diff options
| author | Daniele Di Proietto <diproiettod@vmware.com> | 2016-12-19 14:03:58 -0800 |
|---|---|---|
| committer | Daniele Di Proietto <diproiettod@vmware.com> | 2016-12-23 17:11:52 -0800 |
| commit | 5c2e106b334423e8471d122f70c05d54dd41904c (patch) | |
| tree | bf72a27fb37c3d8ad070ec1d74df67fe1137fe26 /lib | |
| parent | 34aa9cf97e2c5c937296012183dea5862a2b6190 (diff) | |
| download | openvswitch-5c2e106b334423e8471d122f70c05d54dd41904c.tar.gz | |
conntrack: Do not create new connections from ICMP errors.
ICMP error packets (e.g. destination unreachable messages) are
considered 'related' to another connection and are treated as part of
that.
However:
* We shouldn't create new entries in the connection table if the
original connection is not found. This is consistent with what the
kernel does.
* We certainly shouldn't call valid_new() on the packet, because
valid_new() assumes the packet l4 type (might be TCP, UDP or ICMP)
to be consistent with the conn_key nw_proto type.
Found by inspection.
Fixes: a489b16854b5("conntrack: New userspace connection tracker.")
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Acked-by: Darrell Ball <dlu998@gmail.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/conntrack.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/conntrack.c b/lib/conntrack.c index 7c50a289c..9bea3d93e 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -247,7 +247,11 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, } } } else { - conn = conn_not_found(ct, pkt, ctx, &state, commit, now); + if (ctx->related) { + state |= CS_INVALID; + } else { + conn = conn_not_found(ct, pkt, ctx, &state, commit, now); + } } write_ct_md(pkt, state, zone, conn ? conn->mark : 0, |