Date: Sat, 8 Jan 2022 08:23:59 -0500
From: Jamal Hadi Salim <jhs@...atatu.com>
To: Paul Blakey <paulb@...dia.com>, dev@...nvswitch.org, netdev@...r.kernel.org, Cong Wang <xiyou.wangcong@...il.com>, Pravin B Shelar <pshelar@....org>, davem@...emloft.net, Jiri Pirko <jiri@...dia.com>, Jakub Kicinski <kuba@...nel.org>
Cc: Saeed Mahameed <saeedm@...dia.com>, Oz Shlomo <ozsh@...dia.com>, Vlad Buslov <vladbu@...dia.com>, Roi Dayan <roid@...dia.com>
Subject: Re: [PATCH net v2 1/1] net: openvswitch: Fix ct_state nat flags for conns arriving from tc

On 2022-01-06 10:38, Paul Blakey wrote:
> Netfilter conntrack maintains NAT flags per connection indicating
> whether NAT was configured for the connection. Openvswitch maintains
> NAT flags on the per packet flow key ct_state field, indicating
> whether NAT was actually executed on the packet.
>
> When a packet misses from tc to ovs the conntrack NAT flags are set.
> However, NAT was not necessarily executed on the packet because the
> connection's state might still be in NEW state. As such, openvswitch
> wrongly assumes that NAT was executed and sets an incorrect flow key
> NAT flags.
>
> Fix this, by flagging to openvswitch which NAT was actually done in
> act_ct via tc_skb_ext and tc_skb_cb to the openvswitch module, so
> the packet flow key NAT flags will be correctly set.
>
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
> Signed-off-by: Paul Blakey <paulb@...dia.com>

Acked-by: Jamal Hadi Salim <jhs@...atatu.com>

cheers,
jamal
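A user-space model of the flag derivation the commit message describes, added here as an illustration; it is not the kernel patch nor any kernel code, and every struct, function and flag name below is an assumed stand-in (the message itself names only act_ct, tc_skb_ext, tc_skb_cb and ct_state). It contrasts deriving the per-packet ct_state NAT bits from the per-connection "NAT configured" bits with using what act_ct actually executed on the packet.

```c
#include <stdbool.h>

/* Per-connection NAT bits kept by conntrack ("NAT was configured"). */
#define CT_NAT_SRC 0x1
#define CT_NAT_DST 0x2
/* Per-packet OVS flow key ct_state NAT bits ("NAT was executed"). */
#define OVS_CS_SRC_NAT 0x1
#define OVS_CS_DST_NAT 0x2

enum ct_state { CT_NEW, CT_ESTABLISHED };

/* Conntrack entry: assumed model, not a kernel struct. */
struct conn { enum ct_state state; unsigned nat_configured; };

/* What act_ct hands to OVS with the packet; nat_executed stands in for the
 * per-packet information the patch carries in tc_skb_ext/tc_skb_cb. */
struct tc_pkt_info { bool post_ct; unsigned nat_executed; };

/* Simplified act_ct: NAT configured on the connection is only applied once
 * the connection has left the NEW state (the situation the message describes). */
struct tc_pkt_info act_ct_model(struct conn ct)
{
    struct tc_pkt_info info = { .post_ct = true, .nat_executed = 0 };
    if (ct.state != CT_NEW)
        info.nat_executed = ct.nat_configured;
    return info;
}

/* Before the fix: OVS copies the connection's configured NAT bits into the key. */
unsigned ovs_ct_state_old(struct conn ct, struct tc_pkt_info info)
{
    unsigned key = 0;
    if (!info.post_ct) return 0;
    if (ct.nat_configured & CT_NAT_SRC) key |= OVS_CS_SRC_NAT;
    if (ct.nat_configured & CT_NAT_DST) key |= OVS_CS_DST_NAT;
    return key;
}

/* After the fix: OVS uses what act_ct reports it actually did to this packet. */
unsigned ovs_ct_state_fixed(struct tc_pkt_info info)
{
    unsigned key = 0;
    if (!info.post_ct) return 0;
    if (info.nat_executed & CT_NAT_SRC) key |= OVS_CS_SRC_NAT;
    if (info.nat_executed & CT_NAT_DST) key |= OVS_CS_DST_NAT;
    return key;
}
```

For the first packet of a connection that has SNAT configured but not yet applied, the old derivation reports a source-NAT bit the packet never received, while the fixed one reports none.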