From patchwork Mon Dec 11 10:08:40 2023
X-Patchwork-Submitter: Viacheslav Galaktionov
X-Patchwork-Id: 1874429
To: dev@openvswitch.org
Date: Mon, 11 Dec 2023 12:08:40 +0200
Message-ID:
<20231211100842.8935-1-viacheslav.galaktionov@arknetworks.am>
Subject: [ovs-dev] [PATCH v4 1/3] lib/conntrack: Only use given packet in protocol detection.
From: Viacheslav Galaktionov

The current protocol detection logic relies on two pieces of metadata passed as arguments: tp_src and tp_dst, which represent the L4 source and destination port numbers from the flow that triggered the current flow rule first, and was responsible for creating the current DP flow.

Since multiple network flows of many different kinds, potentially using different protocols on all layers, can be processed by one flow rule, using the metadata of some unrelated flow might lead to unexpected results. For example, ICMP type and code can be interpreted as TCP source and destination ports. This can confuse the code responsible for the helper selection, leading to errors in traffic handling and incorrect detection of related flows.

One of the easiest ways to fix this problem is to simply remove the tp_src and tp_dst parameters from the picture. The current code base has no good use for them.

The helper selection logic was based on these values and therefore needs to be changed. Ensure that the helper specified in a flow rule is used, given it is compatible with the L4 protocol of the packet. When a flow rule does not specify a helper, one can still be picked using the given packet's metadata like TCP/UDP ports.
Signed-off-by: Viacheslav Galaktionov --- lib/conntrack.c | 40 +++++++++++++++++----------------------- lib/conntrack.h | 2 +- lib/dpif-netdev.c | 5 ++--- tests/test-conntrack.c | 6 +++--- 4 files changed, 23 insertions(+), 30 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 47a443fba..c27ac5a6f 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -655,8 +655,7 @@ is_ftp_ctl(const enum ct_alg_ctl_type ct_alg_ctl) } static enum ct_alg_ctl_type -get_alg_ctl_type(const struct dp_packet *pkt, ovs_be16 tp_src, ovs_be16 tp_dst, - const char *helper) +get_alg_ctl_type(const struct dp_packet *pkt, const char *helper) { /* CT_IPPORT_FTP/TFTP is used because IPPORT_FTP/TFTP in not defined * in OSX, at least in in.h. Since these values will never change, remove 
@@ -666,26 +665,24 @@ get_alg_ctl_type(const struct dp_packet *pkt, ovs_be16 tp_src, ovs_be16 tp_dst, uint8_t ip_proto = get_ip_proto(pkt); struct udp_header *uh = dp_packet_l4(pkt); struct tcp_header *th = dp_packet_l4(pkt); - ovs_be16 ftp_src_port = htons(CT_IPPORT_FTP); - ovs_be16 ftp_dst_port = htons(CT_IPPORT_FTP); - ovs_be16 tftp_dst_port = htons(CT_IPPORT_TFTP); + ovs_be16 ftp_port = htons(CT_IPPORT_FTP); + ovs_be16 tftp_port = htons(CT_IPPORT_TFTP); - if (OVS_UNLIKELY(tp_dst)) { - if (helper && !strncmp(helper, "ftp", strlen("ftp"))) { - ftp_dst_port = tp_dst; - } else if (helper && !strncmp(helper, "tftp", strlen("tftp"))) { - tftp_dst_port = tp_dst; + if (helper) { + if ((ip_proto == IPPROTO_TCP) && + !strncmp(helper, "ftp", strlen("ftp"))) { + return CT_ALG_CTL_FTP; } - } else if (OVS_UNLIKELY(tp_src)) { - if (helper && !strncmp(helper, "ftp", strlen("ftp"))) { - ftp_src_port = tp_src; + if ((ip_proto == IPPROTO_UDP) && + !strncmp(helper, "tftp", strlen("tftp"))) { + return CT_ALG_CTL_TFTP; } } - if (ip_proto == IPPROTO_UDP && uh->udp_dst == tftp_dst_port) { + if (ip_proto == IPPROTO_UDP && uh->udp_dst == tftp_port) { return CT_ALG_CTL_TFTP; } else if (ip_proto == IPPROTO_TCP && - (th->tcp_src == ftp_src_port || th->tcp_dst == ftp_dst_port)) { + (th->tcp_src == ftp_port || th->tcp_dst == ftp_port)) { return CT_ALG_CTL_FTP; } return CT_ALG_CTL_NONE; @@ -1227,8 +1224,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, bool force, bool commit, long long now, const uint32_t *setmark, const struct ovs_key_ct_labels *setlabel, const struct nat_action_info_t *nat_action_info, - ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper, - uint32_t tp_id) + const char *helper, uint32_t tp_id) { /* Reset ct_state whenever entering a new zone. */ if (pkt->md.ct_state && pkt->md.ct_zone != zone) { 
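Review bot: in the get_alg_ctl_type() hunk a helper that does not match the packet's L4 protocol is silently ignored and the function falls through to the well-known-port checks, so a rule with alg=ftp applied to a UDP packet to port 69 still returns CT_ALG_CTL_TFTP, and alg=tftp applied to a TCP packet to port 21 still returns CT_ALG_CTL_FTP. The commit message only promises that a compatible helper is honoured; either add a comment saying that an incompatible helper deliberately keeps port-based detection, or make the mismatch explicit by returning CT_ALG_CTL_NONE at the end of the `if (helper) { ... }` block so that an operator's alg= choice is never overridden by a port number on a packet of the other protocol.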
@@ -1249,8 +1245,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, conn = NULL; } - enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, tp_src, tp_dst, - helper); + enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, helper); if (OVS_LIKELY(conn)) { if (OVS_LIKELY(!conn_update_state_alg(ct, pkt, ctx, conn, @@ -1327,7 +1322,7 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, ovs_be16 dl_type, bool force, bool commit, uint16_t zone, const uint32_t *setmark, const struct ovs_key_ct_labels *setlabel, - ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper, + const char *helper, const struct nat_action_info_t *nat_action_info, long long now, uint32_t tp_id) { @@ -1343,7 +1338,7 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, write_ct_md(packet, zone, NULL, NULL, NULL); } else if (conn && conn->key_node[CT_DIR_FWD].key.zone == zone && !force && - !get_alg_ctl_type(packet, tp_src, tp_dst, helper)) { + !get_alg_ctl_type(packet, helper)) { process_one_fast(zone, setmark, setlabel, nat_action_info, conn, packet); } else if (OVS_UNLIKELY(!conn_key_extract(ct, packet, dl_type, &ctx, @@ -1352,8 +1347,7 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, write_ct_md(packet, zone, NULL, NULL, NULL); } else { process_one(ct, packet, &ctx, zone, force, commit, now, setmark, - setlabel, nat_action_info, tp_src, tp_dst, helper, - tp_id); + setlabel, nat_action_info, helper, tp_id); } } diff --git a/lib/conntrack.h b/lib/conntrack.h index 57d5159b6..0ef415738 100644 --- a/lib/conntrack.h +++ b/lib/conntrack.h 
@@ -92,7 +92,7 @@ int conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, ovs_be16 dl_type, bool force, bool commit, uint16_t zone, const uint32_t *setmark, const struct ovs_key_ct_labels *setlabel, - ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper, + const char *helper, const struct nat_action_info_t *nat_action_info, long long now, uint32_t tp_id); void conntrack_clear(struct dp_packet *packet); diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c index b8f065d1d..06453f2db 100644 --- a/lib/dpif-netdev.c +++ b/lib/dpif-netdev.c @@ -9232,9 +9232,8 @@ dp_execute_cb(void *aux_, struct dp_packet_batch *packets_, } conntrack_execute(dp->conntrack, packets_, aux->flow->dl_type, force, - commit, zone, setmark, setlabel, aux->flow->tp_src, - aux->flow->tp_dst, helper, nat_action_info_ref, - pmd->ctx.now / 1000, tp_id); + commit, zone, setmark, setlabel, helper, + nat_action_info_ref, pmd->ctx.now / 1000, tp_id); break; } diff --git a/tests/test-conntrack.c b/tests/test-conntrack.c index 24c93e4a4..292b6c048 100644 --- a/tests/test-conntrack.c +++ b/tests/test-conntrack.c @@ -91,7 +91,7 @@ ct_thread_main(void *aux_) ovs_barrier_block(&barrier); for (i = 0; i < n_pkts; i += batch_size) { conntrack_execute(ct, pkt_batch, dl_type, false, true, 0, NULL, NULL, - 0, 0, NULL, NULL, now, 0); + NULL, NULL, now, 0); DP_PACKET_BATCH_FOR_EACH (j, pkt, pkt_batch) { pkt_metadata_init_conn(&pkt->md); } @@ -178,7 +178,7 @@ pcap_batch_execute_conntrack(struct conntrack *ct_, if (flow.dl_type != dl_type) { conntrack_execute(ct_, &new_batch, dl_type, false, true, 0, - NULL, NULL, 0, 0, NULL, NULL, now, 0); + NULL, NULL, NULL, NULL, now, 0); dp_packet_batch_init(&new_batch); } dp_packet_batch_add(&new_batch, packet); 
@@ -186,7 +186,7 @@ pcap_batch_execute_conntrack(struct conntrack *ct_, if (!dp_packet_batch_is_empty(&new_batch)) { conntrack_execute(ct_, &new_batch, dl_type, false, true, 0, NULL, NULL, - 0, 0, NULL, NULL, now, 0); + NULL, NULL, now, 0); } }

From patchwork Mon Dec 11 10:08:41 2023
X-Patchwork-Submitter: Viacheslav Galaktionov
X-Patchwork-Id: 1874427
To: dev@openvswitch.org
Date: Mon, 11 Dec 2023 12:08:41 +0200
Message-ID: <20231211100842.8935-2-viacheslav.galaktionov@arknetworks.am>
In-Reply-To: <20231211100842.8935-1-viacheslav.galaktionov@arknetworks.am>
Subject: [ovs-dev] [PATCH v4 2/3] conntrack: Use helpers from committed connections.
From: Viacheslav Galaktionov

When a packet hits a flow rule without an explicitly specified helper, OvS has to rely on automatic application layer gateway detection to find related connections. This works as long as services are running on their standard ports, e.g. when FTP servers use TCP port 21.

However, sometimes it's necessary to run services on non-standard ports. In that case, there is no way for OvS to guess which protocol is used within a given flow. Of course, this means that no related connections can be recognized.

When a connection is committed with a particular helper, it's reasonable to assume this helper will be used in subsequent CT actions, as long as they don't override it. Achieve this behaviour by using the committed connection's helper when a flow rule does not specify one.

Signed-off-by: Viacheslav Galaktionov
Acked-by: Ivan Malov
---
 Documentation/faq/releases.rst | 1 +
 NEWS                           | 4 ++++
 lib/conntrack.c                | 9 +++++++++
 3 files changed, 14 insertions(+)
diff --git a/Documentation/faq/releases.rst b/Documentation/faq/releases.rst index 362bf4ec7..aa69eefa1 100644 --- a/Documentation/faq/releases.rst +++ b/Documentation/faq/releases.rst @@ -140,6 +140,7 @@ Q: Are all features available with all datapaths? Conntrack Zone Limit 4.18 2.10 2.13 YES Conntrack NAT 4.6 2.6 2.8 YES Conntrack NAT6 4.6 2.6 2.8 3.0 + Conntrack Helper Persist. YES YES 3.2 NO Tunnel - LISP NO 2.11 NO NO Tunnel - STT NO 2.4 NO YES Tunnel - GRE 3.11 1.0 2.4 YES diff --git a/NEWS b/NEWS index 1d9c30533..43bf7ef54 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,10 @@ Post-v3.2.0 a.k.a. 'configured' values, can be found in the 'status' column of the Interface table, i.e. with 'ovs-vsctl get interface <..> status'. Reported names adjusted accordingly. + - conntrack: + * The userspace conntrack module no longer requires the user to specify + connection helpers in all flow rules. Instead, the helper specified + during connection commit will be used by default. v3.2.0 - 17 Aug 2023 diff --git a/lib/conntrack.c b/lib/conntrack.c index c27ac5a6f..59a4a413f 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -1245,6 +1245,10 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, conn = NULL; } + if (conn && helper == NULL) { + helper = conn->alg; + } + enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, helper); if (OVS_LIKELY(conn)) { 
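Review bot: in the Documentation/faq/releases.rst hunk the Userspace column of the new "Conntrack Helper Persist." row says 3.2, but the NEWS hunk in the same patch files the change under "Post-v3.2.0", so no 3.2 release has it; the row should name the first release that will actually carry this series. The two YES entries in the Linux columns also need a source: the neighbouring conntrack rows give the kernel version that introduced each feature, and nothing in this series touches the kernel datapath, so please confirm the kernel has always kept the committed helper rather than mirroring the userspace fix.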
@@ -1334,6 +1338,11 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, DP_PACKET_BATCH_FOR_EACH (i, packet, pkt_batch) { struct conn *conn = packet->md.conn; + + if (helper == NULL && conn != NULL) { + helper = conn->alg; + } + if (OVS_UNLIKELY(packet->md.ct_state == CS_INVALID)) { write_ct_md(packet, zone, NULL, NULL, NULL); } else if (conn &&

From patchwork Mon Dec 11 10:08:42 2023
X-Patchwork-Submitter: Viacheslav Galaktionov
X-Patchwork-Id: 1874428
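Review bot: in the conntrack_execute() hunk, `helper` is the function parameter and is overwritten inside DP_PACKET_BATCH_FOR_EACH, so once the first packet with a committed connection sets it to conn->alg, every later packet in the same batch is processed with that helper, including packets that have no connection yet and packets whose own connection was committed with a different helper or with none. That affects both the `!get_alg_ctl_type(packet, helper)` fast-path decision and the value handed to process_one(). Resolve the helper per packet instead, e.g. `const char *pkt_helper = helper ? helper : (conn ? conn->alg : NULL);` and pass pkt_helper to both calls; with that in place the identical assignment added to process_one() in the previous hunk is redundant if conntrack_execute() is its only caller.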
To: dev@openvswitch.org
Date: Mon, 11 Dec 2023 12:08:42 +0200
Message-ID: <20231211100842.8935-3-viacheslav.galaktionov@arknetworks.am>
In-Reply-To: <20231211100842.8935-1-viacheslav.galaktionov@arknetworks.am>
Subject: [ovs-dev] [PATCH v4 3/3] system-traffic.at: Test conntrack + FTP server running on a non-standard port.
From: Viacheslav Galaktionov

All existing test iterations assume that the FTP server is running on a standard port, which may not always be the case. These tests helped find problems in conntrack alg processing with non-standard ports.

Perform the necessary adjustments to ensure the test suite can start the L7 server on a user-provided port.

Signed-off-by: Viacheslav Galaktionov
---
 tests/system-common-macros.at |  15 +++--
 tests/system-traffic.at       | 106 ++++++++++++++++++++++++++++++++++
 tests/test-l7.py              |   4 ++
 3 files changed, 120 insertions(+), 5 deletions(-)

diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at
index 0113aae8b..91c928cca 100644
--- a/tests/system-common-macros.at
+++ b/tests/system-common-macros.at
@@ -276,18 +276,23 @@ m4_define([NETNS_DAEMONIZE], m4_define([OVS_CHECK_FIREWALL], [AT_SKIP_IF([systemctl status firewalld 2>&1 | grep running > /dev/null])]) -# OVS_START_L7([namespace], [protocol]) +# OVS_START_L7([namespace], [protocol], [port]) # -# Start a server serving 'protocol' within 'namespace'. The server will exit -# when the test finishes. +# Start a server serving 'protocol' on port 'port' within 'namespace'. +# If 'port' is not specified, the standard one for 'protocol' will be used. +# The server will exit when the test finishes. # m4_define([OVS_START_L7], [PIDFILE=$(mktemp $2XXX.pid) - NETNS_DAEMONIZE([$1], [[$PYTHON3 $srcdir/test-l7.py $2]], [$PIDFILE]) + NETNS_DAEMONIZE([$1], [[$PYTHON3 $srcdir/test-l7.py $2 $3]], [$PIDFILE]) dnl netstat doesn't print http over IPv6 as "http6"; drop the number. PROTO=$(echo $2 | sed -e 's/\([[a-zA-Z]]*\).*/\1/') - OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -l | grep $PROTO])]) + if test -z "$3"; then + OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -l | grep $PROTO])]) + else + OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -ln | grep :$3])]) + fi ] ) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index a7d4ed83b..62f7bd04f 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
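Review bot: in the OVS_START_L7 hunk, `netstat -ln | grep :$3` is an unanchored substring match over the whole netstat line, so waiting for port 1111 is satisfied by a listener on 11111 or 21111 and the macro can return before the requested server is actually bound. Match the port as a whole token, e.g. `grep -w ":$3"`, or include the protocol name from $PROTO in the pattern as the existing branch does.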
@@ -5335,6 +5335,112 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - FTP non-standard port]) +AT_SKIP_IF([test $HAVE_FTP = no]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_ALG() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows1.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk+rel,action=1 +]) + +dnl Similar policy but without allowing all traffic from ns0->ns1. +AT_DATA([flows2.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal + +dnl Allow outgoing TCP connections, and treat them as FTP +table=0,priority=100,in_port=1,tcp,action=ct(table=1) +table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 +table=1,in_port=1,tcp,ct_state=+trk+est,action=2 + +dnl Allow incoming FTP data connections and responses to existing connections +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1 +]) + +dnl flows3 is same as flows1, except no ALG is specified. 
+AT_DATA([flows3.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal +table=0,priority=100,in_port=1,tcp,action=ct(commit),2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk+rel,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt]) + +OVS_START_L7([at_ns0], [ftp], [11111]) +OVS_START_L7([at_ns1], [ftp], [11111]) + +dnl FTP requests from p1->p0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1:11111 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl +]) + +dnl FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +]) + +dnl Try the second set of flows. +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt]) +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl FTP requests from p1->p0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1:11111 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl +]) + +dnl Active FTP requests from p0->p1 should work fine. 
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl Passive FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +]) + +dnl Try the third set of flows, without alg specifier. +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2:11111 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-3.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_SETUP([conntrack - FTP with expectation dump]) AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() diff --git a/tests/test-l7.py b/tests/test-l7.py index 32a77392c..97cd4f29a 100755 --- a/tests/test-l7.py +++ b/tests/test-l7.py 
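Review bot: in the system-traffic.at hunk, the comment before the flows3 run says the FTP control requests "should work fine", but the check expects wget to exit with 4 (network failure); that is the intended outcome, because without a helper the active-mode data connection from p1 is never marked +rel and the listing times out, so say that explicitly (control connection established, no helper= in the dump, data transfer fails) so the expected failure reads as deliberate. Also note in the commit message that the flows2 case depends on 2/3: its `table=1,in_port=1,tcp,ct_state=+trk+est,action=2` path re-enters ct(table=1) without alg=ftp, so on 1/3 alone the PORT command on port 11111 would not be parsed and this test would fail.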
@@ -86,6 +86,8 @@ def main(): description='Run basic application servers.') parser.add_argument('proto', default='http', nargs='?', help='protocol to serve (%s)' % protocols) + parser.add_argument('port', default=0, nargs='?', + help='server port number') args = parser.parse_args() if args.proto not in protocols: @@ -95,6 +97,8 @@ def main(): constructor = SERVERS[args.proto][0] handler = SERVERS[args.proto][1] port = SERVERS[args.proto][2] + if args.port != 0: + port = args.port srv = constructor(('', port), handler) srv.serve_forever()
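Review bot: in the test-l7.py hunk the new `port` positional has no `type=int`, so whenever it is given args.port is a string; `args.port != 0` is then always true, which is harmless, but `constructor(('', port), handler)` receives a str, which the socketserver-based http/http6 servers reject at bind time because socket.bind() needs an integer port. The ftp case in this series only passes if its server resolves the address by name, so add `type=int` to the add_argument call so the argument works for every protocol.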
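The helper selection that the 1/3 and 2/3 commit messages describe, as an added stand-alone model in C (example code written for this page, not code from the OVS tree or from this series): `select_alg_old` follows the pre-series logic the 1/3 message criticises, `select_alg_new` the logic of the 1/3 hunk, and `count_ftp_in_batch` contrasts the batch-wide helper variable of the 2/3 conntrack_execute() hunk with a per-packet lookup. All type and function names are invented, the packets and connections are constructed inline, and the "flow installed by :443" scenario is this page's reading of the commit message's point that tp_src/tp_dst belong to whichever flow created the datapath flow.

```c
/* Added example, not code from the OVS tree: a stand-alone model of the ALG
 * helper selection that patches 1/3 and 2/3 describe.  All identifiers are
 * invented for the illustration; only ports 21 (FTP) and 69 (TFTP) and the
 * protocol numbers 6 (TCP) and 17 (UDP) are real. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ct_alg { ALG_NONE = 0, ALG_FTP = 1, ALG_TFTP = 2 };
enum { PROTO_TCP = 6, PROTO_UDP = 17, PORT_FTP = 21, PORT_TFTP = 69 };

struct pkt_model { uint8_t ip_proto; uint16_t l4_src, l4_dst; };
struct conn_model { const char *alg; };   /* NULL: committed without helper */

/* Prefix match, like strncmp(helper, "ftp", strlen("ftp")) in the hunk. */
static bool
helper_is(const char *h, const char *name)
{
    return h && !strncmp(h, name, strlen(name));
}

/* Pre-series logic per the 1/3 commit message: tp_src/tp_dst come from the
 * flow that created the datapath flow, not from this packet. */
static enum ct_alg
select_alg_old(const struct pkt_model *pkt, uint16_t tp_src, uint16_t tp_dst,
               const char *helper)
{
    uint16_t ftp_src = PORT_FTP, ftp_dst = PORT_FTP, tftp_dst = PORT_TFTP;
    bool tcp = pkt->ip_proto == PROTO_TCP, udp = pkt->ip_proto == PROTO_UDP;
    if (tp_dst && helper_is(helper, "ftp")) ftp_dst = tp_dst;
    else if (tp_dst && helper_is(helper, "tftp")) tftp_dst = tp_dst;
    else if (!tp_dst && tp_src && helper_is(helper, "ftp")) ftp_src = tp_src;
    if (udp && pkt->l4_dst == tftp_dst) {
        return ALG_TFTP;
    }
    if (tcp && (pkt->l4_src == ftp_src || pkt->l4_dst == ftp_dst)) {
        return ALG_FTP;
    }
    return ALG_NONE;
}

/* Patch 1/3: a helper that fits this packet's L4 protocol wins; otherwise only
 * this packet's ports decide (so UDP to 69 under alg=ftp still gets TFTP). */
static enum ct_alg
select_alg_new(const struct pkt_model *pkt, const char *helper)
{
    bool tcp = pkt->ip_proto == PROTO_TCP, udp = pkt->ip_proto == PROTO_UDP;
    if (tcp && helper_is(helper, "ftp")) {
        return ALG_FTP;
    }
    if (udp && (helper_is(helper, "tftp") || pkt->l4_dst == PORT_TFTP)) {
        return ALG_TFTP;
    }
    if (tcp && (pkt->l4_src == PORT_FTP || pkt->l4_dst == PORT_FTP)) {
        return ALG_FTP;
    }
    return ALG_NONE;
}

/* Patch 2/3 on a constructed batch: three TCP packets to port 11111, a rule
 * without helper, only the first on a connection committed with alg=ftp.
 * Returns how many get the FTP ALG (1 is right); per_packet=false mirrors the
 * posted conntrack_execute() loop, which overwrites one batch-wide variable. */
static int
count_ftp_in_batch(bool per_packet)
{
    const struct pkt_model pkts[3] = {
        { PROTO_TCP, 40000, 11111 }, { PROTO_TCP, 40001, 11111 },
        { PROTO_TCP, 40002, 11111 },
    };
    const struct conn_model ftp_conn = { "ftp"}, plain_conn = { NULL };
    const struct conn_model *conns[3] = { &ftp_conn, &plain_conn, NULL };
    const char *helper = NULL;   /* the rule's helper, shared by the batch */
    int n_ftp = 0;
    for (int i = 0; i < 3; i++) {
        const char *h = conns[i] ? conns[i]->alg : NULL;   /* per packet */
        if (!per_packet) {
            if (!helper && conns[i]) {
                helper = conns[i]->alg;
            }
            h = helper;
        }
        n_ftp += select_alg_new(&pkts[i], h) == ALG_FTP;
    }
    return n_ftp;
}

int
main(void)
{
    /* Flow first installed by an HTTPS (:443) connection, then FTP to 21. */
    const struct pkt_model ftp21 = { PROTO_TCP, 40000, PORT_FTP };
    printf("old %d, new %d; batch: shared %d FTP, per packet %d FTP\n",
           select_alg_old(&ftp21, 0, 443, "ftp"), select_alg_new(&ftp21, "ftp"),
           count_ftp_in_batch(false), count_ftp_in_batch(true));
    return 0;
}
```

Build with `cc -std=c99 -Wall alg_model.c && ./a.out` (file name is arbitrary). The results worth looking at are select_alg_old() returning ALG_NONE for a port-21 FTP control packet once the datapath flow was created by a :443 connection, the same function missing an alg=ftp connection on port 11111 when the flow was created by an ICMP echo whose type 8 was read as tp_src, and count_ftp_in_batch() returning 3 with the shared variable against 1 with the per-packet lookup.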