From patchwork Thu Aug 20 22:49:46 2020
X-Patchwork-Submitter: Gregory Rose
X-Patchwork-Id: 1348673
From: Greg Rose
To: dev@openvswitch.org
Date: Thu, 20 Aug 2020 15:49:46 -0700
Message-Id: <1597963790-12362-20-git-send-email-gvrose8192@gmail.com>
In-Reply-To: <1597963790-12362-1-git-send-email-gvrose8192@gmail.com>
Subject: [ovs-dev] [PATCH 19/23] datapath: support asymmetric conntrack

From: Aaron Conole

Upstream commit:
    commit 5d50aa83e2c8e91ced2cca77c198b468ca9210f4
    Author: Aaron Conole
    Date: Tue Dec 3 16:34:13 2019 -0500

    openvswitch: support asymmetric conntrack

    The openvswitch module shares a common conntrack and NAT
    infrastructure exposed via netfilter. It's possible that a packet
    needs both SNAT and DNAT manipulation, due to e.g. tuple collision.
    Netfilter can support this because it runs through the NAT table
    twice - once on ingress and again after egress. The openvswitch
    module doesn't have such capability.

    Like netfilter hook infrastructure, we should run through NAT twice
    to keep the symmetry.

    Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
    Signed-off-by: Aaron Conole
    Signed-off-by: David S. Miller

Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
Cc: Aaron Conole
Signed-off-by: Greg Rose Acked-by: Aaron Conole --- datapath/conntrack.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 5b4d6cc..c7a318b 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -978,6 +978,17 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, } err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype); + if (err == NF_ACCEPT && + ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, + maniptype); + } + /* Mark NAT done if successful and update the flow key. */ if (err == NF_ACCEPT) ovs_nat_update_key(key, skb, maniptype);
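Review bot: the flow key is only updated for the second manipulation when the new block in ovs_ct_nat() runs. The block overwrites maniptype before the single existing call `ovs_nat_update_key(key, skb, maniptype);`, so the manipulation type that was applied by the first ovs_ct_nat_execute() is never passed to the key update. If that helper refreshes only the source or only the destination fields for the type it is given (its body is not visible in this hunk), the key will carry stale addresses or ports for the first pass while the skb has been rewritten in both directions, and later flow lookups and matches would run against a key that disagrees with the packet. Consider updating the key after each successful pass, or calling the helper once per manipulation type when both IPS_SRC_NAT and IPS_DST_NAT are set. Two smaller points on the same block: err from the first pass is replaced by the result of the second, which is fine for the NF_ACCEPT check but deserves a short comment explaining why the second pass exists (the tuple-collision case from the commit message); and `ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT` relies on operator precedence, so parenthesising each bit test would make the intent explicit and avoid compiler warnings.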