Message ID | 1571074671-31834-8-git-send-email-yihung.wei@gmail.com |
---|---|
State | Superseded |
Headers | show |
Series | Backport upstream conntrack related patches | expand |
LGTM, thanks. Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> On Mon, Oct 14, 2019 at 10:54 AM Yi-Hung Wei <yihung.wei@gmail.com> wrote: > > This commit backports the following upstream commit, and two functions > in nf_conntrack_helper.h. > > Upstream commit: > commit fec9c271b8f1bde1086be5aa415cdb586e0dc800 > Author: Flavio Leitner <fbl@redhat.com> > Date: Wed Apr 17 11:46:17 2019 -0300 > > openvswitch: load and reference the NAT helper. > > This improves the original commit 17c357efe5ec ("openvswitch: load > NAT helper") where it unconditionally tries to load the module for > every flow using NAT, so not efficient when loading multiple flows. > It also doesn't hold any references to the NAT module while the > flow is active. > > This change fixes those problems. It will try to load the module > only if it's not present. It grabs a reference to the NAT module > and holds it while the flow is active. Finally, an error message > shows up if either actions above fails. > > Fixes: 17c357efe5ec ("openvswitch: load NAT helper") > Signed-off-by: Flavio Leitner <fbl@redhat.com> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > > Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> > --- > acinclude.m4 | 4 ++++ > datapath/conntrack.c | 27 +++++++++++++++++----- > .../include/net/netfilter/nf_conntrack_helper.h | 17 ++++++++++++++ > 3 files changed, 42 insertions(+), 6 deletions(-) > > diff --git a/acinclude.m4 b/acinclude.m4 > index 055f5387db19..22f92723b00d 100644 > --- a/acinclude.m4 > +++ b/acinclude.m4 > @@ -904,6 +904,10 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ > OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], > [nf_conntrack_helper_put], > [OVS_DEFINE(HAVE_NF_CONNTRACK_HELPER_PUT)]) > + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], > + [nf_nat_helper_try_module_get]) > + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], > + [nf_nat_helper_put]) > OVS_GREP_IFELSE([$KSRC/include/linux/skbuff.h],[[[[:space:]]]SKB_GSO_UDP[[[:space:]]]], > [OVS_DEFINE([HAVE_SKB_GSO_UDP])]) > OVS_GREP_IFELSE([$KSRC/include/net/dst.h],[DST_NOCACHE], > diff --git a/datapath/conntrack.c b/datapath/conntrack.c > index 0c0d43bec2e5..9a7eab655142 100644 > --- a/datapath/conntrack.c > +++ b/datapath/conntrack.c > @@ -1391,6 +1391,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, > { > struct nf_conntrack_helper *helper; > struct nf_conn_help *help; > + int ret = 0; > > helper = nf_conntrack_helper_try_module_get(name, info->family, > key->ip.proto); > @@ -1405,13 +1406,22 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, > return -ENOMEM; > } > > +#ifdef CONFIG_NF_NAT_NEEDED > + if (info->nat) { > + ret = nf_nat_helper_try_module_get(name, info->family, > + key->ip.proto); > + if (ret) { > + nf_conntrack_helper_put(helper); > + OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d", > + name, ret); > + return ret; > + } > + } > +#endif > + > rcu_assign_pointer(help->helper, helper); > info->helper = helper; > - > - if (info->nat) > - request_module("ip_nat_%s", name); > - > - return 0; > + return ret; > } > > #if IS_ENABLED(CONFIG_NF_NAT_NEEDED) > @@ -1898,8 +1908,13 @@ void ovs_ct_free_action(const struct nlattr *a) > > static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) > { > - if (ct_info->helper) > + if (ct_info->helper) { > +#ifdef CONFIG_NF_NAT_NEEDED > + if (ct_info->nat) > + nf_nat_helper_put(ct_info->helper); > +#endif > nf_conntrack_helper_put(ct_info->helper); > + } > if (ct_info->ct) { > if (ct_info->timeout[0]) > nf_ct_destroy_timeout(ct_info->ct); > diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h > index b6a3d0bf75b3..78f97375b66e 