[ovs-dev,v1] conntrack: Fix icmp error address sanity check.

Message ID 1512612260-97144-1-git-send-email-dlu998@gmail.com
State Accepted
Headers show
Series
  • [ovs-dev,v1] conntrack: Fix icmp error address sanity check.
Related show

Commit Message

Darrell Ball Dec. 7, 2017, 2:04 a.m.
An address sanity check is done on icmp error packets to
check that the icmp error payload makes sense w.r.t. the
packet itself.

The sanity check was partially incorrect since it tried
to verify the source address of the error packet against the
original destination, which does not makes since the error
can be generated by any intermediate node.

Reported-by: wangzhike <wangzhike@jd.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html
Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
CC: Daniele Di Proietto <diproiettod@vmware.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: wangzhike <wangzhike@jd.com>
Co-authored-by: wangzhike <wangzhike@jd.com>
---
 lib/conntrack.c         | 7 ++-----
 tests/system-traffic.at | 6 +++---
 2 files changed, 5 insertions(+), 8 deletions(-)

Comments

Ben Pfaff Dec. 11, 2017, 10:20 p.m. | #1
On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
> An address sanity check is done on icmp error packets to
> check that the icmp error payload makes sense w.r.t. the
> packet itself.
> 
> The sanity check was partially incorrect since it tried
> to verify the source address of the error packet against the
> original destination, which does not makes since the error
> can be generated by any intermediate node.
> 
> Reported-by: wangzhike <wangzhike@jd.com>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html
> Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
> CC: Daniele Di Proietto <diproiettod@vmware.com>
> Signed-off-by: Darrell Ball <dlu998@gmail.com>
> Signed-off-by: wangzhike <wangzhike@jd.com>
> Co-authored-by: wangzhike <wangzhike@jd.com>

Thanks Darrell and wangzhike, I applied this to master.

Let me know if this or the other series I recently applied needs
backporting.
Darrell Ball Dec. 11, 2017, 10:22 p.m. | #2
Needs to go back to 2.6; at least the changes in lib/conntrack.c

Thanks Darrell

On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote:

    On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
    > An address sanity check is done on icmp error packets to
    > check that the icmp error payload makes sense w.r.t. the
    > packet itself.
    > 
    > The sanity check was partially incorrect since it tried
    > to verify the source address of the error packet against the
    > original destination, which does not makes since the error
    > can be generated by any intermediate node.
    > 
    > Reported-by: wangzhike <wangzhike@jd.com>
    > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e=
    > Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
    > CC: Daniele Di Proietto <diproiettod@vmware.com>
    > Signed-off-by: Darrell Ball <dlu998@gmail.com>
    > Signed-off-by: wangzhike <wangzhike@jd.com>
    > Co-authored-by: wangzhike <wangzhike@jd.com>
    
    Thanks Darrell and wangzhike, I applied this to master.
    
    Let me know if this or the other series I recently applied needs
    backporting.
    _______________________________________________
    dev mailing list
    dev@openvswitch.org
    https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
Ben Pfaff Dec. 11, 2017, 10:27 p.m. | #3
It fails to apply due to conflicts in system-traffic.at.  Is it safe to
drop that change and apply the rest?

On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote:
> Needs to go back to 2.6; at least the changes in lib/conntrack.c
> 
> Thanks Darrell
> 
> On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote:
> 
>     On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
>     > An address sanity check is done on icmp error packets to
>     > check that the icmp error payload makes sense w.r.t. the
>     > packet itself.
>     > 
>     > The sanity check was partially incorrect since it tried
>     > to verify the source address of the error packet against the
>     > original destination, which does not makes since the error
>     > can be generated by any intermediate node.
>     > 
>     > Reported-by: wangzhike <wangzhike@jd.com>
>     > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e=
>     > Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
>     > CC: Daniele Di Proietto <diproiettod@vmware.com>
>     > Signed-off-by: Darrell Ball <dlu998@gmail.com>
>     > Signed-off-by: wangzhike <wangzhike@jd.com>
>     > Co-authored-by: wangzhike <wangzhike@jd.com>
>     
>     Thanks Darrell and wangzhike, I applied this to master.
>     
>     Let me know if this or the other series I recently applied needs
>     backporting.
>     _______________________________________________
>     dev mailing list
>     dev@openvswitch.org
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
>     
>
Darrell Ball Dec. 11, 2017, 10:28 p.m. | #4
Yes, it is Ben

Thanks Darrell

On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote:

    It fails to apply due to conflicts in system-traffic.at.  Is it safe to
    drop that change and apply the rest?
    
