Message ID | 1500825934-21845-1-git-send-email-antonio.fischetti@intel.com |
---|---|
State | Rejected |
Delegated to: | Darrell Ball |
Headers | show |
In general, this does not even have anything to do with committed connections. You can allow packets in the forward direction without even committing, based on the rules you use. Allowance in the forward direction is typical, by the way.

-----Original Message-----
From: <ovs-dev-bounces@openvswitch.org> on behalf of "antonio.fischetti@intel.com" <antonio.fischetti@intel.com>
Date: Sunday, July 23, 2017 at 9:05 AM
To: "dev@openvswitch.org" <dev@openvswitch.org>
Subject: [ovs-dev] [PATCH RFC] conntrack: Block transmission of unreplied UDP packets.

Scenario: a mono-dir UDP stream is received from a port that allows new incoming connections. The 1st packet creates a new connection. The second UDP packet - even if there's no reply from the other side - will make the connection become established. So all the next packets of the same mono-dir stream will successfully pass through the firewall.

This patch allows sending the 1st initiating packet, but blocks the transmission of the next UDP packets as long as the created connection is still unreplied.

Signed-off-by: Antonio Fischetti <antonio.fischetti@intel.com>
---
 lib/conntrack-other.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/conntrack-other.c b/lib/conntrack-other.c
index 2920889..f6433fd 100644
--- a/lib/conntrack-other.c
+++ b/lib/conntrack-other.c
@@ -56,7 +56,15 @@ other_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, conn_update_expiration(ctb, &conn->up, other_timeouts[conn->state], now); - return CT_UPDATE_VALID; + if (conn_->key.nw_proto == IPPROTO_UDP) { + if (conn->state == OTHERS_BIDIR) { + return CT_UPDATE_VALID; + } else { + return CT_UPDATE_INVALID; + } + } else { + return CT_UPDATE_INVALID; + } } static bool -- 2.4.11
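Review bot: the trailing `} else { + return CT_UPDATE_INVALID; + }` in other_conn_update() makes every non-UDP protocol that reaches this function (the `nw_proto == IPPROTO_UDP` test itself shows that others do) fail on every update, which the commit message does not mention and which looks unintended; the non-UDP path should keep the original `return CT_UPDATE_VALID;`. The whole tail then collapses to a single statement, e.g. `return (conn_->key.nw_proto != IPPROTO_UDP || conn->state == OTHERS_BIDIR) ? CT_UPDATE_VALID : CT_UPDATE_INVALID;`. Note also that the unchanged `conn_update_expiration(ctb, &conn->up, other_timeouts[conn->state], now);` still runs before the new check, so a packet reported as CT_UPDATE_INVALID keeps refreshing the unreplied entry's timeout and a one-way stream holds the entry open for as long as it keeps sending; either move the check ahead of the expiration refresh or state in the commit message that this is intended. Since the change alters which UDP packets match +est, the diffstat (lib/conntrack-other.c only) should grow a documentation update for the ct_state semantics as well.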
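The scenario from the commit message, played through a small model of the "other"-protocol update path with the posted tail switched in and out. This is an added Python example, not OVS code and not the patch author's; the state names OTHERS_FIRST and OTHERS_MULTIPLE, the transition rules, the timeout values and the assumption that the first packet of each stream is committed are all assumptions about lib/conntrack-other.c. Only OTHERS_BIDIR, CT_UPDATE_VALID, CT_UPDATE_INVALID and the shape of the patched return come from the hunk above. It goes slightly beyond the mail by also running a non-UDP stream through the patched tail and by reporting the entry's expiration after the stream.

```python
"""Model of the OVS "other"-protocol conntrack update path (UDP and every
protocol that is not TCP/ICMP), before and after the RFC patch.

Constructed illustration; see the lead-in for which names are assumptions.
"""
from dataclasses import dataclass

OTHERS_FIRST, OTHERS_MULTIPLE, OTHERS_BIDIR = "first", "multiple", "bidir"
CT_UPDATE_VALID, CT_UPDATE_INVALID = "valid", "invalid"
# Assumed per-state idle timeouts in seconds; only their refresh matters here.
OTHER_TIMEOUTS = {OTHERS_FIRST: 60, OTHERS_MULTIPLE: 60, OTHERS_BIDIR: 30}


@dataclass
class OtherConn:
    nw_proto: str               # "udp", or another non-TCP/ICMP protocol
    state: str = OTHERS_FIRST
    expiration: int = 0         # absolute time at which the entry expires


def other_conn_update(conn, reply, now, patched):
    """Advance the state machine, refresh the expiration, return the verdict.

    `patched=True` uses the tail from the RFC patch, `patched=False` the
    unconditional CT_UPDATE_VALID it replaces.
    """
    if reply:
        conn.state = OTHERS_BIDIR
    elif conn.state == OTHERS_FIRST:
        conn.state = OTHERS_MULTIPLE
    # In both versions the expiration is refreshed before the verdict is
    # computed, so an INVALID verdict still keeps the entry alive.
    conn.expiration = now + OTHER_TIMEOUTS[conn.state]
    if not patched:
        return CT_UPDATE_VALID
    if conn.nw_proto == "udp":
        return CT_UPDATE_VALID if conn.state == OTHERS_BIDIR else CT_UPDATE_INVALID
    return CT_UPDATE_INVALID    # the posted else branch: all non-UDP becomes invalid


def run_stream(nw_proto, packets, patched):
    """packets: list of (time, is_reply) in arrival order.

    Returns the ct_state flags each packet would carry and the expiration of
    the entry after the last packet. The first packet creates (and, by
    assumption, commits) the entry and is reported as +new.
    """
    conn = None
    flags = []
    for now, is_reply in packets:
        if conn is None:
            conn = OtherConn(nw_proto)
            conn.expiration = now + OTHER_TIMEOUTS[conn.state]
            flags.append("+new")
            continue
        verdict = other_conn_update(conn, is_reply, now, patched)
        if verdict == CT_UPDATE_INVALID:
            flags.append("+inv")
        else:
            flags.append("+est+rpl" if is_reply else "+est")
    return flags, conn.expiration


# Constructed streams: one-way traffic, and the same with a reply as 3rd packet.
MONO_DIR = [(0, False), (1, False), (2, False), (3, False)]
BIDIR = [(0, False), (1, False), (2, True), (3, False)]

if __name__ == "__main__":
    for name, pkts in (("mono-dir UDP", MONO_DIR), ("replied UDP", BIDIR)):
        for patched in (False, True):
            label = "patched" if patched else "current"
            print(f"{name:12s} {label:8s}", run_stream("udp", pkts, patched))
    print("sctp         patched ", run_stream("sctp", MONO_DIR, True))
```

Two things the run makes visible that the mail only states in prose: with the patch, the one-way UDP stream is +inv from its second packet onward until a reply flips the entry to OTHERS_BIDIR, yet the entry's expiration is still pushed forward by every invalid packet; and a non-UDP stream through the posted tail is +inv from its second packet as well, which is a behaviour change outside what the commit message describes.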