CT: Fix CT template allocation for zone 0
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux-bluefield (Ubuntu) | Invalid | Undecided | Unassigned | |
Focal | Fix Released | Undecided | Unassigned | |
Bug Description
SRU Justification:
Act_ct is mishandling CT action in zone 0 which can cause the inner actions (commit, nat) to be skipped
* Explain the bug(s)
Currently act_ct action init is skipping ct template allocation for zone 0.
Skipping the allocation may cause the datapath ct code to ignore the
entire ct action with all its attributes (commit, nat) in case the ct
action in zone 0 was preceded by a ct clear action.
The ct clear action sets the ct_state to untracked and resets the
skb->_nfct pointer. Under these conditions and without an allocated
ct template, the skb->_nfct pointer will remain NULL which will
cause the tc ct action handler to exit without handling commit and nat
actions, if such exist.
* brief explanation of fixes
Remove skipping of ct template allocation for zone 0. Treat it as all other zones.
* How to test
Create a tc rule (with skip_hw to make sure it is not offloaded by HW) with an actions list
that includes the following sequence:
Actions: ct_clear, ct(commit, nat(src=
* What it could break.
Ct action in zone 0 will not be performed (i.e - ct(commit, nat(src=
This means the connection will not get committed to zone 0 and src nat will not be performed,
which means the packet will pass this rule and maintain its original src IP.
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: New → In Progress
Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-done-focal; removed: verification-needed-focal
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!