    On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote:
    > Needs to go back to 2.6; at least the changes in lib/conntrack.c
    > 
    > Thanks Darrell
    > 
    > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote:
    > 
    >     On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
    >     > An address sanity check is done on icmp error packets to
    >     > check that the icmp error payload makes sense w.r.t. the
    >     > packet itself.
    >     > 
    >     > The sanity check was partially incorrect since it tried
    >     > to verify the source address of the error packet against the
    >     > original destination, which does not makes since the error
    >     > can be generated by any intermediate node.
    >     > 
    >     > Reported-by: wangzhike <wangzhike@jd.com>
    >     > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e=
    >     > Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
    >     > CC: Daniele Di Proietto <diproiettod@vmware.com>
    >     > Signed-off-by: Darrell Ball <dlu998@gmail.com>
    >     > Signed-off-by: wangzhike <wangzhike@jd.com>
    >     > Co-authored-by: wangzhike <wangzhike@jd.com>
    >     
    >     Thanks Darrell and wangzhike, I applied this to master.
    >     
    >     Let me know if this or the other series I recently applied needs
    >     backporting.
    >     _______________________________________________
    >     dev mailing list
    >     dev@openvswitch.org
    >     https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
    >     
    >
Ben Pfaff Dec. 11, 2017, 10:43 p.m. | #5
OK, I made that change and applied it to branch-2.8.  It didn't apply
cleanly to 2.7 or 2.6, can you look at that?

On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote:
> Yes, it is Ben
> 
> Thanks Darrell
> 
> On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote:
> 
>     It fails to apply due to conflicts in system-traffic.at.  Is it safe to
>     drop that change and apply the rest?
>     
>     On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote:
>     > Needs to go back to 2.6; at least the changes in lib/conntrack.c
>     > 
>     > Thanks Darrell
>     > 
>     > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote:
>     > 
>     >     On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
>     >     > An address sanity check is done on icmp error packets to
>     >     > check that the icmp error payload makes sense w.r.t. the
>     >     > packet itself.
>     >     > 
>     >     > The sanity check was partially incorrect since it tried
>     >     > to verify the source address of the error packet against the
>     >     > original destination, which does not makes since the error
>     >     > can be generated by any intermediate node.
>     >     > 
>     >     > Reported-by: wangzhike <wangzhike@jd.com>
>     >     > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e=
>     >     > Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
>     >     > CC: Daniele Di Proietto <diproiettod@vmware.com>
>     >     > Signed-off-by: Darrell Ball <dlu998@gmail.com>
>     >     > Signed-off-by: wangzhike <wangzhike@jd.com>
>     >     > Co-authored-by: wangzhike <wangzhike@jd.com>
>     >     
>     >     Thanks Darrell and wangzhike, I applied this to master.
>     >     
>     >     Let me know if this or the other series I recently applied needs
>     >     backporting.
>     >     _______________________________________________
>     >     dev mailing list
>     >     dev@openvswitch.org
>     >     https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
>     >     
>     > 
>     
>
Darrell Ball Dec. 12, 2017, 1:22 a.m. | #6
Ben
I sent a 2.7 patch here:

https://patchwork.ozlabs.org/patch/847308/

it should be applicable for 2.6 as well.

Thanks Darrell


On 12/11/17, 2:43 PM, "Ben Pfaff" <blp@ovn.org> wrote:

    OK, I made that change and applied it to branch-2.8.  It didn't apply
    cleanly to 2.7 or 2.6, can you look at that?
    
