Public bug reported:

 SRU Justification:
 
Act_ct is mishandling the CT action in zone 0, which can cause the inner actions
(commit, nat) to be skipped.
 
* Explain the bug(s)

Currently act_ct action init is skipping ct template allocation for zone 0.
Skipping the allocation may cause the datapath ct code to ignore the
entire ct action with all its attributes (commit, nat) in case the ct
action in zone 0 was preceded by a ct clear action.

The ct clear action sets the ct_state to untracked and resets the
skb->_nfct pointer. Under these conditions and without an allocated
ct template, the skb->_nfct pointer will remain NULL which will
cause the tc ct action handler to exit without handling commit and nat
actions, if such exist.

* Brief explanation of fixes
 
Remove the skipping of ct template allocation for zone 0. Treat it like all
other zones.
 
* How to test
 
Create a tc rule (with skip_hw to make sure it is not offloaded by HW) with an
actions list that includes the following sequence:
Actions: ct_clear, ct(commit, nat(src=10.0.12.1)), …
 
* What it could break.
 
Ct action in zone 0 will not be performed (i.e., ct(commit, nat(src=10.0.12.1))).
This means the connection will not get committed to zone 0 and src nat will not
be performed, which means the packet will pass this rule and maintain its
original src IP.

** Affects: linux-bluefield (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1929460

Title:
  CT: Fix CT template allocation for zone 0
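
The control flow described in the report, as an added userspace model that is not part of the original bug report and is not the kernel's act_ct code. All struct, field and function names below are hypothetical stand-ins (`nfct` stands in for `skb->_nfct`), and the lookup is reduced to the single behaviour the report relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not kernel API. */
struct ct_entry { int zone; bool committed; bool snat; };
struct pkt { struct ct_entry *nfct; bool untracked; };  /* models skb->_nfct and ct_state */
struct ct_action { int zone; bool commit; bool nat; struct ct_entry *tmpl; };

static struct ct_entry tmpl_store;  /* backing storage for the action's template */
static struct ct_entry conn_store;  /* the connection entry the lookup creates */

/* Action init: the pre-fix variant skips template allocation for zone 0. */
static void ct_action_init(struct ct_action *a, int zone, bool fixed)
{
    a->zone = zone; a->commit = true; a->nat = true; a->tmpl = NULL;
    if (zone == 0 && !fixed)
        return;                      /* the skip that the fix removes */
    tmpl_store = (struct ct_entry){ .zone = zone };
    a->tmpl = &tmpl_store;
}

/* ct_clear: set the state to untracked and reset the pointer. */
static void ct_clear(struct pkt *p) { p->nfct = NULL; p->untracked = true; }

/* Lookup model: an untracked packet with no template attached is ignored. */
static void conntrack_lookup(struct pkt *p)
{
    if (p->untracked && p->nfct == NULL)
        return;
    conn_store = (struct ct_entry){ .zone = p->nfct ? p->nfct->zone : 0 };
    p->nfct = &conn_store;
    p->untracked = false;
}

/* ct action handler: returns true only if commit and nat were handled. */
static bool ct_action_run(const struct ct_action *a, struct pkt *p)
{
    if (a->tmpl)
        p->nfct = a->tmpl;           /* associate the packet with the zone */
    conntrack_lookup(p);
    if (p->nfct == NULL)
        return false;                /* early exit: commit and nat skipped */
    if (a->commit) p->nfct->committed = true;
    if (a->nat) p->nfct->snat = true;
    return true;
}

/* Runs [ct_clear,] ct(commit, nat) in a zone; true if commit and nat were applied. */
static bool run_sequence(int zone, bool fixed, bool clear_first)
{
    struct ct_action a; struct pkt p = { NULL, false };
    ct_action_init(&a, zone, fixed);
    if (clear_first) ct_clear(&p);
    return ct_action_run(&a, &p) && p.nfct->committed && p.nfct->snat;
}

int main(void)
{
    printf("zone 0, pre-fix, after ct_clear: %d\n", run_sequence(0, false, true));
    printf("zone 0, fixed,   after ct_clear: %d\n", run_sequence(0, true, true));
    return 0;
}
```
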
