From patchwork Thu Mar 8 01:39:22 2018
X-Patchwork-Submitter: Sairam Venugopal
X-Patchwork-Id: 882917
From: Sairam Venugopal
To:
Date: Wed, 7 Mar 2018 17:39:22 -0800
Message-ID: <20180308013922.103884-1-vsairam@vmware.com>
Subject: [ovs-dev] [PATCH] datapath-windows: Block established TCP connections from creating new CT Entry

Established TCP Connections could potentially form invalid Conntrack Entries when OVS is getting installed or the Conntrack Flows are applied. Prevent this from happening by explicitly requiring SYN packets to be present for creating new Conntrack entries.

Signed-off-by: Sairam Venugopal
---
 datapath-windows/ovsext/Conntrack-tcp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/datapath-windows/ovsext/Conntrack-tcp.c b/datapath-windows/ovsext/Conntrack-tcp.c
index 8cbab24..ea43df1 100644
--- a/datapath-windows/ovsext/Conntrack-tcp.c
+++ b/datapath-windows/ovsext/Conntrack-tcp.c
@@ -455,9 +455,15 @@ OvsConntrackValidateTcpPacket(const TCPHdr *tcp) return FALSE; } + /* Block pre-established connections from going through */ + if (!(tcp_flags & TCP_SYN)) { + OVS_LOG_TRACE("Pre-established TCP packet detected, non-SYN flags not allowed," + "tcp_flags %hu", tcp_flags); + return FALSE; + } + /* A syn+ack is not allowed to create a connection. We want to allow - * totally new connections (syn) or already established, not partially - * open (syn+ack). */ + * totally new connections (syn), not partially open (syn+ack). */ if ((tcp_flags & TCP_SYN) && (tcp_flags & TCP_ACK)) { OVS_LOG_TRACE("Invalid TCP packet detected, SYN+ACK flags not allowed," "tcp_flags %hu", tcp_flags);
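Review bot: with the new early return on `!(tcp_flags & TCP_SYN)`, a connection that was already in its data phase when the ct() flows were applied is refused on every subsequent packet, not only the first, because nothing short of a fresh SYN can ever create its entry; the deleted comment text ("or already established") shows that mid-stream pickup was intentional in the original code, so the commit message should state that such connections stay invalid for their remaining lifetime, and a tunable (the Linux conntrack equivalent is nf_conntrack_tcp_loose) would let deployments keep the old behaviour. Two smaller points in the same hunk: once non-SYN packets are rejected above, the `(tcp_flags & TCP_SYN) &&` half of the SYN+ACK condition is always true and can be dropped, leaving `if (tcp_flags & TCP_ACK)`, and the two adjacent string literals in the new OVS_LOG_TRACE call concatenate to "...not allowed,tcp_flags %hu" with no separating space (the existing SYN+ACK message carries the same nit).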
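The following is an added illustration of the behavioural difference the patch introduces; it is not code from the patch or from the OVS tree. It models a minimal conntrack table and runs two constructed scenarios through the pre-patch rule (any packet except SYN+ACK may open an entry) and the patch's rule (only a packet carrying SYN may). The connection keys, the single-key-for-both-directions simplification and the `tcp_valid_new`/`ct_process` names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out in the header's flags byte. */
#define TCP_SYN 0x02
#define TCP_ACK 0x10

/* Verdict for one packet run through a conntrack lookup. */
enum ct_verdict {
    CT_TRACKED,   /* matched an existing entry */
    CT_NEW,       /* no entry, and the packet was allowed to create one */
    CT_INVALID    /* no entry, and the packet was not allowed to create one */
};

/* New-entry rule.  strict=false models the pre-patch check: a bare SYN or
 * any mid-stream packet (ACK, PSH+ACK, ...) may open an entry and only
 * SYN+ACK is refused.  strict=true adds the patch's requirement that the
 * packet must carry SYN. */
static bool tcp_valid_new(uint8_t tcp_flags, bool strict)
{
    if (strict && !(tcp_flags & TCP_SYN)) {
        return false;                /* pre-established traffic refused */
    }
    if ((tcp_flags & TCP_SYN) && (tcp_flags & TCP_ACK)) {
        return false;                /* half-open handshake cannot create */
    }
    return true;
}

/* Toy conntrack table: a fixed array of connection keys (assumed here to be
 * the 5-tuple rendered as a string; a real table matches both directions
 * through a tuple pair, this example uses one key for both). */
#define CT_MAX 16
struct ct_table {
    char key[CT_MAX][64];
    int n;
};

static bool ct_lookup(const struct ct_table *t, const char *key)
{
    for (int i = 0; i < t->n; i++) {
        if (strcmp(t->key[i], key) == 0) {
            return true;
        }
    }
    return false;
}

/* Run one packet through the table, creating an entry when the new-entry
 * rule permits it, and return the verdict. */
static enum ct_verdict ct_process(struct ct_table *t, const char *key,
                                  uint8_t tcp_flags, bool strict)
{
    if (ct_lookup(t, key)) {
        return CT_TRACKED;
    }
    if (!tcp_valid_new(tcp_flags, strict)) {
        return CT_INVALID;
    }
    if (t->n < CT_MAX) {
        strncpy(t->key[t->n], key, sizeof t->key[t->n] - 1);
        t->key[t->n][sizeof t->key[t->n] - 1] = '\0';
        t->n++;
    }
    return CT_NEW;
}

/* Scenario 1 (constructed): the connection is already in its data phase when
 * the ct() flows are applied, so the table is empty and the next two packets
 * seen are bare ACKs.  out[] receives the verdict of each packet. */
static void established_pickup(bool strict, enum ct_verdict out[2])
{
    struct ct_table t = { .n = 0 };
    const char *key = "10.0.0.1:40000-10.0.0.2:443";
    out[0] = ct_process(&t, key, TCP_ACK, strict);
    out[1] = ct_process(&t, key, TCP_ACK, strict);
}

/* Scenario 2 (constructed): a fresh handshake observed from its first packet. */
static void new_handshake(bool strict, enum ct_verdict out[3])
{
    struct ct_table t = { .n = 0 };
    const char *key = "10.0.0.1:40001-10.0.0.2:443";
    out[0] = ct_process(&t, key, TCP_SYN, strict);            /* client SYN */
    out[1] = ct_process(&t, key, TCP_SYN | TCP_ACK, strict);  /* server SYN+ACK */
    out[2] = ct_process(&t, key, TCP_ACK, strict);            /* client ACK */
}

int main(void)
{
    static const char *name[] = { "TRACKED", "NEW", "INVALID" };
    enum ct_verdict v[2];
    established_pickup(false, v);
    printf("pre-patch  pickup: %s, %s\n", name[v[0]], name[v[1]]);
    established_pickup(true, v);
    printf("post-patch pickup: %s, %s\n", name[v[0]], name[v[1]]);
    return 0;
}
```

Under the pre-patch rule the first ACK of the already-established connection creates an entry and the second is tracked; under the patch's rule both are invalid, and so is every later packet of that connection, since only a new SYN can create its entry. The fresh handshake behaves identically under both rules: SYN creates the entry, and the SYN+ACK and ACK match it.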