@@ -780,8 +780,7 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size,
}
/* pf doesn't do this, but it seems a good idea */
- if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned
- || inner_key.dst.addr.ipv4_aligned != key->src.addr.ipv4_aligned) {
+ if (inner_key.src.addr.ipv4_aligned != key->dst.addr.ipv4_aligned) {
return false;
}
@@ -869,9 +868,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size,
/* pf doesn't do this, but it seems a good idea */
if (!ipv6_addr_equals(&inner_key.src.addr.ipv6_aligned,
- &key->dst.addr.ipv6_aligned)
- || !ipv6_addr_equals(&inner_key.dst.addr.ipv6_aligned,
- &key->src.addr.ipv6_aligned)) {
+ &key->dst.addr.ipv6_aligned)) {
return false;
}
An address sanity check is done on icmp error packets to check that the icmp error payload makes sense w.r.t. the packet itself. The sanity check was partially incorrect since it tried to verify the source address of the error packet against the original destination, which does not makes since the error can be generated by any intermediate node. Reported-by: wangzhike <wangzhike@jd.com> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-December/341609.html Fixes: a489b1685 ("conntrack: New userspace connection tracker.") CC: Daniele Di Proietto <diproiettod@vmware.com> Signed-off-by: Darrell Ball <dlu998@gmail.com> Signed-off-by: wangzhike <wangzhike@jd.com> Co-authored-by: wangzhike <wangzhike@jd.com> Signed-off-by: Darrell Ball <dlu998@gmail.com> --- lib/conntrack.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)