From patchwork Sat Nov 7 00:06:07 2015
X-Patchwork-Submitter: Jarno Rajahalme
X-Patchwork-Id: 541187
From: Jarno Rajahalme
To: netdev@vger.kernel.org
Cc: dev@openvswitch.org, netfilter-devel@vger.kernel.org
Date: Fri, 6 Nov 2015 16:06:07 -0800
Subject: [ovs-dev] [RFC PATCH net-next v2 7/8] openvswitch: Delay conntrack helper call for new connections.
Message-Id: <1446854768-38299-8-git-send-email-jrajahalme@nicira.com>
In-Reply-To: <1446854768-38299-1-git-send-email-jrajahalme@nicira.com>
References: <1446854768-38299-1-git-send-email-jrajahalme@nicira.com>
X-Mailer: git-send-email 2.1.4

There is no need to help connections that are not confirmed, so we can delay helping new connections to the time when they are confirmed. This change is needed for NAT support, and having this as a separate patch will make the following NAT patch a bit easier to review.

Signed-off-by: Jarno Rajahalme
---
 net/openvswitch/conntrack.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 7aa38fa..ba44287 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -458,6 +458,7 @@ static bool skb_nfct_cached(struct net *net, /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if * not done already. Update key with new CT state after passing the packet * through conntrack. + * Note that invalid packets are accepted while the skb->nfct remains unset! */ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, @@ -468,7 +469,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, * actually run the packet through conntrack twice unless it's for a * different zone. */ - if (!skb_nfct_cached(net, key, info, skb)) { + bool cached = skb_nfct_cached(net, key, info, skb); + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + + if (!cached) { struct nf_conn *tmpl = info->ct; int err; @@ -491,11 +496,16 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, return -ENOENT; ovs_ct_update_key(skb, key, true); + } - if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { - WARN_ONCE(1, "helper rejected packet"); - return -EINVAL; - } + /* Call the helper right after nf_conntrack_in() for confirmed + * connections, but only when commiting for unconfirmed connections. + */ + ct = nf_ct_get(skb, &ctinfo); + if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) + && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; } return 0;
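Review bot: the new comment in the first hunk ("Note that invalid packets are accepted while the skb->nfct remains unset!") states the contract but not its consequence for callers: after __ovs_ct_lookup() returns 0, nf_ct_get() may still yield a NULL ct, which is exactly why the helper call added in the third hunk is guarded by `ct &&`. Suggest saying so in the comment, e.g. "... remains unset, so code after the lookup must handle a NULL ct.", and dropping the exclamation mark to match the tone of the surrounding comment block.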
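Review bot: in the second hunk the three new declarations (`bool cached = ...`, `enum ip_conntrack_info ctinfo;`, `struct nf_conn *ct;`) are inserted between the existing comment block ending "... different zone. */" and the `if (!cached) {` that the comment explains, so the comment no longer sits next to the statement it documents. Suggest moving the declarations above the comment (at the top of the function body) so the comment stays adjacent to `if (!cached)`; that also keeps the one declaration with a function-call initialiser away from the logic it gates.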
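Review bot: typo in the new comment in the third hunk, "commiting" should be "committing". More substantively, the ternary `nf_ct_is_confirmed(ct) ? !cached : info->commit` packs two separate rules into one condition and the comment only paraphrases it; since the commit message says this is groundwork for the NAT patch, it would help that review to spell out why each gate is safe: for a confirmed connection `!cached` skips the helper because it already ran when this skb first went through conntrack in this zone, and for an unconfirmed connection the helper is deferred to the commit action so it runs on the packet that will actually confirm the connection. A two-line comment to that effect above the `if` would make the expression self-explanatory.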