From patchwork Fri Dec 20 17:51:08 2019
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 1214247
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Fri, 20 Dec 2019 09:51:08 -0800
Message-Id: <1576864268-130410-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH] conntrack: Fix conntrack new state

In a connection tracking system, a connection is established if we see
packets from both directions. However, in the userspace datapath's
conntrack, if we send a connection setup packet in one direction twice,
it will make the connection be in the established state.

This patch fixes the aforementioned issue, and adds a system traffic test
for UDP and TCP traffic to avoid regression.

Fixes: a489b16854b59 ("conntrack: New userspace connection tracker.")
Signed-off-by: Yi-Hung Wei
---
Travis CI: https://travis-ci.org/YiHungWei/ovs/builds/627518780
---
 lib/conntrack-other.c   |  4 +++-
 lib/conntrack-private.h |  1 +
 lib/conntrack-tcp.c     | 15 ++++++++++-----
 lib/conntrack.c         |  3 +++
 tests/system-traffic.at | 41 +++++++++++++++++++++++++++++++++++++++++
 5 files changed, 58 insertions(+), 6 deletions(-)

diff --git a/lib/conntrack-other.c b/lib/conntrack-other.c
index 932f2f4ad9c6..de22ef87cc19 100644
--- a/lib/conntrack-other.c
+++ b/lib/conntrack-other.c
@@ -47,16 +47,18 @@ other_conn_update(struct conntrack *ct, struct conn *conn_, struct dp_packet *pkt OVS_UNUSED, bool reply, long long now) { struct conn_other *conn = conn_other_cast(conn_); + enum ct_update_res ret = CT_UPDATE_VALID; if (reply && conn->state != OTHERS_BIDIR) { conn->state = OTHERS_BIDIR; } else if (conn->state == OTHERS_FIRST) { conn->state = OTHERS_MULTIPLE; + ret = CT_UPDATE_VALID_NEW; } conn_update_expiration(ct, &conn->up, other_timeouts[conn->state], now); - return CT_UPDATE_VALID; + return ret; } static bool diff --git a/lib/conntrack-private.h b/lib/conntrack-private.h index b04e4cd77542..9a8ca3910157 100644 --- a/lib/conntrack-private.h +++ b/lib/conntrack-private.h @@ -124,6 +124,7 @@ enum ct_update_res { CT_UPDATE_INVALID, CT_UPDATE_VALID, CT_UPDATE_NEW, + CT_UPDATE_VALID_NEW, }; /* Timeouts: all the possible timeout states passed to update_expiration() diff --git a/lib/conntrack-tcp.c b/lib/conntrack-tcp.c index 47eb8e20346f..416cb769d22f 100644 --- a/lib/conntrack-tcp.c +++ b/lib/conntrack-tcp.c @@ -181,11 +181,16 @@ tcp_conn_update(struct conntrack *ct, struct conn *conn_, return CT_UPDATE_INVALID; } - if (((tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN) - && dst->state >= CT_DPIF_TCPS_FIN_WAIT_2 - && src->state >= CT_DPIF_TCPS_FIN_WAIT_2) { - src->state = dst->state = CT_DPIF_TCPS_CLOSED; - return CT_UPDATE_NEW; + if ((tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN) { + if (dst->state >= CT_DPIF_TCPS_FIN_WAIT_2 + && src->state >= CT_DPIF_TCPS_FIN_WAIT_2) { + src->state = dst->state = CT_DPIF_TCPS_CLOSED; + return CT_UPDATE_NEW; + } else if (src->state <= CT_DPIF_TCPS_SYN_SENT) { + src->state = CT_DPIF_TCPS_SYN_SENT; + conn_update_expiration(ct, &conn->up, CT_TM_TCP_FIRST_PACKET, now); + return CT_UPDATE_NEW; + } } if (src->wscale & CT_WSCALE_FLAG diff --git a/lib/conntrack.c b/lib/conntrack.c index b80080e72bf8..eb3790a9aecb 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c 
@@ -1110,6 +1110,9 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, ovs_mutex_unlock(&ct->ct_lock); create_new_conn = true; break; + case CT_UPDATE_VALID_NEW: + pkt->md.ct_state |= CS_NEW; + break; default: OVS_NOT_REACHED(); } diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 0fb7aacfa14e..4a39c929c207 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -2290,6 +2290,47 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - new connections]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +AT_DATA([flows1.txt], [dnl +table=0, priority=1,action=drop +table=0, priority=10,arp,action=normal +table=0, priority=100,tcp,action=ct(table=1) +table=0, priority=100,udp,action=ct(table=1) +table=1, priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit) +table=1, priority=100,in_port=1,udp,ct_state=+trk+new,action=ct(commit) +table=1, priority=100,in_port=1,ct_state=+trk+est,action=2 +table=1, priority=100,in_port=2,ct_state=+trk+est,action=1 +]) + +ovs-appctl vlog/set dbg + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt]) + +dnl TCP traffic from ns0 to ns1 should fail. +OVS_START_L7([at_ns1], [http]) +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4]) + +dnl Send UDP packet on port 1 twice. +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"]) +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"]) + +dnl There should not be any packet that matches the established ct_state. +AT_CHECK([ovs-ofctl dump-flows br0 "table=1 in_port=1,ct_state=+trk+est" | ofctl_strip], [0], [dnl +NXST_FLOW reply: + table=1, priority=100,ct_state=+est+trk,in_port=1 actions=output:2 +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_SETUP([conntrack - ICMP related]) AT_SKIP_IF([test $HAVE_NC = no]) CHECK_CONNTRACK()
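Review bot: in the lib/conntrack-other.c hunk, only the OTHERS_FIRST -> OTHERS_MULTIPLE transition returns CT_UPDATE_VALID_NEW; once the connection is in OTHERS_MULTIPLE, a third (fourth, ...) original-direction datagram with still no reply falls through to `return ret;` with ret = CT_UPDATE_VALID, the same value the pre-patch code returned for the second datagram and which the commit message says yields the established state. If the intended rule is the one in the commit message (established only once both directions are seen), the non-reply branch should report new for every state short of OTHERS_BIDIR, e.g.
    } else if (conn->state != OTHERS_BIDIR) {
        conn->state = OTHERS_MULTIPLE;
        ret = CT_UPDATE_VALID_NEW;
(re-assigning OTHERS_MULTIPLE is harmless); otherwise a comment saying why the third one-directional packet counts as established would help.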
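Review bot: the new CT_UPDATE_VALID_NEW enumerator in lib/conntrack-private.h is undocumented, and its name is close enough to CT_UPDATE_NEW that the difference (CT_UPDATE_NEW discards the connection and goes down the create_new_conn = true path visible in the lib/conntrack.c hunk; CT_UPDATE_VALID_NEW keeps the connection and only flags the packet CS_NEW) is not obvious to a reader of the enum. A one-line comment on each value, e.g. `CT_UPDATE_VALID_NEW, /* Packet valid; keep the conn but mark the pkt CS_NEW. */`, would make the contract clear to the next per-protocol updater.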
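Review bot: in the new `else if (src->state <= CT_DPIF_TCPS_SYN_SENT)` branch of the lib/conntrack-tcp.c hunk, `src->state = CT_DPIF_TCPS_SYN_SENT;` and `conn_update_expiration(ct, &conn->up, CT_TM_TCP_FIRST_PACKET, now);` are immediately followed by `return CT_UPDATE_NEW;`, which in the lib/conntrack.c caller takes the create_new_conn = true path visible in that hunk, i.e. the connection just updated is discarded and re-created from this packet. Either the two updates on the old connection are dead work and can be dropped, or the branch meant to keep the connection (a retransmitted SYN on a half-open connection) and should return the CT_UPDATE_VALID_NEW value this patch introduces; please pick one and state it in a comment, since the two outcomes differ in whether whatever the old entry had recorded survives.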
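Review bot: the new `case CT_UPDATE_VALID_NEW:` in lib/conntrack.c ORs CS_NEW into pkt->md.ct_state without clearing CS_ESTABLISHED or setting CS_REPLY_DIR, so it is correct only under the assumption that every producer of CT_UPDATE_VALID_NEW returns it for an original-direction packet on which no established bit is set, which is what other_conn_update() does in this patch. A short comment stating that assumption next to the case (or a `pkt->md.ct_state &= ~CS_ESTABLISHED;` to make the case self-contained) would keep it safe when a second producer is added.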
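Review bot: the new "conntrack - new connections" test in tests/system-traffic.at sends the UDP packet-out only twice, so it never drives the connection past OTHERS_MULTIPLE; a third identical `ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=... actions=resubmit(,0)"` before the dump-flows check would also cover the third one-directional datagram, and the existing expectation (the `ct_state=+trk+est` flow printed with no n_packets counter after ofctl_strip) would catch it if it were reported as established. Separately, `ovs-appctl vlog/set dbg` looks like a leftover debugging aid and should be dropped unless the test depends on the extra logging.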
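The following is an added example, not code from this patch or from Open vSwitch: a stand-alone C model of the non-TCP ("other") state update the commit message describes, with the pre-patch and post-patch updater bodies side by side and a simplified stand-in for the ct_state bits the caller derives from the return value. Only the two updater bodies follow the hunk; the CS_* bit values, ct_state_for(), ct_state_of(), the two packet sequences and the scenario_* helpers are assumptions constructed for this example. It shows why a flow that only forwards +est traffic could be matched by the second one-direction datagram before the fix, and that with the hunk as posted a third unanswered datagram is still reported as established.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model only: names mirror lib/conntrack-private.h, values are assumed. */
enum other_state { OTHERS_FIRST, OTHERS_MULTIPLE, OTHERS_BIDIR };
enum ct_update_res { CT_UPDATE_INVALID, CT_UPDATE_VALID, CT_UPDATE_NEW,
                     CT_UPDATE_VALID_NEW };

#define CS_NEW         (1u << 0)   /* assumed bit layout for this model */
#define CS_ESTABLISHED (1u << 1)
#define CS_REPLY_DIR   (1u << 2)
#define CS_TRACKED     (1u << 3)
#define CS_INVALID     (1u << 4)

struct conn_other { enum other_state state; };

/* Pre-patch logic: every accepted packet yields CT_UPDATE_VALID, so the
 * second original-direction datagram is already reported as established. */
static enum ct_update_res
other_conn_update_before(struct conn_other *conn, bool reply)
{
    if (reply && conn->state != OTHERS_BIDIR) {
        conn->state = OTHERS_BIDIR;
    } else if (conn->state == OTHERS_FIRST) {
        conn->state = OTHERS_MULTIPLE;
    }
    return CT_UPDATE_VALID;
}

/* Post-patch logic: the FIRST -> MULTIPLE transition is reported as new. */
static enum ct_update_res
other_conn_update_after(struct conn_other *conn, bool reply)
{
    enum ct_update_res ret = CT_UPDATE_VALID;

    if (reply && conn->state != OTHERS_BIDIR) {
        conn->state = OTHERS_BIDIR;
    } else if (conn->state == OTHERS_FIRST) {
        conn->state = OTHERS_MULTIPLE;
        ret = CT_UPDATE_VALID_NEW;
    }
    return ret;
}

/* Assumed simplification of how the caller turns the result into ct_state:
 * VALID -> +est (+rpl for a reply), VALID_NEW/NEW -> +new, INVALID -> inv. */
static unsigned
ct_state_for(enum ct_update_res res, bool reply)
{
    unsigned st = CS_TRACKED;

    switch (res) {
    case CT_UPDATE_VALID:
        st |= CS_ESTABLISHED;
        if (reply) st |= CS_REPLY_DIR;
        break;
    case CT_UPDATE_VALID_NEW:
    case CT_UPDATE_NEW:            /* never produced by the "other" updater */
        st |= CS_NEW;
        break;
    case CT_UPDATE_INVALID:
        st = CS_INVALID;
        break;
    }
    return st;
}

/* Feed packets 0..idx of a constructed sequence (reply[i] = direction of
 * packet i) through the model; packet 0 creates the connection and is +new.
 * Returns the ct_state of packet idx. */
static unsigned
ct_state_of(const bool *reply, int n, int idx, bool fixed)
{
    struct conn_other conn = { OTHERS_FIRST };
    unsigned st = 0;

    for (int i = 0; i < n && i <= idx; i++) {
        if (i == 0) { st = CS_TRACKED | CS_NEW; continue; }
        enum ct_update_res res = fixed ? other_conn_update_after(&conn, reply[i])
                                       : other_conn_update_before(&conn, reply[i]);
        st = ct_state_for(res, reply[i]);
    }
    return st;
}

/* Constructed scenario A: the setup datagram sent twice, then one reply. */
static unsigned
scenario_orig_orig_reply(int idx, bool fixed)
{
    static const bool reply[] = { false, false, true };
    return ct_state_of(reply, 3, idx, fixed);
}

/* Constructed scenario B: three datagrams in one direction, never answered. */
static unsigned
scenario_orig_orig_orig(int idx, bool fixed)
{
    static const bool reply[] = { false, false, false };
    return ct_state_of(reply, 3, idx, fixed);
}

/* What a flow like "ct_state=+trk+est,actions=output:2" matches on. */
static bool
matches_est_rule(unsigned st)
{
    return (st & (CS_TRACKED | CS_ESTABLISHED)) == (CS_TRACKED | CS_ESTABLISHED);
}

static const char *
describe(unsigned st)
{
    if (st & CS_ESTABLISHED) return (st & CS_REPLY_DIR) ? "+est+rpl" : "+est";
    return (st & CS_NEW) ? "+new" : "-";
}

int
main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        printf("%s:", fixed ? "after patch " : "before patch");
        for (int i = 0; i < 3; i++) {
            printf(" pkt%d=%s", i, describe(scenario_orig_orig_reply(i, fixed)));
        }
        printf("\n");
    }
    return 0;
}
```

Running it prints "before patch: pkt0=+new pkt1=+est pkt2=+est+rpl" and "after patch : pkt0=+new pkt1=+new pkt2=+est+rpl". In scenario B the fixed model still reports the third datagram as +est, which is the residual gap a reviewer would want covered by a third packet-out in the test.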