[ovs-dev,RFC] conntrack: Block transmission of unreplied UDP packets.

Message ID 1500825934-21845-1-git-send-email-antonio.fischetti@intel.com
State Rejected
Delegated to: Darrell Ball

Commit Message

Fischetti, Antonio July 23, 2017, 4:05 p.m. UTC
Scenario: a mono-dir UDP stream is received from a port that allows new
incoming connections. The 1st packet creates a new connection.
The second UDP packet - even if there's no reply from the other side - will
make the connection become established. So all the next packets of the
same mono-dir stream will successfully pass through the firewall.

This patch allows sending the 1st initiating packet, but blocks the
transmission of the next UDP packets as long as the created connection
is still unreplied.

Signed-off-by: Antonio Fischetti <antonio.fischetti@intel.com>
---
 lib/conntrack-other.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Darrell Ball July 23, 2017, 5:30 p.m. UTC | #1
In general, this does not even have anything to do with committed connections. You can allow packets
in the forward direction without even committing, based on the rules you use. Allowance in the forward
direction is typical, by the way.


Patch

diff --git a/lib/conntrack-other.c b/lib/conntrack-other.c
index 2920889..f6433fd 100644
--- a/lib/conntrack-other.c
+++ b/lib/conntrack-other.c
@@ -56,7 +56,15 @@  other_conn_update(struct conn *conn_, struct conntrack_bucket *ctb,
 
     conn_update_expiration(ctb, &conn->up, other_timeouts[conn->state], now);
 
-    return CT_UPDATE_VALID;
+    if (conn_->key.nw_proto == IPPROTO_UDP) {
+        if (conn->state == OTHERS_BIDIR) {
+            return CT_UPDATE_VALID;
+        } else {
+            return CT_UPDATE_INVALID;
+        }
+    } else {
+        return CT_UPDATE_INVALID;
+    }
 }
 
 static bool
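Review bot: the outer `else` branch in this hunk returns CT_UPDATE_INVALID for every non-UDP protocol, so the previous unconditional `return CT_UPDATE_VALID;` becomes a drop for all the other protocols this file handles; the IPPROTO_UDP test should only gate the UDP case, e.g. `if (conn_->key.nw_proto == IPPROTO_UDP && conn->state != OTHERS_BIDIR) {` / `    return CT_UPDATE_INVALID;` / `}` followed by `return CT_UPDATE_VALID;`, which also removes the nested if/else. Note too that `conn_update_expiration()` on the unchanged context line above still runs before the new returns, so a packet that is then reported INVALID refreshes the connection's expiration timer; consider evaluating the state check before updating the expiration. A short comment stating why OTHERS_BIDIR is the only state in which forward UDP packets are accepted would help readers of this function, and the commit message should spell out the resulting behaviour change for unidirectional UDP flows.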