From patchwork Mon Oct 14 17:37:47 2019
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 1176567
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:47 -0700
Message-Id: <1571074671-31834-8-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
References: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 07/11] datapath: Load and reference the NAT helper.

This commit backports the following upstream commit, and two functions
in nf_conntrack_helper.h.

Upstream commit:
    commit fec9c271b8f1bde1086be5aa415cdb586e0dc800
    Author: Flavio Leitner
    Date:   Wed Apr 17 11:46:17 2019 -0300

    openvswitch: load and reference the NAT helper.

    This improves the original commit 17c357efe5ec ("openvswitch: load
    NAT helper") where it unconditionally tries to load the module for
    every flow using NAT, so not efficient when loading multiple flows.
    It also doesn't hold any references to the NAT module while the
    flow is active.

    This change fixes those problems. It will try to load the module
    only if it's not present. It grabs a reference to the NAT module
    and holds it while the flow is active. Finally, an error message
    shows up if either action above fails.

    Fixes: 17c357efe5ec ("openvswitch: load NAT helper")
    Signed-off-by: Flavio Leitner
    Signed-off-by: Pablo Neira Ayuso

Signed-off-by: Yi-Hung Wei Reviewed-by: Yifeng Sun --- acinclude.m4 | 4 ++++ datapath/conntrack.c | 27 +++++++++++++++++----- .../include/net/netfilter/nf_conntrack_helper.h | 17 ++++++++++++++ 3 files changed, 42 insertions(+), 6 deletions(-) diff --git a/acinclude.m4 b/acinclude.m4 index 055f5387db19..22f92723b00d 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -904,6 +904,10 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], [nf_conntrack_helper_put], [OVS_DEFINE(HAVE_NF_CONNTRACK_HELPER_PUT)]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], + [nf_nat_helper_try_module_get]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], + [nf_nat_helper_put]) OVS_GREP_IFELSE([$KSRC/include/linux/skbuff.h],[[[[:space:]]]SKB_GSO_UDP[[[:space:]]]], [OVS_DEFINE([HAVE_SKB_GSO_UDP])]) OVS_GREP_IFELSE([$KSRC/include/net/dst.h],[DST_NOCACHE], diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 0c0d43bec2e5..9a7eab655142 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -1391,6 +1391,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, { struct nf_conntrack_helper *helper; struct nf_conn_help *help; + int ret = 0; helper = nf_conntrack_helper_try_module_get(name, info->family, key->ip.proto); @@ -1405,13 +1406,22 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return -ENOMEM; } +#ifdef CONFIG_NF_NAT_NEEDED + if (info->nat) { + ret = nf_nat_helper_try_module_get(name, info->family, + key->ip.proto); + if (ret) { + nf_conntrack_helper_put(helper); + OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d", + name, ret); + return ret; + } + } +#endif + rcu_assign_pointer(help->helper, helper); info->helper = helper; - - if (info->nat) - request_module("ip_nat_%s", name); - - return 0; + return ret; } #if IS_ENABLED(CONFIG_NF_NAT_NEEDED) 
@@ -1898,8 +1908,13 @@ void ovs_ct_free_action(const struct nlattr *a) static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) { - if (ct_info->helper) + if (ct_info->helper) { +#ifdef CONFIG_NF_NAT_NEEDED + if (ct_info->nat) + nf_nat_helper_put(ct_info->helper); +#endif nf_conntrack_helper_put(ct_info->helper); + } if (ct_info->ct) { if (ct_info->timeout[0]) nf_ct_destroy_timeout(ct_info->ct); diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h index b6a3d0bf75b3..78f97375b66e 100644 --- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h +++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h @@ -19,4 +19,21 @@ rpl_nf_ct_helper_ext_add(struct nf_conn *ct, #define nf_ct_helper_ext_add rpl_nf_ct_helper_ext_add #endif /* HAVE_NF_CT_HELPER_EXT_ADD_TAKES_HELPER */ +#ifndef HAVE_NF_NAT_HELPER_TRY_MODULE_GET +static inline int rpl_nf_nat_helper_try_module_get(const char *name, u16 l3num, + u8 protonum) +{ + request_module("ip_nat_%s", name); + return 0; +} +#define nf_nat_helper_try_module_get rpl_nf_nat_helper_try_module_get +#endif /* HAVE_NF_NAT_HELPER_TRY_MODULE_GET */ + +#ifndef HAVE_NF_NAT_HELPER_PUT +void rpl_nf_nat_helper_put(struct nf_conntrack_helper *helper) +{ +} +#define nf_nat_helper_put rpl_nf_nat_helper_put +#endif /* HAVE_NF_NAT_HELPER_PUT */ + #endif /* _NF_CONNTRACK_HELPER_WRAPPER_H */
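Review bot: In the acinclude.m4 hunk, the two new OVS_GREP_IFELSE checks for nf_nat_helper_try_module_get and nf_nat_helper_put pass no third argument, while the nf_conntrack_helper_put check directly above them passes [OVS_DEFINE(HAVE_NF_CONNTRACK_HELPER_PUT)]. The compat header in this patch keys on HAVE_NF_NAT_HELPER_TRY_MODULE_GET and HAVE_NF_NAT_HELPER_PUT, so either spell out the OVS_DEFINE for both or confirm that the macro's default produces exactly those names. If they are never defined, the rpl_ fallbacks are always compiled in and the #define renames shadow the kernel's own functions, which silently removes the reference counting this patch is meant to add.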
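Review bot: In ovs_ct_add_helper() the new block is guarded with #ifdef CONFIG_NF_NAT_NEEDED, but the trailing context of the same hunk shows this file using #if IS_ENABLED(CONFIG_NF_NAT_NEEDED). Use the IS_ENABLED form here too, so the NAT helper get is compiled under the same condition as the rest of the NAT code in the file. The error path correctly drops the conntrack helper reference with nf_conntrack_helper_put(helper) before returning; a short comment there noting that this undoes the earlier try_module_get would help the next reader keep the two references apart.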
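Review bot: In __ovs_ct_free_action() the nf_nat_helper_put() is conditioned on ct_info->nat at free time, while the matching get in ovs_ct_add_helper() is conditioned on info->nat at the time the helper is added. Nothing in these hunks shows that nat is already set when the helper is added and stays unchanged afterwards; if it can be set later, the put runs without a get and the NAT helper reference is dropped once too often. Recording in the info struct that the NAT reference was actually taken, and testing that flag here, would make the pairing explicit. The #ifdef CONFIG_NF_NAT_NEEDED guard should also match the #if IS_ENABLED(CONFIG_NF_NAT_NEEDED) form used elsewhere in conntrack.c.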
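Review bot: In the compat nf_conntrack_helper.h hunk, rpl_nf_nat_helper_put() is defined as a plain "void" function in a header, not "static inline" like rpl_nf_nat_helper_try_module_get() just above it, so each object that includes the header emits its own external definition and the module fails to link with duplicate symbols as soon as two of them do. Make it "static inline void". Separately, the fallback rpl_nf_nat_helper_try_module_get() discards the result of request_module() and always returns 0, so on kernels without the real function the new error path in ovs_ct_add_helper() can never trigger and no reference is held on the NAT helper; a comment stating that limitation would keep readers from assuming the backport gives the same guarantee there.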