conntrack: Fix ct-clean thread crash bug.

Conn should be removed from the connection expiry list when
the connection tracker experiences NAT resource exhaustion
and the connection needing NAT mapping cannot get it.
If this is not done, the connection tracker can crash during
cleanup of expired connections by the clean thread.

This crash will be triggered when a established flow do ct(nat)
again, like
"ip,actions=ct(table=1)
 table=1,in_port=1,ip,actions=ct(commit,nat(dst=5.5.5.5)),2
 table=1,in_port=2,ip,ct_state=+est,actions=1
 table=1,in_port=1,ip,ct_state=+est,actions=2"

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Signed-off-by: Lili Huang <huanglili.huang@huawei.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>

diff --git a/AUTHORS.rst b/AUTHORS.rst
index 9cf363801cb2970e22d985a185afb24ed6c4bd5a..1fc42b5ff0b6bde952d18689718d4e00baf56bc0 100644 (file)
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -193,6 +193,7 @@ Lei Huang                       huang.f.lei@gmail.com
 Leif Madsen                     lmadsen@redhat.com
 Leo Alterman                    lalterman@nicira.com
 Lilijun                         jerry.lilijun@huawei.com
+Lili Huang                      huanglili.huang@huawei.com
 Linda Sun                       lsun@vmware.com
 Lior Neudorfer                  lior@guardicore.com
 Lorand Jakab                    lojakab@cisco.com

diff --git a/lib/conntrack.c b/lib/conntrack.c
index c61bcd6976cdbb234b7eecce356b2b77a64a7a68..419cb1def6553938d53d4e5443db006dec32e832 100644 (file)
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -805,6 +805,7 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
      * against with firewall rules or a separate firewall.
      * Also using zone partitioning can limit DoS impact. */
 nat_res_exhaustion:
+    ovs_list_remove(&nc->exp_node);
     delete_conn(nc);
     /* conn_for_un_nat_copy is a local variable in process_one; this
      * memset() serves to document that conn_for_un_nat_copy is from