| Message ID | 1543250920-115500-2-git-send-email-dlu998@gmail.com |
|---|---|
| State | Changes Requested |
| Series | [ovs-dev,v3,1/4] conntrack: Skip ephemeral ports fallback for DNAT. |
On Mon, Nov 26, 2018 at 08:48:38AM -0800, Darrell Ball wrote:
> When fallback to ephemeral ports triggers to find a NAT translation,
> it may happen that the full address range is not explored; i.e. if
> all ephemeral ports are being used for the address range >= the
> first address checked and there are other addresses in the
> available range, then they would not be explored for availability.
> The likelihood of hitting this condition is rare. The fix is to
> reset the first address to the minimum address when starting to
> search ephemeral ports. Found by inspection.
>
> Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
> Signed-off-by: Darrell Ball <dlu998@gmail.com>

Looks good, thanks.

Can't be applied without that other series.
On Mon, Dec 10, 2018 at 5:39 PM Ben Pfaff <blp@ovn.org> wrote:
> On Mon, Nov 26, 2018 at 08:48:38AM -0800, Darrell Ball wrote:
> > When fallback to ephemeral ports triggers to find a NAT translation,
> > it may happen that the full address range is not explored; i.e. if
> > all ephemeral ports are being used for the address range >= the
> > first address checked and there are other addresses in the
> > available range, then they would not be explored for availability.
> > The likelihood of hitting this condition is rare. The fix is to
> > reset the first address to the minimum address when starting to
> > search ephemeral ports. Found by inspection.
> >
> > Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
> > Signed-off-by: Darrell Ball <dlu998@gmail.com>
>
> Looks good, thanks.
>
> Can't be applied without that other series.
>

The other series is meant to be rebased after this long pending series; I had added comments to the other series cover letter.

"These patches presently include an updated version of the changes for this series https://patchwork.ozlabs.org/project/openvswitch/list/?series=78059 but those parts (approx 20 lines) will be later dropped from this series and handled with the above mentioned series."
diff --git a/lib/conntrack.c b/lib/conntrack.c index 31fedc0..bb3eeca 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -2225,6 +2225,7 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, } else { ephemeral_ports_tried = true; ct_addr = conn->nat_info->min_addr; + first_addr = ct_addr; min_port = MIN_NAT_EPHEMERAL_PORT; max_port = MAX_NAT_EPHEMERAL_PORT; }
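Review bot: The added `first_addr = ct_addr;` restarts the address sweep from `min_addr` for the ephemeral-port pass, as the commit message describes, but nothing in the visible context of `nat_select_range_tuple` says why the reset is needed, so a later reader has to recover the reasoning from this commit; a short comment next to it, e.g. `/* Restart the address sweep from min_addr for the ephemeral pass. */`, would keep that in the code. The diffstat (`1 file changed, 1 insertion(+)`) also shows no test accompanying the fix; since the commit message notes the condition is rare and was found by inspection, a test that exhausts a small NAT range with the configured port range and then checks that a free ephemeral port on an address at or above the first address checked is still found would guard against regression.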
When fallback to ephemeral ports triggers to find a NAT translation,
it may happen that the full address range is not explored; i.e. if
all ephemeral ports are being used for the address range >= the
first address checked and there are other addresses in the
available range, then they would not be explored for availability.
The likelihood of hitting this condition is rare. The fix is to
reset the first address to the minimum address when starting to
search ephemeral ports. Found by inspection.

Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
Signed-off-by: Darrell Ball <dlu998@gmail.com>
---
Backport to 2.8.

v3: Move backport hint out of commit message.
    Fix wording.

 lib/conntrack.c | 1 +
 1 file changed, 1 insertion(+)
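To make the failure mode in the commit message concrete, here is a constructed C model of the sweep in nat_select_range_tuple, added for this page and not OVS code: addresses are small integers rather than IPv4 addresses, occupancy is a callback, and the loop is assumed to stop when the current address comes back around to first_addr (the surrounding code is not in the hunk, so that termination test is an assumption). The reset_first_addr flag toggles the patch's added line; busy_except_13_40000, run_scenario, found_before_fix, addr_after_fix and port_after_fix are this example's own helpers.

```c
#include <stdbool.h>

/* Constructed model of the address/port sweep in nat_select_range_tuple:
 * addresses are small integers rather than IPv4, occupancy is a callback. */
#define MIN_NAT_EPHEMERAL_PORT 1024
#define MAX_NAT_EPHEMERAL_PORT 65535

/* Starts at first_addr, wraps within [min_addr, max_addr], tries every port in
 * [min_port, max_port] per address, then retries with the ephemeral ports.
 * reset_first_addr selects the patched behaviour. */
static bool
select_nat_tuple(unsigned min_addr, unsigned max_addr, unsigned first_addr,
                 unsigned min_port, unsigned max_port,
                 bool (*in_use)(unsigned addr, unsigned port),
                 bool reset_first_addr, unsigned *out_addr, unsigned *out_port)
{
    unsigned ct_addr = first_addr;
    bool ephemeral_ports_tried = false;
    for (;;) {
        for (unsigned port = min_port; port <= max_port; port++) {
            if (!in_use(ct_addr, port)) {
                *out_addr = ct_addr; *out_port = port;
                return true;
            }
        }
        ct_addr = (ct_addr == max_addr) ? min_addr : ct_addr + 1;
        if (ct_addr == first_addr) {              /* back where this pass began */
            if (ephemeral_ports_tried) { return false; }
            ephemeral_ports_tried = true;
            ct_addr = min_addr;
            if (reset_first_addr) { first_addr = ct_addr; }  /* the patch's line */
            min_port = MIN_NAT_EPHEMERAL_PORT;
            max_port = MAX_NAT_EPHEMERAL_PORT;
        }
    }
}

/* Constructed occupancy: every tuple is taken except ephemeral port 40000 on
 * address 13, which lies above the start address 12 used below. */
static bool busy_except_13_40000(unsigned a, unsigned p) { return !(a == 13 && p == 40000); }
/* Addresses 10..13, start address 12, configured ports 5000..5001. */
static bool run_scenario(bool reset_first_addr, unsigned *addr, unsigned *port)
{
    return select_nat_tuple(10, 13, 12, 5000, 5001, busy_except_13_40000,
                            reset_first_addr, addr, port);
}
static bool found_before_fix(void) { unsigned a = 0, p = 0; return run_scenario(false, &a, &p); }
static unsigned addr_after_fix(void) { unsigned a = 0, p = 0; return run_scenario(true, &a, &p) ? a : 0; }
static unsigned port_after_fix(void) { unsigned a = 0, p = 0; return run_scenario(true, &a, &p) ? p : 0; }
```

In this constructed scenario the unpatched sweep walks addresses 10 and 11 on the ephemeral pass, stops when it reaches the original first_addr 12 and reports no free tuple, while the patched sweep continues to address 13 and returns 13:40000.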