    On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote:
    > Yes, it is Ben
    > 
    > Thanks Darrell
    > 
    > On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote:
    > 
    >     It fails to apply due to conflicts in system-traffic.at.  Is it safe to
    >     drop that change and apply the rest?
    >     
    >     On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote:
    >     > Needs to go back to 2.6; at least the changes in lib/conntrack.c
    >     > 
    >     > Thanks Darrell
    >     > 
    >     > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote:
    >     > 
    >     >     On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
    >     >     > An address sanity check is done on icmp error packets to
    >     >     > check that the icmp error payload makes sense w.r.t. the
    >     >     > packet itself.
    >     >     > 
    >     >     > The sanity check was partially incorrect since it tried
    >     >     > to verify the source address of the error packet against the
    >     >     > original destination, which does not makes since the error
    >     >     > can be generated by any intermediate node.
    >     >     > 
    >     >     > Reported-by: wangzhike <wangzhike@jd.com>
    >     >     > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e=
    >     >     > Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
    >     >     > CC: Daniele Di Proietto <diproiettod@vmware.com>
    >     >     > Signed-off-by: Darrell Ball <dlu998@gmail.com>
    >     >     > Signed-off-by: wangzhike <wangzhike@jd.com>
    >     >     > Co-authored-by: wangzhike <wangzhike@jd.com>
    >     >     
    >     >     Thanks Darrell and wangzhike, I applied this to master.
    >     >     
    >     >     Let me know if this or the other series I recently applied needs
    >     >     backporting.
    >     >     _______________________________________________
    >     >     dev mailing list
    >     >     dev@openvswitch.org
    >     >     https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
    >     >     
    >     > 
    >     
    >
Darrell Ball Dec. 12, 2017, 2:13 a.m. | #7
I sent a V2 here
https://patchwork.ozlabs.org/patch/847315/

an extra signoff had snuck into v1

Thanks Darrell

On 12/11/17, 5:22 PM, "Darrell Ball" <dball@vmware.com> wrote:

    Ben
    I sent a 2.7 patch here:
    
    https://patchwork.ozlabs.org/patch/847308/
    
    it should be applicable for 2.6 as well.
    
    Thanks Darrell
    
    
    On 12/11/17, 2:43 PM, "Ben Pfaff" <blp@ovn.org> wrote:
    
        OK, I made that change and applied it to branch-2.8.  It didn't apply
        cleanly to 2.7 or 2.6, can you look at that?
        
        On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote:
        > Yes, it is Ben
        > 
        > Thanks Darrell
        > 
        > On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote:
        > 
        >     It fails to apply due to conflicts in system-traffic.at.  Is it safe to
        >     drop that change and apply the rest?
        >     
        >     On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote:
        >     > Needs to go back to 2.6; at least the changes in lib/conntrack.c
        >     > 
        >     > Thanks Darrell
        >     > 
        >     > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote:
        >     > 
        >     >     On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
        >     >     > An address sanity check is done on icmp error packets to
        >     >     > check that the icmp error payload makes sense w.r.t. the
        >     >     > packet itself.
        >     >     > 
        >     >     > The sanity check was partially incorrect since it tried
        >     >     > to verify the source address of the error packet against the
        >     >     > original destination, which does not makes since the error
        >     >     > can be generated by any intermediate node.
        >     >     > 
        >     >     > Reported-by: wangzhike <wangzhike@jd.com>
        >     >     > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e=
        >     >     > Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
        >     >     > CC: Daniele Di Proietto <diproiettod@vmware.com>
        >     >     > Signed-off-by: Darrell Ball <dlu998@gmail.com>
        >     >     > Signed-off-by: wangzhike <wangzhike@jd.com>
        >     >     > Co-authored-by: wangzhike <wangzhike@jd.com>
        >     >     
        >     >     Thanks Darrell and wangzhike, I applied this to master.
        >     >     
        >     >     Let me know if this or the other series I recently applied needs
        >     >     backporting.
        >     >     _______________________________________________
        >     >     dev mailing list
        >     >     dev@openvswitch.org
        >     >     https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
        >     >     
        >     > 
        >     
        >
Ben Pfaff Dec. 12, 2017, 7:41 p.m. | #8
Thanks, applied.

