[ovs-dev] [PATCH branch-2.7 09/25] datapath: handle NF_REPEAT from nf_conntrack_in()

Jarno Rajahalme jarno at ovn.org
Wed Mar 15 23:31:13 UTC 2017


From: Pablo Neira Ayuso <pablo at netfilter.org>

Upstream commit:
    commit 08733a0cb7decce40bbbd0331a0449465f13c444
    Author: Pablo Neira Ayuso <pablo at netfilter.org>
    Date:   Thu Nov 3 10:56:43 2016 +0100

    netfilter: handle NF_REPEAT from nf_conntrack_in()

    NF_REPEAT is only needed from nf_conntrack_in() under a very specific
    case required by the TCP protocol tracker, we can handle this case
    without returning to the core hook path. Handling of NF_REPEAT from the
    nf_reinject() is left untouched.

    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

[Committer notes]
    Shift the functionality into the compat code, protected by v4.10
    version check. This allows the datapath/conntrack.c to match
    upstream.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
Signed-off-by: Joe Stringer <joe at ovn.org>
---
 datapath/conntrack.c                                |  8 ++------
 .../include/net/netfilter/nf_conntrack_core.h       | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index a0c5443..36db32a 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -770,12 +770,8 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
 			skb->nfctinfo = IP_CT_NEW;
 		}
 
-		/* Repeat if requested, see nf_iterate(). */
-		do {
-			err = nf_conntrack_in(net, info->family,
-					      NF_INET_PRE_ROUTING, skb);
-		} while (err == NF_REPEAT);
-
+		err = nf_conntrack_in(net, info->family,
+				      NF_INET_PRE_ROUTING, skb);
 		if (err != NF_ACCEPT)
 			return -ENOENT;
 
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
index 09a53c3..16b57a6 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -67,4 +67,25 @@ static inline bool rpl_nf_ct_get_tuple(const struct sk_buff *skb,
 #define nf_ct_get_tuple rpl_nf_ct_get_tuple
 #endif /* HAVE_NF_CT_GET_TUPLEPR_TAKES_STRUCT_NET */
 
+/* Commit 08733a0cb7de ("netfilter: handle NF_REPEAT from nf_conntrack_in()")
+ * introduced behavioural changes to this function which cannot be detected
+ * in the headers. Unconditionally backport to kernels older than the one which
+ * contains this commit. */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,10,0)
+static unsigned int rpl_nf_conntrack_in(struct net *net, u_int8_t pf,
+					unsigned int hooknum,
+					struct sk_buff *skb)
+{
+	int err;
+
+	/* Repeat if requested, see nf_iterate(). */
+	do {
+		err = nf_conntrack_in(net, pf, hooknum, skb);
+	} while (err == NF_REPEAT);
+
+	return err;
+}
+#define nf_conntrack_in rpl_nf_conntrack_in
+#endif /* < 4.10 */
+
 #endif /* _NF_CONNTRACK_CORE_WRAPPER_H */
-- 
2.1.4



More information about the dev mailing list