From patchwork Tue Dec 6 23:31:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13066358 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C785C352A1 for ; Tue, 6 Dec 2022 23:31:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229667AbiLFXbY (ORCPT ); Tue, 6 Dec 2022 18:31:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38034 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229479AbiLFXbV (ORCPT ); Tue, 6 Dec 2022 18:31:21 -0500 Received: from mail-qv1-xf33.google.com (mail-qv1-xf33.google.com [IPv6:2607:f8b0:4864:20::f33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1171042F45 for ; Tue, 6 Dec 2022 15:31:21 -0800 (PST) Received: by mail-qv1-xf33.google.com with SMTP id c14so11592271qvq.0 for ; Tue, 06 Dec 2022 15:31:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=MuFGycqO6KGGXaG/l3CIzDYeGA82Mj83kPr3Jk7yWZs=; b=BMH5w5BfD1nBaTIEKmpxirKWOD+vY/2XK2AWpbv0omXearz3SVMCmOgYgEY1T3jcTM /3seYZmlQtnEQAnn00U80qdgVximRjaIjNtOtFrdRoXL/quWlATeuDgcigHcM8/Vhjok l5Zw/pqtNKTfOT5K+elbsqku05J4h4dI5ha/1tGzJ3uwhRd4/aIahiPIuyl09FWKW+M0 fqeo9oRooqFf/hzHrl1fDO7GddMPdfoywvYAluhIfNVp7Q0GR9ant/ndrDhOwOwF+uTF 09jM8fYc9QIIDKsY1LR9Tv95PaBfWWFQf7HQuhmQWFbswl7MWO3s2n8Q7yBgRQxCXP7b BiPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MuFGycqO6KGGXaG/l3CIzDYeGA82Mj83kPr3Jk7yWZs=; b=D7bAYsHAn0MUta4M7X0t09lU3YEXExEHpCB60jhcUrUPNBdxtfJTehfBoGZ45TjSHd lJHOkaa64QgEtWnsV6amegy9LOUquiibldSN67s3o922zkhnCvjvs5xDNigG6ZAeU/L9 /IMnY5c8AdHrpbcnkbrgqGesCoolCguuTdG4wPZufpevdYhUW98qf90k14NaMebZ6KNr bBSrkcCKV8on5OrydHlNhW1yl3GhX4jJpBI1tW06cC8AAeFhcpC1HyLYmNAcxt0GtX2K B1n2b4WbTkMF9Z3/L20FISPu7/V81rgOn9Atu1N3gqgF5I6REOcMrSGtB73fr8EPoCj3 9MGg== X-Gm-Message-State: ANoB5pkZ9NZG/jIi18QN2rwAPiK5u6dySIH/yqG8S977ogFOpLURYPS7 RwIhLO/LDZ0leO4S564XPqlMg9mjriyP9A== X-Google-Smtp-Source: AA0mqf6S+R7ydqg8zMZEIONKRD071p3vSc9oNYYGXvWaqbplMm/KTrfaPlmv9OfbhkBn+4ecpof37A== X-Received: by 2002:ad4:44b4:0:b0:4c6:d91c:441f with SMTP id n20-20020ad444b4000000b004c6d91c441fmr52909123qvt.118.1670369479731; Tue, 06 Dec 2022 15:31:19 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id i21-20020a05620a405500b006f8665f483fsm16590231qko.85.2022.12.06.15.31.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Dec 2022 15:31:19 -0800 (PST) From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Oz Shlomo , Paul Blakey , Ilya Maximets , Eelco Chaudron , Aaron Conole , Saeed Mahameed Subject: [PATCHv3 net-next 1/5] openvswitch: delete the unncessary skb_pull_rcsum call in ovs_ct_nat_execute Date: Tue, 6 Dec 2022 18:31:12 -0500 Message-Id: <9943e5a2456c613533174115680e67c8e6d9f181.1670369327.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org The calls to ovs_ct_nat_execute() are as below: ovs_ct_execute() ovs_ct_lookup() __ovs_ct_lookup() ovs_ct_nat() ovs_ct_nat_execute() ovs_ct_commit() __ovs_ct_lookup() ovs_ct_nat() ovs_ct_nat_execute() and since skb_pull_rcsum() and skb_push_rcsum() are already called in ovs_ct_execute(), there's no need to do it again in ovs_ct_nat_execute(). Reviewed-by: Saeed Mahameed Acked-by: Aaron Conole Signed-off-by: Xin Long --- net/openvswitch/conntrack.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index d78f0fc4337d..dff093a10d6d 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -735,10 +735,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, const struct nf_nat_range2 *range, enum nf_nat_manip_type maniptype, struct sw_flow_key *key) { - int hooknum, nh_off, err = NF_ACCEPT; - - nh_off = skb_network_offset(skb); - skb_pull_rcsum(skb, nh_off); + int hooknum, err = NF_ACCEPT; /* See HOOK2MANIP(). */ if (maniptype == NF_NAT_MANIP_SRC) @@ -755,7 +752,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, hooknum)) err = NF_DROP; - goto push; + goto out; } else if (IS_ENABLED(CONFIG_IPV6) && skb->protocol == htons(ETH_P_IPV6)) { __be16 frag_off; @@ -770,7 +767,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, hooknum, hdrlen)) err = NF_DROP; - goto push; + goto out; } } /* Non-ICMP, fall thru to initialize if needed. */ @@ -788,7 +785,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, ? nf_nat_setup_info(ct, range, maniptype) : nf_nat_alloc_null_binding(ct, hooknum); if (err != NF_ACCEPT) - goto push; + goto out; } break; @@ -798,13 +795,11 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, default: err = NF_DROP; - goto push; + goto out; } err = nf_nat_packet(ct, ctinfo, hooknum, skb); -push: - skb_push_rcsum(skb, nh_off); - +out: /* Update the flow key if NAT successful. */ if (err == NF_ACCEPT) ovs_nat_update_key(key, skb, maniptype); From patchwork Tue Dec 6 23:31:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13066359 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 09493C352A1 for ; Tue, 6 Dec 2022 23:31:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229749AbiLFXb3 (ORCPT ); Tue, 6 Dec 2022 18:31:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38040 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229646AbiLFXbX (ORCPT ); Tue, 6 Dec 2022 18:31:23 -0500 Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4046242F57 for ; Tue, 6 Dec 2022 15:31:22 -0800 (PST) Received: by mail-qv1-xf35.google.com with SMTP id q10so11546241qvt.10 for ; Tue, 06 Dec 2022 15:31:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ckD+oQOkvtcBW2v6IgPx3t6Z++GU5WuLf3uNigi16zU=; b=AqIeabWw/jsvI/L+7OnPLKX6PNuzQw3loQ0vCUm3uS+axFCa/0LJjDMe70Vj4/yzhs I6j5csOauADbZxMsq9vIuZYGXkJ0k+bHO4ROOcZkrXbzu+p+VoQS9UsYXg/KKuwCY358 59ZySsbw0tdCfMHeEFAvpR5ZmSGPqjqr3HEtQngQUoww0i3EhjShNTRDZAzmHSCfldV3 NhMHPr20PTJIMQxV7qYy7nhEx63QCT4wkhnnnUCR4ANTHfOW8iMv+P58AjG34LCY/tfp W2VghawXGcp2g3Qk4hSMjC++on+iMpZ/je2BxDVdQ8SWRh4Luqyj2/2JSgoV0hjPOREz QHBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ckD+oQOkvtcBW2v6IgPx3t6Z++GU5WuLf3uNigi16zU=; b=1AhxILHVn/VnrcmFsvSna9bJGo/N8Oa9R2pYhFoonGYLPjKlody6Kc/dJFSGOIvHee DZvK+mMdkeq8pts3YxYojoIC5RxP0o5tJoZokY5hisL2lA2bgn9mkiKZC0ByXTBDaZdR L6mS/xQ3wTSbFeRCDbMpk3qhMZUw9HkX5UP8X4EXkRBKWk98AoQvKkcNd/reWSRv7J6l EVfUrMLxmydYJh/o9PxoBLO4GEoagyln3y9J79OwlR5F7iFej5Hs83ibx7Fi8K4r411z a8K0c3l30plv6GXpXZerDgN3AKlje9cNxENib6H3L6YO/tKcbAETil0ksd69zBE7UkFb /8qg== X-Gm-Message-State: ANoB5pl226py4RbF/lWiTu0Wo1PGrh5E340esmNltvicG9mEMJT3+jm5 h6nWybUMqMMYuKqByHPTCdW5BVBa7+ZmKA== X-Google-Smtp-Source: AA0mqf5ru8WTJB3TdFfgIg9oA2ZO0To/PTj1qGXrnn/lJUt/lpwt/g3jO2fsF6WZVPxJ2EYvxenuCA== X-Received: by 2002:a0c:9091:0:b0:4bb:7920:eed4 with SMTP id p17-20020a0c9091000000b004bb7920eed4mr82743228qvp.90.1670369481144; Tue, 06 Dec 2022 15:31:21 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id i21-20020a05620a405500b006f8665f483fsm16590231qko.85.2022.12.06.15.31.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Dec 2022 15:31:20 -0800 (PST) From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Oz Shlomo , Paul Blakey , Ilya Maximets , Eelco Chaudron , Aaron Conole , Saeed Mahameed Subject: [PATCHv3 net-next 2/5] openvswitch: return NF_ACCEPT when OVS_CT_NAT is not set in info nat Date: Tue, 6 Dec 2022 18:31:13 -0500 Message-Id: <31308d79f10fc8804941ea9acbe0844521832074.1670369327.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Either OVS_CT_SRC_NAT or OVS_CT_DST_NAT is set, OVS_CT_NAT must be set in info->nat. Thus, if OVS_CT_NAT is not set in info->nat, it will definitely not do NAT but returns NF_ACCEPT in ovs_ct_nat(). This patch changes nothing funcational but only makes this return earlier in ovs_ct_nat() to keep consistent with TC's processing in tcf_ct_act_nat(). Reviewed-by: Saeed Mahameed Acked-by: Aaron Conole Signed-off-by: Xin Long --- net/openvswitch/conntrack.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index dff093a10d6d..5ea74270da46 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -816,6 +816,9 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, enum nf_nat_manip_type maniptype; int err; + if (!