Date: Thu, 16 Mar 2017 17:11:35 -0400 (EDT)
From: Lance Richardson <lrichard@...hat.com>
To: Numan Siddique <nusiddiq@...hat.com>
Cc: netdev@...r.kernel.org, ovs dev <dev@...nvswitch.org>, Joe Stringer <joe@....org>, Andy Zhou <azhou@....org>, jarno@....org
Subject: Re: [RFC] [net]openvswitch: Clear the ct flow key for the recirculated packet

> From: "Numan Siddique" <nusiddiq@...hat.com>
> To: netdev@...r.kernel.org, "ovs dev" <dev@...nvswitch.org>
> Cc: "Joe Stringer" <joe@....org>, "Andy Zhou" <azhou@....org>, jarno@....org
> Sent: Thursday, March 16, 2017 8:25:06 AM
> Subject: [RFC] [net]openvswitch: Clear the ct flow key for the recirculated packet
>
> It is possible that the ct flow key information would have
> gone stale for the packets received from the userspace due to
> clone or ct_clear actions.
>
> In the case of OVN, it adds ping responder flows, which modifies
> the original icmp4 request packet to a reply packet. It uses the
> OVS actions - clone and ct_clear. When the reply packet hits the
> "ovs_ct_execute" function, and since the ct flow key info is not
> cleared, the connection tracker doesn't set the state to
> ESTABLISHED state.
>
> Note: This patch is marked as RFC, as I am not sure if this is the correct
> place to address this issue or it should be addressed in ovs-vswitchd
> to set the OVS_KEY_ATTR_CT_STATE and other related attributes
> properly for ct_clear action.
>
> Signed-off-by: Numan Siddique <nusiddiq@...hat.com>
> ---

Hi Numan,

With this patch applied I'm consistently seeing failures for two of the
kernel datapath unit tests (via "make check-kernel"):

 16: conntrack - force commit FAILED (system-traffic.at:692)
 54: conntrack - SNAT with ct_mark change on reply FAILED (system-traffic.at:2446)