lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 Mar 2017 17:55:06 +0530
From:   Numan Siddique <nusiddiq@...hat.com>
To:     netdev@...r.kernel.org, ovs dev <dev@...nvswitch.org>
Cc:     Joe Stringer <joe@....org>, Andy Zhou <azhou@....org>,
        jarno@....org
Subject: [RFC] [net]openvswitch: Clear the ct flow key for the recirculated
 packet

It is possible that the ct flow key information would have
gone stale for the packets received from the userspace due to
clone or ct_clear actions.

In the case of OVN, it adds ping responder flows, which modifies
the original icmp4 request packet to a reply packet. It uses the
OVS actions - clone and ct_clear. When the reply packet hits the
"ovs_ct_execute" function, and since the ct flow key info is not
cleared, the connection tracker doesn't set the state to
ESTABLISHED state.

Note: This patch is marked as RFC, as I am not sure if this is the correct
place to address this issue or it should be addressed in ovs-vswitchd
to set the OVS_KEY_ATTR_CT_STATE and other related attributes
properly for ct_clear action.

Signed-off-by: Numan Siddique <nusiddiq@...hat.com>
---
 net/openvswitch/flow.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 9d4bb8e..72b73db 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -836,6 +836,11 @@ int ovs_flow_key_extract_userspace(struct net *net, const struct nlattr *attr,
 	if (err)
 		return err;
 
+	/* Clear the ct flow key after key_extract to avoid using
+	 * stale ct key information.
+	*/
+	ovs_ct_fill_key(skb, key);
+
 	/* Check that we have conntrack original direction tuple metadata only
 	 * for packets for which it makes sense.  Otherwise the key may be
 	 * corrupted due to overlapping key fields.
-- 
2.9.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