(info->nat & OVS_CT_NAT)) + return NF_ACCEPT; + /* Add NAT extension if not confirmed yet. */ if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) return NF_ACCEPT; /* Can't NAT. */ @@ -825,8 +828,7 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, * Make sure new expected connections (IP_CT_RELATED) are NATted only * when committing. */ - if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && - ct->status & IPS_NAT_MASK && + if (ctinfo != IP_CT_NEW && ct->status & IPS_NAT_MASK && (ctinfo != IP_CT_RELATED || info->commit)) { /* NAT an established or related connection like before. */ if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) From patchwork Tue Dec 6 23:31:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13066360 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D05C5C4708D for ; Tue, 6 Dec 2022 23:31:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229705AbiLFXba (ORCPT ); Tue, 6 Dec 2022 18:31:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229479AbiLFXbY (ORCPT ); Tue, 6 Dec 2022 18:31:24 -0500 Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A51204384D for ; Tue, 6 Dec 2022 15:31:23 -0800 (PST) Received: by mail-qk1-x730.google.com with SMTP id k3so2447415qki.13 for ; Tue, 06 Dec 2022 15:31:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0rll4DxwcXBCHbVSIxpnJnXVQqgF+A4qtdFp6rMMijg=; b=FUNeQB69EPIQZlQRzjHTKl7k99O9Yo6XlcLhoMJaLk4uH937Itx1apZebp3Kv/VWrw M/XMySqD49TuomQ/aa1N9hGFpB8N25TnJPrBOOh+Tx1C3CZRJm4E1JylcrIes7iJlwf9 V8ZzRAHXhviKQcIDarFOzzlxuznudxwzKOsgwBktIOFq5amGvT1M2Gi9FWZnVJ7uINbg Mg9+rJU/O/YCr2RRz2u3VV1N+qLkCARMgkoGAj2uLaasgGz8//6cm2mqLuuUgVrvin+7 WlGhQLhRFBL59zfZR7iEz+O0e5GtU7hfmUK/xI/dBzKlPuontK4gRzCm5rk4uMd7t58s ArRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0rll4DxwcXBCHbVSIxpnJnXVQqgF+A4qtdFp6rMMijg=; b=abUyjE4p3CVPag8w6lcEQUUqOoZTHrD2rOpgNQfYuHgBENqG+IVi9X8hpP7cjKE2Xo B8evCbZSb35Qj5BnIfIWO6cZw3Ji5zbp1p393E0jXZcwmykyeUWPBE5Q5dhOX2ziWD6o Z63nPeTF2POIivvAg/Cv3wKRsPF0VycfEbT3Salks3rImVY6KHerLBzkdvOwwREtWj26 MAR8Ga17pzwaMi3MUCrLyaEPcTTuIhFja/EDxVIuiS7ZN4mikLamsGm4QzASYxngNq4R GszIOAENh2aLB/5xyYy+UuibrA9G1HLd55CtBf3KgDpQ+73jJXjD43ZxEi6EZrj2wV+A 9BRQ== X-Gm-Message-State: ANoB5pmmMYypWOR2qabu2Udi+A6oSkOt9K3Fv8tyQJGWqvHlmhuBkISa iaL7zt8LOwnqHLheqwgP//kpTxYLpDcCRQ== X-Google-Smtp-Source: AA0mqf73/qlXmkyEkMspUUHLDtshd3u1a1+OtppBvVnHFrS23ETuW7KWlrn3CgvJoN9heZr4cCCnOQ== X-Received: by 2002:a05:620a:15d4:b0:6fc:a7df:5f41 with SMTP id o20-20020a05620a15d400b006fca7df5f41mr21170679qkm.694.1670369482496; Tue, 06 Dec 2022 15:31:22 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id i21-20020a05620a405500b006f8665f483fsm16590231qko.85.2022.12.06.15.31.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Dec 2022 15:31:22 -0800 (PST) From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Oz Shlomo , Paul Blakey , Ilya Maximets , Eelco Chaudron , Aaron Conole , Saeed Mahameed Subject: [PATCHv3 net-next 3/5] openvswitch: return NF_DROP when fails to add nat ext in ovs_ct_nat Date: Tue, 6 Dec 2022 18:31:14 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org When it fails to allocate nat ext, the packet should be dropped, like the memory allocation failures in other places in ovs_ct_nat(). This patch changes to return NF_DROP when fails to add nat ext before doing NAT in ovs_ct_nat(), also it would keep consistent with tc action ct' processing in tcf_ct_act_nat(). Signed-off-by: Xin Long --- net/openvswitch/conntrack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 5ea74270da46..58c9f0edc3c4 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -821,7 +821,7 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, /* Add NAT extension if not confirmed yet. */ if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) - return NF_ACCEPT; /* Can't NAT. */ + return NF_DROP; /* Can't NAT. */ /* Determine NAT type. * Check if the NAT type can be deduced from the tracked connection. From patchwork Tue Dec 6 23:31:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13066361 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67A3BC3A5A7 for ; Tue, 6 Dec 2022 23:31:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229743AbiLFXbb (ORCPT ); Tue, 6 Dec 2022 18:31:31 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38114 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229684AbiLFXbZ (ORCPT ); Tue, 6 Dec 2022 18:31:25 -0500 Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A34343867 for ; Tue, 6 Dec 2022 15:31:25 -0800 (PST) Received: by mail-qk1-x733.google.com with SMTP id k3so2447450qki.13 for ; Tue, 06 Dec 2022 15:31:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=BCSUkUl3qtx2Ug0vdO9kQ6Q3WtijYxxWczDbAdumJqo=; b=dy8muhU+bxTzpENQbLD3W/1GFMRViQLHLZYwqzrU0UMTncgGVKdFGKSibU3U5srfgF 0cNfrhOXVYsLWx5M8jwa+AhAyt2kP1gmAxQo7yWEmeGVBTd6GOBrx2RqzznFmNv36cVV YwTFZuFZoEFaMYNKtIkf+UxpoZdnjod+qhbc4P0Qq/ffibT63Z7h0gDKeilDQDi7xa4s h+JL7eXrgQtPwbsbcsdrGKizij9Hyd5qnJ5EMbeD2Ech2bJYu8+zfjJs0roIrm/rcq0n 0NQSkOjI2ovqP0tpt0mU2U2e1CcrFP8bTE+2KOYDaE1WCq272ycoIXX8p5/me85Vvp/L OGrQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BCSUkUl3qtx2Ug0vdO9kQ6Q3WtijYxxWczDbAdumJqo=; b=EvOoiApfM6JNT3s+PhU5JyLypYHCDL916rMd4SlxQ1xn829+hh4AgELeoaPctZz7jX jcp24gTfW3+ZOtmN+8mar051Z8yLTglgfwZ4UljWj3CIDeNny0wXdctu38Je6FaQYadE ct9mOLWUPXkHwRst0t4hDQNMxn2If0KBpmEAMHGBqIE55/QthYVBbWU2UJ0L5x9lXIev MUcCjcTnMvNUGM5bvld9ZwfIDTcyELy2ONNHLIYrm4tblznxZLFbcX2Ebx8ZfjfvmKXd 18BZulYe400ya2eAwpVigeG36tT2QvMZ2I5jtz0oIHSGX2hJ8ZkUP5tF0NxettIoVAew 835w== X-Gm-Message-State: ANoB5pm1D/FJ9ssIKvh5o7V5VJAI3zU+3t8WnkRsDhtgi+K9MtElUcva aJS/eREpXlozs5scnRbRfeWqb+eSC+4Kww== X-Google-Smtp-Source: AA0mqf7GyUjfJpUAGWWT3ETtTvQ1+imiBjxZOEGx13Zg2kHgQ5TvGxExpfxC6cXDPwUpU+QDIi1Kdg== X-Received: by 2002:ae9:e892:0:b0:6fe:e5da:6029 with SMTP id a140-20020ae9e892000000b006fee5da6029mr618898qkg.188.1670369483888; Tue, 06 Dec 2022 15:31:23 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id i21-20020a05620a405500b006f8665f483fsm16590231qko.85.2022.12.06.15.31.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Dec 2022 15:31:23 -0800 (PST) From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Oz Shlomo , Paul Blakey , Ilya Maximets , Eelco Chaudron , Aaron Conole , Saeed Mahameed Subject: [PATCHv3 net-next 4/5] net: sched: update the nat flag for icmp error packets in ct_nat_execute Date: Tue, 6 Dec 2022 18:31:15 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org In ovs_ct_nat_execute(), the packet flow key nat flags are updated when it processes ICMP(v6) error packets translation successfully. In ct_nat_execute() when processing ICMP(v6) error packets translation successfully, it should have done the same in ct_nat_execute() to set post_ct_s/dnat flag, which will be used to update flow key nat flags in OVS module later. Reviewed-by: Saeed Mahameed Signed-off-by: Xin Long --- net/sched/act_ct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index dd5ae7551956..bb87d1e910ea 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -936,13 +936,13 @@ static int ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, } err = nf_nat_packet(ct, ctinfo, hooknum, skb); +out: if (err == NF_ACCEPT) { if (maniptype == NF_NAT_MANIP_SRC) tc_skb_cb(skb)->post_ct_snat = 1; if (maniptype == NF_NAT_MANIP_DST) tc_skb_cb(skb)->post_ct_dnat = 1; } -out: return err; } #endif /* CONFIG_NF_NAT */ From patchwork Tue Dec 6 23:31:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13066362 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25054C352A1 for ; Tue, 6 Dec 2022 23:31:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229766AbiLFXbd (ORCPT ); Tue, 6 Dec 2022 18:31:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229501AbiLFXb3 (ORCPT ); Tue, 6 Dec 2022 18:31:29 -0500 Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B03DB43ADF for ; Tue, 6 Dec 2022 15:31:26 -0800 (PST) Received: by mail-qk1-x72e.google.com with SMTP id z17so8830263qki.11 for ; Tue, 06 Dec 2022 15:31:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=v3aJN9ru7zi8SfyGB/9kW2Cxd58wGDXTGzhZD1/WOC8=; b=Md5R0eUQ8ZALJBet45kpZx+DkQeRqUwm+BViJ+rfMvHAacplhPAsoJCuMeZ2gYBR4o m07ilwGS6syyfX2gCisxuXlEAyItq0HGncT0dboqKtpzb2cHa2J45s4qdFC8JRNZfGG9 qQbGv2oMDFUG2lxHM9I1enfYFfnOSzTwPgddAXN6UujfmjIWsWRm60athbwHu2oa7pUl 4Nyz344p4fQy1AiA5qMhdBlEwCztiLoUa9duIY+o968v3MffX+q9EC4GCZJLZmzNSjh6 Jfavk+mm71YJ9IVwfKkrT1VJVH8vnbSoJ8gqacND1Q5vxX/QvRrHJVI25pAgfqgMk4Je +llw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=v3aJN9ru7zi8SfyGB/9kW2Cxd58wGDXTGzhZD1/WOC8=; b=GWeBLZ1SdaKVNpU1acsWzIY2I4nGaARsPPmp7QJoCPuI030LebGY8c9d8/ClCNudKs U0tjTpeEEjYznBdIvDqvly4axGZ9Dsbt36ZkArI1wZsEidPxHtOOFEKep7mezRNw9G6d b0mcKWTSxcjxZKKX45x0eutV7LJmzJD1QSZ2p1m+lAWbfzn2DsL9U9ByxNya6vn0adl1 jImlDnLR3/EEMV7/vIUrNw5cjcHgUx7uS1kqjnalkx6llq+C9gJIv5HSXFEttWyoNXLD hpLJzfYv+TkWS6l0hxYDm+UBM7yPQgo/N/MO5KvzYV+M0RkS3CxNeS6vVdVSUPmORcrS Y/4Q== X-Gm-Message-State: ANoB5pla1z18xxuotzymlLX+TYuV8vA2qttoZjP03JviEI4tQr6s2qJR RMwDz/o3H6D2i08CuZgnRue5CvVwm/hbWA== X-Google-Smtp-Source: AA0mqf4CSSGveYzbOWh79GQB9u4dd6UHm/0PhgGl0+uf7OeWZkhjO43hRyxhYgdz/akgp5oaHITAQQ== X-Received: by 2002:ae9:e405:0:b0:6fa:dde:394b with SMTP id q5-20020ae9e405000000b006fa0dde394bmr78723223qkc.265.1670369485270; Tue, 06 Dec 2022 15:31:25 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id i21-20020a05620a405500b006f8665f483fsm16590231qko.85.2022.12.06.15.31.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Dec 2022 15:31:24 -0800 (PST) From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Oz Shlomo , Paul Blakey , Ilya Maximets , Eelco Chaudron , Aaron Conole , Saeed Mahameed Subject: [PATCHv3 net-next 5/5] net: move the nat function to nf_nat_ovs for ovs and tc Date: Tue, 6 Dec 2022 18:31:16 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org There are two nat functions are nearly the same in both OVS and TC code, (ovs_)ct_nat_execute() and ovs_ct_nat/tcf_ct_act_nat(). This patch creates nf_nat_ovs.c under netfilter and moves them there then exports nf_ct_nat() so that it can be shared by both OVS and TC, and keeps the nat (type) check and nat flag update in OVS and TC's own place, as these parts are different between OVS and TC. Note that in OVS nat function it was using skb->protocol to get the proto as it already skips vlans in key_extract(), while it doesn't in TC, and TC has to call skb_protocol() to get proto. So in nf_ct_nat_execute(), we keep using skb_protocol() which works for both OVS and TC contrack. Reviewed-by: Saeed Mahameed Signed-off-by: Xin Long --- include/net/netfilter/nf_nat.h | 4 + net/netfilter/Makefile | 6 ++ net/netfilter/nf_nat_ovs.c | 135 ++++++++++++++++++++++++++++++++ net/openvswitch/conntrack.c | 137 +++------------------------------ net/sched/act_ct.c | 136 +++----------------------------- 5 files changed, 166 insertions(+), 252 deletions(-) create mode 100644 net/netfilter/nf_nat_ovs.c diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h index e9eb01e99d2f..9877f064548a 100644 --- a/include/net/netfilter/nf_nat.h +++ b/include/net/netfilter/nf_nat.h @@ -104,6 +104,10 @@ unsigned int nf_nat_inet_fn(void *priv, struct sk_buff *skb, const struct nf_hook_state *state); +int nf_ct_nat(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int *action, + const struct nf_nat_range2 *range, bool commit); + static inline int nf_nat_initialized(const struct nf_conn *ct, enum nf_nat_manip_type manip) { diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 1d4db1943936..0976d34b1e5f 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -54,6 +54,12 @@ obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o nf_nat-y := nf_nat_core.o nf_nat_proto.o nf_nat_helper.o +ifdef CONFIG_OPENVSWITCH +nf_nat-y += nf_nat_ovs.o +else ifdef CONFIG_NET_ACT_CT +nf_nat-y += nf_nat_ovs.o +endif + obj-$(CONFIG_NF_LOG_SYSLOG) += nf_log_syslog.o obj-$(CONFIG_NF_NAT) += nf_nat.o diff --git a/net/netfilter/nf_nat_ovs.c b/net/netfilter/nf_nat_ovs.c new file mode 100644 index 000000000000..551abd2da614 --- /dev/null +++ b/net/netfilter/nf_nat_ovs.c @@ -0,0 +1,135 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* Support nat functions for openvswitch and used by OVS and TC conntrack. */ + +#include + +/* Modelled after nf_nat_ipv[46]_fn(). + * range is only used for new, uninitialized NAT state. + * Returns either NF_ACCEPT or NF_DROP. + */ +static int nf_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int *action, + const struct nf_nat_range2 *range, + enum nf_nat_manip_type maniptype) +{ + __be16 proto = skb_protocol(skb, true); + int