Conn should be removed from the connection expiry list when
the connection tracker experiences NAT resource exhaustion
and the connection needing NAT mapping cannot get it.
If this is not done, the connection tracker can crash during
cleanup of expired connections by the clean thread.
This crash will be triggered when an established flow does ct(nat)
again, like
"ip,actions=ct(table=1)
table=1,in_port=1,ip,actions=ct(commit,nat(dst=5.5.5.5)),2
table=1,in_port=2,ip,ct_state=+est,actions=1
table=1,in_port=1,ip,ct_state=+est,actions=2"
Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Signed-off-by: Lili Huang <huanglili.huang@huawei.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Leif Madsen lmadsen@redhat.com
Leo Alterman lalterman@nicira.com
Lilijun jerry.lilijun@huawei.com
+Lili Huang huanglili.huang@huawei.com
Linda Sun lsun@vmware.com
Lior Neudorfer lior@guardicore.com
Lorand Jakab lojakab@cisco.com
* against with firewall rules or a separate firewall.
* Also using zone partitioning can limit DoS impact. */
nat_res_exhaustion:
+ ovs_list_remove(&nc->exp_node);
delete_conn(nc);
/* conn_for_un_nat_copy is a local variable in process_one; this
* memset() serves to document that conn_for_un_nat_copy is from
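Review bot: the unlink at `ovs_list_remove(&nc->exp_node);` is the whole fix, yet the hunk carries no comment saying why it is needed; the reasoning (nc was already placed on the expiry list before NAT mapping allocation failed, so `delete_conn(nc)` without unlinking leaves a dangling node for the clean thread to walk) exists only in the commit message. Suggest a one-line comment above the `nat_res_exhaustion:` label, e.g. `/* nc is already on the expiry list; unlink before freeing. */`, and a regression test built from the four flows quoted in the commit message so the use-after-free path is exercised by the test suite.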