Message ID | 1512612260-97144-1-git-send-email-dlu998@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [ovs-dev,v1] conntrack: Fix icmp error address sanity check. | expand |
On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > An address sanity check is done on icmp error packets to > check that the icmp error payload makes sense w.r.t. the > packet itself. > > The sanity check was partially incorrect since it tried > to verify the source address of the error packet against the > original destination, which does not makes since the error > can be generated by any intermediate node. > > Reported-by: wangzhike <wangzhike@jd.com> > Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > CC: Daniele Di Proietto <diproiettod@vmware.com> > Signed-off-by: Darrell Ball <dlu998@gmail.com> > Signed-off-by: wangzhike <wangzhike@jd.com> > Co-authored-by: wangzhike <wangzhike@jd.com> Thanks Darrell and wangzhike, I applied this to master. Let me know if this or the other series I recently applied needs backporting.
Needs to go back to 2.6; at least the changes in lib/conntrack.c Thanks Darrell On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote: On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > An address sanity check is done on icmp error packets to > check that the icmp error payload makes sense w.r.t. the > packet itself. > > The sanity check was partially incorrect since it tried > to verify the source address of the error packet against the > original destination, which does not makes since the error > can be generated by any intermediate node. > > Reported-by: wangzhike <wangzhike@jd.com> > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e= > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > CC: Daniele Di Proietto <diproiettod@vmware.com> > Signed-off-by: Darrell Ball <dlu998@gmail.com> > Signed-off-by: wangzhike <wangzhike@jd.com> > Co-authored-by: wangzhike <wangzhike@jd.com> Thanks Darrell and wangzhike, I applied this to master. Let me know if this or the other series I recently applied needs backporting. _______________________________________________ dev mailing list dev@openvswitch.org https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
It fails to apply due to conflicts in system-traffic.at. Is it safe to drop that change and apply the rest? On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote: > Needs to go back to 2.6; at least the changes in lib/conntrack.c > > Thanks Darrell > > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote: > > On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > > An address sanity check is done on icmp error packets to > > check that the icmp error payload makes sense w.r.t. the > > packet itself. > > > > The sanity check was partially incorrect since it tried > > to verify the source address of the error packet against the > > original destination, which does not makes since the error > > can be generated by any intermediate node. > > > > Reported-by: wangzhike <wangzhike@jd.com> > > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e= > > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > > CC: Daniele Di Proietto <diproiettod@vmware.com> > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > Signed-off-by: wangzhike <wangzhike@jd.com> > > Co-authored-by: wangzhike <wangzhike@jd.com> > > Thanks Darrell and wangzhike, I applied this to master. > > Let me know if this or the other series I recently applied needs > backporting. > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e= > >
Yes, it is Ben Thanks Darrell On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote: It fails to apply due to conflicts in system-traffic.at. Is it safe to drop that change and apply the rest? On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote: > Needs to go back to 2.6; at least the changes in lib/conntrack.c > > Thanks Darrell > > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote: > > On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > > An address sanity check is done on icmp error packets to > > check that the icmp error payload makes sense w.r.t. the > > packet itself. > > > > The sanity check was partially incorrect since it tried > > to verify the source address of the error packet against the > > original destination, which does not makes since the error > > can be generated by any intermediate node. > > > > Reported-by: wangzhike <wangzhike@jd.com> > > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e= > > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > > CC: Daniele Di Proietto <diproiettod@vmware.com> > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > Signed-off-by: wangzhike <wangzhike@jd.com> > > Co-authored-by: wangzhike <wangzhike@jd.com> > > Thanks Darrell and wangzhike, I applied this to master. > > Let me know if this or the other series I recently applied needs > backporting. > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e= > >
OK, I made that change and applied it to branch-2.8. It didn't apply cleanly to 2.7 or 2.6, can you look at that? On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote: > Yes, it is Ben > > Thanks Darrell > > On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote: > > It fails to apply due to conflicts in system-traffic.at. Is it safe to > drop that change and apply the rest? > > On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote: > > Needs to go back to 2.6; at least the changes in lib/conntrack.c > > > > Thanks Darrell > > > > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote: > > > > On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > > > An address sanity check is done on icmp error packets to > > > check that the icmp error payload makes sense w.r.t. the > > > packet itself. > > > > > > The sanity check was partially incorrect since it tried > > > to verify the source address of the error packet against the > > > original destination, which does not makes since the error > > > can be generated by any intermediate node. > > > > > > Reported-by: wangzhike <wangzhike@jd.com> > > > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e= > > > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > > > CC: Daniele Di Proietto <diproiettod@vmware.com> > > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > > Signed-off-by: wangzhike <wangzhike@jd.com> > > > Co-authored-by: wangzhike <wangzhike@jd.com> > > > > Thanks Darrell and wangzhike, I applied this to master. > > > > Let me know if this or the other series I recently applied needs > > backporting. > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e= > > > > > >
