| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0f503669-ffbb-5844-7ef5-27b87aa4c38f@mojatatu.com>
Date: Sat, 8 Jan 2022 08:23:59 -0500
From: Jamal Hadi Salim <jhs@...atatu.com>
To: Paul Blakey <paulb@...dia.com>, dev@...nvswitch.org,
netdev@...r.kernel.org, Cong Wang <xiyou.wangcong@...il.com>,
Pravin B Shelar <pshelar@....org>, davem@...emloft.net,
Jiri Pirko <jiri@...dia.com>, Jakub Kicinski <kuba@...nel.org>
Cc: Saeed Mahameed <saeedm@...dia.com>, Oz Shlomo <ozsh@...dia.com>,
Vlad Buslov <vladbu@...dia.com>, Roi Dayan <roid@...dia.com>
Subject: Re: [PATCH net v2 1/1] net: openvswitch: Fix ct_state nat flags for
conns arriving from tc
On 2022-01-06 10:38, Paul Blakey wrote:
> Netfilter conntrack maintains NAT flags per connection indicating
> whether NAT was configured for the connection. Openvswitch maintains
> NAT flags on the per packet flow key ct_state field, indicating
> whether NAT was actually executed on the packet.
>
> When a packet misses from tc to ovs the conntrack NAT flags are set.
> However, NAT was not necessarily executed on the packet because the
> connection's state might still be in NEW state. As such, openvswitch
> wrongly assumes that NAT was executed and sets an incorrect flow key
> NAT flags.
>
> Fix this, by flagging to openvswitch which NAT was actually done in
> act_ct via tc_skb_ext and tc_skb_cb to the openvswitch module, so
> the packet flow key NAT flags will be correctly set.
>
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
> Signed-off-by: Paul Blakey <paulb@...dia.com>
Acked-by: Jamal Hadi Salim <jhs@...atatu.com>
cheers,
jamal
Powered by blists - more mailing lists