From patchwork Tue Oct 15 17:27:53 2019
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 1177258
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Tue, 15 Oct 2019 10:27:53 -0700
Message-Id: <1571160473-46132-13-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571160473-46132-1-git-send-email-yihung.wei@gmail.com>
References: <1571160473-46132-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH v2 12/12] datapath: Allow attaching helper in later commit

Upstream commit:
    commit 248d45f1e1934f7849fbdc35ef1e57151cf063eb
    Author: Yi-Hung Wei
    Date:   Fri Oct 4 09:26:44 2019 -0700

    openvswitch: Allow attaching helper in later commit

    This patch allows attaching a conntrack helper to a confirmed conntrack
    entry. Currently, we can only attach an alg helper to a conntrack entry
    when it is in the unconfirmed state.

    This patch enables a use case where we can first commit a conntrack
    entry after it has passed some initial conditions. After that, the
    processing pipeline will further check a couple of packets to determine
    if the connection belongs to a particular application, and attach the
    alg helper to the connection in a later stage.

    Signed-off-by: Yi-Hung Wei
    Signed-off-by: David S. Miller

Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 datapath/conntrack.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index f6e9386f4707..838cf63c908f 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -1045,6 +1045,8 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, ct = nf_ct_get(skb, &ctinfo); if (ct) { + bool add_helper = false; + /* Packets starting a new connection must be NATted before the * helper, so that the helper knows about the NAT. We enforce * this by delaying both NAT and helper calls for unconfirmed @@ -1062,16 +1064,17 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, } /* Userspace may decide to perform a ct lookup without a helper - * specified followed by a (recirculate and) commit with one. - * Therefore, for unconfirmed connections which we will commit, - * we need to attach the helper here. + * specified followed by a (recirculate and) commit with one, + * or attach a helper in a later commit. Therefore, for + * connections which we will commit, we may need to attach + * the helper here. */ - if (!nf_ct_is_confirmed(ct) && info->commit && - info->helper && !nfct_help(ct)) { + if (info->commit && info->helper && !nfct_help(ct)) { int err = __nf_ct_try_assign_helper(ct, info->ct, GFP_ATOMIC); if (err) return err; + add_helper = true; /* helper installed, add seqadj if NAT is required */ if (info->nat && !nfct_seqadj(ct)) { @@ -1081,11 +1084,13 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, } /* Call the helper only if: - * - nf_conntrack_in() was executed above ("!cached") for a - * confirmed connection, or + * - nf_conntrack_in() was executed above ("!cached") or a + * helper was just attached ("add_helper") for a confirmed + * connection, or * - When committing an unconfirmed connection. */ - if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) && + if ((nf_ct_is_confirmed(ct) ? !cached || add_helper : + info->commit) && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { return -EINVAL; }
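Review bot: in the first hunk the new `bool add_helper = false;` is inserted between `if (ct) {` and the existing comment that explains why NAT and the helper calls are delayed for unconfirmed connections; that comment still describes only the unconfirmed case, while the rest of this patch makes the same block attach a helper to already-confirmed entries too. Add a short comment at the declaration (or extend the existing one) saying that add_helper records that a helper was attached to a confirmed entry in this pass so the helper call further down is not skipped for it; otherwise a reader has to reach the third hunk to learn what the flag is for.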
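Review bot: in the second hunk, dropping `!nf_ct_is_confirmed(ct) &&` from the guard means `__nf_ct_try_assign_helper()` (and the `nfct_seqadj` addition right below it, when `info->nat` is set) now run on entries that are already confirmed and visible in the conntrack table, not only on the per-skb unconfirmed entry as before. The rewritten comment states the userspace use case but not why adding extensions to a confirmed entry is safe with respect to other packets of the same connection being looked up concurrently; please spell that reasoning out in the comment, since the old `!nf_ct_is_confirmed(ct)` check was the only thing documenting that constraint. The `!nfct_help(ct)` test keeps repeated commits with a helper idempotent, and `add_helper` stays false on the `err` path, which looks right.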
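Review bot: in the third hunk, `nf_ct_is_confirmed(ct) ? !cached || add_helper : info->commit` is correct only because `||` binds tighter than `?:`, and with the ternary split across two lines the unparenthesized `||` is easy to misread. Suggest `(nf_ct_is_confirmed(ct) ? (!cached || add_helper) : info->commit)` so the expression mirrors the two bullets in the comment directly above it. Worth one sentence in the commit message as well: for a confirmed connection the helper is now invoked on the very packet that attached it, which is the `cached` case that previously skipped `ovs_ct_helper()` entirely.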