From patchwork Tue Jun 28 12:12:17 2016
X-Patchwork-Submitter: Samuel Gauthier
X-Patchwork-Id: 641516
From: Samuel Gauthier
To: pshelar@nicira.com, davem@davemloft.net
Cc: dev@openvswitch.org, netdev@vger.kernel.org, Joe Stringer, netfilter-devel@vger.kernel.org, Justin Pettit
Date: Tue, 28 Jun 2016 14:12:17 +0200
Subject: [ovs-dev] [PATCH net] openvswitch: fix conntrack netlink event delivery
Message-Id: <1467115937-16197-1-git-send-email-samuel.gauthier@6wind.com>

Only the first and last netlink message for a particular conntrack are actually sent. The first message is sent through nf_conntrack_confirm when the conntrack is committed. The last one is sent when the conntrack is destroyed on timeout.
The other conntrack state change messages are not advertised.

When the conntrack subsystem is used from netfilter, nf_conntrack_confirm is called for each packet, from the postrouting hook, which in turn calls nf_ct_deliver_cached_events to send the state change netlink messages.

This commit fixes the problem by calling nf_conntrack_confirm all the time, i.e. not only in the commit case.

Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
CC: Joe Stringer
CC: Justin Pettit
CC: Andy Zhou
CC: Thomas Graf
Signed-off-by: Samuel Gauthier
---
This patch was tested against the net tree, checking the notifications with conntrack -E.

David, this patch conflicts with the patch 7d904c7bcd51 ("openvswitch: Only set mark and labels with a commit flag.") from net-next. I can help solve the conflict if you need to.

 net/openvswitch/conntrack.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 3d5feede962d..4ea97f1c3861 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -834,9 +834,6 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key, err = __ovs_ct_lookup(net, key, info, skb); if (err) return err; - /* This is a no-op if the connection has already been confirmed. */ - if (nf_conntrack_confirm(skb) != NF_ACCEPT) - return -EINVAL; return 0; } @@ -888,6 +885,11 @@ int ovs_ct_execute(struct net *net, struct sk_buff *skb, if (labels_nonzero(&info->labels.mask)) err = ovs_ct_set_labels(skb, key, &info->labels.value, &info->labels.mask); + + /* This is a no-op if the connection has already been confirmed. */ + if (nf_conntrack_confirm(skb) != NF_ACCEPT) + return -EINVAL; + err: skb_push(skb, nh_ofs); if (err)
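Review bot: in the first hunk (`@@ -834,9 +834,6 @@`, ovs_ct_commit()), once the nf_conntrack_confirm() call is removed the body reduces to `err = __ovs_ct_lookup(net, key, info, skb); if (err) return err; return 0;`, which is simply `return __ovs_ct_lookup(net, key, info, skb);` and leaves `err` with no remaining purpose. Since the static ovs_ct_commit() now relies on its caller to confirm the connection, a short comment at this point saying that confirmation (and event delivery) happens in ovs_ct_execute() would keep the split from surprising the next reader.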
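Review bot: in the second hunk (`@@ -888,6 +885,11 @@`, ovs_ct_execute()), the new `+ return -EINVAL;` sits directly above the `err:` label, so on a confirm failure the function returns without the `skb_push(skb, nh_ofs);` and the `if (err)` handling that follow the label, i.e. the skb goes back with its network header still pulled and the error branch below never runs. Setting `err = -EINVAL;` and letting execution fall through to `err:` keeps the cleanup on the single path the rest of the function already uses. The comment carried over with the call, "This is a no-op if the connection has already been confirmed.", also now contradicts the commit message, whose whole point is that nf_conntrack_confirm() still delivers the cached state-change events for an already-confirmed connection; reword it to say the call is made to flush queued conntrack events.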
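The cover note says the fix was verified by watching notifications with conntrack -E. As an added example, not part of the patch mail nor of Open vSwitch or the kernel, the script below checks a conntrack -E capture for the symptom the commit message describes: connections for which only the NEW and DESTROY events ever arrive, with no intermediate UPDATE. The sample lines are constructed in the layout of conntrack -E output (one event per line, event type in brackets, protocol, protocol number, optional timeout and TCP state, then the two tuples); the regular expressions and the flow key assume that layout.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `conntrack -E` output. These lines were
# written for this example and are not captured from the test run described in
# the patch mail. Flow 10.0.0.1:40000 -> 10.0.0.2:80 shows a normal life cycle;
# flow 10.0.0.3:40001 -> 10.0.0.2:80 shows only the first and last event.
SAMPLE_EVENTS = """\
    [NEW] tcp      6 120 SYN_SENT src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=80 [UNREPLIED] src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40000
 [UPDATE] tcp      6 60 SYN_RECV src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40000
 [UPDATE] tcp      6 432000 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40000 [ASSURED]
    [NEW] tcp      6 120 SYN_SENT src=10.0.0.3 dst=10.0.0.2 sport=40001 dport=80 [UNREPLIED] src=10.0.0.2 dst=10.0.0.3 sport=80 dport=40001
[DESTROY] tcp      6 src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40000 [ASSURED]
[DESTROY] tcp      6 src=10.0.0.3 dst=10.0.0.2 sport=40001 dport=80 src=10.0.0.2 dst=10.0.0.3 sport=80 dport=40001 [ASSURED]
"""

# Assumed line layout: "[TYPE] proto protonum [timeout] [STATE] src= dst= sport= dport= ..."
EVENT_RE = re.compile(r"^\s*\[(?P<type>NEW|UPDATE|DESTROY)\]\s+(?P<proto>\w+)\s+\d+\s+(?P<rest>.*)$")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(r"\b(SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE)\b")


def parse_events(text):
    """Return a list of (flow_key, event_type, tcp_state) per event line, in input order.

    flow_key is the original-direction tuple (proto, src, dst, sport, dport);
    tcp_state is None when the line carries no state (DESTROY lines, non-TCP).
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # blank line or something that is not an event
        t = TUPLE_RE.search(m.group("rest"))
        if not t:
            continue
        key = (m.group("proto"),) + t.groups()  # first tuple = original direction
        s = STATE_RE.search(m.group("rest"))
        events.append((key, m.group("type"), s.group(1) if s else None))
    return events


def lifecycles(text):
    """Map each flow key to its ordered list of (event_type, tcp_state)."""
    life = defaultdict(list)
    for key, etype, state in parse_events(text):
        life[key].append((etype, state))
    return dict(life)


def flows_missing_updates(text):
    """Flow keys that were created and destroyed without a single UPDATE event.

    That pattern is the symptom the commit message describes: only the first
    message (NEW, from confirm on commit) and the last (DESTROY, on timeout)
    arrive, while the intermediate state changes are never delivered.
    """
    flagged = []
    for key, events in lifecycles(text).items():
        types = {etype for etype, _ in events}
        if "DESTROY" in types and "UPDATE" not in types:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for key, events in lifecycles(SAMPLE_EVENTS).items():
        print(key, "->", " ".join(f"{e}:{s or '-'}" for e, s in events))
    for key in flows_missing_updates(SAMPLE_EVENTS):
        print("no intermediate events seen for", key)
```

To use it on a real system, capture `conntrack -E` to a file while traffic traverses the OVS conntrack action and feed that text to flows_missing_updates(). A TCP flow that was committed and lived long enough to reach ESTABLISHED should show UPDATE transitions once the fix is in place; flows that are flagged are either affected by the missing-event problem or were too short-lived to change state, so treat the list as a signal to inspect rather than proof on its own.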