Message ID | 1526348305-111681-1-git-send-email-dlu998@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [ovs-dev,v2] conntrack-tcp: Handle tcp session reuse. | expand |
> On May 14, 2018, at 6:38 PM, Darrell Ball <dlu998@gmail.com> wrote: > > Fix tcp sequence tracking for cases when picking up an existing connection. > This can happen, for example, by doing VM migration and sequence tracking > should be more permissive in these cases. We don't differentiate picking > up an existing connection vs picking up a new connection; the added > complexity is not worth the benefit of the slightly more strictness in the > case of picking up a new connection. > > Fixes: a489b16854b5 ("conntrack: New userspace connection tracker") > Signed-off-by: Darrell Ball <dlu998@gmail.com> Thanks, Darrell. I pushed this to master, branch-2.9, branch-2.8, and branch-2.7. --Justin
Thanks Justin Darrell On 5/15/18, 6:05 PM, "ovs-dev-bounces@openvswitch.org on behalf of Justin Pettit" <ovs-dev-bounces@openvswitch.org on behalf of jpettit@ovn.org> wrote: > On May 14, 2018, at 6:38 PM, Darrell Ball <dlu998@gmail.com> wrote: > > Fix tcp sequence tracking for cases when picking up an existing connection. > This can happen, for example, by doing VM migration and sequence tracking > should be more permissive in these cases. We don't differentiate picking > up an existing connection vs picking up a new connection; the added > complexity is not worth the benefit of the slightly more strictness in the > case of picking up a new connection. > > Fixes: a489b16854b5 ("conntrack: New userspace connection tracker") > Signed-off-by: Darrell Ball <dlu998@gmail.com> Thanks, Darrell. I pushed this to master, branch-2.9, branch-2.8, and branch-2.7. --Justin _______________________________________________ dev mailing list dev@openvswitch.org https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=LxF6u3m0ltnTqMet5_VuapBVNuhEPthzM2O0oM0pKuA&s=vlvNzQMTdCUBGq9S7CK2xAsPidznh7BrsAxmr2f4EwM&e=
diff --git a/lib/conntrack-tcp.c b/lib/conntrack-tcp.c index 04460c3..86d313d 100644 --- a/lib/conntrack-tcp.c +++ b/lib/conntrack-tcp.c @@ -160,7 +160,6 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, uint16_t win = ntohs(tcp->tcp_winsz); uint32_t ack, end, seq, orig_seq; uint32_t p_len = tcp_payload_length(pkt); - int ackskew; if (tcp_invalid_flags(tcp_flags)) { return CT_UPDATE_INVALID; @@ -195,6 +194,7 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, */ orig_seq = seq = ntohl(get_16aligned_be32(&tcp->tcp_seq)); + bool check_ackskew = true; if (src->state < CT_DPIF_TCPS_SYN_SENT) { /* First packet from this end. Set its state */ @@ -232,6 +232,11 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, if (src->seqhi == 1 || SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) { src->seqhi = end + MAX(1, dst->max_win << dws); + /* We are either picking up a new connection or a connection which + * was already in place. We are more permissive in terms of + * ackskew checking in these cases. + */ + check_ackskew = false; } if (win > src->max_win) { src->max_win = win; @@ -265,7 +270,7 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, end = seq; } - ackskew = dst->seqlo - ack; + int ackskew = check_ackskew ? dst->seqlo - ack : 0; #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ if (SEQ_GEQ(src->seqhi, end) /* Last octet inside other's window space */
Fix tcp sequence tracking for cases when picking up an existing connection. This can happen, for example, by doing VM migration and sequence tracking should be more permissive in these cases. We don't differentiate picking up an existing connection vs picking up a new connection; the added complexity is not worth the benefit of the slightly more strictness in the case of picking up a new connection. Fixes: a489b16854b5 ("conntrack: New userspace connection tracker") Signed-off-by: Darrell Ball <dlu998@gmail.com> --- Fix needs backporting to 2.7. lib/conntrack-tcp.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)