On 10 June 2016 at 15:47, Daniele Di Proietto <diproiet...@vmware.com> wrote: > From the connection tracker perspective, an ICMP connection is a tuple > identified by source ip address, destination ip address and ICMP id. > > While this allows basic ICMP traffic (pings) to work, it doesn't take > into account the icmp type: the connection tracker will allow > requests/replies in any directions. > > This is improved by making the ICMP type and code part of the connection > tuple. An ICMP echo request packet from A to B, will create a > connection that matches ICMP echo request from A to B and ICMP echo > replies from B to A. The same is done for timestamp and info > request/replies, and for ICMPv6. > > A new modules conntrack-icmp is implemented, to allow only "request" > types to create new connections. > > Also, since they're tracked in both userspace and kernel > implementations, ICMP type and code are always printed in ct-dpif (a few > testcase are updated as a consequence). > > Reported-by: Subramani Paramasivam <subramani.paramasi...@wipro.com> > Signed-off-by: Daniele Di Proietto <diproiet...@vmware.com>
Subramani, have you tried out this patch since you originally reported the issue? Implementation looks fine to me. I assume the newly introduced tests validate at least the echo request/response paths. Acked-by: Joe Stringer <j...@ovn.org> _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
