lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 16 Mar 2017 17:11:35 -0400 (EDT)
From:   Lance Richardson <lrichard@...hat.com>
To:     Numan Siddique <nusiddiq@...hat.com>
Cc:     netdev@...r.kernel.org, ovs dev <dev@...nvswitch.org>,
        Joe Stringer <joe@....org>, Andy Zhou <azhou@....org>,
        jarno@....org
Subject: Re: [RFC] [net]openvswitch: Clear the ct flow key for the
 recirculated packet

> From: "Numan Siddique" <nusiddiq@...hat.com>
> To: netdev@...r.kernel.org, "ovs dev" <dev@...nvswitch.org>
> Cc: "Joe Stringer" <joe@....org>, "Andy Zhou" <azhou@....org>, jarno@....org
> Sent: Thursday, March 16, 2017 8:25:06 AM
> Subject: [RFC] [net]openvswitch: Clear the ct flow key for the recirculated packet
> 
> It is possible that the ct flow key information would have
> gone stale for the packets received from the userspace due to
> clone or ct_clear actions.
> 
> In the case of OVN, it adds ping responder flows, which modifies
> the original icmp4 request packet to a reply packet. It uses the
> OVS actions - clone and ct_clear. When the reply packet hits the
> "ovs_ct_execute" function, and since the ct flow key info is not
> cleared, the connection tracker doesn't set the state to
> ESTABLISHED state.
> 
> Note: This patch is marked as RFC, as I am not sure if this is the correct
> place to address this issue or it should be addressed in ovs-vswitchd
> to set the OVS_KEY_ATTR_CT_STATE and other related attributes
> properly for ct_clear action.
> 
> Signed-off-by: Numan Siddique <nusiddiq@...hat.com>
> ---

Hi Numan,

With this patch applied I'm consistently seeing failures for two of the
kernel datapath unit tests (via "make check-kernel"):

 16: conntrack - force commit                        FAILED (system-traffic.at:692)
 54: conntrack - SNAT with ct_mark change on reply   FAILED (system-traffic.at:2446)

Powered by blists - more mailing lists