| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Feb 2017 12:15:12 -0500 (EST) From: David Miller <davem@...emloft.net> To: pshelar@....org Cc: jarno@....org, netdev@...r.kernel.org Subject: Re: [PATCH net-next 1/7] openvswitch: Use inverted tuple in ovs_ct_find_existing() if NATted. From: Pravin Shelar <pshelar@....org> Date: Mon, 6 Feb 2017 09:06:29 -0800 > On Sun, Feb 5, 2017 at 2:28 PM, David Miller <davem@...emloft.net> wrote: >> From: Jarno Rajahalme <jarno@....org> >> Date: Thu, 2 Feb 2017 17:10:00 -0800 >> >>> This does not match either of the conntrack tuples above. Normally >>> this does not matter, as the conntrack lookup was already done using >>> the tuple (B,A), but if the current packet does not match any flow in >>> the OVS datapath, the packet is sent to userspace via an upcall, >>> during which the packet's skb is freed, and the conntrack entry >>> pointer in the skb is lost. >> >> This is the real bug. >> >> If the metadata for a packet is important, as it obviously is here, >> then upcalls should preserve that metadata across the upcall. This >> is exactly how NF_QUEUE handles this problem and so should OVS. > > OVS kernel datapath serializes skb context and sends it along with skb > during upcall via genetlink parameters. userspace echoes same > information back to kernel modules. This way OVS does maintains > metadata across upcall. Then the conntrack state looked up before the NAT operation done in the upcall should be maintained and therefore this bug should not exist.
Powered by blists - more mailing lists