[ovs-dev] [PATCH 11/11] datapath: Allow attaching helper in later commit
Yifeng Sun
pkusunyifeng at gmail.com
Mon Oct 14 23:36:22 UTC 2019
LGTM, thanks.
Reviewed-by: Yifeng Sun <pkusunyifeng at gmail.com>
On Mon, Oct 14, 2019 at 10:56 AM Yi-Hung Wei <yihung.wei at gmail.com> wrote:
>
> Upstream commit:
> commit 248d45f1e1934f7849fbdc35ef1e57151cf063eb
> Author: Yi-Hung Wei <yihung.wei at gmail.com>
> Date: Fri Oct 4 09:26:44 2019 -0700
>
> openvswitch: Allow attaching helper in later commit
>
> This patch allows to attach conntrack helper to a confirmed conntrack
> entry. Currently, we can only attach alg helper to a conntrack entry
> when it is in the unconfirmed state. This patch enables an use case
> that we can firstly commit a conntrack entry after it passed some
> initial conditions. After that the processing pipeline will further
> check a couple of packets to determine if the connection belongs to
> a particular application, and attach alg helper to the connection
> in a later stage.
>
> Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
>
> Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
> ---
> datapath/conntrack.c | 21 +++++++++++++--------
> 1 file changed, 13 insertions(+), 8 deletions(-)
>
> diff --git a/datapath/conntrack.c b/datapath/conntrack.c
> index f6e9386f4707..838cf63c908f 100644
> --- a/datapath/conntrack.c
> +++ b/datapath/conntrack.c
> @@ -1045,6 +1045,8 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
>
> ct = nf_ct_get(skb, &ctinfo);
> if (ct) {
> + bool add_helper = false;
> +
> /* Packets starting a new connection must be NATted before the
> * helper, so that the helper knows about the NAT. We enforce
> * this by delaying both NAT and helper calls for unconfirmed
> @@ -1062,16 +1064,17 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
> }
>
> /* Userspace may decide to perform a ct lookup without a helper
> - * specified followed by a (recirculate and) commit with one.
> - * Therefore, for unconfirmed connections which we will commit,
> - * we need to attach the helper here.
> + * specified followed by a (recirculate and) commit with one,
> + * or attach a helper in a later commit. Therefore, for
> + * connections which we will commit, we may need to attach
> + * the helper here.
> */
> - if (!nf_ct_is_confirmed(ct) && info->commit &&
> - info->helper && !nfct_help(ct)) {
> + if (info->commit && info->helper && !nfct_help(ct)) {
> int err = __nf_ct_try_assign_helper(ct, info->ct,
> GFP_ATOMIC);
> if (err)
> return err;
> + add_helper = true;
>
> /* helper installed, add seqadj if NAT is required */
> if (info->nat && !nfct_seqadj(ct)) {
> @@ -1081,11 +1084,13 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
> }
>
> /* Call the helper only if:
> - * - nf_conntrack_in() was executed above ("!cached") for a
> - * confirmed connection, or
> + * - nf_conntrack_in() was executed above ("!cached") or a
> + * helper was just attached ("add_helper") for a confirmed
> + * connection, or
> * - When committing an unconfirmed connection.
> */
> - if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) &&
> + if ((nf_ct_is_confirmed(ct) ? !cached || add_helper :
> + info->commit) &&
> ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
> return -EINVAL;
> }
> --
> 2.7.4
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
More information about the dev
mailing list