From patchwork Thu Jan 21 09:12:47 2021
X-Patchwork-Submitter: Tonghao Zhang
X-Patchwork-Id: 1429693
From: xiangxia.m.yue@gmail.com
To: aconole@redhat.com, i.maximets@ovn.org, blp@ovn.org, yihung.wei@gmail.com
Cc: ovs-dev@openvswitch.org
Date: Thu, 21 Jan 2021 17:12:47 +0800
Message-Id: <20210121091247.53292-1-xiangxia.m.yue@gmail.com>
Subject: [ovs-dev] [PATCH ovs v2] conntrack: Fix the icmp conntrack new state.

From: Tonghao Zhang

The same icmp packet may traverse the conntrack module more than once. Or the same icmp packets traverse the conntrack module in order. Don't change state to CS_ESTABLISHED before receiving reply or related packets.

Fixes: a867c010ee91 ("conntrack: Fix conntrack new state")
Signed-off-by: Tonghao Zhang
Acked-by: Yi-Hung Wei
Acked-by: Aaron Conole
---
v2:
1. add test case
2. change the commit message, and title
3. change the fix tag
--- lib/conntrack-icmp.c | 5 +++- tests/system-common-macros.at | 6 +++++ tests/system-traffic.at | 44 +++++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 1 deletion(-) diff --git a/lib/conntrack-icmp.c b/lib/conntrack-icmp.c index bf49f9a9fa93..b4029703988d 100644 --- a/lib/conntrack-icmp.c +++ b/lib/conntrack-icmp.c 
@@ -51,13 +51,16 @@ icmp_conn_update(struct conntrack *ct, struct conn *conn_, struct dp_packet *pkt OVS_UNUSED, bool reply, long long now) { struct conn_icmp *conn = conn_icmp_cast(conn_); + enum ct_update_res ret = CT_UPDATE_VALID; if (reply && conn->state == ICMPS_FIRST) { conn->state = ICMPS_REPLY; + } else if (conn->state == ICMPS_FIRST) { + ret = CT_UPDATE_VALID_NEW; } conn_update_expiration(ct, &conn->up, icmp_timeouts[conn->state], now); - return CT_UPDATE_VALID; + return ret; } static bool diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index 68c8774d1ac6..9d5e24a2922b 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at @@ -275,6 +275,12 @@ m4_define([OVS_START_L7], ] ) +# OFPROTO_CLEAR_DURATION_IDLE([]) +# +# Clear the duration from the piped input which would differ from test to test +# +m4_define([OFPROTO_CLEAR_DURATION_IDLE], [[sed -e 's/duration=.*s,/duration=,/g' -e 's/idle_age=[0-9]*,/idle_age=,/g']]) + # OVS_CHECK_VXLAN() # # Do basic check for vxlan functionality, skip the test if it's not there. diff --git a/tests/system-traffic.at b/tests/system-traffic.at index d2a4dbffecbe..fb5b9a36d283 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -5927,6 +5927,50 @@ ovs-appctl dpif/dump-flows br0 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - Multiple ICMP traverse]) +dnl This tracks sending ICMP packets via conntrack multiple times for the +dnl same packet +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() +OVS_CHECK_CT_CLEAR() + +ADD_NAMESPACES(at_ns0, at_ns1) +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") +dnl setup ct flows +AT_DATA([flows.txt], [dnl +table=0,priority=10 ip,icmp,ct_state=-trk action=ct(zone=1,table=1) +table=0,priority=0 action=drop +table=1,priority=10 ct_state=-est+trk+new,ip,ct_zone=1,in_port=1 action=ct(commit,table=2) +table=1,priority=10 ct_state=+est-new+trk,ct_zone=1,in_port=1 action=resubmit(,2) +table=1,priority=0 action=drop +table=2,priority=10 ct_state=+trk+new,in_port=1 action=drop +table=2,priority=10 ct_state=+trk+est action=drop +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +# sending icmp pkts, first and second +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 1c 00 01 00 00 40 01 64 dc 0a 01 01 01 0a 01 01 02 08 00 f7 ff ff ff ff ff > /dev/null]) + +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 1c 00 01 00 00 40 01 64 dc 0a 01 01 01 0a 01 01 02 08 00 f7 ff ff ff ff ff > /dev/null]) + +sleep 1 + +dnl ensure CT picked up the packet +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0) +]) + +AT_CHECK([ovs-ofctl dump-flows br0 | grep table=2, | OFPROTO_CLEAR_DURATION_IDLE], + [0], [dnl + cookie=0x0, duration=, table=2, n_packets=2, n_bytes=84, idle_age=, priority=10,ct_state=+new+trk,in_port=1 actions=drop + cookie=0x0, duration=, table=2, n_packets=0, n_bytes=0, idle_age=, priority=10,ct_state=+est+trk actions=drop 
+]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_BANNER([802.1ad]) AT_SETUP([802.1ad - vlan_limit])
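
Review bot: The new `else if (conn->state == ICMPS_FIRST)` branch in icmp_conn_update() (lib/conntrack-icmp.c) needs a comment saying why a non-reply packet seen while the entry is still in ICMPS_FIRST returns CT_UPDATE_VALID_NEW; the reason (a repeated or recirculated request must not be reported as established before a reply arrives) is only in the commit message. Both arms test the same state, so nesting the `reply` check inside a single `if (conn->state == ICMPS_FIRST)` would read more clearly. conn_update_expiration() still runs on this path, so every repeated request refreshes the timeout of an entry that has never seen a reply; please confirm that is intended.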
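
Review bot: In OFPROTO_CLEAR_DURATION_IDLE (tests/system-common-macros.at) the first sed expression, `s/duration=.*s,/duration=,/g`, is greedy and consumes everything up to the last `s,` on the line, so a later field whose value ends in `s` before a comma would be swallowed along with the duration; `duration=[0-9.]*s,` matches only the number. The comment above the macro mentions only the duration while the macro also strips idle_age, and the `([])` in the header suggests an argument the macro does not take.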
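
Review bot: The fixed `sleep 1` ahead of the dpctl/dump-conntrack check in the new "conntrack - Multiple ICMP traverse" test (tests/system-traffic.at) makes the result timing dependent; polling for the conntrack entry with OVS_WAIT_UNTIL would be more robust on slow or loaded test machines. The test asserts only the request side (n_packets=2 on the +new+trk rule, 0 on +est+trk), so the ICMPS_FIRST to ICMPS_REPLY transition touched by the same change is not exercised; a step that has an echo reply seen and checks the +est counter would cover it. The `# sending icmp pkts, first and second` line uses `#` where the rest of the test uses `dnl` for comments.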