100644 > --- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h > +++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h > @@ -19,4 +19,21 @@ rpl_nf_ct_helper_ext_add(struct nf_conn *ct, > #define nf_ct_helper_ext_add rpl_nf_ct_helper_ext_add > #endif /* HAVE_NF_CT_HELPER_EXT_ADD_TAKES_HELPER */ > > +#ifndef HAVE_NF_NAT_HELPER_TRY_MODULE_GET > +static inline int rpl_nf_nat_helper_try_module_get(const char *name, u16 l3num, > + u8 protonum) > +{ > + request_module("ip_nat_%s", name); > + return 0; > +} > +#define nf_nat_helper_try_module_get rpl_nf_nat_helper_try_module_get > +#endif /* HAVE_NF_NAT_HELPER_TRY_MODULE_GET */ > + > +#ifndef HAVE_NF_NAT_HELPER_PUT > +void rpl_nf_nat_helper_put(struct nf_conntrack_helper *helper) > +{ > +} > +#define nf_nat_helper_put rpl_nf_nat_helper_put > +#endif /* HAVE_NF_NAT_HELPER_PUT */ > + > #endif /* _NF_CONNTRACK_HELPER_WRAPPER_H */ > -- > 2.7.4 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
diff --git a/acinclude.m4 b/acinclude.m4 index 055f5387db19..22f92723b00d 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -904,6 +904,10 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], [nf_conntrack_helper_put], [OVS_DEFINE(HAVE_NF_CONNTRACK_HELPER_PUT)]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], + [nf_nat_helper_try_module_get]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], + [nf_nat_helper_put]) OVS_GREP_IFELSE([$KSRC/include/linux/skbuff.h],[[[[:space:]]]SKB_GSO_UDP[[[:space:]]]], [OVS_DEFINE([HAVE_SKB_GSO_UDP])]) OVS_GREP_IFELSE([$KSRC/include/net/dst.h],[DST_NOCACHE], diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 0c0d43bec2e5..9a7eab655142 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -1391,6 +1391,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, { struct nf_conntrack_helper *helper; struct nf_conn_help *help; + int ret = 0; helper = nf_conntrack_helper_try_module_get(name, info->family, key->ip.proto); @@ -1405,13 +1406,22 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return -ENOMEM; } +#ifdef CONFIG_NF_NAT_NEEDED + if (info->nat) { + ret = nf_nat_helper_try_module_get(name, info->family, + key->ip.proto); + if (ret) { + nf_conntrack_helper_put(helper); + OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d", + name, ret); + return ret; + } + } +#endif + rcu_assign_pointer(help->helper, helper); info->helper = helper; - - if (info->nat) - request_module("ip_nat_%s", name); - - return 0; + return ret; } #if IS_ENABLED(CONFIG_NF_NAT_NEEDED) @@ -1898,8 +1908,13 @@ void ovs_ct_free_action(const struct nlattr *a) static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) { - if (ct_info->helper) + if (ct_info->helper) { +#ifdef CONFIG_NF_NAT_NEEDED + if (ct_info->nat) + nf_nat_helper_put(ct_info->helper); +#endif nf_conntrack_helper_put(ct_info->helper); + } if (ct_info->ct) { if (ct_info->timeout[0]) nf_ct_destroy_timeout(ct_info->ct); diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h index b6a3d0bf75b3..78f97375b66e 100644 --- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h +++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h @@ -19,4 +19,21 @@ rpl_nf_ct_helper_ext_add(struct nf_conn *ct, #define nf_ct_helper_ext_add rpl_nf_ct_helper_ext_add #endif /* HAVE_NF_CT_HELPER_EXT_ADD_TAKES_HELPER */ +#ifndef HAVE_NF_NAT_HELPER_TRY_MODULE_GET +static inline int rpl_nf_nat_helper_try_module_get(const char *name, u16 l3num, + u8 protonum) +{ + request_module("ip_nat_%s", name); + return 0; +} +#define nf_nat_helper_try_module_get rpl_nf_nat_helper_try_module_get +#endif /* HAVE_NF_NAT_HELPER_TRY_MODULE_GET */ + +#ifndef HAVE_NF_NAT_HELPER_PUT +void rpl_nf_nat_helper_put(struct nf_conntrack_helper *helper) +{ +} +#define nf_nat_helper_put rpl_nf_nat_helper_put +#endif /* HAVE_NF_NAT_HELPER_PUT */ + #endif /* _NF_CONNTRACK_HELPER_WRAPPER_H */