On Wed, Oct 14, 2015 at 11:10 AM, Joe Stringer <joestrin...@nicira.com> wrote: > Currently, 0-bits are generated in ct_state where the bit position is > undefined, and matches are accepted on these bit-positions. If userspace > requests to match the 0-value for this bit then it may expect only a > subset of traffic to match this value, whereas currently all packets > will have this bit set to 0. Fix this by rejecting such masks. > > Signed-off-by: Joe Stringer <joestrin...@nicira.com> > --- > net/openvswitch/conntrack.h | 11 +++++------ > net/openvswitch/flow_netlink.c | 5 ++++- > 2 files changed, 9 insertions(+), 7 deletions(-) > > diff --git a/net/openvswitch/conntrack.h b/net/openvswitch/conntrack.h > index da8714942c95..2d42b3640117 100644 > --- a/net/openvswitch/conntrack.h > +++ b/net/openvswitch/conntrack.h > @@ -35,12 +35,9 @@ void ovs_ct_fill_key(const struct sk_buff *skb, struct > sw_flow_key *key); > int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb); > void ovs_ct_free_action(const struct nlattr *a); > > -static inline bool ovs_ct_state_supported(u32 state) > -{ > - return !(state & ~(OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED | > - OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR | > - OVS_CS_F_INVALID | OVS_CS_F_TRACKED)); > -} Can you also remove definition of ovs_ct_state_supported() in case where conntrack is not enabled.
Otherwise looks good.

Acked-by: Pravin B Shelar <pshe...@nicira.com>
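Review bot: In the conntrack.h hunk at @@ -35,12 +35,9, the removed ovs_ct_state_supported() takes a single `state` argument, while the commit message describes the fix as rejecting masks on undefined ct_state bit positions, so the changelog should say whether the validation now covers the mask, the key value, or both. Rejecting a mask that userspace previously had accepted is a userspace-visible change, and the commit message would be clearer if it stated what a caller sending a mask with undefined bits set (an all-ones ct_state mask, for instance) gets back. A short comment beside the list of OVS_CS_F_* flags noting that every new flag must be added to the supported set would also help keep the check from going stale.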