From patchwork Wed Mar 20 21:11:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yi-Hung Wei X-Patchwork-Id: 1059558 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="Vgwb5CsF"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 44PjVS2tvmz9sQv for ; Thu, 21 Mar 2019 08:19:44 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727615AbfCTVTn (ORCPT ); Wed, 20 Mar 2019 17:19:43 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:43499 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727493AbfCTVTm (ORCPT ); Wed, 20 Mar 2019 17:19:42 -0400 Received: by mail-pg1-f196.google.com with SMTP id l11so2680265pgq.10 for ; Wed, 20 Mar 2019 14:19:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=ADwZKneDF0Gdq2+6BXPPyCG05ucrgVx9s6inktibzi0=; b=Vgwb5CsF6xQ/j2urvFnjog12LCWFOw76u735RRI/AIS6Bj0oPxF7oqZPw5XG9oFa6C VTpIxEZzbNCU1qMOvxXeQ4R3jq3R9ZOJjtSjUYKh1nRcaJUsMVg1VJuSTgd2Rm6jSYto rfZk4zBZs3YSkgbMJecdsmrLbTBm9m5l3DAOa+VDgE368xs1FARx5dbsaR47TtDcYN4i D0RLgJmiN2qm8k8fSghEFFiD3qzhof1lk+6NQ+t6bnjiKPOa3PrdNjZjuy/gZXRQeL+g jEJ7wQHzJY4xdq5NNbGOm1M8pW3AGqwFaDjbiDuV0pO7HcdE0xBSVrJuOE9dU5QwcmBk cCEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=ADwZKneDF0Gdq2+6BXPPyCG05ucrgVx9s6inktibzi0=; b=bUuCy/o65v3J5Llby/uTzf/jAdPvS76JcLUGikzIrbeA/xS8/2baAFlEWlbtPkgFPI W+Ao944CI5HirNIksS9OZJhV00uLNkpF9fw6uyqDYaUcdU/lQVOjRf7eE8zKG1bIffwM 4iwhLMot6KRrOj/kLGPY2LpQltyVwQNN1m/CEnaLXlPmwIzrk8DeqRb39D1aK0cIUBBW tQO8xeuXdLAgteAB6vD6SP8h5Er6a7FxSGrH+I3Uq22ZBoDBEnnMtq4HcTRMu2r+YIj7 Vh2iiQD+SLUD7iKPks+pj4Iw7AZPKnIy3eA7ldQOkzc/qMNeSAYvzHhSGmtD83iDlWWD ZJVQ== X-Gm-Message-State: APjAAAVQnJJMHKGmAsbpff4gJs6EukSiP5wWHDlUycep3O0yLm2LIO9C Se1WFYBnOqlG0Q/r0qc8Go1tra2/ X-Google-Smtp-Source: APXvYqxLJ4l/05dCYsbJd19YXegX/1P/bjv3NkKPmGMy4UVuWwwvFsiAQ6aJv3y5Zpe7inxiq1AWhQ== X-Received: by 2002:a17:902:b48d:: with SMTP id y13mr10141390plr.310.1553116781232; Wed, 20 Mar 2019 14:19:41 -0700 (PDT) Received: from Husky.eng.vmware.com ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id s5sm3977425pfm.184.2019.03.20.14.19.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Mar 2019 14:19:40 -0700 (PDT) From: Yi-Hung Wei To: netdev@vger.kernel.org Cc: Yi-Hung Wei , Pablo Neira Ayuso Subject: [PATCH net-next 1/2] netfilter: Export nf_ct_destroy_timeout() Date: Wed, 20 Mar 2019 14:11:34 -0700 Message-Id: <1553116295-16359-1-git-send-email-yihung.wei@gmail.com> X-Mailer: git-send-email 2.7.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This patch moves xt_ct_destroy_timeout from xt_CT.c to nf_conntrack_timeout.c, renames it to nf_ct_destroy_timeout(), and exports it. It does not contain any functional change. It would be useful for other users (i.e. OVS) that utilizes the finer-grain conntrack timeout feature. CC: Pablo Neira Ayuso Signed-off-by: Yi-Hung Wei --- include/net/netfilter/nf_conntrack_timeout.h | 1 + net/netfilter/nf_conntrack_timeout.c | 21 +++++++++++++++++++++ net/netfilter/xt_CT.c | 22 +--------------------- 3 files changed, 23 insertions(+), 21 deletions(-) 
diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
index 3394d75e1c80..5ce62fa1e1e2 100644
--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
@@ -105,4 +105,5 @@ extern struct nf_ct_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, con
 extern void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout);
 #endif
+void nf_ct_destroy_timeout(struct nf_conn *ct);
 #endif /* _NF_CONNTRACK_TIMEOUT_H */
diff --git a/net/netfilter/nf_conntrack_timeout.c b/net/netfilter/nf_conntrack_timeout.c
index 91fbd183da2d..11b7f58e7f88 100644
--- a/net/netfilter/nf_conntrack_timeout.c
+++ b/net/netfilter/nf_conntrack_timeout.c
@@ -48,6 +48,27 @@ void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout)
 }
 EXPORT_SYMBOL_GPL(nf_ct_untimeout);
+void nf_ct_destroy_timeout(struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ struct nf_conn_timeout *timeout_ext;
+ typeof(nf_ct_timeout_put_hook) timeout_put;
+
+ rcu_read_lock();
+ timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
+
+ if (timeout_put) {
+ timeout_ext = nf_ct_timeout_find(ct);
+ if (timeout_ext) {
+ timeout_put(timeout_ext->timeout);
+ RCU_INIT_POINTER(timeout_ext->timeout, NULL);
+ }
+ }
+ rcu_read_unlock();
+#endif
+}
+EXPORT_SYMBOL_GPL(nf_ct_destroy_timeout);
+
 static const struct nf_ct_ext_type timeout_extend = {
 .len = sizeof(struct nf_conn_timeout),
 .align = __alignof__(struct nf_conn_timeout),
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 0fa863f57575..14600ad731ce 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
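Review bot: nf_ct_destroy_timeout() becomes an exported, header-declared API in the nf_conntrack_timeout.c hunk but carries no kernel-doc, so the out-of-tree users the description has in mind must read the body to learn its contract: it drops the reference the conntrack's timeout extension holds on its nf_ct_timeout through nf_ct_timeout_put_hook and clears the pointer, and it is a no-op when the put hook is not registered, when the ct has no timeout extension, or when CONFIG_NF_CONNTRACK_TIMEOUT is off. A kernel-doc block above the definition stating those three no-op cases and that @ct must still be a live conntrack (the lookup dereferences it) would make the move worthwhile beyond the export itself. The body is byte-identical to the xt_CT.c version removed in the next hunk, so there is no behavioural point to raise here.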
@@ -328,26 +328,6 @@ static int xt_ct_tg_check_v2(const struct xt_tgchk_param *par)
 return xt_ct_tg_check(par, par->targinfo);
 }
-static void xt_ct_destroy_timeout(struct nf_conn *ct)
-{
-#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
- struct nf_conn_timeout *timeout_ext;
- typeof(nf_ct_timeout_put_hook) timeout_put;
-
- rcu_read_lock();
- timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
-
- if (timeout_put) {
- timeout_ext = nf_ct_timeout_find(ct);
- if (timeout_ext) {
- timeout_put(timeout_ext->timeout);
- RCU_INIT_POINTER(timeout_ext->timeout, NULL);
- }
- }
- rcu_read_unlock();
-#endif
-}
-
 static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
 struct xt_ct_target_info_v1 *info)
 {
@@ -361,7 +341,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
 nf_ct_netns_put(par->net, par->family);
- xt_ct_destroy_timeout(ct);
+ nf_ct_destroy_timeout(ct);
 nf_ct_put(info->ct);
 }
 }
From patchwork Wed Mar 20 21:11:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yi-Hung Wei X-Patchwork-Id: 1059559 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="ZrGfaePe"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 44PjVg0MjVz9sR2 for ; Thu, 21 Mar 2019 08:19:55 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727567AbfCTVTy (ORCPT ); Wed, 20 Mar 2019 17:19:54 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:43665 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727382AbfCTVTx (ORCPT ); Wed, 20 Mar 2019 17:19:53 -0400 Received: by mail-pf1-f195.google.com with SMTP id c8so2809616pfd.10 for ; Wed, 20 Mar 2019 14:19:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=jLKtFHNgIDCm5ciO3I16LSmIWzGL8Sm/u2OULgn8cJw=; b=ZrGfaePec7dnkXghxBq98LhgxyI/OlmtcN2nBuRdjgQ74JmMpP9a+j5VtdM7y11g0l BAC82rAFD30XHcZw4XIOCK34BBwWpqk6F3uspZ7THIQxxNJNGD771vbTn1aVC9AM5C9N 
BU/nb7KPSJmx9nL2Q7VA9//eb/g6rntFc9tBywk6qwzxyeqnGS6NCGPqEFj20b8wpVg7 6kNhrH9tSh5XqfcmStjkbZWLK1uOl5rnZQS+5g0gIU6H1jyOsbzz290iV98ctIPe/eVD svyDYkzwDxwouoJzwebYBnTFUL4C9gyeJ+r/wdznyDjbnMTaHHnI+rhpNXaWfUKbU9UC x7nQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=jLKtFHNgIDCm5ciO3I16LSmIWzGL8Sm/u2OULgn8cJw=; b=NVOiisC3sJWyDemma6yqw0cFlRIWsLyWOjoejDi8d9mI+OKPhYR+FtoBHdxuvIZ9Oh j6SiFaARqJRfjfFqJEhHZn4bHKbSyQ2Mr2R1mvnnZMhhY1RPKaG5RnBewbD3Xz68PgFx XkjS8hif3ahai7hYD0vAEu0aDhzerEYJ3FaIpMF+2zbQzIsNCZd2+JKIVU2JtgY8MpvC 9MWSd4jz7b2833EHZtGHU5aP88F7n80N9iEndZnFGUrJb0LAESvNs1xM7XxVj0EMLbcE csYnyHAkQkCpxnwlseKZtzhOD+ZSMSkHAqNqmILqEWYZgCyf0F3ItrMSKleNZpMlXimp kkWQ== X-Gm-Message-State: APjAAAWchXQDeWNWXd38U05SorWjxwqEbViVVvxislPFG69sWhgwP7ss VYxtWSWkDcWe0YBWszIy2K2ri0nt X-Google-Smtp-Source: APXvYqwflOHyBQrcJLnR9GiGMMJcl2koQ9HOA/r/iT4welnLf5qZH+h9fvGJDipu43OiFmL3P5xUDA== X-Received: by 2002:a17:902:20eb:: with SMTP id v40mr10616329plg.20.1553116792537; Wed, 20 Mar 2019 14:19:52 -0700 (PDT) Received: from Husky.eng.vmware.com ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id s5sm3977425pfm.184.2019.03.20.14.19.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Mar 2019 14:19:51 -0700 (PDT) 
From: Yi-Hung Wei To: netdev@vger.kernel.org Cc: Yi-Hung Wei , Pravin Shelar Subject: [PATCH net-next 2/2] openvswitch: Add timeout support to ct action Date: Wed, 20 Mar 2019 14:11:35 -0700 Message-Id: <1553116295-16359-2-git-send-email-yihung.wei@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1553116295-16359-1-git-send-email-yihung.wei@gmail.com> References: <1553116295-16359-1-git-send-email-yihung.wei@gmail.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Add support for fine-grain timeout support to conntrack action. The new OVS_CT_ATTR_TIMEOUT attribute of the conntrack action specifies a timeout to be associated with this connection. If no timeout is specified, it acts as is, that is the default timeout for the connection will be automatically applied. Example usage: $ nfct timeout add timeout_1 inet tcp syn_sent 100 established 200 $ ovs-ofctl add-flow br0 in_port=1,ip,tcp,action=ct(commit,timeout=timeout_1) CC: Pravin Shelar Signed-off-by: Yi-Hung Wei --- include/uapi/linux/openvswitch.h | 3 ++ net/openvswitch/conntrack.c | 81 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h
index dbe0cbe4f1b7..9bccc6b9ed3d 100644
--- a/include/uapi/linux/openvswitch.h
+++ b/include/uapi/linux/openvswitch.h
@@ -734,6 +734,7 @@ struct ovs_action_hash {
 * be received on NFNLGRP_CONNTRACK_NEW and NFNLGRP_CONNTRACK_DESTROY groups,
 * respectively. Remaining bits control the changes for which an event is
 * delivered on the NFNLGRP_CONNTRACK_UPDATE group.
+ * @OVS_CT_ATTR_TIMEOUT: Variable length string defining conntrack timeout.
 */
 enum ovs_ct_attr {
 OVS_CT_ATTR_UNSPEC,
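Review bot: The new kernel-doc line for OVS_CT_ATTR_TIMEOUT describes it only as a "variable length string", which in a UAPI header leaves the actual contract unstated; the parse_ct and ovs_ct_attr_lens hunks later in this patch accept a 1..CTNL_TIMEOUT_NAME_MAX byte attribute that must contain a NUL terminator, and ovs_ct_add_timeout rejects a policy whose L3/L4 protocol does not match the flow. Suggested wording: ` * @OVS_CT_ATTR_TIMEOUT: NUL-terminated name (at most CTNL_TIMEOUT_NAME_MAX bytes) of a conntrack timeout policy to apply to the connection; the policy must match the flow's L3 and L4 protocol.` The policy is presumably the one created through the cttimeout netlink interface the description's `nfct timeout add` example uses, but the relevant include name is not legible on this page, so confirm before naming it in the comment.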
@@ -746,6 +747,8 @@ enum ovs_ct_attr {
 OVS_CT_ATTR_NAT, /* Nested OVS_NAT_ATTR_* */
 OVS_CT_ATTR_FORCE_COMMIT, /* No argument */
 OVS_CT_ATTR_EVENTMASK, /* u32 mask of IPCT_* events. */
+ OVS_CT_ATTR_TIMEOUT, /* Associate timeout with this connection for
+ fine-grain timeout tuning. */
 __OVS_CT_ATTR_MAX
 };
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 1b6896896fff..10a2c73f22f2 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -73,6 +74,7 @@ struct ovs_conntrack_info {
 u32 eventmask; /* Mask of 1 << IPCT_*. */
 struct md_mark mark;
 struct md_labels labels;
+ char timeout[CTNL_TIMEOUT_NAME_MAX];
 #ifdef CONFIG_NF_NAT_NEEDED
 struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */
 #endif
@@ -1139,6 +1141,59 @@ static int ovs_ct_check_limit(struct net *net,
 }
 #endif
+static void ovs_ct_add_timeout(struct net *net, struct nf_conn *ct,
+ const char *timeout_name, u16 l3num, u8 l4num)
+{
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
+ typeof(nf_ct_timeout_put_hook) timeout_put;
+ struct nf_ct_timeout *timeout;
+ struct nf_conn_timeout *timeout_ext;
+
+ rcu_read_lock();
+ timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
+ if (!timeout_find_get) {
+ net_info_ratelimited("Timeout policy base is empty");
+ goto out;
+ }
+
+ timeout = timeout_find_get(net, timeout_name);
+ if (!timeout) {
+ net_info_ratelimited("No such timeout policy \"%s\"\n",
+ timeout_name);
+ goto out;
+ }
+
+ if (timeout->l3num != l3num) {
+ net_info_ratelimited("Timeout policy `%s' can only be used by "
+ "L3 protocol number %d\n", timeout_name,
+ timeout->l3num);
+ goto err_put_timeout;
+ }
+
+ if (timeout->l4proto->l4proto != l4num) {
+ net_info_ratelimited("Timeout policy `%s' can only be used by "
+ "L4 protocol number %d\n", timeout_name,
+ timeout->l4proto->l4proto);
+ goto err_put_timeout;
+ }
+
+ timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
+ if (!timeout_ext)
+ goto err_put_timeout;
+
+ goto out;
+
+err_put_timeout:
+ timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
+ if (timeout_put)
+ timeout_put(timeout);
+out:
+ rcu_read_unlock();
+ return;
+#endif
+}
+
 /* Lookup connection and confirm if unconfirmed. */
 static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
 const struct ovs_conntrack_info *info,
@@ -1465,6 +1520,8 @@ static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = {
 #endif
 [OVS_CT_ATTR_EVENTMASK] = { .minlen = sizeof(u32),
 .maxlen = sizeof(u32) },
+ [OVS_CT_ATTR_TIMEOUT] = { .minlen = 1,
+ .maxlen = CTNL_TIMEOUT_NAME_MAX },
 };
 static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
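Review bot: ovs_ct_add_timeout() returns void, so every failure in this hunk — no find/put hook registered, unknown policy name, L3 or L4 mismatch, or nf_ct_timeout_ext_add() returning NULL — is only ratelimited to the kernel log, and the caller in ovs_ct_copy_action (a later hunk on this page) installs the flow anyway with a template that carries no timeout policy; those connections then run on the default conntrack timeouts while the controller believes the policy is in force, and nothing on the netlink path tells it otherwise. Returning an int (-ENOENT for a missing policy, -EINVAL for the protocol mismatches, -ENOMEM from the ext add) lets the caller either fail the action or at least report the miss through OVS_NLERR instead of dmesg; a sketch is below. Two smaller points in the same body: the first net_info_ratelimited() string lacks the trailing `\n` the other three have, and `goto out;` directly followed by `return;` before `#endif` is redundant. The ovs_ct_commit context and the ovs_ct_attr_lens hunk that follow on this line raise nothing.
```c
static int ovs_ct_add_timeout(struct net *net, struct nf_conn *ct,
			      const char *timeout_name, u16 l3num, u8 l4num)
{
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
	int err = -ENOENT;
	/* … unchanged: hook lookup and timeout_find_get(), both failing with err == -ENOENT … */
	if (timeout->l3num != l3num) {
		/* … unchanged: log line … */
		err = -EINVAL;
		goto err_put_timeout;
	}
	/* … unchanged: L4 check, same err = -EINVAL pattern … */
	timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
	if (!timeout_ext) {
		err = -ENOMEM;
		goto err_put_timeout;
	}
	err = 0;
	goto out;
	/* … unchanged: err_put_timeout and out labels … */
	return err;
#else
	return -EOPNOTSUPP;	/* unreachable: parse_ct rejects the attribute in this configuration */
#endif
}
```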
@@ -1550,6 +1607,15 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
 info->have_eventmask = true;
 info->eventmask = nla_get_u32(a);
 break;
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ case OVS_CT_ATTR_TIMEOUT:
+ memcpy(info->timeout, nla_data(a), nla_len(a));
+ if (!memchr(info->timeout, '\0', nla_len(a))) {
+ OVS_NLERR(log, "Invalid conntrack helper");
+ return -EINVAL;
+ }
+ break;
+#endif
 default:
 OVS_NLERR(log, "Unknown conntrack attr (%d)",
@@ -1631,6 +1697,12 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
 OVS_NLERR(log, "Failed to allocate conntrack template");
 return -ENOMEM;
 }
+
+ if (ct_info.timeout[0]) {
+ ovs_ct_add_timeout(net, ct_info.ct, ct_info.timeout, family,
+ key->ip.proto);
+ }
+
 if (helper) {
 err = ovs_ct_add_helper(&ct_info, helper, key, log);
 if (err)
@@ -1751,6 +1823,10 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info,
 if (ct_info->have_eventmask &&
 nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask))
 return -EMSGSIZE;
+ if (ct_info->timeout[0]) {
+ if (nla_put_string(skb, OVS_CT_ATTR_TIMEOUT, ct_info->timeout))
+ return -EMSGSIZE;
+ }
 #ifdef CONFIG_NF_NAT_NEEDED
 if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb))
@@ -1772,8 +1848,11 @@ static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
 {
 if (ct_info->helper)
 nf_conntrack_helper_put(ct_info->helper);
- if (ct_info->ct)
+ if (ct_info->ct) {
 nf_ct_tmpl_free(ct_info->ct);
+ if (ct_info->timeout[0])
+ xt_ct_destroy_timeout(ct_info->ct);
+ }
 }
 #if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
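Review bot: The error string in the new OVS_CT_ATTR_TIMEOUT case of parse_ct reads `Invalid conntrack helper`, evidently copied from the helper case, so an operator whose timeout= action is rejected will be pointed at the wrong attribute; change it to `OVS_NLERR(log, "Invalid conntrack timeout");`. The copy itself looks right: assuming parse_ct checks nla_len(a) against ovs_ct_attr_lens before the switch as it does for the other attributes, the memcpy is bounded by the CTNL_TIMEOUT_NAME_MAX entry this series adds, and the memchr check guarantees the name is NUL-terminated before it reaches the `%s` in ovs_ct_add_timeout's log lines. parse_ct's enclosing switch and function both begin and end outside the hunk.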
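Review bot: In __ovs_ct_free_action the new `xt_ct_destroy_timeout(ct_info->ct)` call runs after `nf_ct_tmpl_free(ct_info->ct)` has already released the template, so the timeout-extension lookup inside it reads freed memory; the destroy call must come first, i.e. inside the `if (ct_info->ct) {` block write `if (ct_info->timeout[0]) nf_ct_destroy_timeout(ct_info->ct);` and only then `nf_ct_tmpl_free(ct_info->ct);`. The symbol is also wrong as posted: xt_ct_destroy_timeout is the static xt_CT.c function that patch 1/2 of this series deletes, and the exported replacement it introduces is nf_ct_destroy_timeout(), so this file will not link against patch 1. Whether nf_ct_tmpl_free() already drops the policy reference through the extension's destructor — which would make the explicit call a double put rather than a needed one — cannot be confirmed from the visible lines; the existing xt_CT.c ordering (destroy_timeout before nf_ct_put) suggests it does not, so the reordered explicit call is the safe form.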