| Message ID | 1597963790-12362-20-git-send-email-gvrose8192@gmail.com |
|---|---|
| State | Superseded |
| Series | Add support for Linux kernels up to 5.9.x |
Greg Rose <gvrose8192@gmail.com> writes:

> From: Aaron Conole <aconole@redhat.com>
>
> Upstream commit:
>     commit 5d50aa83e2c8e91ced2cca77c198b468ca9210f4
>     Author: Aaron Conole <aconole@redhat.com>
>     Date:   Tue Dec 3 16:34:13 2019 -0500
>
>     openvswitch: support asymmetric conntrack
>
>     The openvswitch module shares a common conntrack and NAT infrastructure
>     exposed via netfilter. It's possible that a packet needs both SNAT and
>     DNAT manipulation, due to e.g. tuple collision. Netfilter can support
>     this because it runs through the NAT table twice - once on ingress and
>     again after egress. The openvswitch module doesn't have such capability.
>
>     Like netfilter hook infrastructure, we should run through NAT twice to
>     keep the symmetry.
>
>     Fixes: 05752523e565 ("openvswitch: interface with NAT.")
>     Signed-off-by: Aaron Conole <aconole@redhat.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
>
> Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
> Cc: Aaron Conole <aconole@redhat.com>
> Signed-off-by: Greg Rose <gvrose8192@gmail.com>
> ---

Acked-by: Aaron Conole <aconole@redhat.com>
diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 5b4d6cc..c7a318b 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -978,6 +978,17 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, } err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype); + if (err == NF_ACCEPT && + ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, + maniptype); + } + /* Mark NAT done if successful and update the flow key. */ if (err == NF_ACCEPT) ovs_nat_update_key(key, skb, maniptype);
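Review bot: in the hunk's tail, `ovs_nat_update_key(key, skb, maniptype)` runs once with whatever `maniptype` holds after the new block, so when both `IPS_SRC_NAT` and `IPS_DST_NAT` are set the flow key is refreshed only for the second (flipped) manipulation, while the address rewritten by the first `ovs_ct_nat_execute()` call is not reflected in the key. Consider updating the key for each manipulation type that actually ran, for example by calling `ovs_nat_update_key()` right after each successful `ovs_ct_nat_execute()`, or by recording both directions and calling it for `NF_NAT_MANIP_SRC` and `NF_NAT_MANIP_DST` after both succeed. The `ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT` condition itself is fine as written since `&` binds tighter than `&&`, though explicit parentheses would make the intent clearer to later readers.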