[ovs-dev] [PATCH] conntrack: Fix for force/commit bug

Greg Rose gvrose8192 at gmail.com
Wed Jul 12 18:05:20 UTC 2017 

When the direction is being forced key->ct_state may not have been
set.  Check for this condition and take action to set the state
correctly so that the force direction occurs.

Co-authored-by: Joe Stringer <joe at ovn.org>
Signed-off-by: Joe Stringer <joe at ovn.org>
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
---
 datapath/conntrack.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index bf28fc0..2da0321 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -665,7 +665,7 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
 
 /* Determine whether skb->_nfct is equal to the result of conntrack lookup. */
 static bool skb_nfct_cached(struct net *net,
-			    const struct sw_flow_key *key,
+			    struct sw_flow_key *key,
 			    const struct ovs_conntrack_info *info,
 			    struct sk_buff *skb)
 {
@@ -675,12 +675,22 @@ static bool skb_nfct_cached(struct net *net,
 	ct = nf_ct_get(skb, &ctinfo);
 	/* If no ct, check if we have evidence that an existing conntrack entry
 	 * might be found for this skb.  This happens when we lose a skb->_nfct
-	 * due to an upcall.  If the connection was not confirmed, it is not
-	 * cached and needs to be run through conntrack again.
+	 * due to an upcall, or if the direction is being forced.  If the
+	 * connection was not confirmed, it is not cached and needs to be run
+	 * through conntrack again.
 	 */
-	if (!ct && key->ct_state & OVS_CS_F_TRACKED &&
+	if ((!ct && (key->ct_state & OVS_CS_F_TRACKED &&
 	    !(key->ct_state & OVS_CS_F_INVALID) &&
-	    key->ct_zone == info->zone.id) {
+	    key->ct_zone == info->zone.id)) ||
+	    (!key->ct_state && info->force)) {
+		if (!key->ct_state && info->force && !info->ct) {
+			int result = nf_conntrack_in(net, info->family,
+						     NF_INET_PRE_ROUTING, skb);
+			if (result != NF_ACCEPT)
+				return false;
+			/* Update the key, but keep the NAT flags. */
+			ovs_ct_update_key(skb, info, key, true, true);
+		}
 		ct = ovs_ct_find_existing(net, &info->zone, info->family, skb,
 					  !!(key->ct_state
 					     & OVS_CS_F_NAT_MASK));
-- 
1.8.3.1

More information about the dev mailing list