From patchwork Mon Dec 11 10:51:01 2023
X-Patchwork-Submitter: Viacheslav Galaktionov
X-Patchwork-Id: 1874447
X-Patchwork-Delegate: aconole@redhat.com
To: dev@openvswitch.org
Date: Mon, 11 Dec 2023 12:51:01 +0200
Message-ID:
<20231211105103.30812-1-viacheslav.galaktionov@arknetworks.am>
Subject: [ovs-dev] [PATCH v5 1/3] lib/conntrack: Only use given packet in protocol detection.
From: Viacheslav Galaktionov

The current protocol detection logic relies on two pieces of metadata passed as arguments: tp_src and tp_dst, which represent the L4 source and destination port numbers from the flow that triggered the current flow rule first, and was responsible for creating the current DP flow.

Since multiple network flows of many different kinds, potentially using different protocols on all layers, can be processed by one flow rule, using the metadata of some unrelated flow might lead to unexpected results. For example, ICMP type and code can be interpreted as TCP source and destination ports. This can confuse the code responsible for the helper selection, leading to errors in traffic handling and incorrect detection of related flows.

One of the easiest ways to fix this problem is to simply remove the tp_src and tp_dst parameters from the picture. The current code base has no good use for them.

The helper selection logic was based on these values and therefore needs to be changed. Ensure that the helper specified in a flow rule is used, given it is compatible with the L4 protocol of the packet. When a flow rule does not specify a helper, one can still be picked using the given packet's metadata like TCP/UDP ports.

Signed-off-by: Viacheslav Galaktionov --- lib/conntrack.c | 40 +++++++++++++++++----------------------- lib/conntrack.h | 2 +- lib/dpif-netdev.c | 5 ++--- tests/test-conntrack.c | 6 +++--- 4 files changed, 23 insertions(+), 30 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 71c470661..9bb3c17f8 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -657,8 +657,7 @@ is_ftp_ctl(const enum ct_alg_ctl_type ct_alg_ctl) } static enum ct_alg_ctl_type -get_alg_ctl_type(const struct dp_packet *pkt, ovs_be16 tp_src, ovs_be16 tp_dst, - const char *helper) +get_alg_ctl_type(const struct dp_packet *pkt, const char *helper) { /* CT_IPPORT_FTP/TFTP is used because IPPORT_FTP/TFTP in not defined * in OSX, at least in in.h. Since these values will never change, remove 
@@ -668,26 +667,24 @@ get_alg_ctl_type(const struct dp_packet *pkt, ovs_be16 tp_src, ovs_be16 tp_dst, uint8_t ip_proto = get_ip_proto(pkt); struct udp_header *uh = dp_packet_l4(pkt); struct tcp_header *th = dp_packet_l4(pkt); - ovs_be16 ftp_src_port = htons(CT_IPPORT_FTP); - ovs_be16 ftp_dst_port = htons(CT_IPPORT_FTP); - ovs_be16 tftp_dst_port = htons(CT_IPPORT_TFTP); + ovs_be16 ftp_port = htons(CT_IPPORT_FTP); + ovs_be16 tftp_port = htons(CT_IPPORT_TFTP); - if (OVS_UNLIKELY(tp_dst)) { - if (helper && !strncmp(helper, "ftp", strlen("ftp"))) { - ftp_dst_port = tp_dst; - } else if (helper && !strncmp(helper, "tftp", strlen("tftp"))) { - tftp_dst_port = tp_dst; + if (helper) { + if ((ip_proto == IPPROTO_TCP) && + !strncmp(helper, "ftp", strlen("ftp"))) { + return CT_ALG_CTL_FTP; } - } else if (OVS_UNLIKELY(tp_src)) { - if (helper && !strncmp(helper, "ftp", strlen("ftp"))) { - ftp_src_port = tp_src; + if ((ip_proto == IPPROTO_UDP) && + !strncmp(helper, "tftp", strlen("tftp"))) { + return CT_ALG_CTL_TFTP; } } - if (ip_proto == IPPROTO_UDP && uh->udp_dst == tftp_dst_port) { + if (ip_proto == IPPROTO_UDP && uh->udp_dst == tftp_port) { return CT_ALG_CTL_TFTP; } else if (ip_proto == IPPROTO_TCP && - (th->tcp_src == ftp_src_port || th->tcp_dst == ftp_dst_port)) { + (th->tcp_src == ftp_port || th->tcp_dst == ftp_port)) { return CT_ALG_CTL_FTP; } return CT_ALG_CTL_NONE; @@ -1229,8 +1226,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, bool force, bool commit, long long now, const uint32_t *setmark, const struct ovs_key_ct_labels *setlabel, const struct nat_action_info_t *nat_action_info, - ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper, - uint32_t tp_id) + const char *helper, uint32_t tp_id) { /* Reset ct_state whenever entering a new zone. */ if (pkt->md.ct_state && pkt->md.ct_zone != zone) { 
@@ -1251,8 +1247,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, conn = NULL; } - enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, tp_src, tp_dst, - helper); + enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, helper); if (OVS_LIKELY(conn)) { if (OVS_LIKELY(!conn_update_state_alg(ct, pkt, ctx, conn, @@ -1329,7 +1324,7 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, ovs_be16 dl_type, bool force, bool commit, uint16_t zone, const uint32_t *setmark, const struct ovs_key_ct_labels *setlabel, - ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper, + const char *helper, const struct nat_action_info_t *nat_action_info, long long now, uint32_t tp_id) { @@ -1345,7 +1340,7 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, write_ct_md(packet, zone, NULL, NULL, NULL); } else if (conn && conn->key_node[CT_DIR_FWD].key.zone == zone && !force && - !get_alg_ctl_type(packet, tp_src, tp_dst, helper)) { + !get_alg_ctl_type(packet, helper)) { process_one_fast(zone, setmark, setlabel, nat_action_info, conn, packet); } else if (OVS_UNLIKELY(!conn_key_extract(ct, packet, dl_type, &ctx, @@ -1354,8 +1349,7 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, write_ct_md(packet, zone, NULL, NULL, NULL); } else { process_one(ct, packet, &ctx, zone, force, commit, now, setmark, - setlabel, nat_action_info, tp_src, tp_dst, helper, - tp_id); + setlabel, nat_action_info, helper, tp_id); } } diff --git a/lib/conntrack.h b/lib/conntrack.h index 18c182f85..0a888be45 100644 --- a/lib/conntrack.h +++ b/lib/conntrack.h 
@@ -92,7 +92,7 @@ int conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, ovs_be16 dl_type, bool force, bool commit, uint16_t zone, const uint32_t *setmark, const struct ovs_key_ct_labels *setlabel, - ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper, + const char *helper, const struct nat_action_info_t *nat_action_info, long long now, uint32_t tp_id); void conntrack_clear(struct dp_packet *packet); diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c index 9a59a1b03..db37d56b2 100644 --- a/lib/dpif-netdev.c +++ b/lib/dpif-netdev.c @@ -9232,9 +9232,8 @@ dp_execute_cb(void *aux_, struct dp_packet_batch *packets_, } conntrack_execute(dp->conntrack, packets_, aux->flow->dl_type, force, - commit, zone, setmark, setlabel, aux->flow->tp_src, - aux->flow->tp_dst, helper, nat_action_info_ref, - pmd->ctx.now / 1000, tp_id); + commit, zone, setmark, setlabel, helper, + nat_action_info_ref, pmd->ctx.now / 1000, tp_id); break; } diff --git a/tests/test-conntrack.c b/tests/test-conntrack.c index 24c93e4a4..292b6c048 100644 --- a/tests/test-conntrack.c +++ b/tests/test-conntrack.c @@ -91,7 +91,7 @@ ct_thread_main(void *aux_) ovs_barrier_block(&barrier); for (i = 0; i < n_pkts; i += batch_size) { conntrack_execute(ct, pkt_batch, dl_type, false, true, 0, NULL, NULL, - 0, 0, NULL, NULL, now, 0); + NULL, NULL, now, 0); DP_PACKET_BATCH_FOR_EACH (j, pkt, pkt_batch) { pkt_metadata_init_conn(&pkt->md); } @@ -178,7 +178,7 @@ pcap_batch_execute_conntrack(struct conntrack *ct_, if (flow.dl_type != dl_type) { conntrack_execute(ct_, &new_batch, dl_type, false, true, 0, - NULL, NULL, 0, 0, NULL, NULL, now, 0); + NULL, NULL, NULL, NULL, now, 0); dp_packet_batch_init(&new_batch); } dp_packet_batch_add(&new_batch, packet); 
@@ -186,7 +186,7 @@ pcap_batch_execute_conntrack(struct conntrack *ct_, if (!dp_packet_batch_is_empty(&new_batch)) { conntrack_execute(ct_, &new_batch, dl_type, false, true, 0, NULL, NULL, - 0, 0, NULL, NULL, now, 0); + NULL, NULL, now, 0); } }

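Review bot: in the get_alg_ctl_type hunk of lib/conntrack.c, a rule helper that does not match the packet's L4 protocol (alg=ftp on a UDP packet, alg=tftp on a TCP one) is silently ignored and control falls through to the port-based checks, so the packet can still be classified as CT_ALG_CTL_FTP or CT_ALG_CTL_TFTP from the standard FTP/TFTP ports even though the rule asked for a different helper. The commit message only says the helper is used when it is compatible with the L4 protocol; either return CT_ALG_CTL_NONE at the end of the `if (helper)` block when neither branch matches, so the rule's helper stays authoritative, or add a comment stating that the port-based fallback is intentional.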
To: dev@openvswitch.org
Date: Mon, 11 Dec 2023 12:51:02 +0200
Message-ID: <20231211105103.30812-2-viacheslav.galaktionov@arknetworks.am>
In-Reply-To: <20231211105103.30812-1-viacheslav.galaktionov@arknetworks.am>
References: <20231211105103.30812-1-viacheslav.galaktionov@arknetworks.am>
Subject: [ovs-dev] [PATCH v5 2/3] conntrack: Use helpers from committed connections.
From: Viacheslav Galaktionov

When a packet hits a flow rule without an explicitly specified helper, OvS has to rely on automatic application layer gateway detection to find related connections. This works as long as services are running on their standard ports, e.g. when FTP servers use TCP port 21.

However, sometimes it's necessary to run services on non-standard ports. In that case, there is no way for OvS to guess which protocol is used within a given flow. Of course, this means that no related connections can be recognized.

When a connection is committed with a particular helper, it's reasonable to assume this helper will be used in subsequent CT actions, as long as they don't override it. Achieve this behaviour by using the committed connection's helper when a flow rule does not specify one.

Signed-off-by: Viacheslav Galaktionov
Acked-by: Ivan Malov
--- Documentation/faq/releases.rst | 1 + NEWS | 3 +++ lib/conntrack.c | 9 +++++++++ 3 files changed, 13 insertions(+) diff --git a/Documentation/faq/releases.rst b/Documentation/faq/releases.rst index 362bf4ec7..aa69eefa1 100644
--- a/Documentation/faq/releases.rst +++ b/Documentation/faq/releases.rst @@ -140,6 +140,7 @@ Q: Are all features available with all datapaths? Conntrack Zone Limit 4.18 2.10 2.13 YES Conntrack NAT 4.6 2.6 2.8 YES Conntrack NAT6 4.6 2.6 2.8 3.0 + Conntrack Helper Persist. YES YES 3.2 NO Tunnel - LISP NO 2.11 NO NO Tunnel - STT NO 2.4 NO YES Tunnel - GRE 3.11 1.0 2.4 YES diff --git a/NEWS b/NEWS index 63f2842ae..595b5e974 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,9 @@ Post-v3.2.0 * Added support for Generic Segmentation Offloading for the cases where TSO is enabled but not supported by an egress interface (except for tunnel interfaces). + * The userspace conntrack module no longer requires the user to specify + connection helpers in all flow rules. Instead, the helper specified + during connection commit will be used by default. v3.2.0 - 17 Aug 2023 diff --git a/lib/conntrack.c b/lib/conntrack.c index 9bb3c17f8..013709bd6 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -1247,6 +1247,10 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, conn = NULL; } + if (conn && helper == NULL) { + helper = conn->alg; + } + enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, helper); if (OVS_LIKELY(conn)) { 
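Review bot: in the Documentation/faq/releases.rst hunk, the userspace column for "Conntrack Helper Persist." says 3.2, but the NEWS hunk in the same patch adds the feature under "Post-v3.2.0" (the same hunk shows v3.2.0 dated 17 Aug 2023), so the table claims the feature exists in a release that already shipped without it; use the number of the next release instead. Minor: the neighbouring rows spell their feature names out ("Conntrack Zone Limit", "Conntrack NAT"), so "Conntrack Helper Persistence" would match the column's style better than the abbreviation.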
@@ -1336,6 +1340,11 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, DP_PACKET_BATCH_FOR_EACH (i, packet, pkt_batch) { struct conn *conn = packet->md.conn; + + if (helper == NULL && conn != NULL) { + helper = conn->alg; + } + if (OVS_UNLIKELY(packet->md.ct_state == CS_INVALID)) { write_ct_md(packet, zone, NULL, NULL, NULL); } else if (conn &&

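Review bot: in the conntrack_execute hunk, `helper = conn->alg` assigns to the function parameter from inside DP_PACKET_BATCH_FOR_EACH, so once the first packet with a committed connection sets it, every later packet in the same batch inherits that helper even if it belongs to a different connection or to none, and the `helper == NULL` test never fires again for the rest of the batch. Keep the rule's helper intact and derive a per-packet value instead, e.g. `const char *pkt_helper = helper ? helper : (conn ? conn->alg : NULL);`, and pass that to get_alg_ctl_type and process_one (the process_one hunk above already performs the same conn->alg lookup on its own, so with a per-packet value that duplicate could go).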
To: dev@openvswitch.org
Date: Mon, 11 Dec 2023 12:51:03 +0200
Message-ID: <20231211105103.30812-3-viacheslav.galaktionov@arknetworks.am>
In-Reply-To: <20231211105103.30812-1-viacheslav.galaktionov@arknetworks.am>
References: <20231211105103.30812-1-viacheslav.galaktionov@arknetworks.am>
Subject: [ovs-dev] [PATCH v5 3/3] system-traffic.at: Test conntrack + FTP server running on a non-standard port.
From: Viacheslav Galaktionov

All existing test iterations assume that the FTP server is running on a standard port, which may not always be the case. These tests helped find problems in conntrack alg processing with non-standard ports.

Perform the necessary adjustments to ensure the test suite can start the L7 server on a user-provided port.

Signed-off-by: Viacheslav Galaktionov
--- tests/system-common-macros.at | 15 +++-- tests/system-traffic.at | 106 ++++++++++++++++++++++++++++++++++ tests/test-l7.py | 4 ++ 3 files changed, 120 insertions(+), 5 deletions(-) diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index 0113aae8b..91c928cca 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at
@@ -276,18 +276,23 @@ m4_define([NETNS_DAEMONIZE], m4_define([OVS_CHECK_FIREWALL], [AT_SKIP_IF([systemctl status firewalld 2>&1 | grep running > /dev/null])]) -# OVS_START_L7([namespace], [protocol]) +# OVS_START_L7([namespace], [protocol], [port]) # -# Start a server serving 'protocol' within 'namespace'. The server will exit -# when the test finishes. +# Start a server serving 'protocol' on port 'port' within 'namespace'. +# If 'port' is not specified, the standard one for 'protocol' will be used. +# The server will exit when the test finishes. # m4_define([OVS_START_L7], [PIDFILE=$(mktemp $2XXX.pid) - NETNS_DAEMONIZE([$1], [[$PYTHON3 $srcdir/test-l7.py $2]], [$PIDFILE]) + NETNS_DAEMONIZE([$1], [[$PYTHON3 $srcdir/test-l7.py $2 $3]], [$PIDFILE]) dnl netstat doesn't print http over IPv6 as "http6"; drop the number. PROTO=$(echo $2 | sed -e 's/\([[a-zA-Z]]*\).*/\1/') - OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -l | grep $PROTO])]) + if test -z "$3"; then + OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -l | grep $PROTO])]) + else + OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -ln | grep :$3])]) + fi ] ) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 69ba6a18a..a627342a7 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -5585,6 +5585,112 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - FTP non-standard port]) +AT_SKIP_IF([test $HAVE_FTP = no]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_ALG() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows1.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk+rel,action=1 +]) + +dnl Similar policy but without allowing all traffic from ns0->ns1. +AT_DATA([flows2.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal + +dnl Allow outgoing TCP connections, and treat them as FTP +table=0,priority=100,in_port=1,tcp,action=ct(table=1) +table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 +table=1,in_port=1,tcp,ct_state=+trk+est,action=2 + +dnl Allow incoming FTP data connections and responses to existing connections +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1 +]) + +dnl flows3 is same as flows1, except no ALG is specified. 
+AT_DATA([flows3.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal +table=0,priority=100,in_port=1,tcp,action=ct(commit),2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk+rel,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt]) + +OVS_START_L7([at_ns0], [ftp], [11111]) +OVS_START_L7([at_ns1], [ftp], [11111]) + +dnl FTP requests from p1->p0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1:11111 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl +]) + +dnl FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +]) + +dnl Try the second set of flows. +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt]) +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl FTP requests from p1->p0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1:11111 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl +]) + +dnl Active FTP requests from p0->p1 should work fine. 
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl Passive FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +]) + +dnl Try the third set of flows, without alg specifier. +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-3.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_SETUP([conntrack - FTP with expectation dump]) AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() diff --git a/tests/test-l7.py b/tests/test-l7.py index 32a77392c..97cd4f29a 100755 --- a/tests/test-l7.py +++ b/tests/test-l7.py 
@@ -86,6 +86,8 @@ def main(): description='Run basic application servers.') parser.add_argument('proto', default='http', nargs='?', help='protocol to serve (%s)' % protocols) + parser.add_argument('port', default=0, nargs='?', + help='server port number') args = parser.parse_args() if args.proto not in protocols: @@ -95,6 +97,8 @@ def main(): constructor = SERVERS[args.proto][0] handler = SERVERS[args.proto][1] port = SERVERS[args.proto][2] + if args.port != 0: + port = args.port srv = constructor(('', port), handler) srv.serve_forever()
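Review bot: in the tests/test-l7.py hunk, the new positional `port` argument has no `type=int`, so whenever it is supplied args.port is a string; `args.port != 0` is then always true and a string is handed to `constructor(('', port), handler)` where an integer port is expected. Add `type=int` to the add_argument call so both the comparison and the server bind see an integer.

Review bot: in the tests/system-common-macros.at hunk, `netstat -ln | grep :$3` matches any listener whose address contains ":$3" as a substring (for 11111 that also covers :111110 or :111111) and, unlike the protocol-name branch it replaces for the default port, no longer narrows the match at all; anchoring the port with `grep ":$3 "` (or an equivalent end-of-field pattern) keeps OVS_WAIT_UNTIL from returning early on an unrelated socket.

Review bot: in the tests/system-traffic.at hunk, the flows3 step is introduced with "FTP control requests from p0->p1 should work fine, but helper will not be assigned" while the NS_CHECK_EXEC that follows expects wget to exit with status 4; since the conntrack dump right after shows the control connection without a helper, a comment saying that the transfer fails because the related data connection is not recognized (so the control connection is established but wget still fails) would make the expected exit status self-explanatory.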