From patchwork Fri Jul 9 05:37:12 2021
X-Patchwork-Submitter: wenxu
X-Patchwork-Id: 1502908
From: wenxu@ucloud.cn
To: blp@ovn.org, aconole@redhat.com, i.maximets@ovn.org
Cc: dev@openvswitch.org
Date: Fri, 9 Jul 2021 13:37:12 +0800
Message-Id: <1625809032-436-1-git-send-email-wenxu@ucloud.cn>
Subject: [ovs-dev] [PATCH v2] conntrack: fix incorrect check nat_action_info in check_orig_tuple
From: wenxu

A case for client A 10.0.0.2 SNAT to 1.1.1.2 with the following flows.

rule1: ovs-ofctl add-flow manbr "table=0,ct_state=-trk,ip,in_port=dpdk2, actions=ct(table=1, nat)"
rule2: ovs-ofctl add-flow manbr "table=0,table=1,ct_state=+trk+new,ip,in_port=dpdk2, actions=ct(commit, nat(src=1.1.1.2)),dpdk3"

When client A TCP connects to a non-existent server 1.1.1.3, the first SYN packet will create the following conntrack 1, but the second SYN packet will wrongly create conntrack 2:

tcp,orig=(src=10.0.0.2,dst=1.1.1.3,sport=15690,dport=5001),reply=(src=1.1.1.3,dst=1.1.1.2,sport=5001,dport=15690),protoinfo=(state=SYN_SENT) #conntrack 1
tcp,orig=(src=1.1.1.2,dst=1.1.1.3,sport=15690,dport=5001),reply=(src=1.1.1.3,dst=1.1.1.2,sport=5001,dport=1024),protoinfo=(state=SYN_SENT) #conntrack 2

The second SYN packet goes through rule1, finds conntrack 1 and does NAT. Then, going through rule2, it will not find the only conntrack for the packet NATed in rule1.

check_orig_tuple is used to fix this situation (packet NATed in the first rule). But it shouldn't check the nat_action_info in rule2. It should only check CS_SRC_NAT and CS_DST_NAT.

Signed-off-by: wenxu
---
lib/conntrack.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c index 2e803ca..ace3e9a 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -1156,15 +1156,13 @@ handle_nat(struct dp_packet *pkt, struct conn *conn, static bool check_orig_tuple(struct conntrack *ct, struct dp_packet *pkt, struct conn_lookup_ctx *ctx_in, long long now, - struct conn **conn, - const struct nat_action_info_t *nat_action_info) + struct conn **conn) { if (!(pkt->md.ct_state & (CS_SRC_NAT | CS_DST_NAT)) || (ctx_in->key.dl_type == htons(ETH_TYPE_IP) && !pkt->md.ct_orig_tuple.ipv4.ipv4_proto) || (ctx_in->key.dl_type == htons(ETH_TYPE_IPV6) && - !pkt->md.ct_orig_tuple.ipv6.ipv6_proto) || - nat_action_info) { + !pkt->md.ct_orig_tuple.ipv6.ipv6_proto)) { return false; } 
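Review bot: With nat_action_info dropped from the early-return condition, check_orig_tuple now proceeds whenever the packet carries CS_SRC_NAT or CS_DST_NAT and a valid ct_orig_tuple, regardless of whether the ct() action currently being executed also requests NAT; a short comment above the condition saying that the ct_state flags already record the earlier ct(nat) pass (the rule1 case from the commit message) would make that intent clear to the next reader, since the remaining checks test only packet metadata. The diffstat shows a single file touched, so please also confirm that process_one is the only caller of check_orig_tuple, as the prototype change would otherwise break the build.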
@@ -1343,7 +1341,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, handle_nat(pkt, conn, zone, ctx->reply, ctx->icmp_related); } - } else if (check_orig_tuple(ct, pkt, ctx, now, &conn, nat_action_info)) { + } else if (check_orig_tuple(ct, pkt, ctx, now, &conn)) { create_new_conn = conn_update_state(ct, pkt, ctx, conn, now); } else { if (ctx->icmp_related) {
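Review bot: The `else if (check_orig_tuple(ct, pkt, ctx, now, &conn))` branch still calls only conn_update_state, whereas the branch above it also calls handle_nat(pkt, conn, zone, ctx->reply, ctx->icmp_related); now that a packet whose current ct() action carries nat(src=...) can take this branch, please confirm that the translation already applied by the earlier ct(nat) pass is the intended result and that no second translation is expected from this action, or add a comment stating so. A system test reproducing the commit message's scenario (two SYNs from the same client to an unreachable server, then checking that the conntrack table holds a single entry) would lock the fix in and catch a regression of the check.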
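As an added illustration that is not OVS code and not part of this patch, the following C model replays the commit message's two-SYN scenario through a toy conntrack table, with the check_orig_tuple predicate as it was before the change and as it is after; the tuple layout, the flag value and the orig-only lookup are simplifying assumptions of the model, not the real implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CS_SRC_NAT 0x40   /* placeholder value, not OVS's real flag */
struct tuple { uint32_t src, dst; uint16_t sport, dport; };
typedef bool (*check_fn)(uint32_t ct_state, bool have_orig, bool nat_action);
static struct tuple table[8];   /* toy table keyed on orig only; the real one also matches reply */
static int nconns;

static struct tuple *lookup(const struct tuple *t)
{
    for (int i = 0; i < nconns; i++) if (!memcmp(&table[i], t, sizeof *t)) return &table[i];
    return NULL;
}

/* Before the patch: give up whenever the current ct() action itself has NAT. */
static bool check_orig_tuple_old(uint32_t ct_state, bool have_orig, bool nat_action)
{
    return (ct_state & CS_SRC_NAT) && have_orig && !nat_action;
}

/* After the patch: only the CS_*_NAT flags and a recorded orig tuple decide. */
static bool check_orig_tuple_new(uint32_t ct_state, bool have_orig, bool nat_action)
{
    (void) nat_action;
    return (ct_state & CS_SRC_NAT) && have_orig;
}

/* One SYN 10.0.0.2 -> 1.1.1.3 through rule1 ct(nat), then rule2
 * ct(commit, nat(src=1.1.1.2)). Returns the conntrack entry count afterwards. */
static int run_syn(check_fn check)
{
    struct tuple pkt = { 0x0a000002, 0x01010103, 15690, 5001 }, orig = pkt;
    uint32_t ct_state = 0; bool have_orig = false;
    struct tuple *c = lookup(&pkt);   /* rule1: conn 1 already exists -> NAT the packet */
    if (c) { pkt.src = 0x01010102; ct_state |= CS_SRC_NAT; have_orig = true; }
    c = lookup(&pkt);                 /* rule2: the translated key misses conn 1 */
    if (!c && check(ct_state, have_orig, true)) c = lookup(&orig); /* via ct_orig_tuple */
    if (!c) table[nconns++] = pkt;    /* commit: a second conn whenever c is NULL */
    return nconns;
}

/* Entries after two SYNs of one flow: 2 with the old check, 1 with the new one. */
static int conns_after_two_syns(check_fn check)
{
    nconns = 0; run_syn(check);
    return run_syn(check);
}
```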