From patchwork Thu Mar 1 07:25:50 2018
X-Patchwork-Submitter: Darrell Ball
X-Patchwork-Id: 879593
X-Patchwork-Delegate: jpettit@nicira.com
From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Date: Wed, 28 Feb 2018 23:25:50 -0800
Message-Id: <1519889150-113512-1-git-send-email-dlu998@gmail.com>
Subject: [ovs-dev] [patch v1] conntrack-tcp: Handle tcp session reuse.

Fix tcp sequence tracking for session reuse cases. This can happen, for example, by doing VM migration, where sequence tracking needs to be more permissive. The solution is to be more permissive for session restart and session start only. We don't differentiate session start here, where we could be more strict, although we could, because the gain in protection is almost zero and the code modularity would be lessened and code complexity increased. This issue originates in release 2.7.

Signed-off-by: Darrell Ball
Signed-off-by: Darrell Ball
---
 lib/conntrack-tcp.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/conntrack-tcp.c b/lib/conntrack-tcp.c index 04460c3..a0ddd65 100644 --- a/lib/conntrack-tcp.c +++ b/lib/conntrack-tcp.c @@ -160,7 +160,6 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, uint16_t win = ntohs(tcp->tcp_winsz); uint32_t ack, end, seq, orig_seq; uint32_t p_len = tcp_payload_length(pkt); - int ackskew; if (tcp_invalid_flags(tcp_flags)) { return CT_UPDATE_INVALID; 
@@ -195,11 +194,11 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, */ orig_seq = seq = ntohl(get_16aligned_be32(&tcp->tcp_seq)); + bool check_ackskew = true; if (src->state < CT_DPIF_TCPS_SYN_SENT) { /* First packet from this end. Set its state */ ack = ntohl(get_16aligned_be32(&tcp->tcp_ack)); - end = seq + p_len; if (tcp_flags & TCP_SYN) { end++; @@ -232,6 +231,7 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, if (src->seqhi == 1 || SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) { src->seqhi = end + MAX(1, dst->max_win << dws); + check_ackskew = false; } if (win > src->max_win) { src->max_win = win; @@ -265,7 +265,13 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, end = seq; } - ackskew = dst->seqlo - ack; + int ackskew; + if (check_ackskew) { + ackskew = dst->seqlo - ack; + } else { + ackskew = 0; + } + #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ if (SEQ_GEQ(src->seqhi, end) /* Last octet inside other's window space */
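Review bot: in the `@@ -195,11 +194,11 @@` hunk, `check_ackskew` is declared well before the only place it is cleared (inside the `src->state < CT_DPIF_TCPS_SYN_SENT` block) and the only place it is read (the `ackskew` assignment), so a one-line comment at the declaration saying that it is cleared when this end's tracked window is (re)initialised for a session start or restart would spare a reader the search. The removal of the blank line after `ack = ntohl(get_16aligned_be32(&tcp->tcp_ack));` is an unrelated whitespace change that could be dropped from a fix that is meant to be backported to 2.7.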
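Review bot: in the `@@ -232,6 +231,7 @@` hunk, `check_ackskew = false;` is set whenever `src->seqhi == 1 || SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)` holds, i.e. for any first packet from this end whose window reaches past the recorded `seqhi`, not only for the VM-migration reuse case the commit message describes. That matches the message's stated decision not to distinguish session start from restart, but the trade-off belongs in a comment next to the assignment: this is the line that switches off the `dst->seqlo - ack` bound for the packet, and as written it reads like an incidental side effect of a window update rather than the deliberate relaxation it is.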
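Review bot: in the `@@ -265,7 +265,13 @@` hunk the five-line if/else collapses to `int ackskew = check_ackskew ? dst->seqlo - ack : 0;`, which also keeps the declaration that the `@@ -160,7 +160,6 @@` hunk moved out of the prologue right next to its use. Zero is chosen here because it is the value that satisfies whatever bound is applied to `ackskew` below, so a comment such as "skew not checked for a (re)started session" would make that explicit instead of leaving a reader to infer it from the commit message. The added blank line before `#define MAXACKWINDOW` is a stray whitespace change.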