git.proxmox.com Git - ovs.git/commit

author	Daniele Di Proietto <diproiettod@vmware.com>
	Fri, 13 May 2016 22:04:17 +0000 (15:04 -0700)
committer	Daniele Di Proietto <diproiettod@vmware.com>
	Thu, 28 Jul 2016 01:53:27 +0000 (18:53 -0700)
commit	b269a1229df2329deb3c292c22a6bdd0ce3f02ff
tree	3d1b2665fe29741f07649e1b9a6e4673444127dd	tree
parent	ed708b5d6887afa2a184c38304f2f23b96af9914	commit \| diff

conntrack: Track ICMP type and code.

From the connection tracker perspective, an ICMP connection is a tuple
identified by source ip address, destination ip address and ICMP id.

While this allows basic ICMP traffic (pings) to work, it doesn't take
into account the icmp type: the connection tracker will allow
requests/replies in any directions.

This is improved by making the ICMP type and code part of the connection
tuple. An ICMP echo request packet from A to B, will create a
connection that matches ICMP echo request from A to B and ICMP echo
replies from B to A. The same is done for timestamp and info
request/replies, and for ICMPv6.

A new modules conntrack-icmp is implemented, to allow only "request"
types to create new connections.

Also, since they're tracked in both userspace and kernel
implementations, ICMP type and code are always printed in ct-dpif (a few
testcase are updated as a consequence).

Reported-by: Subramani Paramasivam <subramani.paramasivam@wipro.com>
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Acked-by: Joe Stringer <joe@ovn.org>

lib/automake.mk		diff \| blob \| blame \| history
lib/conntrack-icmp.c	[new file with mode: 0644]	blob
lib/conntrack-private.h		diff \| blob \| blame \| history
lib/conntrack.c		diff \| blob \| blame \| history
lib/conntrack.h		diff \| blob \| blame \| history
lib/ct-dpif.c		diff \| blob \| blame \| history
lib/ct-dpif.h		diff \| blob \| blame \| history
lib/netlink-conntrack.c		diff \| blob \| blame \| history
tests/system-traffic.at		diff \| blob \| blame \| history