From patchwork Thu Dec 7 02:04:20 2017
X-Patchwork-Submitter: Darrell Ball
X-Patchwork-Id: 845407
From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Date: Wed, 6 Dec 2017 18:04:20 -0800
Message-Id: <1512612260-97144-1-git-send-email-dlu998@gmail.com>
Cc: Daniele Di Proietto, wangzhike
Subject: [ovs-dev] [patch v1] conntrack: Fix icmp error address sanity check.

An address sanity check is done on icmp error packets to check that the icmp error payload makes sense w.r.t. the packet itself. The sanity check was partially incorrect since it tried to verify the source address of the error packet against the original destination, which does not make sense since the error can be generated by any intermediate node.

Reported-by: wangzhike
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html
Fixes: a489b1685 ("conntrack: New userspace connection tracker.")
CC: Daniele Di Proietto
Signed-off-by: Darrell Ball
Signed-off-by: wangzhike
Co-authored-by: wangzhike
---
 lib/conntrack.c         | 7 ++-----
 tests/system-traffic.at | 6 +++---
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index cd54ba7..6d078f5 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1782,8 +1782,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, return false; } - if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned - || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) { + if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) { return false; } @@ -1871,9 +1870,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, /* pf doesn't do this, but it seems a good idea */ if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned, - &key->dst.addr.ipv6_aligned) - || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned, - &key->src.addr.ipv6_aligned)) { + &key->dst.addr.ipv6_aligned)) { return false; } diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 4551c5c..4e7a1cd 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -1584,8 +1584,8 @@ AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c dnl 2. Send and UDP packet to port 5555 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) -dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) +dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555, related to the first packet +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) dnl Check this output. We only see the latter two packets, not the first. AT_CHECK([cat ofctl_monitor.log], [0], [dnl 
@@ -1594,7 +1594,7 @@ icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=17 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered) udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered) -icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f +icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f ]) AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
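Review bot: the surviving comparison in the @@ -1782 hunk of lib/conntrack.c should carry a comment saying why only one direction is checked, otherwise a later reader may put the dropped condition back as an apparent omission. The retained line `if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) {` is the one invariant an ICMP error guarantees: the quoted packet's source is the host the error is delivered to. The removed `inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned` condition assumed the error was emitted by the original destination, which is exactly what the commit message says does not hold for an intermediate node; a one-line comment to that effect would record the reasoning next to the code.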
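Review bot: the unchanged context comment `/* pf doesn't do this, but it seems a good idea */` above the ipv6_addr_equals() call in the @@ -1871 hunk now describes a narrower check than when it was written, since the inner-destination versus outer-source comparison is gone; consider rewording it to state which single comparison is kept and why, so the IPv6 and IPv4 paths are documented the same way. The change itself matches the IPv4 hunk: only the quoted packet's source is compared with the outer destination.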
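Review bot: the @@ -1584 test hunk only exercises the IPv4 path (extract_l4_icmp); the matching change in extract_l4_icmp6 gets no test that sends an ICMPv6 error from a third address, so a regression there would pass the suite. The new hex itself is internally consistent: the outer source changes from ac100002 to ac100003 and the IPv4 header checksum from f355 to f354 (the one's-complement sum grows by one, so the checksum drops by one), while the quoted inner UDP packet is byte-for-byte the same as in the old line. Naming the midpoint address 172.16.0.3 in the `dnl 3.` comment would make the expected-output change in the next hunk easier to tie back to this one.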
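Review bot: in the @@ -1594 hunk only nw_src=172.16.0.2 becomes nw_src=172.16.0.3 in the expected line, and that is the correct expectation: icmp_csum:553f stays the same because the ICMP checksum does not cover the outer IP header, and the context line with ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2 shows the midpoint-originated error being attributed to the original UDP connection. It would help the commit message to say that this ct_state line is the behavioural change under test, since the removed condition in extract_l4_icmp rejected exactly this packet.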
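The commit message's point about which addresses an ICMP error actually lets the connection tracker verify, shown on the two test packets from the hunks above as an added example that is not part of the patch or of Open vSwitch: the pre-patch two-sided comparison is run beside the patched one-sided one, and the outer IPv4 header checksum is recomputed to confirm the edited hex. The constant names and helper functions are assumptions of this example, not OVS code.

```python
import struct
from ipaddress import IPv4Address

ETH_LEN, IP_LEN, ICMP_LEN = 14, 20, 8

# Constructed from the hex in the tests/system-traffic.at hunks: two ICMP type 3
# code 3 (port unreachable) errors, both quoting the original UDP packet
# 172.16.0.1:41614 -> 172.16.0.2:5555 that the test sends first.
ETH = "e64c473528c9c6f94ecb72db0800"                          # dst MAC, src MAC, IPv4
TAIL = ("0303553f00000000"                                     # ICMP type 3, code 3
        "45000021317040004011b138ac100001ac100002"             # quoted inner IPv4
        "a28e15b3000d20966369616f0a")                          # quoted UDP + "ciao\n"
# Error emitted by the destination host 172.16.0.2 itself (old test packet).
ERR_FROM_DST = bytes.fromhex(ETH + "45c0003d2e8700004001f355ac100002ac100001" + TAIL)
# Error emitted by a path midpoint 172.16.0.3 (new test packet).
ERR_FROM_MID = bytes.fromhex(ETH + "45c0003d2e8700004001f354ac100003ac100001" + TAIL)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_addrs(hdr: bytes):
    """(src, dst) of a 20-byte IPv4 header."""
    return IPv4Address(hdr[12:16]), IPv4Address(hdr[16:20])


def icmp_error_addrs_ok(pkt: bytes, require_outer_src_is_inner_dst: bool) -> bool:
    """Address sanity check on an ICMPv4 error, in the spirit of extract_l4_icmp().

    Always required: the quoted packet's source equals the outer destination,
    because an error is returned to the original sender.  The pre-patch code
    also required the outer source to equal the quoted destination, which only
    holds when the destination host, not an intermediate router, sends the error.
    """
    outer = pkt[ETH_LEN:ETH_LEN + IP_LEN]
    if inet_checksum(outer) != 0 or outer[9] != 1:      # bad IP checksum / not ICMP
        return False
    inner_off = ETH_LEN + IP_LEN + ICMP_LEN
    inner = pkt[inner_off:inner_off + IP_LEN]
    outer_src, outer_dst = ipv4_addrs(outer)
    inner_src, inner_dst = ipv4_addrs(inner)
    if inner_src != outer_dst:
        return False
    return not require_outer_src_is_inner_dst or inner_dst == outer_src
```

With `require_outer_src_is_inner_dst=True` (the removed condition) the midpoint-originated error is rejected; with it `False` (the patched check) both packets pass while the quoted-source invariant is still enforced.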