@@ -2186,7 +2186,9 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn,
uint16_t port = first_port;
bool all_ports_tried = false;
- bool original_ports_tried = false;
+ /* For DNAT, we don't try ephemeral ports. */
+ bool ephemeral_ports_tried =
+ conn->nat_info->nat_action & NAT_ACTION_DST ? true : false;
struct ct_addr first_addr = ct_addr;
while (true) {
@@ -2232,8 +2234,8 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn,
ct_addr = conn->nat_info->min_addr;
}
if (!memcmp(&ct_addr, &first_addr, sizeof ct_addr)) {
- if (!original_ports_tried) {
- original_ports_tried = true;
+ if (!ephemeral_ports_tried) {
+ ephemeral_ports_tried = true;
ct_addr = conn->nat_info->min_addr;
min_port = MIN_NAT_EPHEMERAL_PORT;
max_port = MAX_NAT_EPHEMERAL_PORT;
Ephemeral port fallback is being done for DNAT and the code could be hit in some special cases, where packets are expected to be persistently dropped. At any rate, this is incorrect, so filter this out. Also, rename the variable used for checking whether ephemeral ports need to be checked. Needs backporting to 2.8. Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-August/351629.html Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.") Signed-off-by: Darrell Ball <dlu998@gmail.com> --- lib/conntrack.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)