
[ovs-dev,2/7,v2] datapath: Pass nf_hook_state to nf_conntrack_in()

Message ID 1557359946-29077-1-git-send-email-pkusunyifeng@gmail.com
State Superseded

Commit Message

Yifeng Sun May 8, 2019, 11:59 p.m. UTC
From: Florian Westphal <fw@strlen.de>

Upstream Commit:
    commit 93e66024b0249cec81e91328c55a754efd3192e0
    Author: Florian Westphal <fw@strlen.de>
    Date:   Wed Sep 12 15:19:07 2018 +0200

    netfilter: conntrack: pass nf_hook_state to packet and error handlers

    nf_hook_state contains all the hook meta-information: netns, protocol family,
    hook location, and so on.

    Instead of only passing selected information, pass a pointer to entire
    structure.

    This will allow to merge the error and the packet handlers and remove
    the ->new() function in followup patches.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch backports the above upstream patch to OVS and fixes compilation
errors on RHEL kernels.

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
---
v1->v2: Fixed by YiHung's comments, thanks YiHung.

 acinclude.m4                                          |  5 +++++
 datapath/conntrack.c                                  |  8 ++++++--
 datapath/linux/Modules.mk                             |  1 +
 datapath/linux/compat/include/linux/netfilter.h       | 19 +++++++++++++++++++
 .../compat/include/net/netfilter/nf_conntrack_core.h  |  9 +++++++++
 5 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 datapath/linux/compat/include/linux/netfilter.h

Comments

Yi-Hung Wei May 10, 2019, 6:19 p.m. UTC | #1
On Wed, May 8, 2019 at 4:59 PM Yifeng Sun <pkusunyifeng@gmail.com> wrote:
>
> From: Florian Westphal <fw@strlen.de>
>
> Upstream Commit:
>     commit 93e66024b0249cec81e91328c55a754efd3192e0
>     Author: Florian Westphal <fw@strlen.de>
>     Date:   Wed Sep 12 15:19:07 2018 +0200
>
>     netfilter: conntrack: pass nf_hook_state to packet and error handlers
>
>     nf_hook_state contains all the hook meta-information: netns, protocol family,
>     hook location, and so on.
>
>     Instead of only passing selected information, pass a pointer to entire
>     structure.
>
>     This will allow to merge the error and the packet handlers and remove
>     the ->new() function in followup patches.
>
>     Signed-off-by: Florian Westphal <fw@strlen.de>
>     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>
> This patch backports the above upstream patch to OVS and fixes compiling
> errors on RHEL kernels.
>
> Cc: Florian Westphal <fw@strlen.de>
> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
> ---
Thanks for the update.

Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>

Patch

diff --git a/acinclude.m4 b/acinclude.m4
index c9b744db0b94..372be5f4dccd 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -603,6 +603,8 @@  AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
                         [ndo_change_mtu], [OVS_DEFINE([HAVE_RHEL7_MAX_MTU])])
 
   OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [nf_hook_state])
+  OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter.h], [nf_hook_state],
+                        [struct net ], [OVS_DEFINE([HAVE_NF_HOOK_STATE_NET])])
   OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [nf_register_net_hook])
   OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [nf_hookfn.*nf_hook_ops],
                   [OVS_DEFINE([HAVE_NF_HOOKFN_ARG_OPS])])
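Review bot: The field pattern `[struct net ]` in the new OVS_FIND_FIELD_IFELSE call appears to rely on its trailing space to avoid matching the `struct net_device *in` / `*out` members that nf_hook_state carries (judging by the replacement struct in the compat header), and nothing in the hunk says so. If a whitespace cleanup dropped that space, HAVE_NF_HOOK_STATE_NET would presumably be defined on kernels whose struct has no `net` member, and the compat struct would then be skipped. I would add `dnl Trailing space is deliberate: must not match "struct net_device".` directly above the check.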
@@ -929,6 +931,9 @@  AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_l3proto.h],
                   [nf_conntrack_l3proto],
                   [OVS_DEFINE([HAVE_NF_CONNTRACK_L3PROATO_H])])
+  OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_core.h],
+                        [nf_conntrack_in], [nf_hook_state],
+                        [OVS_DEFINE([HAVE_NF_CONNTRACK_IN_TAKES_NF_HOOK_STATE])])
 
   if cmp -s datapath/linux/kcompat.h.new \
             datapath/linux/kcompat.h >/dev/null 2>&1; then
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 52208bad3029..8c1a80308d6a 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -987,6 +987,11 @@  static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
 	struct nf_conn *ct;
 
 	if (!cached) {
+		struct nf_hook_state state = {
+			.hook = NF_INET_PRE_ROUTING,
+			.pf = info->family,
+			.net = net,
+		};
 		struct nf_conn *tmpl = info->ct;
 		int err;
 
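Review bot: The new `state` initialiser sets only `.hook`, `.pf` and `.net` and leaves `in`, `out`, `sk` and `okfn` zeroed, with no comment saying that this is sufficient. The compat wrapper added later in this patch reads just those three fields, but on kernels where nf_conntrack_in() takes the state natively, whether any handler reads the other members is not visible on this page. I would add `/* Only hook, pf and net are populated; in/out/sk/okfn are left NULL. */` above the declaration so a future caller does not assume a fully populated hook state. __ovs_ct_lookup starts and ends outside the hunk.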
@@ -998,8 +1003,7 @@  static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
 			nf_ct_set(skb, tmpl, IP_CT_NEW);
 		}
 
-		err = nf_conntrack_in(net, info->family,
-				      NF_INET_PRE_ROUTING, skb);
+		err = nf_conntrack_in(skb, &state);
 		if (err != NF_ACCEPT)
 			return -ENOENT;
 
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index caa2525ff0ab..ae63e3653b41 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -114,5 +114,6 @@  openvswitch_headers += \
 	linux/compat/include/net/erspan.h \
 	linux/compat/include/uapi/linux/netfilter.h \
 	linux/compat/include/linux/mm.h \
+	linux/compat/include/linux/netfilter.h \
 	linux/compat/include/linux/overflow.h
 EXTRA_DIST += linux/compat/build-aux/export-check-whitelist
diff --git a/datapath/linux/compat/include/linux/netfilter.h b/datapath/linux/compat/include/linux/netfilter.h
new file mode 100644
index 000000000000..a6ed6172d49f
--- /dev/null
+++ b/datapath/linux/compat/include/linux/netfilter.h
@@ -0,0 +1,19 @@ 
+#ifndef __NETFILTER_WRAPPER_H
+#define __NETFILTER_WRAPPER_H
+
+#include_next <linux/netfilter.h>
+
+#if !defined(HAVE_NF_HOOK_STATE) || !defined(HAVE_NF_HOOK_STATE_NET)
+struct rpl_nf_hook_state {
+	unsigned int hook;
+	u_int8_t pf;
+	struct net_device *in;
+	struct net_device *out;
+	struct sock *sk;
+	struct net *net;
+	int (*okfn)(struct net *, struct sock *, struct sk_buff *);
+};
+#define nf_hook_state rpl_nf_hook_state
+#endif
+
+#endif /* __NETFILTER_WRAPPER_H */
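Review bot: When HAVE_NF_HOOK_STATE is defined but HAVE_NF_HOOK_STATE_NET is not, `#define nf_hook_state rpl_nf_hook_state` renames the kernel's own struct for everything compiled after this header. Any code that received a kernel-built `struct nf_hook_state *` (a hook callback, for instance) would then read it through the replacement layout. No such consumer is visible on this page, so the case may be unreachable, but a layout mismatch in kernel context shows up as misread pointers rather than as a build error. I would document the constraint at the definition: `/* Only for state built locally and handed to rpl_nf_conntrack_in(); never interpret a kernel-provided nf_hook_state through this layout. */`.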
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
index 7834c8c25f79..10158011fd4d 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -104,4 +104,13 @@  static inline bool rpl_nf_ct_delete(struct nf_conn *ct, u32 portid, int report)
 #define nf_ct_delete rpl_nf_ct_delete
 #endif /* HAVE_NF_CONN_TIMER */
 
+#ifndef HAVE_NF_CONNTRACK_IN_TAKES_NF_HOOK_STATE
+static inline unsigned int
+rpl_nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
+{
+	return nf_conntrack_in(state->net, state->pf, state->hook, skb);
+}
+#define nf_conntrack_in rpl_nf_conntrack_in
+#endif /* HAVE_NF_CONNTRACK_IN_TAKES_NF_HOOK_STATE */
+
 #endif /* _NF_CONNTRACK_CORE_WRAPPER_H */
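Review bot: rpl_nf_conntrack_in() dereferences `state->net`, which on older kernels exists only if the compat linux/netfilter.h (and its `rpl_nf_hook_state` rename) has been processed before this header. The include lines are outside the hunk, so it is not visible whether that is guaranteed. If it is not already there, I would make the dependency explicit with `#include <linux/netfilter.h>` near the top of this wrapper. Otherwise a short comment would do: `/* Requires compat <linux/netfilter.h> for nf_hook_state.net. */`.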