Ben I sent a 2.7 patch here: https://patchwork.ozlabs.org/patch/847308/ it should be applicable for 2.6 as well. Thanks Darrell On 12/11/17, 2:43 PM, "Ben Pfaff" <blp@ovn.org> wrote: OK, I made that change and applied it to branch-2.8. It didn't apply cleanly to 2.7 or 2.6, can you look at that? On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote: > Yes, it is Ben > > Thanks Darrell > > On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote: > > It fails to apply due to conflicts in system-traffic.at. Is it safe to > drop that change and apply the rest? > > On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote: > > Needs to go back to 2.6; at least the changes in lib/conntrack.c > > > > Thanks Darrell > > > > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote: > > > > On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > > > An address sanity check is done on icmp error packets to > > > check that the icmp error payload makes sense w.r.t. the > > > packet itself. > > > > > > The sanity check was partially incorrect since it tried > > > to verify the source address of the error packet against the > > > original destination, which does not makes since the error > > > can be generated by any intermediate node. > > > > > > Reported-by: wangzhike <wangzhike@jd.com> > > > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e= > > > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > > > CC: Daniele Di Proietto <diproiettod@vmware.com> > > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > > Signed-off-by: wangzhike <wangzhike@jd.com> > > > Co-authored-by: wangzhike <wangzhike@jd.com> > > > > Thanks Darrell and wangzhike, I applied this to master. > > > > Let me know if this or the other series I recently applied needs > > backporting. > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e= > > > > > >
I sent a V2 here https://patchwork.ozlabs.org/patch/847315/ an extra signoff had snuck into v1 Thanks Darrell On 12/11/17, 5:22 PM, "Darrell Ball" <dball@vmware.com> wrote: Ben I sent a 2.7 patch here: https://patchwork.ozlabs.org/patch/847308/ it should be applicable for 2.6 as well. Thanks Darrell On 12/11/17, 2:43 PM, "Ben Pfaff" <blp@ovn.org> wrote: OK, I made that change and applied it to branch-2.8. It didn't apply cleanly to 2.7 or 2.6, can you look at that? On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote: > Yes, it is Ben > > Thanks Darrell > > On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote: > > It fails to apply due to conflicts in system-traffic.at. Is it safe to > drop that change and apply the rest? > > On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote: > > Needs to go back to 2.6; at least the changes in lib/conntrack.c > > > > Thanks Darrell > > > > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote: > > > > On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > > > An address sanity check is done on icmp error packets to > > > check that the icmp error payload makes sense w.r.t. the > > > packet itself. > > > > > > The sanity check was partially incorrect since it tried > > > to verify the source address of the error packet against the > > > original destination, which does not makes since the error > > > can be generated by any intermediate node. > > > > > > Reported-by: wangzhike <wangzhike@jd.com> > > > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e= > > > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > > > CC: Daniele Di Proietto <diproiettod@vmware.com> > > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > > Signed-off-by: wangzhike <wangzhike@jd.com> > > > Co-authored-by: wangzhike <wangzhike@jd.com> > > > > Thanks Darrell and wangzhike, I applied this to master. > > > > Let me know if this or the other series I recently applied needs > > backporting. > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e= > > > > > >
Thanks, applied. On Tue, Dec 12, 2017 at 02:13:31AM +0000, Darrell Ball wrote: > I sent a V2 here > https://patchwork.ozlabs.org/patch/847315/ > > an extra signoff had snuck into v1 > > Thanks Darrell > > On 12/11/17, 5:22 PM, "Darrell Ball" <dball@vmware.com> wrote: > > Ben > I sent a 2.7 patch here: > > https://patchwork.ozlabs.org/patch/847308/ > > it should be applicable for 2.6 as well. > > Thanks Darrell > > > On 12/11/17, 2:43 PM, "Ben Pfaff" <blp@ovn.org> wrote: > > OK, I made that change and applied it to branch-2.8. It didn't apply > cleanly to 2.7 or 2.6, can you look at that? > > On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote: > > Yes, it is Ben > > > > Thanks Darrell > > > > On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote: > > > > It fails to apply due to conflicts in system-traffic.at. Is it safe to > > drop that change and apply the rest? > > > > On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote: > > > Needs to go back to 2.6; at least the changes in lib/conntrack.c > > > > > > Thanks Darrell > > > > > > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote: > > > > > > On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote: > > > > An address sanity check is done on icmp error packets to > > > > check that the icmp error payload makes sense w.r.t. the > > > > packet itself. > > > > > > > > The sanity check was partially incorrect since it tried > > > > to verify the source address of the error packet against the > > > > original destination, which does not makes since the error > > > > can be generated by any intermediate node. > > > > > > > > Reported-by: wangzhike <wangzhike@jd.com> > > > > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e= > > > > Fixes: a489b1685 ("conntrack: New userspace connection tracker.") > > > > CC: Daniele Di Proietto <diproiettod@vmware.com> > > > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > > > Signed-off-by: wangzhike <wangzhike@jd.com> > > > > Co-authored-by: wangzhike <wangzhike@jd.com> > > > > > > Thanks Darrell and wangzhike, I applied this to master. > > > > > > Let me know if this or the other series I recently applied needs > > > backporting. > > > _______________________________________________ > > > dev mailing list > > > dev@openvswitch.org > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e= > > > > > > > > > > > > > >
diff --git a/lib/conntrack.c b/lib/conntrack.c index cd54ba7..6d078f5 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -1782,8 +1782,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, return false; } - if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned - || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) { + if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) { return false; } @@ -1871,9 +1870,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, /* pf doesn't do this, but it seems a good idea */ if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned, - &key->dst.addr.ipv6_aligned) - || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned, - &key->src.addr.ipv6_aligned)) { + &key->dst.addr.ipv6_aligned)) { return false; } diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 4551c5c..4e7a1cd 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -1584,8 +1584,8 @@ AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c dnl 2. Send and UDP packet to port 5555 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) -dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) +dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555, related to the first packet +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) dnl Check this output. We only see the latter two packets, not the first. AT_CHECK([cat ofctl_monitor.log], [0], [dnl @@ -1594,7 +1594,7 @@ icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=17 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered) udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered) -icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f +icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f ]) AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl