[ovs-dev] [PATCH branch-2.7 09/25] datapath: handle NF_REPEAT from nf_conntrack_in()
Jarno Rajahalme
jarno at ovn.org
Wed Mar 15 23:31:13 UTC 2017
From: Pablo Neira Ayuso <pablo at netfilter.org>
Upstream commit:
commit 08733a0cb7decce40bbbd0331a0449465f13c444
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Thu Nov 3 10:56:43 2016 +0100
netfilter: handle NF_REPEAT from nf_conntrack_in()
NF_REPEAT is only needed from nf_conntrack_in() under a very specific
case required by the TCP protocol tracker, we can handle this case
without returning to the core hook path. Handling of NF_REPEAT from the
nf_reinject() is left untouched.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
[Committer notes]
Shift the functionality into the compat code, protected by v4.10
version check. This allows the datapath/conntrack.c to match
upstream.
Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
Signed-off-by: Joe Stringer <joe at ovn.org>
---
datapath/conntrack.c | 8 ++------
.../include/net/netfilter/nf_conntrack_core.h | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index a0c5443..36db32a 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -770,12 +770,8 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
skb->nfctinfo = IP_CT_NEW;
}
- /* Repeat if requested, see nf_iterate(). */
- do {
- err = nf_conntrack_in(net, info->family,
- NF_INET_PRE_ROUTING, skb);
- } while (err == NF_REPEAT);
-
+ err = nf_conntrack_in(net, info->family,
+ NF_INET_PRE_ROUTING, skb);
if (err != NF_ACCEPT)
return -ENOENT;
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
index 09a53c3..16b57a6 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -67,4 +67,25 @@ static inline bool rpl_nf_ct_get_tuple(const struct sk_buff *skb,
#define nf_ct_get_tuple rpl_nf_ct_get_tuple
#endif /* HAVE_NF_CT_GET_TUPLEPR_TAKES_STRUCT_NET */
+/* Commit 08733a0cb7de ("netfilter: handle NF_REPEAT from nf_conntrack_in()")
+ * introduced behavioural changes to this function which cannot be detected
+ * in the headers. Unconditionally backport to kernels older than the one which
+ * contains this commit. */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,10,0)
+static unsigned int rpl_nf_conntrack_in(struct net *net, u_int8_t pf,
+ unsigned int hooknum,
+ struct sk_buff *skb)
+{
+ int err;
+
+ /* Repeat if requested, see nf_iterate(). */
+ do {
+ err = nf_conntrack_in(net, pf, hooknum, skb);
+ } while (err == NF_REPEAT);
+
+ return err;
+}
+#define nf_conntrack_in rpl_nf_conntrack_in
+#endif /* < 4.10 */
+
#endif /* _NF_CONNTRACK_CORE_WRAPPER_H */
--
2.1.4
More information about the dev
mailing list