hooknum, err = NF_ACCEPT; + + /* See HOOK2MANIP(). */ + if (maniptype == NF_NAT_MANIP_SRC) + hooknum = NF_INET_LOCAL_IN; /* Source NAT */ + else + hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ + + switch (ctinfo) { + case IP_CT_RELATED: + case IP_CT_RELATED_REPLY: + if (proto == htons(ETH_P_IP) && + ip_hdr(skb)->protocol == IPPROTO_ICMP) { + if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, + hooknum)) + err = NF_DROP; + goto out; + } else if (IS_ENABLED(CONFIG_IPV6) && proto == htons(ETH_P_IPV6)) { + __be16 frag_off; + u8 nexthdr = ipv6_hdr(skb)->nexthdr; + int hdrlen = ipv6_skip_exthdr(skb, + sizeof(struct ipv6hdr), + &nexthdr, &frag_off); + + if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { + if (!nf_nat_icmpv6_reply_translation(skb, ct, + ctinfo, + hooknum, + hdrlen)) + err = NF_DROP; + goto out; + } + } + /* Non-ICMP, fall thru to initialize if needed. */ + fallthrough; + case IP_CT_NEW: + /* Seen it before? This can happen for loopback, retrans, + * or local packets. + */ + if (!nf_nat_initialized(ct, maniptype)) { + /* Initialize according to the NAT action. */ + err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) + /* Action is set up to establish a new + * mapping. + */ + ? nf_nat_setup_info(ct, range, maniptype) + : nf_nat_alloc_null_binding(ct, hooknum); + if (err != NF_ACCEPT) + goto out; + } + break; + + case IP_CT_ESTABLISHED: + case IP_CT_ESTABLISHED_REPLY: + break; + + default: + err = NF_DROP; + goto out; + } + + err = nf_nat_packet(ct, ctinfo, hooknum, skb); + if (err == NF_ACCEPT) + *action |= BIT(maniptype); +out: + return err; +} + +int nf_ct_nat(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int *action, + const struct nf_nat_range2 *range, bool commit) +{ + enum nf_nat_manip_type maniptype; + int err, ct_action = *action; + + *action = 0; + + /* Add NAT extension if not confirmed yet. */ + if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) + return NF_DROP; /* Can't NAT. */ + + if (ctinfo != IP_CT_NEW && (ct->status & IPS_NAT_MASK) && + (ctinfo != IP_CT_RELATED || commit)) { + /* NAT an established or related connection like before. */ + if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) + /* This is the REPLY direction for a connection + * for which NAT was applied in the forward + * direction. Do the reverse NAT. + */ + maniptype = ct->status & IPS_SRC_NAT + ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; + else + maniptype = ct->status & IPS_SRC_NAT + ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; + } else if (ct_action & BIT(NF_NAT_MANIP_SRC)) { + maniptype = NF_NAT_MANIP_SRC; + } else if (ct_action & BIT(NF_NAT_MANIP_DST)) { + maniptype = NF_NAT_MANIP_DST; + } else { + return NF_ACCEPT; + } + + err = nf_ct_nat_execute(skb, ct, ctinfo, action, range, maniptype); + if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { + if (ct->status & IPS_SRC_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = nf_ct_nat_execute(skb, ct, ctinfo, action, range, + maniptype); + } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { + err = nf_ct_nat_execute(skb, ct, ctinfo, action, NULL, + NF_NAT_MANIP_SRC); + } + } + return err; +} +EXPORT_SYMBOL_GPL(nf_ct_nat); diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 58c9f0edc3c4..c8b137649ca4 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -726,144 +726,27 @@ static void ovs_nat_update_key(struct sw_flow_key *key, } } -/* Modelled after nf_nat_ipv[46]_fn(). - * range is only used for new, uninitialized NAT state. - * Returns either NF_ACCEPT or NF_DROP. - */ -static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - const struct nf_nat_range2 *range, - enum nf_nat_manip_type maniptype, struct sw_flow_key *key) -{ - int hooknum, err = NF_ACCEPT; - - /* See HOOK2MANIP(). */ - if (maniptype == NF_NAT_MANIP_SRC) - hooknum = NF_INET_LOCAL_IN; /* Source NAT */ - else - hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ - - switch (ctinfo) { - case IP_CT_RELATED: - case IP_CT_RELATED_REPLY: - if (IS_ENABLED(CONFIG_NF_NAT) && - skb->protocol == htons(ETH_P_IP) && - ip_hdr(skb)->protocol == IPPROTO_ICMP) { - if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, - hooknum)) - err = NF_DROP; - goto out; - } else if (IS_ENABLED(CONFIG_IPV6) && - skb->protocol == htons(ETH_P_IPV6)) { - __be16 frag_off; - u8 nexthdr = ipv6_hdr(skb)->nexthdr; - int hdrlen = ipv6_skip_exthdr(skb, - sizeof(struct ipv6hdr), - &nexthdr, &frag_off); - - if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { - if (!nf_nat_icmpv6_reply_translation(skb, ct, - ctinfo, - hooknum, - hdrlen)) - err = NF_DROP; - goto out; - } - } - /* Non-ICMP, fall thru to initialize if needed. */ - fallthrough; - case IP_CT_NEW: - /* Seen it before? This can happen for loopback, retrans, - * or local packets. - */ - if (!nf_nat_initialized(ct, maniptype)) { - /* Initialize according to the NAT action. */ - err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) - /* Action is set up to establish a new - * mapping. - */ - ? nf_nat_setup_info(ct, range, maniptype) - : nf_nat_alloc_null_binding(ct, hooknum); - if (err != NF_ACCEPT) - goto out; - } - break; - - case IP_CT_ESTABLISHED: - case IP_CT_ESTABLISHED_REPLY: - break; - - default: - err = NF_DROP; - goto out; - } - - err = nf_nat_packet(ct, ctinfo, hooknum, skb); -out: - /* Update the flow key if NAT successful. */ - if (err == NF_ACCEPT) - ovs_nat_update_key(key, skb, maniptype); - - return err; -} - /* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise. */ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { - enum nf_nat_manip_type maniptype; - int err; + int err, action = 0; if (!(info->nat & OVS_CT_NAT)) return NF_ACCEPT; + if (info->nat & OVS_CT_SRC_NAT) + action |= BIT(NF_NAT_MANIP_SRC); + if (info->nat & OVS_CT_DST_NAT) + action |= BIT(NF_NAT_MANIP_DST); - /* Add NAT extension if not confirmed yet. */ - if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) - return NF_DROP; /* Can't NAT. */ + err = nf_ct_nat(skb, ct, ctinfo, &action, &info->range, info->commit); - /* Determine NAT type. - * Check if the NAT type can be deduced from the tracked connection. - * Make sure new expected connections (IP_CT_RELATED) are NATted only - * when committing. - */ - if (ctinfo != IP_CT_NEW && ct->status & IPS_NAT_MASK && - (ctinfo != IP_CT_RELATED || info->commit)) { - /* NAT an established or related connection like before. */ - if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) - /* This is the REPLY direction for a connection - * for which NAT was applied in the forward - * direction. Do the reverse NAT. - */ - maniptype = ct->status & IPS_SRC_NAT - ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; - else - maniptype = ct->status & IPS_SRC_NAT - ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; - } else if (info->nat & OVS_CT_SRC_NAT) { - maniptype = NF_NAT_MANIP_SRC; - } else if (info->nat & OVS_CT_DST_NAT) { - maniptype = NF_NAT_MANIP_DST; - } else { - return NF_ACCEPT; /* Connection is not NATed. */ - } - err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype, key); - - if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { - if (ct->status & IPS_SRC_NAT) { - if (maniptype == NF_NAT_MANIP_SRC) - maniptype = NF_NAT_MANIP_DST; - else - maniptype = NF_NAT_MANIP_SRC; - - err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, - maniptype, key); - } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { - err = ovs_ct_nat_execute(skb, ct, ctinfo, NULL, - NF_NAT_MANIP_SRC, key); - } - } + if (action & BIT(NF_NAT_MANIP_SRC)) + ovs_nat_update_key(key, skb, NF_NAT_MANIP_SRC); + if (action & BIT(NF_NAT_MANIP_DST)) + ovs_nat_update_key(key, skb, NF_NAT_MANIP_DST); return err; } diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index bb87d1e910ea..ccad9c5ba4f0 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -863,90 +863,6 @@ static void tcf_ct_params_free_rcu(struct rcu_head *head) tcf_ct_params_free(params); } -#if IS_ENABLED(CONFIG_NF_NAT) -/* Modelled after nf_nat_ipv[46]_fn(). - * range is only used for new, uninitialized NAT state. - * Returns either NF_ACCEPT or NF_DROP. - */ -static int ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - const struct nf_nat_range2 *range, - enum nf_nat_manip_type maniptype) -{ - __be16 proto = skb_protocol(skb, true); - int hooknum, err = NF_ACCEPT; - - /* See HOOK2MANIP(). */ - if (maniptype == NF_NAT_MANIP_SRC) - hooknum = NF_INET_LOCAL_IN; /* Source NAT */ - else - hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ - - switch (ctinfo) { - case IP_CT_RELATED: - case IP_CT_RELATED_REPLY: - if (proto == htons(ETH_P_IP) && - ip_hdr(skb)->protocol == IPPROTO_ICMP) { - if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, - hooknum)) - err = NF_DROP; - goto out; - } else if (IS_ENABLED(CONFIG_IPV6) && proto == htons(ETH_P_IPV6)) { - __be16 frag_off; - u8 nexthdr = ipv6_hdr(skb)->nexthdr; - int hdrlen = ipv6_skip_exthdr(skb, - sizeof(struct ipv6hdr), - &nexthdr, &frag_off); - - if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { - if (!nf_nat_icmpv6_reply_translation(skb, ct, - ctinfo, - hooknum, - hdrlen)) - err = NF_DROP; - goto out; - } - } - /* Non-ICMP, fall thru to initialize if needed. */ - fallthrough; - case IP_CT_NEW: - /* Seen it before? This can happen for loopback, retrans, - * or local packets. - */ - if (!nf_nat_initialized(ct, maniptype)) { - /* Initialize according to the NAT action. */ - err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) - /* Action is set up to establish a new - * mapping. - */ - ? nf_nat_setup_info(ct, range, maniptype) - : nf_nat_alloc_null_binding(ct, hooknum); - if (err != NF_ACCEPT) - goto out; - } - break; - - case IP_CT_ESTABLISHED: - case IP_CT_ESTABLISHED_REPLY: - break; - - default: - err = NF_DROP; - goto out; - } - - err = nf_nat_packet(ct, ctinfo, hooknum, skb); -out: - if (err == NF_ACCEPT) { - if (maniptype == NF_NAT_MANIP_SRC) - tc_skb_cb(skb)->post_ct_snat = 1; - if (maniptype == NF_NAT_MANIP_DST) - tc_skb_cb(skb)->post_ct_dnat = 1; - } - return err; -} -#endif /* CONFIG_NF_NAT */ - static void tcf_ct_act_set_mark(struct nf_conn *ct, u32 mark, u32 mask) { #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) @@ -986,52 +902,22 @@ static int tcf_ct_act_nat(struct sk_buff *skb, bool commit) { #if IS_ENABLED(CONFIG_NF_NAT) - int err; - enum nf_nat_manip_type maniptype; + int err, action = 0; if (!(ct_action & TCA_CT_ACT_NAT)) return NF_ACCEPT; + if (ct_action & TCA_CT_ACT_NAT_SRC) + action |= BIT(NF_NAT_MANIP_SRC); + if (ct_action & TCA_CT_ACT_NAT_DST) + action |= BIT(NF_NAT_MANIP_DST); - /* Add NAT extension if not confirmed yet. */ - if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) - return NF_DROP; /* Can't NAT. */ - - if (ctinfo != IP_CT_NEW && (ct->status & IPS_NAT_MASK) && - (ctinfo != IP_CT_RELATED || commit)) { - /* NAT an established or related connection like before. */ - if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) - /* This is the REPLY direction for a connection - * for which NAT was applied in the forward - * direction. Do the reverse NAT. - */ - maniptype = ct->status & IPS_SRC_NAT - ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; - else - maniptype = ct->status & IPS_SRC_NAT - ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; - } else if (ct_action & TCA_CT_ACT_NAT_SRC) { - maniptype = NF_NAT_MANIP_SRC; - } else if (ct_action & TCA_CT_ACT_NAT_DST) { - maniptype = NF_NAT_MANIP_DST; - } else { - return NF_ACCEPT; - } + err = nf_ct_nat(skb, ct, ctinfo, &action, range, commit); + + if (action & BIT(NF_NAT_MANIP_SRC)) + tc_skb_cb(skb)->post_ct_snat = 1; + if (action & BIT(NF_NAT_MANIP_DST)) + tc_skb_cb(skb)->post_ct_dnat = 1; - err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); - if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { - if (ct->status & IPS_SRC_NAT) { - if (maniptype == NF_NAT_MANIP_SRC) - maniptype = NF_NAT_MANIP_DST; - else - maniptype = NF_NAT_MANIP_SRC; - - err = ct_nat_execute(skb, ct, ctinfo, range, - maniptype); - } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { - err = ct_nat_execute(skb, ct, ctinfo, NULL, - NF_NAT_MANIP_SRC); - } - } return err; #else return NF_ACCEPT;