From patchwork Sun Jul 23 16:05:34 2017
X-Patchwork-Submitter: "Fischetti, Antonio"
X-Patchwork-Id: 792571
X-Patchwork-Delegate: dlu998@gmail.com
From: antonio.fischetti@intel.com
To: dev@openvswitch.org
Date: Sun, 23 Jul 2017 17:05:34 +0100
Message-Id: <1500825934-21845-1-git-send-email-antonio.fischetti@intel.com>
Subject: [ovs-dev] [PATCH RFC] conntrack: Block transmission of unreplied UDP packets.

Scenario: a mono-dir UDP stream is received from a port that allows new incoming connections. The 1st packet creates a new connection. The second UDP packet - even if there's no reply from the other side - will make the connection become established. So all the next packets of the same mono-dir stream will successfully pass through the firewall.

This patch allows the 1st initiating packet to be sent, but blocks the transmission of the next UDP packets as long as the created connection is still unreplied.

Signed-off-by: Antonio Fischetti
---
 lib/conntrack-other.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/conntrack-other.c b/lib/conntrack-other.c
index 2920889..f6433fd 100644
--- a/lib/conntrack-other.c
+++ b/lib/conntrack-other.c
@@ -56,7 +56,15 @@ other_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, conn_update_expiration(ctb, &conn->up, other_timeouts[conn->state], now); - return CT_UPDATE_VALID; + if (conn_->key.nw_proto == IPPROTO_UDP) { + if (conn->state == OTHERS_BIDIR) { + return CT_UPDATE_VALID; + } else { + return CT_UPDATE_INVALID; + } + } else { + return CT_UPDATE_INVALID; + } } static bool
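Review bot: the outer else branch returns CT_UPDATE_INVALID for every non-UDP protocol that goes through other_conn_update() (ICMP among them), which silently changes behaviour for protocols the commit message never mentions; those should keep returning CT_UPDATE_VALID as before. Gating only UDP also removes the nested if/else, e.g.
    if (conn_->key.nw_proto == IPPROTO_UDP && conn->state != OTHERS_BIDIR) {
        return CT_UPDATE_INVALID;
    }
followed by the existing return CT_UPDATE_VALID;. Separately, the conn_update_expiration() call in the preceding context line still runs for the packets now reported invalid, so an unreplied stream keeps refreshing its own timeout; if that is not intended, the UDP check should come before it.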
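To make the behaviour the commit message describes concrete, the following is an added example written for this page; it is not Open vSwitch code and not part of the patch. It models the "other" (non-TCP) conntrack state machine with the three state names that appear in the hunk and compares how a mono-directional UDP stream, a UDP stream that does get a reply, and a mono-directional ICMP stream are classified under the pre-patch return value, the patch as posted, and a variant that gates only UDP. The state-transition rules (a reply-direction packet moves the connection to OTHERS_BIDIR, a second originator packet moves it from OTHERS_FIRST to OTHERS_MULTIPLE), the struct layout, the IPPROTO_* constants and the packet sequences are all assumptions of this model, built from the description above rather than taken from the project.

```c
/* Added example, not OVS code: a toy model of the conntrack "other"
 * state machine, used to compare classifications of an unreplied
 * UDP stream under three return-value policies. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed protocol numbers (same values as netinet/in.h). */
#define IPPROTO_ICMP 1
#define IPPROTO_UDP  17

/* State names mirror the hunk; the transitions are this model's assumption. */
enum other_state { OTHERS_FIRST, OTHERS_MULTIPLE, OTHERS_BIDIR };
enum ct_update_res { CT_UPDATE_INVALID, CT_UPDATE_VALID, CT_UPDATE_NEW };
enum policy { POLICY_ORIGINAL, POLICY_PATCH, POLICY_UDP_ONLY };

struct toy_conn {
    int nw_proto;
    enum other_state state;
};

/* Applies the assumed state transitions, then returns the verdict the
 * chosen policy would give.  Only the verdict differs between policies. */
static enum ct_update_res
toy_conn_update(struct toy_conn *conn, bool reply, enum policy pol)
{
    if (reply && conn->state != OTHERS_BIDIR) {
        conn->state = OTHERS_BIDIR;
    } else if (conn->state == OTHERS_FIRST) {
        conn->state = OTHERS_MULTIPLE;
    }

    switch (pol) {
    case POLICY_ORIGINAL:
        /* Pre-patch: every update is valid, so packet 2 already looks +est. */
        return CT_UPDATE_VALID;
    case POLICY_PATCH:
        /* As posted: UDP needs a seen reply; every other protocol is invalid. */
        if (conn->nw_proto == IPPROTO_UDP) {
            return conn->state == OTHERS_BIDIR ? CT_UPDATE_VALID
                                               : CT_UPDATE_INVALID;
        }
        return CT_UPDATE_INVALID;
    case POLICY_UDP_ONLY:
        /* Reviewer variant: gate UDP on a reply, leave other protocols alone. */
        if (conn->nw_proto == IPPROTO_UDP && conn->state != OTHERS_BIDIR) {
            return CT_UPDATE_INVALID;
        }
        return CT_UPDATE_VALID;
    }
    return CT_UPDATE_INVALID;
}

/* Runs a constructed packet sequence through the model.  The first packet
 * creates the connection (CT_UPDATE_NEW, i.e. +new); every later packet is
 * classified by toy_conn_update().  dirs[i] is true for a packet in the
 * reply direction.  Returns how many packets were classified
 * CT_UPDATE_VALID (+est); out, if non-NULL, receives every verdict. */
static size_t
count_established(int nw_proto, const bool *dirs, size_t n,
                  enum policy pol, enum ct_update_res *out)
{
    struct toy_conn conn = { .nw_proto = nw_proto, .state = OTHERS_FIRST };
    size_t valid = 0;

    for (size_t i = 0; i < n; i++) {
        enum ct_update_res res = (i == 0) ? CT_UPDATE_NEW
                                          : toy_conn_update(&conn, dirs[i], pol);
        if (out) {
            out[i] = res;
        }
        if (res == CT_UPDATE_VALID) {
            valid++;
        }
    }
    return valid;
}

/* Constructed packet sequences: four originator packets with no reply,
 * and four packets where the third one flows in the reply direction. */
static const bool MONO_DIR[4]   = { false, false, false, false };
static const bool WITH_REPLY[4] = { false, false, true,  false };

int main(void)
{
    static const char *names[] = { "original", "patch as posted", "UDP-only gate" };

    for (int p = 0; p < 3; p++) {
        printf("%-16s UDP mono-dir est=%zu  UDP with reply est=%zu  ICMP mono-dir est=%zu\n",
               names[p],
               count_established(IPPROTO_UDP,  MONO_DIR,   4, (enum policy) p, NULL),
               count_established(IPPROTO_UDP,  WITH_REPLY, 4, (enum policy) p, NULL),
               count_established(IPPROTO_ICMP, MONO_DIR,   4, (enum policy) p, NULL));
    }
    return 0;
}
```

The first row reproduces the scenario in the commit message: with the pre-patch verdict the second packet of a stream that nobody has answered is already counted as established. The second and third rows show what the posted hunk changes: the UDP stream stays invalid until the reply arrives, but the ICMP stream is also invalidated, which the UDP-only variant avoids. One caveat for anyone testing this on a real switch: an invalid verdict in OVS sets ct_state +inv on the packet rather than dropping it, so the stream is only blocked if the flow table actually drops +inv traffic.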