From patchwork Wed Mar 15 23:31:21 2017
X-Patchwork-Submitter: Jarno Rajahalme
X-Patchwork-Id: 739484
From: Jarno Rajahalme
To: dev@openvswitch.org
Date: Wed, 15 Mar 2017 16:31:21 -0700
Message-Id: <1489620689-122370-18-git-send-email-jarno@ovn.org>
In-Reply-To: <1489620689-122370-1-git-send-email-jarno@ovn.org>
References: <1489620689-122370-1-git-send-email-jarno@ovn.org>
Subject: [ovs-dev] [PATCH branch-2.7 17/25] datapath: Do not trigger events for unconfirmed connections.

Upstream commit:

commit 193e30967897f3a8b6f9f137ac30571d832c2c5c
Author: Jarno Rajahalme
Date: Thu Feb 9 11:21:54 2017 -0800

openvswitch: Do not trigger events for unconfirmed connections.

Receiving change events before the 'new' event for the connection has been received can be confusing. Avoid triggering change events for setting conntrack mark or labels before the conntrack entry has been confirmed.

Fixes: 182e3042e15d ("openvswitch: Allow matching on conntrack mark")
Fixes: c2ac66735870 ("openvswitch: Allow matching on conntrack label")
Signed-off-by: Jarno Rajahalme
Acked-by: Joe Stringer
Acked-by: Pravin B Shelar
Signed-off-by: David S. Miller

Upstream commit:

commit 2317c6b51e4249dbfa093e1b88cab0a9f0564b7f
Author: Jarno Rajahalme
Date: Fri Feb 17 18:11:58 2017 -0800

openvswitch: Set event bit after initializing labels.

Connlabels are included in conntrack netlink event messages only if the IPCT_LABEL bit is set in the event cache (see ctnetlink_conntrack_event()). Set it after initializing labels for a new connection.

Found upon further system testing, where it was noticed that labels were missing from the conntrack events.

Fixes: 193e30967897 ("openvswitch: Do not trigger events for unconfirmed connections.")
Signed-off-by: Jarno Rajahalme
Acked-by: Pravin B Shelar
Signed-off-by: David S. Miller

Fixes: 372ce9737d2b ("datapath: Allow matching on conntrack mark")
Fixes: 038e34abaa31 ("datapath: Allow matching on conntrack label")
Signed-off-by: Jarno Rajahalme
Acked-by: Joe Stringer
---
datapath/conntrack.c | 33 +++++++++++++++++++++++++++------
1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 08e5eab..cee47b7 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -261,7 +261,8 @@ static int ovs_ct_set_mark(struct sk_buff *skb, struct sw_flow_key *key, new_mark = ct_mark | (ct->mark & ~(mask)); if (ct->mark != new_mark) { ct->mark = new_mark; - nf_conntrack_event_cache(IPCT_MARK, ct); + if (nf_ct_is_confirmed(ct)) + nf_conntrack_event_cache(IPCT_MARK, ct); key->ct.mark = new_mark; } @@ -278,7 +279,6 @@ static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key, enum ip_conntrack_info ctinfo; struct nf_conn_labels *cl; struct nf_conn *ct; - int err; /* The connection could be invalid, in which case set_label is no-op.*/ ct = nf_ct_get(skb, &ctinfo); 
@@ -294,10 +294,31 @@ static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key, if (!cl || ovs_ct_get_labels_len(cl) < OVS_CT_LABELS_LEN) return -ENOSPC; - err = nf_connlabels_replace(ct, (u32 *)labels, (u32 *)mask, - OVS_CT_LABELS_LEN / sizeof(u32)); - if (err) - return err; + if (nf_ct_is_confirmed(ct)) { + /* Triggers a change event, which makes sense only for + * confirmed connections. + */ + int err = nf_connlabels_replace(ct, (u32 *)labels, (u32 *)mask, + OVS_CT_LABELS_LEN / sizeof(u32)); + if (err) + return err; + } else { + u32 *dst = (u32 *)cl->bits; + const u32 *msk = (const u32 *)mask->ct_labels; + const u32 *lbl = (const u32 *)labels->ct_labels; + int i; + + /* No-one else has access to the non-confirmed entry, copy + * labels over, keeping any bits we are not explicitly setting. + */ + for (i = 0; i < OVS_CT_LABELS_LEN / sizeof(u32); i++) + dst[i] = (dst[i] & ~msk[i]) | (lbl[i] & msk[i]); + + /* Labels are included in the IPCTNL_MSG_CT_NEW event only if + * the IPCT_LABEL bit it set in the event cache. + */ + nf_conntrack_event_cache(IPCT_LABEL, ct); + } ovs_ct_get_labels(ct, &key->ct.labels); return 0;
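Review bot: In the ovs_ct_set_mark() hunk (@@ -261,7 +261,8 @@), the unconfirmed case now updates ct->mark without caching any event, while the ovs_ct_set_labels() change in this same patch explicitly caches IPCT_LABEL for unconfirmed entries so that labels reach the 'new' event. The code does not explain this asymmetry. Please add a short comment above `if (nf_ct_is_confirmed(ct))` stating why the mark needs no event bit to be reported with the 'new' event, or treat it the same way as labels if it does need one.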
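Review bot: In the else branch of the ovs_ct_set_labels() hunk (@@ -294,10 +294,31 @@), `nf_conntrack_event_cache(IPCT_LABEL, ct);` runs unconditionally, even when the mask is all zeroes and the copy loop changes nothing, whereas the mark path only acts inside `if (ct->mark != new_mark)`. If that is intended for the 'new' event, say so in the comment; otherwise track whether any dst[i] actually changed and cache the event only then. The new comment also has a typo: "the IPCT_LABEL bit it set" should read "is set". The direct writes through the u32 cast of cl->bits depend on the preceding `ovs_ct_get_labels_len(cl) < OVS_CT_LABELS_LEN` check for their bounds, so that check must stay ahead of this block.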