git.baikalelectronics.ru Git - kernel.git/commit

author	Jarno Rajahalme <jarno@ovn.org>
	Mon, 21 Mar 2016 18:15:19 +0000 (11:15 -0700)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 28 Mar 2016 15:58:51 +0000 (17:58 +0200)
commit	de4e6d7ec867beb5724630000783bdfdb781f1c2
tree	90a34624e8f665170cb9aa17a937ab9373177f82	tree \| snapshot
parent	fcdd40a9f1029e05751c3438a404c29d51ea35b5	commit \| diff

openvswitch: Fix checking for new expected connections.

OVS should call into CT NAT for packets of new expected connections only
when the conntrack state is persisted with the 'commit' option to the
OVS CT action. The test for this condition is doubly wrong, as the CT
status field is ANDed with the bit number (IPS_EXPECTED_BIT) rather
than the mask (IPS_EXPECTED), and due to the wrong assumption that the
expected bit would apply only for the first (i.e., 'new') packet of a
connection, while in fact the expected bit remains on for the lifetime of
an expected connection. The 'ctinfo' value IP_CT_RELATED derived from
the ct status can be used instead, as it is only ever applicable to
the 'new' packets of the expected connection.

Fixes: 12c019f65748 ('openvswitch: Interface with NAT.')
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>