *rev_conn = conn_lookup(ct, >rev_key, now);
+struct conn *rev_conn = conn_lookup_unnat(>rev_key,
+  >buckets[bucket_rev_conn],
+  hash);
 struct nat_conn_key_node *nat_conn_key_node =
 nat_conn_keys_lookup(>nat_conn_keys, >rev_key,
  ct->hash_basis);
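Review bot: dropping `long long now = time_msec();` is only safe if nothing further down in nat_clean() still references `now`; the hunk's context ends at the nat_conn_keys_lookup() call, so that cannot be confirmed from the diff alone, and it is worth a check before the 2.8 backport where the surrounding code may differ. Separately, the sequence `ct_lock_unlock(>lock);` ... `ct_lock_lock(>buckets[bucket_rev_conn].lock);` is the window in which a flood can create a default conn whose key equals `rev_key`, and the switch from conn_lookup() to conn_lookup_unnat() is what stops that colliding entry from being returned and freed in place of the UN_NAT one; a one-line comment at the conn_lookup_unnat() call stating that the type filter, not the locking, provides this protection would save the next reader from having to recover the reasoning from the commit message.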
-- 
1.9.1

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
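The overlap the commit message describes, as an added illustration that is not code from the patch or from Open vSwitch: a single bucket chain stands in for the hmap, an UN_NAT entry exists for the reverse key, and a default entry with the identical key is created while the bucket lock is dropped. The names (conn_key, bucket_remove, run_scenario) and the constructed keys are hypothetical; the two policies compared are the unfiltered key match and the match restricted to UN_NAT entries.

```c
/* Added example, not Open vSwitch code.  Models the bucket chain of
 * conntrack entries and the two lookup policies nat_clean() could use
 * when freeing the reverse-direction (UN_NAT) entry. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum conn_type { CONN_DEFAULT = 0, CONN_UN_NAT = 1 };

struct conn_key {
    uint32_t src, dst;       /* IPv4 addresses, host order (constructed) */
    uint16_t sport, dport;
    uint8_t proto;
};

struct conn {
    struct conn_key key;
    enum conn_type type;
    struct conn *next;       /* hash chain link; stands in for the hmap node */
};

struct bucket { struct conn *head; };

static bool key_eq(const struct conn_key *a, const struct conn_key *b)
{
    return a->src == b->src && a->dst == b->dst
        && a->sport == b->sport && a->dport == b->dport
        && a->proto == b->proto;
}

/* Newest entry goes to the head of the chain, so an entry inserted
 * later is met first by a linear scan. */
static void bucket_insert(struct bucket *b, struct conn *c)
{
    c->next = b->head;
    b->head = c;
}

/* Unlink and return the first entry whose key matches.  With
 * filter_by_type set, only UN_NAT entries qualify (the patch's policy). */
static struct conn *bucket_remove(struct bucket *b, const struct conn_key *key,
                                  bool filter_by_type)
{
    for (struct conn **pp = &b->head; *pp; pp = &(*pp)->next) {
        struct conn *c = *pp;
        if (key_eq(&c->key, key)
            && (!filter_by_type || c->type == CONN_UN_NAT)) {
            *pp = c->next;
            c->next = NULL;
            return c;
        }
    }
    return NULL;
}

static int count_type(const struct bucket *b, enum conn_type t)
{
    int n = 0;
    for (const struct conn *c = b->head; c; c = c->next) {
        n += (c->type == t);
    }
    return n;
}

/* Scenario: the UN_NAT entry for rev_key exists; while the bucket lock is
 * dropped, traffic creates a default entry with the identical key.  Return
 * the type of the entry nat_clean() would free (-1 if none) and report how
 * many UN_NAT entries are left in the bucket afterwards. */
static int run_scenario(bool filter_by_type, int *unnat_left)
{
    static const struct conn_key rev_key = { 0x0a000001u, 0xc0a80002u, 40000, 80, 6 };
    struct conn unnat = { rev_key, CONN_UN_NAT, NULL };
    struct conn attacker = { rev_key, CONN_DEFAULT, NULL };
    struct bucket b = { NULL };

    bucket_insert(&b, &unnat);
    bucket_insert(&b, &attacker);   /* created in the unlock window */

    struct conn *freed = bucket_remove(&b, &rev_key, filter_by_type);
    *unnat_left = count_type(&b, CONN_UN_NAT);
    return freed ? (int) freed->type : -1;
}

/* Convenience wrappers returning one result each. */
static int freed_type(bool filter_by_type)
{
    int left;
    return run_scenario(filter_by_type, &left);
}

static int unnat_left_after(bool filter_by_type)
{
    int left;
    run_scenario(filter_by_type, &left);
    return left;
}

int main(void)
{
    /* Unfiltered: the attacker's default conn is "freed", the UN_NAT leaks. */
    printf("unfiltered: freed type %d, UN_NAT entries left %d\n",
           freed_type(false), unnat_left_after(false));
    /* Filtered: the UN_NAT conn is freed, the default conn is untouched. */
    printf("UN_NAT only: freed type %d, UN_NAT entries left %d\n",
           freed_type(true), unnat_left_after(true));
    return 0;
}
```

The unfiltered scan removes whichever matching entry it meets first, so the default conn created in the window is freed while the UN_NAT entry stays behind; restricting the match to UN_NAT entries removes the intended entry whatever else shares the key, which is why the patch can keep the existing unlock/relock sequence and still be safe in the pre-RCU releases.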