[ovs-dev] Reset ct_mark and ct_labels in conntrack entry

Jinjun Gao jinjung at vmware.com
Mon Jul 13 16:27:22 UTC 2020


Hi Alin/Anand,

We have a project that needs to support ALG FTP on Windows OVS. I have added CT_HELP and CT_TUPLE_MASTER in a previously merged patch. Now, we also need to support ct_mark and ct_labels. We have tested that FTP data traffic cannot inherit ct_mark and ct_labels from its master FTP control traffic in the current implementation. I have cooked a patch to implement it. But I have a confusion that I need to discuss with you guys.

In our project, there is a rule like “ruleid (0x1000) from(any) to(any) service(ftp) allow”. This rule will be pushed to OVS by the controller. The ruleid will be set in the ct_mark field only in the ftp control flow:
actions=ct(commit,zone=61439,mark=0x3f1/0xffffffff,label=0x1018/0xffffffff000000000000000000001fff,helper=ftp), the ftp data flow has no ct_mark field: actions=ct(commit,zone=61439,label=0x80/0xffffffff0000000000001380).

In general, the CT entry cannot derive the ct_mark at connection commit because there is no ct_mark field in the flow rule’s ct actions. For FTP data traffic, it has a master conntrack entry. If its master conntrack entry has ct_mark, should the FTP data conntrack entry inherit its master’s ct_mark even though it has no ct_mark field in its ct actions?

I checked the userspace datapath ALG FTP support code. It seems it will not inherit the master’s ct_mark/ct_labels if it has no ct_mark/ct_labels field in the ct commit actions.
https://github.com/openvswitch/ovs/blob/master/lib/conntrack.c#L1374
    if (conn && setmark) {  <<<< setmark should be NULL if there is no ct_mark field in the ct commit actions. If setmark is NULL for FTP data traffic, it cannot inherit the master’s mark even if the master has a mark.
        set_mark(pkt, conn, setmark[0], setmark[1]);
    }

    if (conn && setlabel) { <<<<
        set_label(pkt, conn, &setlabel[0], &setlabel[1]);
    }

I don’t know how the Linux datapath implements it, but for the same ALG FTP rule in our project, the FTP data traffic can inherit the master’s mark in Linux OVS even though it has no ct_mark field in the ct commit actions.
Here, do you have any suggestions? Should the FTP data flow always inherit its master’s mark/labels even though it has no ct_mark/ct_labels field in the ct commit actions, or should it always consider its own ct_mark/ct_labels field in the ct commit actions first?

Thanks,
- Jinjun


