From patchwork Sun Jul 16 21:09:17 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 13314893
From: Xin Long
To: network dev, dev@openvswitch.org
Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Pravin B Shelar, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Pablo Neira Ayuso, Florian Westphal, Marcelo Ricardo Leitner, Davide Caratti, Aaron Conole
Subject: [PATCH net-next 1/3] netfilter: allow exp not to be removed in nf_ct_find_expectation
Date: Sun, 16 Jul 2023 17:09:17 -0400
Message-Id: <74bd67f806666fd9a3975ae441c308128409ea32.1689541664.git.lucien.xin@gmail.com>

Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove
the exp from the hash table. However, in some scenarios, we expect the exp
not to be removed when the created ct will not be confirmed, like in OVS
and TC conntrack in the following patches.

This patch allows exp not to be removed by setting IPS_CONFIRMED in the
status of the tmpl.

Signed-off-by: Xin Long
Acked-by: Aaron Conole
---
 include/net/netfilter/nf_conntrack_expect.h | 2 +-
 net/netfilter/nf_conntrack_core.c           | 2 +-
 net/netfilter/nf_conntrack_expect.c         | 4 ++--
 net/netfilter/nft_ct.c                      | 2 ++
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index cf0d81be5a96..165e7a03b8e9 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -100,7 +100,7 @@ nf_ct_expect_find_get(struct net *net, struct nf_conntrack_expect * nf_ct_find_expectation(struct net *net, const struct nf_conntrack_zone *zone, - const struct nf_conntrack_tuple *tuple); + const struct nf_conntrack_tuple *tuple, bool unlink); void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp, u32 portid, int report); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 992393102d5f..9f6f2e643575 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1756,7 +1756,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl, cnet = nf_ct_pernet(net); if (cnet->expect_count) { spin_lock_bh(&nf_conntrack_expect_lock); - exp = nf_ct_find_expectation(net, zone, tuple); + exp = nf_ct_find_expectation(net, zone, tuple, !tmpl || nf_ct_is_confirmed(tmpl)); if (exp) { /* Welcome, Mr. Bond. We've been expecting you... */ __set_bit(IPS_EXPECTED_BIT, &ct->status); diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 96948e98ec53..81ca348915c9 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c @@ -171,7 +171,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_find_get); struct nf_conntrack_expect * nf_ct_find_expectation(struct net *net, const struct nf_conntrack_zone *zone, - const struct nf_conntrack_tuple *tuple) + const struct nf_conntrack_tuple *tuple, bool unlink) { struct nf_conntrack_net *cnet = nf_ct_pernet(net); struct nf_conntrack_expect *i, *exp = NULL; @@ -211,7 +211,7 @@ nf_ct_find_expectation(struct net *net, !refcount_inc_not_zero(&exp->master->ct_general.use))) return NULL; - if (exp->flags & NF_CT_EXPECT_PERMANENT) { + if (exp->flags & NF_CT_EXPECT_PERMANENT || !unlink) { refcount_inc(&exp->use); return exp; } else if (del_timer(&exp->timeout)) { diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 38958e067aa8..e87fd4314c68 100644 --- a/net/netfilter/nft_ct.c 
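Review bot: the new `bool unlink` parameter added to nf_ct_find_expectation() in nf_conntrack_expect.h carries no comment saying what false means; add a line stating that with unlink=false the expectation is left in the hash with its timer still running and only a reference on exp->use is taken, so callers know it can expire or match again later. The diffstat shows only the init_conntrack() call site being updated, so it is worth confirming there is no other in-tree caller of this function.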
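Review bot: the call `exp = nf_ct_find_expectation(net, zone, tuple, !tmpl || nf_ct_is_confirmed(tmpl));` in init_conntrack() encodes the new rule in the opposite sense from the commit message: the message says the exp is kept "by setting IPS_CONFIRMED in the status of the tmpl", while this line unlinks when the template is confirmed (or absent) and keeps the exp only for an unconfirmed template. Please fix the message wording, and add a one-line comment above the call explaining that an unconfirmed template marks a caller that will not confirm the ct and therefore needs to find the same expectation again on a later lookup.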
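Review bot: `if (exp->flags & NF_CT_EXPECT_PERMANENT || !unlink)` in the nf_ct_find_expectation() hunk at @@ -211 mixes a bitwise test with || and reads ambiguously; write it as `if ((exp->flags & NF_CT_EXPECT_PERMANENT) || !unlink)`. The merged branch takes refcount_inc(&exp->use) for the !unlink case exactly as it does for permanent expectations, so the caller must balance that reference, while the del_timer() path below it is skipped and the expectation keeps its timeout.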
+++ b/net/netfilter/nft_ct.c @@ -262,6 +262,7 @@ static void nft_ct_set_zone_eval(const struct nft_expr *expr, regs->verdict.code = NF_DROP; return; } + __set_bit(IPS_CONFIRMED_BIT, &ct->status); } nf_ct_set(skb, ct, IP_CT_NEW); 
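Review bot: the commit message does not mention nft_ct at all, yet this hunk in nft_ct_set_zone_eval() starts marking the freshly allocated zone template IPS_CONFIRMED; the message should say that this (and the per-CPU template change that follows) exists only to keep nft_ct's current unlink-on-lookup behaviour under the new rule, otherwise a reader of nft_ct.c sees a confirmed bit on a template with no explanation. A short comment above the __set_bit() would serve the same purpose in the code.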
@@ -368,6 +369,7 @@ static bool nft_ct_tmpl_alloc_pcpu(void) return false; } + __set_bit(IPS_CONFIRMED_BIT, &tmp->status); per_cpu(nft_ct_pcpu_template, cpu) = tmp; }
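Review bot: same point for nft_ct_tmpl_alloc_pcpu(): `__set_bit(IPS_CONFIRMED_BIT, &tmp->status);` is now set in two separate template allocation paths of nft_ct.c with nothing tying them together; a one-line comment at each site, or a tiny helper used by both, would stop the two from drifting apart when template setup changes.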
From patchwork Sun Jul 16 21:09:18 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 13314894
From: Xin Long
To: network dev, dev@openvswitch.org
Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Pravin B Shelar, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Pablo Neira Ayuso, Florian Westphal, Marcelo Ricardo Leitner, Davide Caratti, Aaron Conole
Subject: [PATCH net-next 2/3] net: sched: set IPS_CONFIRMED in tmpl status only when commit is set in act_ct
Date: Sun, 16 Jul 2023 17:09:18 -0400
Message-Id: <4ffd82b3acc34ebd09855a26eb148fcd59fa872c.1689541664.git.lucien.xin@gmail.com>

With the following flows, the packets will be dropped if OVS TC offload
is enabled.

  'ip,ct_state=-trk,in_port=1 actions=ct(zone=1)'
  'ip,ct_state=+trk+new+rel,in_port=1 actions=ct(commit,zone=1)'
  'ip,ct_state=+trk+new+rel,in_port=1 actions=ct(commit,zone=2),normal'

In the 1st flow, it finds the exp from the hashtable and removes it, then
creates the ct with this exp in act_ct. However, in the 2nd flow it goes
to the OVS upcall the 1st time. When the skb comes back from userspace,
it has to create the ct again without exp (the exp was removed last time).
With no 'rel' set in the ct, the 3rd flow can never get matched.

In OVS conntrack, it works around it by adding its own exp lookup function
ovs_ct_expect_find() where it doesn't remove the exp. Instead of creating
a real ct, it only updates its keys with the exp and its master info. So
when the skb comes back, the exp is still in the hashtable.

However, we can't do this trick in act_ct, as tc flower match is using a
real ct, and passing the exp and its master info to flower parsing via
tc_skb_cb is also not possible (tc_skb_cb size is not big enough).

The simple and clear fix is to not remove the exp at the 1st flow, namely,
not set IPS_CONFIRMED in tmpl when commit is not set in act_ct.

Reported-by: Shuang Li
Signed-off-by: Xin Long
Acked-by: Aaron Conole
Reviewed-by: Davide Caratti
---
 net/sched/act_ct.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index abc71a06d634..7c652d14528b 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c
@@ -1238,7 +1238,8 @@ static int tcf_ct_fill_params(struct net *net, } } - __set_bit(IPS_CONFIRMED_BIT, &tmpl->status); + if (p->ct_action & TCA_CT_ACT_COMMIT) + __set_bit(IPS_CONFIRMED_BIT, &tmpl->status); return 0; err: nf_ct_put(p->tmpl);
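Review bot: `if (p->ct_action & TCA_CT_ACT_COMMIT) __set_bit(IPS_CONFIRMED_BIT, &tmpl->status);` in tcf_ct_fill_params() relies entirely on the semantics introduced in 1/3, and the reason the bit is tied to commit (the exp must survive a non-commit lookup so the re-lookup after the upcall can still find it) lives only in the commit message; add a short comment at this site so the next reader of act_ct.c does not take the unconfirmed template for an oversight.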
From patchwork Sun Jul 16 21:09:19 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 13314895
From: Xin Long
To: network dev, dev@openvswitch.org
Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Pravin B Shelar, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Pablo Neira Ayuso, Florian Westphal, Marcelo Ricardo Leitner, Davide Caratti, Aaron Conole
Subject: [PATCH net-next 3/3] openvswitch: set IPS_CONFIRMED in tmpl status only when commit is set in conntrack
Date: Sun, 16 Jul 2023 17:09:19 -0400

By not setting IPS_CONFIRMED in tmpl, which allows the exp not to be
removed from the hashtable on lookup, we can simplify the exp processing
code a lot in openvswitch conntrack.

Signed-off-by: Xin Long
Acked-by: Aaron Conole
---
 net/openvswitch/conntrack.c | 78 +++++--------------------------------
 1 file changed, 10 insertions(+), 68 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 331730fd3580..fa955e892210 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c
@@ -455,45 +455,6 @@ static int ovs_ct_handle_fragments(struct net *net, struct sw_flow_key *key, return 0; } -static struct nf_conntrack_expect * -ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone, - u16 proto, const struct sk_buff *skb) -{ - struct nf_conntrack_tuple tuple; - struct nf_conntrack_expect *exp; - - if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple)) - return NULL; - - exp = __nf_ct_expect_find(net, zone, &tuple); - if (exp) { - struct nf_conntrack_tuple_hash *h; - - /* Delete existing conntrack entry, if it clashes with the - * expectation. This can happen since conntrack ALGs do not - * check for clashes between (new) expectations and existing - * conntrack entries. nf_conntrack_in() will check the - * expectations only if a conntrack entry can not be found, - * which can lead to OVS finding the expectation (here) in the - * init direction, but which will not be removed by the - * nf_conntrack_in() call, if a matching conntrack entry is - * found instead. In this case all init direction packets - * would be reported as new related packets, while reply - * direction packets would be reported as un-related - * established packets. - */ - h = nf_conntrack_find_get(net, zone, &tuple); - if (h) { - struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); - - nf_ct_delete(ct, 0, 0); - nf_ct_put(ct); - } - } - - return exp; -} - /* This replicates logic from nf_conntrack_core.c that is not exported. */ static enum ip_conntrack_info ovs_ct_get_info(const struct nf_conntrack_tuple_hash *h) 
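Review bot: removing ovs_ct_expect_find() also removes the clash handling it carried: the deleted comment explains that conntrack ALGs do not check new expectations against existing conntrack entries, and the function deleted a clashing entry with nf_ct_delete() so that init-direction packets would not be reported as new+related while reply-direction packets looked like unrelated established traffic. The commit message only says the code is simplified; it should state why that case no longer needs handling now that expected packets go through nf_conntrack_in() with an unconfirmed template, or whether that misreport can recur.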
@@ -852,36 +813,16 @@ static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, struct sk_buff *skb) { - struct nf_conntrack_expect *exp; - - /* If we pass an expected packet through nf_conntrack_in() the - * expectation is typically removed, but the packet could still be - * lost in upcall processing. To prevent this from happening we - * perform an explicit expectation lookup. Expected connections are - * always new, and will be passed through conntrack only when they are - * committed, as it is OK to remove the expectation at that time. - */ - exp = ovs_ct_expect_find(net, &info->zone, info->family, skb); - if (exp) { - u8 state; - - /* NOTE: New connections are NATted and Helped only when - * committed, so we are not calling into NAT here. - */ - state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED; - __ovs_ct_update_key(key, state, &info->zone, exp->master); - } else { - struct nf_conn *ct; - int err; + struct nf_conn *ct; + int err; - err = __ovs_ct_lookup(net, key, info, skb); - if (err) - return err; + err = __ovs_ct_lookup(net, key, info, skb); + if (err) + return err; - ct = (struct nf_conn *)skb_nfct(skb); - if (ct) - nf_ct_deliver_cached_events(ct); - } + ct = (struct nf_conn *)skb_nfct(skb); + if (ct) + nf_ct_deliver_cached_events(ct); return 0; } @@ -1460,7 +1401,8 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, if (err) goto err_free_ct; - __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status); + if (ct_info.commit) + __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status); return 0; err_free_ct: __ovs_ct_free_action(&ct_info);
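Review bot: the deleted comments in ovs_ct_lookup() stated that expected connections were passed through conntrack only when committed, and that they were "NATted and Helped only when committed, so we are not calling into NAT here". With this hunk every expected packet now goes through __ovs_ct_lookup() even without commit, so please confirm, and say in the message, that NAT and helper handling inside __ovs_ct_lookup() is still gated on commit, since that was the stated reason the explicit expectation path existed.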
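Review bot: `if (ct_info.commit) __set_bit(IPS_CONFIRMED_BIT, &ct_info.ct->status);` in ovs_ct_copy_action() is the same commit-gated rule as the act_ct change in 2/3, and with ovs_ct_expect_find() gone nothing left in conntrack.c explains it; a short comment here saying that a template for a non-commit action must stay unconfirmed so nf_ct_find_expectation() leaves the exp in the hash for the re-lookup after an upcall would preserve the reasoning the removed comments used to carry.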