On Tue, Dec 12, 2017 at 02:13:31AM +0000, Darrell Ball wrote:
> I sent a V2 here
> https://patchwork.ozlabs.org/patch/847315/
> 
> an extra signoff had snuck into v1
> 
> Thanks Darrell
> 
> On 12/11/17, 5:22 PM, "Darrell Ball" <dball@vmware.com> wrote:
> 
>     Ben
>     I sent a 2.7 patch here:
>     
>     https://patchwork.ozlabs.org/patch/847308/
>     
>     it should be applicable for 2.6 as well.
>     
>     Thanks Darrell
>     
>     
>     On 12/11/17, 2:43 PM, "Ben Pfaff" <blp@ovn.org> wrote:
>     
>         OK, I made that change and applied it to branch-2.8.  It didn't apply
>         cleanly to 2.7 or 2.6, can you look at that?
>         
>         On Mon, Dec 11, 2017 at 10:28:32PM +0000, Darrell Ball wrote:
>         > Yes, it is Ben
>         > 
>         > Thanks Darrell
>         > 
>         > On 12/11/17, 2:27 PM, "Ben Pfaff" <blp@ovn.org> wrote:
>         > 
>         >     It fails to apply due to conflicts in system-traffic.at.  Is it safe to
>         >     drop that change and apply the rest?
>         >     
>         >     On Mon, Dec 11, 2017 at 10:22:39PM +0000, Darrell Ball wrote:
>         >     > Needs to go back to 2.6; at least the changes in lib/conntrack.c
>         >     > 
>         >     > Thanks Darrell
>         >     > 
>         >     > On 12/11/17, 2:20 PM, "ovs-dev-bounces@openvswitch.org on behalf of Ben Pfaff" <ovs-dev-bounces@openvswitch.org on behalf of blp@ovn.org> wrote:
>         >     > 
>         >     >     On Wed, Dec 06, 2017 at 06:04:20PM -0800, Darrell Ball wrote:
>         >     >     > An address sanity check is done on icmp error packets to
>         >     >     > check that the icmp error payload makes sense w.r.t. the
>         >     >     > packet itself.
>         >     >     > 
>         >     >     > The sanity check was partially incorrect since it tried
>         >     >     > to verify the source address of the error packet against the
>         >     >     > original destination, which does not makes since the error
>         >     >     > can be generated by any intermediate node.
>         >     >     > 
>         >     >     > Reported-by: wangzhike <wangzhike@jd.com>
>         >     >     > Reported-at: https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_pipermail_ovs-2Ddev_2017-2DDecember_341609.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=1wKg_9t4kVTzgXsNG4PwRgPDVzKsu1POFWnH6x-eX-U&e=
>         >     >     > Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
>         >     >     > CC: Daniele Di Proietto <diproiettod@vmware.com>
>         >     >     > Signed-off-by: Darrell Ball <dlu998@gmail.com>
>         >     >     > Signed-off-by: wangzhike <wangzhike@jd.com>
>         >     >     > Co-authored-by: wangzhike <wangzhike@jd.com>
>         >     >     
>         >     >     Thanks Darrell and wangzhike, I applied this to master.
>         >     >     
>         >     >     Let me know if this or the other series I recently applied needs
>         >     >     backporting.
>         >     >     _______________________________________________
>         >     >     dev mailing list
>         >     >     dev@openvswitch.org
>         >     >     https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=C2QYD5JosF5j-X3I7nmikMajbKHF9WqhgGQZdigkYP8&s=DzvbErqrp1sqYj50u5y8oMwBgVZVFjUdhRitCukx98c&e=
>         >     >     
>         >     > 
>         >     
>         > 
>         
>     
>     
>

Patch

diff --git a/lib/conntrack.c b/lib/conntrack.c
index cd54ba7..6d078f5 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1782,8 +1782,7 @@  extract_l4_icmp(struct conn_key *key, const void *data, size_t size,
             return false;
         }
 
-        if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned
-            || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) {
+        if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) {
             return false;
         }
 
@@ -1871,9 +1870,7 @@  extract_l4_icmp6(struct conn_key *key, const void *data, size_t size,
 
         /* pf doesn't do this, but it seems a good idea */
         if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned,
-                              &key->dst.addr.ipv6_aligned)
-            || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned,
-                                 &key->src.addr.ipv6_aligned)) {
+                              &key->dst.addr.ipv6_aligned)) {
             return false;
         }
 
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 4551c5c..4e7a1cd 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -1584,8 +1584,8 @@  AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c
 dnl 2. Send and UDP packet to port 5555
 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
 
-dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
-AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
+dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555, related to the first packet
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
 
 dnl Check this output. We only see the latter two packets, not the first.
 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
@@ -1594,7 +1594,7 @@  icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=17
 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered)
 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered)
-icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
+icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
 ])
 
 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl