From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:41 -0700
Message-Id: <1571074671-31834-2-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 01/11] datapath: Replace nf_ct_invert_tuplepr() with nf_ct_invert_tuple()

After upstream net-next commit 303e0c558959 ("netfilter: conntrack: avoid
unneeded nf_conntrack_l4proto lookups") nf_ct_invert_tuplepr() is no longer
available in the kernel.

Ideally, we should be in sync with upstream kernel by calling
nf_ct_invert_tuple() directly in conntrack.c. However,
nf_ct_invert_tuple() has different function signature in older kernel, and
it would be hard to replace that in the compat layer. Thus, we use
pl_nf_ct_invert_tuple() in conntrack.c and maintain compatibility in the
compat layer so that ovs kernel module runs smoothly in both new and old
kernel.

Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 acinclude.m4 | 2 ++
 datapath/conntrack.c | 2 +-
 .../linux/compat/include/net/netfilter/nf_conntrack_core.h | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/acinclude.m4 b/acinclude.m4 index 52f92870eaaa..4072a7c8f58a 100644 --- a/acinclude.m4 +++ b/acinclude.m4 
@@ -697,6 +697,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ [nf_ct_set]) OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack.h], [nf_ct_is_untracked]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack.h], + [nf_ct_invert_tuplepr]) OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_zones.h], [nf_ct_zone_init]) OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_l3proto.h], diff --git a/datapath/conntrack.c b/datapath/conntrack.c index e328afe1ad15..afdd65b4cb7c 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -668,7 +668,7 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone, if (natted) { struct nf_conntrack_tuple inverse; - if (!nf_ct_invert_tuplepr(&inverse, &tuple)) { + if (!rpl_nf_ct_invert_tuple(&inverse, &tuple)) { pr_debug("ovs_ct_find_existing: Inversion failed!\n"); return NULL; } diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h index 10158011fd4d..ad52bc9412d8 100644 --- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h +++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h 
@@ -113,4 +113,18 @@ rpl_nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state) #define nf_conntrack_in rpl_nf_conntrack_in #endif /* HAVE_NF_CONNTRACK_IN_TAKES_NF_HOOK_STATE */ +#ifdef HAVE_NF_CT_INVERT_TUPLEPR +static inline bool rpl_nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig) +{ + return nf_ct_invert_tuplepr(inverse, orig); +} +#else +static inline bool rpl_nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, + const struct nf_conntrack_tuple *orig) +{ + return nf_ct_invert_tuple(inverse, orig); +} +#endif /* HAVE_NF_CT_INVERT_TUPLEPR */ + #endif /* _NF_CONNTRACK_CORE_WRAPPER_H */
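
Review bot: In the nf_conntrack_core.h hunk, rpl_nf_ct_invert_tuple() is added without a "#define" alias, unlike "#define nf_conntrack_in rpl_nf_conntrack_in" directly above it, so conntrack.c now calls the rpl_ name at the call site and nothing in the header says why. The commit message gives the reason (nf_ct_invert_tuple() has a different signature on older kernels); a short comment above "#ifdef HAVE_NF_CT_INVERT_TUPLEPR" citing 303e0c558959 would keep a later cleanup from adding the alias and breaking older builds. The commit message also spells the wrapper pl_nf_ct_invert_tuple(), while the code uses rpl_nf_ct_invert_tuple().
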
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:42 -0700
Message-Id: <1571074671-31834-3-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 02/11] datapath: Detect upstream nf_nat change

The following two upstream commits merge nf_nat_ipv4 and nf_nat_ipv6
into nf_nat core, and move some header files around. To handle
these modifications, this patch detects the upstream changes, uses
the header files and config symbols properly.

Ideally, we should replace CONFIG_NF_NAT_IPV4 and CONFIG_NF_NAT_IPV6 with
CONFIG_NF_NAT and CONFIG_IPV6. In order to keep backward compatibility,
we keep the checking of CONFIG_NF_NAT_IPV4/6 as is for the old kernel,
and replace them with macro for the new kernel.

upstream commits:
3bf195ae6037 ("netfilter: nat: merge nf_nat_ipv4,6 into nat core")
d2c5c103b133 ("netfilter: nat: remove nf_nat_l3proto.h and nf_nat_core.h")

Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 acinclude.m4 | 2 ++
 datapath/conntrack.c | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/acinclude.m4 b/acinclude.m4 index 4072a7c8f58a..cc80026f2127 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -713,6 +713,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_ct_nat_ext_add]) OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_alloc_null_binding]) OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_packet], + [OVS_DEFINE([HAVE_UPSTREAM_NF_NAT])]) OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], [nf_ct_seq_adjust]) OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_count.h], [nf_conncount_gc_list], [OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_count.h], diff --git a/datapath/conntrack.c b/datapath/conntrack.c index afdd65b4cb7c..291d4f4723d9 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c 
@@ -35,10 +35,21 @@ #include #ifdef CONFIG_NF_NAT_NEEDED +/* Starting from upstream commit 3bf195ae6037 ("netfilter: nat: merge + * nf_nat_ipv4,6 into nat core") in kernel 5.1. nf_nat_ipv4,6 are merged + * into nf_nat. In order to keep backward compatibility, we keep the config + * checking as is for the old kernel, and replace them with marco for the + * new kernel. */ +#ifdef HAVE_UPSTREAM_NF_NAT +#include +#define CONFIG_NF_NAT_IPV4 CONFIG_NF_NAT +#define CONFIG_NF_NAT_IPV6 CONFIG_IPV6 +#else #include #include #include -#endif +#endif /* HAVE_UPSTREAM_NF_NAT */ +#endif /* CONFIG_NF_NAT_NEEDED */ #include "datapath.h" #include "conntrack.h"
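
Review bot: In the acinclude.m4 hunk, HAVE_UPSTREAM_NF_NAT is keyed on the string nf_nat_packet appearing in nf_nat.h, which is an indirect signal for the two upstream commits and is not explained at the check. A one-line m4 comment naming the upstream commit that put nf_nat_packet into nf_nat.h, and a macro name that states what was detected rather than "UPSTREAM", would make the probe easier to audit when the header changes again.
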
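
Review bot: In the conntrack.c hunk, "#define CONFIG_NF_NAT_IPV4 CONFIG_NF_NAT" and "#define CONFIG_NF_NAT_IPV6 CONFIG_IPV6" define both names unconditionally, so any "#ifdef CONFIG_NF_NAT_IPV4" or "#ifdef CONFIG_NF_NAT_IPV6" later in the file is true even when the target symbol is unset or built as a module. Please confirm that every test of these names in conntrack.c goes through IS_ENABLED(), or use OVS-private names instead of redefining symbols in the CONFIG_ namespace. In the added comment, "marco" should be "macro", and the full stop after "in kernel 5.1" splits one sentence in two.
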
From: Yi-Hung Wei
To: dev@openvswitch.org
Cc: Flavio Leitner
Date: Mon, 14 Oct 2019 10:37:43 -0700
Message-Id: <1571074671-31834-4-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 03/11] datapath: add seqadj extension when NAT is used.

From: Flavio Leitner

upstream patch:
commit fa7e428c6b7ed3281610511a2b2ec716d9894be8
Author: Flavio Leitner
Date: Mon Mar 25 15:58:31 2019 -0300

    openvswitch: add seqadj extension when NAT is used.

    When the conntrack is initialized, there is no helper attached
    yet so the nat info initialization (nf_nat_setup_info) skips
    adding the seqadj ext.

    A helper is attached later when the conntrack is not confirmed
    but is going to be committed. In this case, if NAT is needed then
    adds the seqadj ext as well.

    Fixes: 16ec3d4fbb96 ("openvswitch: Fix cached ct with helper.")
    Signed-off-by: Flavio Leitner
    Acked-by: Pravin B Shelar
    Signed-off-by: David S. Miller

Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 datapath/conntrack.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 291d4f4723d9..1b345a03e704 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c 
@@ -1063,6 +1063,12 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, GFP_ATOMIC); if (err) return err; + + /* helper installed, add seqadj if NAT is required */ + if (info->nat && !nfct_seqadj(ct)) { + if (!nfct_seqadj_ext_add(ct)) + return -EINVAL; + } } /* Call the helper only if:
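
Review bot: In the __ovs_ct_lookup() hunk, nfct_seqadj() and nfct_seqadj_ext_add() are called with no acinclude.m4 probe or compat wrapper added (the diffstat touches only datapath/conntrack.c), although OVS_CHECK_LINUX_COMPAT already probes nf_conntrack_seqadj.h for nf_ct_seq_adjust. Please confirm that both helpers exist on every kernel the out-of-tree module supports, or add the check alongside this change. The failure path returns -EINVAL when the extension cannot be added; that matches upstream fa7e428c6b7e, so it is fine to keep for backport fidelity.
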
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:44 -0700
Message-Id: <1571074671-31834-5-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 04/11] datapath: Handle NF_NAT_NEEDED replacement

Starting from the following upstream commit, NF_NAT_NEEDED is replaced by
IS_ENABLED(CONFIG_NF_NAT) in the upstream kernel. This patch makes some
changes so that our in tree ovs kernel module is compatible to both old
and new kernels.

Upstream commit:
commit 4806e975729f99c7908d1688a143f1e16d464e6c
Author: Florian Westphal
Date: Wed Mar 27 09:22:26 2019 +0100

    netfilter: replace NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT)

    NF_NAT_NEEDED is true whenever nat support for either ipv4 or ipv6 is
    enabled. Now that the af-specific nat configuration switches have been
    removed, IS_ENABLED(CONFIG_NF_NAT) has the same effect.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 acinclude.m4 | 1 +
 datapath/conntrack.c | 25 +++++++++++++++++--------
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4 index cc80026f2127..dca09abefa96 100644 --- a/acinclude.m4 +++ b/acinclude.m4 
@@ -676,6 +676,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter.h], [nf_hook_ops], [owner], [OVS_DEFINE([HAVE_NF_HOOKS_OPS_OWNER])]) OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [NFPROTO_INET]) + OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [CONFIG_NF_NAT_NEEDED]) OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter_ipv6.h], [nf_ipv6_ops], diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 1b345a03e704..010f9af5ffd2 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -34,7 +34,16 @@ #include #include -#ifdef CONFIG_NF_NAT_NEEDED +/* Upstream commit 4806e975729f ("netfilter: replace NF_NAT_NEEDED with + * IS_ENABLED(CONFIG_NF_NAT)") replaces the config checking on NF_NAT_NEEDED + * with CONFIG_NF_NAT. We will replace the checking on NF_NAT_NEEDED for the + * newer kernel with the marco in order to keep backward compatiblity. + */ +#ifndef HAVE_CONFIG_NF_NAT_NEEDED +#define CONFIG_NF_NAT_NEEDED CONFIG_NF_NAT +#endif + +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) /* Starting from upstream commit 3bf195ae6037 ("netfilter: nat: merge * nf_nat_ipv4,6 into nat core") in kernel 5.1. nf_nat_ipv4,6 are merged * into nf_nat. In order to keep backward compatibility, we keep the config @@ -100,7 +109,7 @@ struct ovs_conntrack_info { struct md_labels labels; char timeout[CTNL_TIMEOUT_NAME_MAX]; struct nf_ct_timeout *nf_ct_timeout; -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */ #endif }; @@ -786,7 +795,7 @@ static bool skb_nfct_cached(struct net *net, return ct_executed; } -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) /* Modelled after nf_nat_ipv[46]_fn(). * range is only used for new, uninitialized NAT state. * Returns either NF_ACCEPT or NF_DROP. 
@@ -1405,7 +1414,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return 0; } -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) static int parse_nat(const struct nlattr *attr, struct ovs_conntrack_info *info, bool log) { @@ -1547,7 +1556,7 @@ static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = { .maxlen = sizeof(struct md_labels) }, [OVS_CT_ATTR_HELPER] = { .minlen = 1, .maxlen = NF_CT_HELPER_NAME_LEN }, -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) /* NAT length is checked when parsing the nested attributes. */ [OVS_CT_ATTR_NAT] = { .minlen = 0, .maxlen = INT_MAX }, #endif @@ -1627,7 +1636,7 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, return -EINVAL; } break; -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) case OVS_CT_ATTR_NAT: { int err = parse_nat(a, info, log); @@ -1761,7 +1770,7 @@ err_free_ct: return err; } -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, struct sk_buff *skb) { 
@@ -1871,7 +1880,7 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, return -EMSGSIZE; } -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb)) return -EMSGSIZE; #endif
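
Review bot: In the first conntrack.c hunk, "#define CONFIG_NF_NAT_NEEDED CONFIG_NF_NAT" is then tested with "#if IS_ENABLED(CONFIG_NF_NAT_NEEDED)", so on new kernels every NAT guard depends on IS_ENABLED() resolving the alias to CONFIG_NF_NAT and CONFIG_NF_NAT_MODULE rather than to CONFIG_NF_NAT_NEEDED_MODULE. Please say in the comment that this is intended and confirm that a CONFIG_NF_NAT=m build still compiles the paths guarded in the later hunks (parse_nat(), ovs_ct_nat_to_attr(), the OVS_CT_ATTR_NAT entry in ovs_ct_attr_lens), since a guard that silently evaluates false would drop NAT support without a build error. The comment also has two typos: "marco" and "compatiblity".
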
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:45 -0700
Message-Id: <1571074671-31834-6-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 05/11] datapath: Use nla_nest_start_noflag()

This patch backports the openvswitch changes and updates the compat layer
for the following upstream patch.

commit ae0be8de9a53cda3505865c11826d8ff0640237c
Author: Michal Kubecek
Date: Fri Apr 26 11:13:06 2019 +0200

    netlink: make nla_nest_start() add NLA_F_NESTED flag

    Even if the NLA_F_NESTED flag was introduced more than 11 years ago, most
    netlink based interfaces (including recently added ones) are still not
    setting it in kernel generated messages. Without the flag, message parsers
    not aware of attribute semantics (e.g. wireshark dissector or libmnl's
    mnl_nlmsg_fprintf()) cannot recognize nested attributes and won't display
    the structure of their contents.

    Unfortunately we cannot just add the flag everywhere as there may be
    userspace applications which check nlattr::nla_type directly rather than
    through a helper masking out the flags. Therefore the patch renames
    nla_nest_start() to nla_nest_start_noflag() and introduces nla_nest_start()
    as a wrapper adding NLA_F_NESTED. The calls which add NLA_F_NESTED manually
    are rewritten to use nla_nest_start().

    Except for changes in include/net/netlink.h, the patch was generated using
    this semantic patch:

    @@ expression E1, E2; @@
    -nla_nest_start(E1, E2)
    +nla_nest_start_noflag(E1, E2)

    @@ expression E1, E2; @@
    -nla_nest_start_noflag(E1, E2 | NLA_F_NESTED)
    +nla_nest_start(E1, E2)

    Signed-off-by: Michal Kubecek
    Acked-by: Jiri Pirko
    Acked-by: David Ahern
    Signed-off-by: David S. Miller

Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 acinclude.m4 | 1 +
 datapath/conntrack.c | 6 +++---
 datapath/datapath.c | 7 +++---
 datapath/flow_netlink.c | 33 +++++++++++++++--------------
 datapath/linux/compat/include/net/netlink.h | 9 ++++++++
 datapath/meter.c | 8 +++----
 datapath/vport-vxlan.c | 2 +-
 datapath/vport.c | 2 +-
 8 files changed, 40 insertions(+), 28 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4 index dca09abefa96..fe121ab9126d 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -844,6 +844,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_GREP_IFELSE([$KSRC/include/net/netlink.h], [nla_put_in_addr]) OVS_GREP_IFELSE([$KSRC/include/net/netlink.h], [nla_find_nested]) OVS_GREP_IFELSE([$KSRC/include/net/netlink.h], [nla_is_last]) + OVS_GREP_IFELSE([$KSRC/include/net/netlink.h], [nla_nest_start_noflag]) OVS_GREP_IFELSE([$KSRC/include/linux/netlink.h], [void.*netlink_set_err], [OVS_DEFINE([HAVE_VOID_NETLINK_SET_ERR])]) OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netlink.h], diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 010f9af5ffd2..b11a30965147 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -1776,7 +1776,7 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, { struct nlattr *start; - start = nla_nest_start(skb, OVS_CT_ATTR_NAT); + start = nla_nest_start_noflag(skb, OVS_CT_ATTR_NAT); if (!start) return false; 
@@ -1847,7 +1847,7 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, { struct nlattr *start; - start = nla_nest_start(skb, OVS_ACTION_ATTR_CT); + start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CT); if (!start) return -EMSGSIZE; @@ -2257,7 +2257,7 @@ static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info) if (IS_ERR(reply)) return PTR_ERR(reply); - nla_reply = nla_nest_start(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); + nla_reply = nla_nest_start_noflag(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) { err = ovs_ct_limit_get_zone_limit( diff --git a/datapath/datapath.c b/datapath/datapath.c index 94e4f6ffd6e9..78e2e6310529 100644 --- a/datapath/datapath.c +++ b/datapath/datapath.c @@ -475,7 +475,8 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, if (upcall_info->egress_tun_info) { - nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY); + nla = nla_nest_start_noflag(user_skb, + OVS_PACKET_ATTR_EGRESS_TUN_KEY); if (!nla) { err = -EMSGSIZE; goto out; @@ -487,7 +488,7 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, } if (upcall_info->actions_len) { - nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS); + nla = nla_nest_start_noflag(user_skb, OVS_PACKET_ATTR_ACTIONS); if (!nla) { err = -EMSGSIZE; goto out; @@ -789,7 +790,7 @@ static int ovs_flow_cmd_fill_actions(const struct sw_flow *flow, * This can only fail for dump operations because the skb is always * properly sized for single flows. */ - start = nla_nest_start(skb, OVS_FLOW_ATTR_ACTIONS); + start = nla_nest_start_noflag(skb, OVS_FLOW_ATTR_ACTIONS); if (start) { const struct sw_flow_actions *sf_acts; diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c index 0f7ab53fc141..35f13d753cec 100644 --- a/datapath/flow_netlink.c +++ b/datapath/flow_netlink.c 
@@ -839,7 +839,7 @@ static int vxlan_opt_to_nlattr(struct sk_buff *skb, const struct vxlan_metadata *opts = tun_opts; struct nlattr *nla; - nla = nla_nest_start(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS); + nla = nla_nest_start_noflag(skb, OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS); if (!nla) return -EMSGSIZE; @@ -926,7 +926,7 @@ static int ip_tun_to_nlattr(struct sk_buff *skb, struct nlattr *nla; int err; - nla = nla_nest_start(skb, OVS_KEY_ATTR_TUNNEL); + nla = nla_nest_start_noflag(skb, OVS_KEY_ATTR_TUNNEL); if (!nla) return -EMSGSIZE; @@ -1934,7 +1934,7 @@ static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask, { struct nlattr *start; - start = nla_nest_start(skb, OVS_KEY_ATTR_NSH); + start = nla_nest_start_noflag(skb, OVS_KEY_ATTR_NSH); if (!start) return -EMSGSIZE; @@ -2017,14 +2017,15 @@ static int __ovs_nla_put_key(const struct sw_flow_key *swkey, if (swkey->eth.vlan.tci || eth_type_vlan(swkey->eth.type)) { if (ovs_nla_put_vlan(skb, &output->eth.vlan, is_mask)) goto nla_put_failure; - encap = nla_nest_start(skb, OVS_KEY_ATTR_ENCAP); + encap = nla_nest_start_noflag(skb, OVS_KEY_ATTR_ENCAP); if (!swkey->eth.vlan.tci) goto unencap; if (swkey->eth.cvlan.tci || eth_type_vlan(swkey->eth.type)) { if (ovs_nla_put_vlan(skb, &output->eth.cvlan, is_mask)) goto nla_put_failure; - in_encap = nla_nest_start(skb, OVS_KEY_ATTR_ENCAP); + in_encap = nla_nest_start_noflag(skb, + OVS_KEY_ATTR_ENCAP); if (!swkey->eth.cvlan.tci) goto unencap; } @@ -2203,7 +2204,7 @@ int ovs_nla_put_key(const struct sw_flow_key *swkey, int err; struct nlattr *nla; - nla = nla_nest_start(skb, attr); + nla = nla_nest_start_noflag(skb, attr); if (!nla) return -EMSGSIZE; err = __ovs_nla_put_key(swkey, output, is_mask, skb); 
@@ -3234,7 +3235,7 @@ static int sample_action_to_attr(const struct nlattr *attr, const struct sample_arg *arg; struct nlattr *actions; - start = nla_nest_start(skb, OVS_ACTION_ATTR_SAMPLE); + start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SAMPLE); if (!start) return -EMSGSIZE; @@ -3247,7 +3248,7 @@ static int sample_action_to_attr(const struct nlattr *attr, goto out; } - ac_start = nla_nest_start(skb, OVS_SAMPLE_ATTR_ACTIONS); + ac_start = nla_nest_start_noflag(skb, OVS_SAMPLE_ATTR_ACTIONS); if (!ac_start) { err = -EMSGSIZE; goto out; @@ -3273,7 +3274,7 @@ static int clone_action_to_attr(const struct nlattr *attr, struct nlattr *start; int err = 0, rem = nla_len(attr); - start = nla_nest_start(skb, OVS_ACTION_ATTR_CLONE); + start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CLONE); if (!start) return -EMSGSIZE; @@ -3295,7 +3296,7 @@ static int check_pkt_len_action_to_attr(const struct nlattr *attr, const struct nlattr *a, *cpl_arg; int err = 0, rem = nla_len(attr); - start = nla_nest_start(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN); + start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_CHECK_PKT_LEN); if (!start) return -EMSGSIZE; @@ -3314,8 +3315,8 @@ static int check_pkt_len_action_to_attr(const struct nlattr *attr, * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'. */ a = nla_next(cpl_arg, &rem); - ac_start = nla_nest_start(skb, - OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL); + ac_start = nla_nest_start_noflag(skb, + OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL); if (!ac_start) { err = -EMSGSIZE; goto out; @@ -3333,8 +3334,8 @@ static int check_pkt_len_action_to_attr(const struct nlattr *attr, * OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER. */ a = nla_next(a, &rem); - ac_start = nla_nest_start(skb, - OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER); + ac_start = nla_nest_start_noflag(skb, + OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER); if (!ac_start) { err = -EMSGSIZE; goto out; 
@@ -3368,7 +3369,7 @@ static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb) struct ovs_tunnel_info *ovs_tun = nla_data(ovs_key); struct ip_tunnel_info *tun_info = &ovs_tun->tun_dst->u.tun_info; - start = nla_nest_start(skb, OVS_ACTION_ATTR_SET); + start = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); if (!start) return -EMSGSIZE; @@ -3400,7 +3401,7 @@ static int masked_set_action_to_set_action_attr(const struct nlattr *a, /* Revert the conversion we did from a non-masked set action to * masked set action. */ - nla = nla_nest_start(skb, OVS_ACTION_ATTR_SET); + nla = nla_nest_start_noflag(skb, OVS_ACTION_ATTR_SET); if (!nla) return -EMSGSIZE; diff --git a/datapath/linux/compat/include/net/netlink.h b/datapath/linux/compat/include/net/netlink.h index d42bf108b417..34fc3460dc81 100644 --- a/datapath/linux/compat/include/net/netlink.h +++ b/datapath/linux/compat/include/net/netlink.h @@ -165,4 +165,13 @@ static inline int rpl_nla_parse(struct nlattr **tb, int maxtype, #define nla_parse rpl_nla_parse #endif +#ifndef HAVE_NLA_NEST_START_NOFLAG +static inline struct nlattr *rpl_nla_nest_start_noflag(struct sk_buff *skb, + int attrtype) +{ + return nla_nest_start(skb, attrtype); +} +#define nla_nest_start_noflag rpl_nla_nest_start_noflag +#endif + #endif /* net/netlink.h */ diff --git a/datapath/meter.c b/datapath/meter.c index eda14682fb96..b0a92891c7c0 100644 --- a/datapath/meter.c +++ b/datapath/meter.c @@ -129,7 +129,7 @@ static int ovs_meter_cmd_reply_stats(struct sk_buff *reply, u32 meter_id, OVS_METER_ATTR_PAD)) goto error; - nla = nla_nest_start(reply, OVS_METER_ATTR_BANDS); + nla = nla_nest_start_noflag(reply, OVS_METER_ATTR_BANDS); if (!nla) goto error; 
@@ -138,7 +138,7 @@ static int ovs_meter_cmd_reply_stats(struct sk_buff *reply, u32 meter_id, for (i = 0; i < meter->n_bands; ++i, ++band) { struct nlattr *band_nla; - band_nla = nla_nest_start(reply, OVS_BAND_ATTR_UNSPEC); + band_nla = nla_nest_start_noflag(reply, OVS_BAND_ATTR_UNSPEC); if (!band_nla || nla_put(reply, OVS_BAND_ATTR_STATS, sizeof(struct ovs_flow_stats), &band->stats)) @@ -168,11 +168,11 @@ static int ovs_meter_cmd_features(struct sk_buff *skb, struct genl_info *info) nla_put_u32(reply, OVS_METER_ATTR_MAX_BANDS, DP_MAX_BANDS)) goto nla_put_failure; - nla = nla_nest_start(reply, OVS_METER_ATTR_BANDS); + nla = nla_nest_start_noflag(reply, OVS_METER_ATTR_BANDS); if (!nla) goto nla_put_failure; - band_nla = nla_nest_start(reply, OVS_BAND_ATTR_UNSPEC); + band_nla = nla_nest_start_noflag(reply, OVS_BAND_ATTR_UNSPEC); if (!band_nla) goto nla_put_failure; /* Currently only DROP band type is supported. */ diff --git a/datapath/vport-vxlan.c b/datapath/vport-vxlan.c index 05764467a687..70ed376e3869 100644 --- a/datapath/vport-vxlan.c +++ b/datapath/vport-vxlan.c @@ -47,7 +47,7 @@ static int vxlan_get_options(const struct vport *vport, struct sk_buff *skb) #endif struct nlattr *exts; - exts = nla_nest_start(skb, OVS_TUNNEL_ATTR_EXTENSION); + exts = nla_nest_start_noflag(skb, OVS_TUNNEL_ATTR_EXTENSION); if (!exts) return -EMSGSIZE; diff --git a/datapath/vport.c b/datapath/vport.c index ed7f23ec8933..f929282dcec1 100644 --- a/datapath/vport.c +++ b/datapath/vport.c 
@@ -408,7 +408,7 @@ int ovs_vport_get_options(const struct vport *vport, struct sk_buff *skb) if (!vport->ops->get_options) return 0; - nla = nla_nest_start(skb, OVS_VPORT_ATTR_OPTIONS); + nla = nla_nest_start_noflag(skb, OVS_VPORT_ATTR_OPTIONS); if (!nla) return -EMSGSIZE; 
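Review bot: In ovs_ct_limit_cmd_get() (datapath/conntrack.c, hunk at -2257) the result of nla_nest_start_noflag(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT) is followed directly by the "if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT])" branch with no NULL check in the visible context, and the two OVS_KEY_ATTR_ENCAP calls in __ovs_nla_put_key() (datapath/flow_netlink.c, hunk at -2017) look the same, while every other converted call site returns -EMSGSIZE or false on NULL. The rename does not change this, but since the lines are touched it is worth confirming that nla_reply, encap and in_encap are checked before they are used further down, or adding the check here.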
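Review bot: The rpl_nla_nest_start_noflag() fallback added to datapath/linux/compat/include/net/netlink.h has no comment explaining why forwarding to nla_nest_start() is equivalent. Going by the upstream commit message, a kernel that lacks nla_nest_start_noflag() still has the old nla_nest_start() that does not set NLA_F_NESTED, so the attribute type on the wire is unchanged; a one-line comment above the #ifndef saying so would keep a later cleanup from adding the flag in the fallback and changing what userspace that compares nla_type directly receives.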
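The compatibility concern in the PATCH 05/11 commit message, seen from the receiving side: a parser that compares nla_type directly loses the attribute once NLA_F_NESTED is set, while one that masks the flag bits reads both encodings. This is an added example, not code from the patch, Open vSwitch or the kernel; the ex_ names and attribute numbers are hypothetical, and the flag values are copied from linux/netlink.h so the file builds without kernel headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same values as <linux/netlink.h>; redefined with an EX_ prefix (assumption:
 * built without kernel headers). */
#define EX_NLA_F_NESTED        (1 << 15)
#define EX_NLA_F_NET_BYTEORDER (1 << 14)
#define EX_NLA_TYPE_MASK       (~(EX_NLA_F_NESTED | EX_NLA_F_NET_BYTEORDER))
#define EX_NLA_HDRLEN          4
#define EX_NLA_ALIGN(len)      (((len) + 3u) & ~3u)

#define EX_ATTR_OPTIONS 4 /* hypothetical nested container attribute */
#define EX_ATTR_PORT    1 /* hypothetical u16 child attribute */

struct ex_nlattr { uint16_t nla_len; uint16_t nla_type; };

/* Append one attribute at 'off'; returns the new offset, or 0 if it does not fit. */
static size_t ex_put(uint8_t *buf, size_t cap, size_t off, uint16_t type,
                     const void *data, uint16_t len)
{
    struct ex_nlattr h;
    size_t total = EX_NLA_HDRLEN + (size_t)len;
    size_t padded = EX_NLA_ALIGN(total);

    if (off > cap || padded > cap - off)
        return 0;
    h.nla_len = (uint16_t)total;
    h.nla_type = type;
    memcpy(buf + off, &h, sizeof h);
    if (len)
        memcpy(buf + off + EX_NLA_HDRLEN, data, len);
    memset(buf + off + total, 0, padded - total);
    return off + padded;
}

/* Constructed sample message: OPTIONS { PORT = 4789 }.  set_nested_flag = 0
 * models nla_nest_start_noflag(), 1 models the new nla_nest_start(). */
size_t ex_build(uint8_t *buf, size_t cap, int set_nested_flag)
{
    uint8_t inner[16];
    uint16_t port = 4789;
    uint16_t type = EX_ATTR_OPTIONS;
    size_t inner_len = ex_put(inner, sizeof inner, 0, EX_ATTR_PORT, &port, sizeof port);

    if (!inner_len)
        return 0;
    if (set_nested_flag)
        type |= EX_NLA_F_NESTED;
    return ex_put(buf, cap, 0, type, inner, (uint16_t)inner_len);
}

/* Walk one attribute level with length checks; NULL if absent or malformed. */
static const uint8_t *ex_find(const uint8_t *buf, size_t len, uint16_t want,
                              int mask_flags, uint16_t *payload_len)
{
    size_t off = 0;

    while (len - off >= EX_NLA_HDRLEN) {
        struct ex_nlattr h;
        uint16_t type;

        memcpy(&h, buf + off, sizeof h);
        if (h.nla_len < EX_NLA_HDRLEN || h.nla_len > len - off)
            return NULL; /* length field points outside the buffer */
        type = mask_flags ? (uint16_t)(h.nla_type & EX_NLA_TYPE_MASK) : h.nla_type;
        if (type == want) {
            *payload_len = (uint16_t)(h.nla_len - EX_NLA_HDRLEN);
            return buf + off + EX_NLA_HDRLEN;
        }
        if (EX_NLA_ALIGN(h.nla_len) > len - off)
            break;
        off += EX_NLA_ALIGN(h.nla_len);
    }
    return NULL;
}

static int ex_lookup(const uint8_t *msg, size_t len, int mask_flags)
{
    uint16_t plen = 0, clen = 0, port;
    const uint8_t *nest = ex_find(msg, len, EX_ATTR_OPTIONS, mask_flags, &plen);
    const uint8_t *child = nest ? ex_find(nest, plen, EX_ATTR_PORT, mask_flags, &clen) : NULL;

    if (!child || clen != sizeof port)
        return -1;
    memcpy(&port, child, sizeof port);
    return port;
}

/* Parser that compares nla_type directly (the case the commit message warns about). */
int ex_lookup_raw(const uint8_t *msg, size_t len) { return ex_lookup(msg, len, 0); }
/* Parser that masks the flag bits first, as a masking helper would. */
int ex_lookup_masked(const uint8_t *msg, size_t len) { return ex_lookup(msg, len, 1); }

/* A schema-unaware dissector can only tell nesting from the flag bit. */
int ex_generic_sees_nesting(const uint8_t *msg, size_t len)
{
    struct ex_nlattr h;

    if (len < EX_NLA_HDRLEN)
        return 0;
    memcpy(&h, msg, sizeof h);
    return (h.nla_type & EX_NLA_F_NESTED) != 0;
}

int main(void)
{
    uint8_t legacy[32], flagged[32];
    size_t l1 = ex_build(legacy, sizeof legacy, 0);
    size_t l2 = ex_build(flagged, sizeof flagged, 1);

    printf("raw:    noflag=%d flagged=%d\n", ex_lookup_raw(legacy, l1), ex_lookup_raw(flagged, l2));
    printf("masked: noflag=%d flagged=%d\n", ex_lookup_masked(legacy, l1), ex_lookup_masked(flagged, l2));
    printf("generic dissector sees nesting: noflag=%d flagged=%d\n",
           ex_generic_sees_nesting(legacy, l1), ex_generic_sees_nesting(flagged, l2));
    return 0;
}
```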
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:46 -0700
Message-Id: <1571074671-31834-7-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 06/11] datapath: genetlink: optionally validate strictly/dumps

This patch backports the following upstream commit within the openvswitch
kernel module with some checks so that it also works in the older kernel.

Upstream commit:
commit ef6243acb4782df587a4d7d6c310fa5b5d82684b
Author: Johannes Berg
Date: Fri Apr 26 14:07:31 2019 +0200

    genetlink: optionally validate strictly/dumps

    Add options to strictly validate messages and dump messages, sometimes
    perhaps validating dump messages non-strictly may be required, so add an
    option for that as well.

    Since none of this can really be applied to existing commands, set the
    options everywhere using the following spatch:

    @@
    identifier ops;
    expression X;
    @@
    struct genl_ops ops[] = {
    ...,
     {
            .cmd = X,
    +       .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
            ...
     },
    ...
    };

    For new commands one should just not copy the .validate 'opt-out' flags
    and thus get strict validation.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller
Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 acinclude.m4 | 1 +
 datapath/conntrack.c | 9 +++++++++
 datapath/datapath.c | 39 +++++++++++++++++++++++++++++++++++++++
 datapath/meter.c | 12 ++++++++++++
 4 files changed, 61 insertions(+)

diff --git a/acinclude.m4 b/acinclude.m4 index fe121ab9126d..055f5387db19 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -817,6 +817,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_GREP_IFELSE([$KSRC/include/net/genetlink.h], [genlmsg_parse]) OVS_GREP_IFELSE([$KSRC/include/net/genetlink.h], [genl_notify.*family], [OVS_DEFINE([HAVE_GENL_NOTIFY_TAKES_FAMILY])]) + OVS_GREP_IFELSE([$KSRC/include/net/genetlink.h], [genl_validate_flags]) OVS_FIND_PARAM_IFELSE([$KSRC/include/net/genetlink.h], [genl_notify], [net], [OVS_DEFINE([HAVE_GENL_NOTIFY_TAKES_NET])]) diff --git a/datapath/conntrack.c b/datapath/conntrack.c index b11a30965147..0c0d43bec2e5 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -2283,18 +2283,27 @@ exit_err: static struct genl_ops ct_limit_genl_ops[] = { { .cmd = OVS_CT_LIMIT_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */ .policy = ct_limit_policy, .doit = ovs_ct_limit_cmd_set, }, { .cmd = OVS_CT_LIMIT_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */ .policy = ct_limit_policy, .doit = ovs_ct_limit_cmd_del, }, { .cmd = OVS_CT_LIMIT_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = ct_limit_policy, .doit = ovs_ct_limit_cmd_get, diff --git a/datapath/datapath.c b/datapath/datapath.c index 78e2e6310529..f4244ea09869 100644 --- a/datapath/datapath.c +++ b/datapath/datapath.c 
@@ -652,6 +652,9 @@ static const struct nla_policy packet_policy[OVS_PACKET_ATTR_MAX + 1] = { static struct genl_ops dp_packet_genl_ops[] = { { .cmd = OVS_PACKET_CMD_EXECUTE, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = packet_policy, .doit = ovs_packet_cmd_execute @@ -1440,22 +1443,34 @@ static const struct nla_policy flow_policy[OVS_FLOW_ATTR_MAX + 1] = { static struct genl_ops dp_flow_genl_ops[] = { { .cmd = OVS_FLOW_CMD_NEW, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = flow_policy, .doit = ovs_flow_cmd_new }, { .cmd = OVS_FLOW_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = flow_policy, .doit = ovs_flow_cmd_del }, { .cmd = OVS_FLOW_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = flow_policy, .doit = ovs_flow_cmd_get, .dumpit = ovs_flow_cmd_dump }, { .cmd = OVS_FLOW_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = flow_policy, .doit = ovs_flow_cmd_set, 
@@ -1832,22 +1847,34 @@ static const struct nla_policy datapath_policy[OVS_DP_ATTR_MAX + 1] = { static struct genl_ops dp_datapath_genl_ops[] = { { .cmd = OVS_DP_CMD_NEW, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = datapath_policy, .doit = ovs_dp_cmd_new }, { .cmd = OVS_DP_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = datapath_policy, .doit = ovs_dp_cmd_del }, { .cmd = OVS_DP_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = datapath_policy, .doit = ovs_dp_cmd_get, .dumpit = ovs_dp_cmd_dump }, { .cmd = OVS_DP_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = datapath_policy, .doit = ovs_dp_cmd_set, 
@@ -2277,22 +2304,34 @@ static const struct nla_policy vport_policy[OVS_VPORT_ATTR_MAX + 1] = { static struct genl_ops dp_vport_genl_ops[] = { { .cmd = OVS_VPORT_CMD_NEW, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = vport_policy, .doit = ovs_vport_cmd_new }, { .cmd = OVS_VPORT_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = vport_policy, .doit = ovs_vport_cmd_del }, { .cmd = OVS_VPORT_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = vport_policy, .doit = ovs_vport_cmd_get, .dumpit = ovs_vport_cmd_dump }, { .cmd = OVS_VPORT_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = vport_policy, .doit = ovs_vport_cmd_set, diff --git a/datapath/meter.c b/datapath/meter.c index b0a92891c7c0..7d8f51a8fcd1 100644 --- a/datapath/meter.c +++ b/datapath/meter.c @@ -538,11 +538,17 @@ bool ovs_meter_execute(struct datapath *dp, struct sk_buff *skb, static struct genl_ops dp_meter_genl_ops[] = { { .cmd = OVS_METER_CMD_FEATURES, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = meter_policy, .doit = ovs_meter_cmd_features }, { .cmd = OVS_METER_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */ 
@@ -550,11 +556,17 @@ static struct genl_ops dp_meter_genl_ops[] = { .doit = ovs_meter_cmd_set, }, { .cmd = OVS_METER_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = meter_policy, .doit = ovs_meter_cmd_get, }, { .cmd = OVS_METER_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */ 
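Review bot: The three-line "#ifdef HAVE_GENL_VALIDATE_FLAGS / .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, / #endif" block is repeated inside every genl_ops entry in datapath/conntrack.c, datapath/datapath.c and datapath/meter.c, which buries the initializers in preprocessor noise and makes it easy to miss an entry when ops are added. Defining the initializer once in the compat layer, as a macro that expands to the .validate line when HAVE_GENL_VALIDATE_FLAGS is set and to nothing otherwise, would leave one line per entry and one place to change.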
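Review bot: The strict-validation opt-out is also applied to the entries marked ".flags = 0, /* OK for unprivileged users. */" (OVS_CT_LIMIT_CMD_GET, OVS_FLOW_CMD_GET, OVS_DP_CMD_GET, OVS_VPORT_CMD_GET, OVS_METER_CMD_FEATURES, OVS_METER_CMD_GET), so requests from unprivileged callers keep the older non-strict attribute validation, and nothing in the code says this is deliberate. That matches the upstream spatch, which sets the flags everywhere to preserve existing behaviour, but the upstream message also says new commands should not copy the opt-out; a comment next to the ops tables recording that these flags are legacy compatibility only would carry that guidance into this tree.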
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:47 -0700
Message-Id: <1571074671-31834-8-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 07/11] datapath: Load and reference the NAT helper.

This commit backports the following upstream commit, and two functions in
nf_conntrack_helper.h.

Upstream commit:
commit fec9c271b8f1bde1086be5aa415cdb586e0dc800
Author: Flavio Leitner
Date: Wed Apr 17 11:46:17 2019 -0300

    openvswitch: load and reference the NAT helper.

    This improves the original commit 17c357efe5ec ("openvswitch: load NAT
    helper") where it unconditionally tries to load the module for every flow
    using NAT, so not efficient when loading multiple flows. It also doesn't
    hold any references to the NAT module while the flow is active.

    This change fixes those problems. It will try to load the module only if
    it's not present. It grabs a reference to the NAT module and holds it
    while the flow is active. Finally, an error message shows up if either
    action above fails.

    Fixes: 17c357efe5ec ("openvswitch: load NAT helper")
    Signed-off-by: Flavio Leitner
    Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 acinclude.m4 | 4 ++++
 datapath/conntrack.c | 27 +++++++++++++++++-----
 .../include/net/netfilter/nf_conntrack_helper.h | 17 ++++++++++++++
 3 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4 index 055f5387db19..22f92723b00d 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -904,6 +904,10 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], [nf_conntrack_helper_put], [OVS_DEFINE(HAVE_NF_CONNTRACK_HELPER_PUT)]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], + [nf_nat_helper_try_module_get]) + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_helper.h], + [nf_nat_helper_put]) OVS_GREP_IFELSE([$KSRC/include/linux/skbuff.h],[[[[:space:]]]SKB_GSO_UDP[[[:space:]]]], [OVS_DEFINE([HAVE_SKB_GSO_UDP])]) OVS_GREP_IFELSE([$KSRC/include/net/dst.h],[DST_NOCACHE], diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 0c0d43bec2e5..9a7eab655142 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -1391,6 +1391,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, { struct nf_conntrack_helper *helper; struct nf_conn_help *help; + int ret = 0; helper = nf_conntrack_helper_try_module_get(name, info->family, key->ip.proto); @@ -1405,13 +1406,22 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return -ENOMEM; } +#ifdef CONFIG_NF_NAT_NEEDED + if (info->nat) { + ret = nf_nat_helper_try_module_get(name, info->family, + key->ip.proto); + if (ret) { + nf_conntrack_helper_put(helper); + OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d", + name, ret); + return ret; + } + } +#endif + rcu_assign_pointer(help->helper, helper); info->helper = helper; - - if (info->nat) - request_module("ip_nat_%s", name); - - return 0; + return ret; } #if IS_ENABLED(CONFIG_NF_NAT_NEEDED) 
@@ -1898,8 +1908,13 @@ void ovs_ct_free_action(const struct nlattr *a) static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) { - if (ct_info->helper) + if (ct_info->helper) { +#ifdef CONFIG_NF_NAT_NEEDED + if (ct_info->nat) + nf_nat_helper_put(ct_info->helper); +#endif nf_conntrack_helper_put(ct_info->helper); + } if (ct_info->ct) { if (ct_info->timeout[0]) nf_ct_destroy_timeout(ct_info->ct); diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h index b6a3d0bf75b3..78f97375b66e 100644 --- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h +++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_helper.h 
@@ -19,4 +19,21 @@ rpl_nf_ct_helper_ext_add(struct nf_conn *ct, #define nf_ct_helper_ext_add rpl_nf_ct_helper_ext_add #endif /* HAVE_NF_CT_HELPER_EXT_ADD_TAKES_HELPER */ +#ifndef HAVE_NF_NAT_HELPER_TRY_MODULE_GET +static inline int rpl_nf_nat_helper_try_module_get(const char *name, u16 l3num, + u8 protonum) +{ + request_module("ip_nat_%s", name); + return 0; +} +#define nf_nat_helper_try_module_get rpl_nf_nat_helper_try_module_get +#endif /* HAVE_NF_NAT_HELPER_TRY_MODULE_GET */ + +#ifndef HAVE_NF_NAT_HELPER_PUT +void rpl_nf_nat_helper_put(struct nf_conntrack_helper *helper) +{ +} +#define nf_nat_helper_put rpl_nf_nat_helper_put +#endif /* HAVE_NF_NAT_HELPER_PUT */ + #endif /* _NF_CONNTRACK_HELPER_WRAPPER_H */ From patchwork Mon Oct 14 17:37:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yi-Hung Wei X-Patchwork-Id: 1176568 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="hXoHjIiO"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46sR5X1R0Rz9sP4 for ; Tue, 15 Oct 2019 04:54:24 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id E6F2D2777; Mon, 14 Oct 2019 17:50:01 +0000 (UTC) X-Original-To: dev@openvswitch.org 
From: Yi-Hung Wei
To: dev@openvswitch.org
Cc: Colin Ian King
Date: Mon, 14 Oct 2019 10:37:48 -0700
Message-Id: <1571074671-31834-9-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 08/11] datapath: Check for null pointer return from nla_nest_start_noflag

From: Colin Ian King

upstream commit:
commit ca96534630e2edfd73121c487c957b17eca3b7d7
Author: Colin Ian King
Date: Wed May 1 14:41:58 2019 +0100

openvswitch: check for null pointer return from nla_nest_start_noflag

The call to nla_nest_start_noflag can return null in the unlikely event that nla_put returns -EMSGSIZE. Check for this condition to avoid a null pointer dereference on pointer nla_reply.

Addresses-Coverity: ("Dereference null return value")
Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit")
Signed-off-by: Colin Ian King
Acked-by: Yi-Hung Wei
Signed-off-by: David S. Miller
Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 datapath/conntrack.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 9a7eab655142..86e7dd24bb9b 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c 
@@ -2273,6 +2273,10 @@ static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info) return PTR_ERR(reply); nla_reply = nla_nest_start_noflag(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); + if (!nla_reply) { + err = -EMSGSIZE; + goto exit_err; + } if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) { err = ovs_ct_limit_get_zone_limit( From patchwork Mon Oct 14 17:37:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yi-Hung Wei X-Patchwork-Id: 1176569 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="EDQqAzz0"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46sR661Nw2z9sP4 for ; Tue, 15 Oct 2019 04:54:53 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 916932783; Mon, 14 Oct 2019 17:50:03 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 8AEA42774 for ; Mon, 14 Oct 2019 17:50:01 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pg1-f195.google.com (mail-pg1-f195.google.com [209.85.215.195]) by smtp1.linuxfoundation.org 
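Review bot: The new goto exit_err after nla_nest_start_noflag() is taken with reply already allocated (the context line above returns PTR_ERR(reply) only when the allocation failed), and the exit_err label is outside the hunk. Confirm that exit_err frees reply, otherwise this path trades a NULL dereference for a leaked reply buffer. The -EMSGSIZE value is consistent with the commit message's explanation of when NULL is returned.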
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:49 -0700
Message-Id: <1571074671-31834-10-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 09/11] datapath: Replace removed NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT)

Backports the following upstream commit with some backward compatibility change.

commit f319ca6557c10a711facc4dd60197470796d3ec1
Author: Geert Uytterhoeven
Date: Wed May 8 08:52:32 2019 +0200

openvswitch: Replace removed NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT)

Commit 4806e975729f99c7 ("netfilter: replace NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT)") removed CONFIG_NF_NAT_NEEDED, but a new user popped up afterwards.

Fixes: fec9c271b8f1bde1 ("openvswitch: load and reference the NAT helper.")
Signed-off-by: Geert Uytterhoeven
Acked-by: Florian Westphal
Acked-by: Flavio Leitner
Signed-off-by: David S. Miller
Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 datapath/conntrack.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 86e7dd24bb9b..ba73962b2214 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c
@@ -1406,7 +1406,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return -ENOMEM; } -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) if (info->nat) { ret = nf_nat_helper_try_module_get(name, info->family, key->ip.proto); 
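Review bot: The subject and the quoted upstream commit say the guard becomes IS_ENABLED(CONFIG_NF_NAT), but this hunk in ovs_ct_add_helper tests IS_ENABLED(CONFIG_NF_NAT_NEEDED), the symbol the commit message says was removed. Where that symbol is not defined, IS_ENABLED() evaluates to 0 and the nf_nat_helper_try_module_get() call is compiled out, unless the compat layer supplies the definition; note that IS_ENABLED() needs the symbol defined as 1, not merely defined. The message only says "some backward compatibility change"; please state where CONFIG_NF_NAT_NEEDED is defined for kernels that dropped it, or test both symbols here.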
@@ -1909,7 +1909,7 @@ void ovs_ct_free_action(const struct nlattr *a) static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) { if (ct_info->helper) { -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT_NEEDED) if (ct_info->nat) nf_nat_helper_put(ct_info->helper); #endif From patchwork Mon Oct 14 17:37:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yi-Hung Wei X-Patchwork-Id: 1176570 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="CGqjBjD+"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46sR6m2TLTz9sP4 for ; Tue, 15 Oct 2019 04:55:28 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 3B5362791; Mon, 14 Oct 2019 17:50:06 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 446E12771 for ; Mon, 14 Oct 2019 17:50:03 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pf1-f196.google.com (mail-pf1-f196.google.com [209.85.210.196]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 3B3F68AD for ; Mon, 
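Review bot: In __ovs_ct_free_action the guard around nf_nat_helper_put() has to stay identical to the guard around nf_nat_helper_try_module_get() in ovs_ct_add_helper, because a configuration in which only one of the two compiles in leaves the NAT helper module reference unbalanced. Both hunks edit the preprocessor condition by hand; consider one local macro used at both sites so the get and put conditions cannot drift apart in a later backport.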
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:50 -0700
Message-Id: <1571074671-31834-11-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 10/11] datapath: Fix log message in ovs conntrack

Upstream commit:
commit 12c6bc38f99bb168b7f16bdb5e855a51a23ee9ec
Author: Yi-Hung Wei
Date: Wed Aug 21 17:16:10 2019 -0700

openvswitch: Fix log message in ovs conntrack

Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action")
Signed-off-by: Yi-Hung Wei
Signed-off-by: David S. Miller
Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 datapath/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c index ba73962b2214..f6e9386f4707 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c
@@ -1663,7 +1663,7 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, case OVS_CT_ATTR_TIMEOUT: memcpy(info->timeout, nla_data(a), nla_len(a)); if (!memchr(info->timeout, '\0', nla_len(a))) { - OVS_NLERR(log, "Invalid conntrack helper"); + OVS_NLERR(log, "Invalid conntrack timeout"); return -EINVAL; } break; From patchwork Mon Oct 14 17:37:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yi-Hung Wei X-Patchwork-Id: 1176572 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="Kff1qM6c"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46sR7L5lFMz9sP6 for ; Tue, 15 Oct 2019 04:55:58 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id D72452796; Mon, 14 Oct 2019 17:50:06 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id DE7AC26CE for ; Mon, 14 Oct 2019 17:50:04 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pg1-f195.google.com (mail-pg1-f195.google.com [209.85.215.195]) by 
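Review bot: The corrected OVS_NLERR text still does not say what was wrong with the timeout: the memchr() check on the line above rejects a timeout name that has no NUL terminator within nla_len(a) bytes, so adding that reason to the message would save the next reader a trip to the source. Also, in the context lines, memcpy() copies nla_len(a) bytes into info->timeout before any length check that is visible in this hunk; confirm the attribute's maximum length is enforced earlier so the copy cannot exceed the buffer.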
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:51 -0700
Message-Id: <1571074671-31834-12-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 11/11] datapath: Allow attaching helper in later commit

Upstream commit:
commit 248d45f1e1934f7849fbdc35ef1e57151cf063eb
Author: Yi-Hung Wei
Date: Fri Oct 4 09:26:44 2019 -0700

openvswitch: Allow attaching helper in later commit

This patch allows attaching a conntrack helper to a confirmed conntrack entry. Currently, we can only attach alg helper to a conntrack entry when it is in the unconfirmed state. This patch enables a use case that we can firstly commit a conntrack entry after it passed some initial conditions. After that the processing pipeline will further check a couple of packets to determine if the connection belongs to a particular application, and attach alg helper to the connection in a later stage.

Signed-off-by: Yi-Hung Wei
Signed-off-by: David S. Miller
Signed-off-by: Yi-Hung Wei
Reviewed-by: Yifeng Sun
---
 datapath/conntrack.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c index f6e9386f4707..838cf63c908f 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c
@@ -1045,6 +1045,8 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, ct = nf_ct_get(skb, &ctinfo); if (ct) { + bool add_helper = false; + /* Packets starting a new connection must be NATted before the * helper, so that the helper knows about the NAT. We enforce * this by delaying both NAT and helper calls for unconfirmed @@ -1062,16 +1064,17 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, } /* Userspace may decide to perform a ct lookup without a helper - * specified followed by a (recirculate and) commit with one. - * Therefore, for unconfirmed connections which we will commit, - * we need to attach the helper here. + * specified followed by a (recirculate and) commit with one, + * or attach a helper in a later commit. Therefore, for + * connections which we will commit, we may need to attach + * the helper here. */ - if (!nf_ct_is_confirmed(ct) && info->commit && - info->helper && !nfct_help(ct)) { + if (info->commit && info->helper && !nfct_help(ct)) { int err = __nf_ct_try_assign_helper(ct, info->ct, GFP_ATOMIC); if (err) return err; + add_helper = true; /* helper installed, add seqadj if NAT is required */ if (info->nat && !nfct_seqadj(ct)) { @@ -1081,11 +1084,13 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, } /* Call the helper only if: - * - nf_conntrack_in() was executed above ("!cached") for a - * confirmed connection, or + * - nf_conntrack_in() was executed above ("!cached") or a + * helper was just attached ("add_helper") for a confirmed + * connection, or * - When committing an unconfirmed connection. */ - if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) && + if ((nf_ct_is_confirmed(ct) ? !cached || add_helper : + info->commit) && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { return -EINVAL; }
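Review bot: Dropping !nf_ct_is_confirmed(ct) from the condition in the second hunk (@@ -1062,16 +1064,17 @@) means __nf_ct_try_assign_helper() and the seqadj addition below it can now run on a confirmed entry, which other CPUs may be using for packets of the same connection. Neither the updated comment nor the commit message says what makes attaching the helper to a live entry safe; please document the locking or ordering assumption, and what happens when two packets of one connection both see !nfct_help(ct) and race to attach the helper.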
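Review bot: In the last hunk (@@ -1081,11 +1084,13 @@) the new condition "nf_ct_is_confirmed(ct) ? !cached || add_helper : info->commit" relies on || binding tighter than ?:, and the line break after the colon makes that easy to misread. It evaluates as intended, but please write the middle operand as (!cached || add_helper) so the grouping described in the comment above it is visible in the code.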