From patchwork Sat Nov 7 00:06:07 2015
X-Patchwork-Submitter: Jarno Rajahalme
X-Patchwork-Id: 541178
X-Patchwork-Delegate: davem@davemloft.net
From: Jarno Rajahalme
To: netdev@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org, dev@openvswitch.org, jrajahalme@nicira.com
Subject: [RFC PATCH net-next v2 7/8] openvswitch: Delay conntrack helper call for new connections.
Date: Fri, 6 Nov 2015 16:06:07 -0800
Message-Id: <1446854768-38299-8-git-send-email-jrajahalme@nicira.com>
In-Reply-To: <1446854768-38299-1-git-send-email-jrajahalme@nicira.com>
References: <1446854768-38299-1-git-send-email-jrajahalme@nicira.com>
X-Mailing-List: netdev@vger.kernel.org

There is no need to help connections that are not confirmed, so we can delay helping new connections to the time when they are confirmed.

This change is needed for NAT support, and having this as a separate patch will make the following NAT patch a bit easier to review.

Signed-off-by: Jarno Rajahalme
---
 net/openvswitch/conntrack.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 7aa38fa..ba44287 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -458,6 +458,7 @@ static bool skb_nfct_cached(struct net *net, /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if * not done already. Update key with new CT state after passing the packet * through conntrack. + * Note that invalid packets are accepted while the skb->nfct remains unset! */ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, @@ -468,7 +469,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, * actually run the packet through conntrack twice unless it's for a * different zone. */ - if (!skb_nfct_cached(net, key, info, skb)) { + bool cached = skb_nfct_cached(net, key, info, skb); + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + + if (!cached) { struct nf_conn *tmpl = info->ct; int err; @@ -491,11 +496,16 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, return -ENOENT; ovs_ct_update_key(skb, key, true); + } - if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { - WARN_ONCE(1, "helper rejected packet"); - return -EINVAL; - } + /* Call the helper right after nf_conntrack_in() for confirmed + * connections, but only when commiting for unconfirmed connections. + */ + ct = nf_ct_get(skb, &ctinfo); + if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) + && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; } return 0;
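Review bot: the comment added in the first hunk (@@ -458,6 +458,7) states the behaviour but not what callers must do about it; since the new helper condition later in this function relies on `nf_ct_get()` returning NULL exactly in that case, it would read better as "Note that invalid packets are accepted while skb->nfct remains unset, so callers must check nf_ct_get() for NULL." rather than ending in an exclamation mark.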
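Review bot: in the second hunk (@@ -468,7 +469,11) the new `bool cached = skb_nfct_cached(net, key, info, skb);` looks like a needless temporary at the point it is introduced, because its only second use is in the helper condition at the bottom of the function; a one-line comment saying the flag is kept for the later helper decision would save the next reader a search. The three declarations are already in longest-first order, which is fine for netdev, but please confirm no statement precedes them in the unchanged lines above the hunk, since kernel style wants declarations before statements.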
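Review bot: the third hunk (@@ -491,11 +496,16) introduces a second behaviour change the commit message does not mention: the removed lines called `ovs_ct_helper()` unconditionally after `ovs_ct_update_key()`, whereas the new `if (ct && ...)` guard skips the helper entirely for packets that conntrack left with skb->nfct unset (the invalid-packet case the first hunk's comment describes). Skipping the helper there is reasonable, but a sentence in the commit message covering it would help review. Minor points in the same hunk: "commiting" in the added comment should be "committing", and `ctinfo` is only written by `nf_ct_get(skb, &ctinfo)` and never read here, which is fine if the following NAT patch uses it but otherwise deserves a note.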