openvswitch: return NF_DROP when fails to add nat ext in ovs_ct_nat
When it fails to allocate nat ext, the packet should be dropped, like
the memory allocation failures in other places in ovs_ct_nat().

This patch changes to return NF_DROP when fails to add nat ext before
doing NAT in ovs_ct_nat(), also it would keep consistent with tc
action ct' processing in tcf_ct_act_nat().

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Xin Long authored and David S. Miller committed Dec 12, 2022
1 parent 7795928 commit 2b85144
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/openvswitch/conntrack.c
Expand Up @@ -821,7 +821,7 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,

/* Add NAT extension if not confirmed yet. */
if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
return NF_ACCEPT; /* Can't NAT. */
return NF_DROP; /* Can't NAT. */

/* Determine NAT type.
* Check if the NAT type can be deduced from the tracked connection.
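
Review bot: The trailing comment on the changed return still reads "Can't NAT.", which explained the old pass-through verdict; with NF_DROP it should say why the packet is discarded, for example "Can't NAT, drop: no NAT extension". Failing closed here is the safer behaviour, since the old NF_ACCEPT let a packet that was meant to be translated continue untranslated when nf_ct_nat_ext_add() failed. Because the check only applies when !nf_ct_is_confirmed(ct), the drop lands on the first packets of a new connection under memory pressure, and nothing in these lines counts or logs it, so it is worth confirming that the caller accounts for this NF_DROP in a way an operator can tell apart from a policy drop.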