From patchwork Wed Sep 16 17:33:05 2020
X-Patchwork-Submitter: Gregory Rose
X-Patchwork-Id: 1365682
From: Greg Rose
To: dev@openvswitch.org
Date: Wed, 16 Sep 2020 10:33:05 -0700
Message-Id: <20200916173311.30956-19-gvrose8192@gmail.com>
In-Reply-To: <20200916173311.30956-1-gvrose8192@gmail.com>
References: <20200916173311.30956-1-gvrose8192@gmail.com>
Subject: [ovs-dev] [PATCH V3 18/24] datapath: support asymmetric conntrack

From: Aaron Conole

Upstream commit:
    commit 5d50aa83e2c8e91ced2cca77c198b468ca9210f4
    Author: Aaron Conole
    Date: Tue Dec 3 16:34:13 2019 -0500

    openvswitch: support asymmetric conntrack

    The openvswitch module shares a common conntrack and NAT infrastructure
    exposed via netfilter. It's possible that a packet needs both SNAT and
    DNAT manipulation, due to e.g. tuple collision. Netfilter can support
    this because it runs through the NAT table twice - once on ingress and
    again after egress. The openvswitch module doesn't have such capability.

    Like netfilter hook infrastructure, we should run through NAT twice to
    keep the symmetry.

    Fixes: 05752523e565 ("openvswitch: interface with nat.")
    Signed-off-by: Aaron Conole
    Signed-off-by: David S. Miller

Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
Cc: Aaron Conole
Acked-by: Aaron Conole
Signed-off-by: Greg Rose
Acked-by: Yi-Hung Wei
--- datapath/conntrack.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 5b4d6cce0..c7a318baf 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -978,6 +978,17 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, } err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype); + if (err == NF_ACCEPT && + ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, + maniptype); + } + /* Mark NAT done if successful and update the flow key. */ if (err == NF_ACCEPT) ovs_nat_update_key(key, skb, maniptype);
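
Review bot: in the "Mark NAT done if successful" block at the end of the hunk, ovs_nat_update_key(key, skb, maniptype) is still called only once, and by then the new branch has flipped maniptype, so when both IPS_SRC_NAT and IPS_DST_NAT are set the key update sees only the second manipulation type. If ovs_nat_update_key() refreshes the key fields per manipulation type (its body is not part of this hunk), the first ovs_ct_nat_execute() pass rewrites the skb without the flow key reflecting it, and later flow lookups and matches would use stale addresses or ports. Consider calling ovs_nat_update_key() after each successful ovs_ct_nat_execute(), passing the maniptype used for that call. Separately, writing the flag tests as (ct->status & IPS_SRC_NAT) && (ct->status & IPS_DST_NAT) would make the condition easier to read without changing its meaning.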