[ovs-git] [openvswitch/ovs] cbbf81: datapath: make ndo_get_stats64 a void function

GitHub noreply at github.com
Fri Feb 24 01:12:48 UTC 2017


  Branch: refs/heads/review/jarno_ct_bp_v1
  Home:   https://github.com/openvswitch/ovs
  Commit: cbbf8141fd52eaf89c713482275d637ae6489225
      https://github.com/openvswitch/ovs/commit/cbbf8141fd52eaf89c713482275d637ae6489225
  Author: stephen hemminger <stephen at networkplumber.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/vport-internal_dev.c

  Log Message:
  -----------
  datapath: make ndo_get_stats64 a void function

Upstream commit:

    commit bc1f44709cf27fb2a5766cadafe7e2ad5e9cb221
    Author: stephen hemminger <stephen at networkplumber.org>
    Date:   Fri Jan 6 19:12:52 2017 -0800

    net: make ndo_get_stats64 a void function

    The network device operation for reading statistics is only called
    in one place, and it ignores the return value. Having a structure
    return value is potentially confusing because some future driver could
    incorrectly assume that the return value was used.

    Fix all drivers with ndo_get_stats64 to have a void function.

    Signed-off-by: Stephen Hemminger <sthemmin at microsoft.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>

This seems to be fine for all prior Linux versions as well.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: b641cb0bfb32cc6e9aa79d654612e85ab873f3ae
      https://github.com/openvswitch/ovs/commit/b641cb0bfb32cc6e9aa79d654612e85ab873f3ae
  Author: Florian Westphal <fw at strlen.de>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M acinclude.m4
    M datapath/conntrack.c
    M datapath/linux/compat/include/linux/skbuff.h

  Log Message:
  -----------
  datapath: add and use skb_nfct helper

Upstream commit:

    commit cb9c68363efb6d1f950ec55fb06e031ee70db5fc
    Author: Florian Westphal <fw at strlen.de>
    Date:   Mon Jan 23 18:21:56 2017 +0100

    skbuff: add and use skb_nfct helper

    Followup patch renames skb->nfct and changes its type so add a helper to
    avoid intrusive rename change later.

    Signed-off-by: Florian Westphal <fw at strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 568b020934b2bdfbdd862f838fad4dd6effa33b6
      https://github.com/openvswitch/ovs/commit/568b020934b2bdfbdd862f838fad4dd6effa33b6
  Author: Florian Westphal <fw at strlen.de>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M acinclude.m4
    M datapath/conntrack.c
    M datapath/linux/compat/include/net/netfilter/nf_conntrack.h

  Log Message:
  -----------
  datapath: add and use nf_ct_set helper

Upstream commit:

    commit c74454fadd5ea6fc866ffe2c417a0dba56b2bf1c
    Author: Florian Westphal <fw at strlen.de>
    Date:   Mon Jan 23 18:21:57 2017 +0100

    netfilter: add and use nf_ct_set helper

    Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
    This avoids changing code in followup patch that merges skb->nfct and
    skb->nfctinfo into skb->_nfct.

    Signed-off-by: Florian Westphal <fw at strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 820125a9ce17d45f1a65781a86b8c48d655a4e4d
      https://github.com/openvswitch/ovs/commit/820125a9ce17d45f1a65781a86b8c48d655a4e4d
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c

  Log Message:
  -----------
  datapath: Fix comments for skb->_nfct

Upstream commit:

    commit 5e17da634a21b1200853fe82ba67d6571f2beabe
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:21:52 2017 -0800

    openvswitch: Fix comments for skb->_nfct

    Fix comments referring to skb 'nfct' and 'nfctinfo' fields now that
    they are combined into '_nfct'.

    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: a8f59b793b9703c595939d519c7cf84ebe5996ad
      https://github.com/openvswitch/ovs/commit/a8f59b793b9703c595939d519c7cf84ebe5996ad
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c
    M tests/system-traffic.at

  Log Message:
  -----------
  datapath: Use inverted tuple in ovs_ct_find_existing() if NATted.

Upstream commit:

    commit 9ff464db50e437eef131f719cc2e9902eea9c607
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:21:53 2017 -0800

    openvswitch: Use inverted tuple in ovs_ct_find_existing() if NATted.

    The conntrack lookup for existing connections fails to invert the
    packet 5-tuple for NATted packets, and therefore fails to find the
    existing conntrack entry.  Conntrack only stores 5-tuples for incoming
    packets, and there are various situations where a lookup on a packet
    that has already been transformed by NAT needs to be made.  Looking up
    an existing conntrack entry upon executing a packet received from
    userspace is one of them.

    This patch fixes ovs_ct_find_existing() to invert the packet 5-tuple
    for the conntrack lookup whenever the packet has already been
    transformed by conntrack from its input form as evidenced by one of
    the NAT flags being set in the conntrack state metadata.

    Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

This patch also adds a test case to OVS system tests to verify the
behavior.

The following is a more thorough explanation of what is going on:

When we have evidence that an existing conntrack entry could exist, we
must invert the tuple if NAT has already been applied, as the current
packet headers do not match any tuple stored in conntrack.  For
example, if a packet from private address X to a public address B is
source-NATted to A, the conntrack entry will have the following tuples
(ignoring the protocol and port numbers) after the conntrack entry is
committed:

Original direction tuple: (X,B)
Reply direction tuple: (B,A)

Now, if a reply packet is already transformed back to the private
address space (e.g., with a CT(nat) action), the tuple corresponding
to the current packet headers is:

Current packet tuple: (B,X)

This does not match either of the conntrack tuples above.  Normally
this does not matter, as the conntrack lookup was already done using
the tuple (B,A), but if the current packet does not match any flow in
the OVS datapath, the packet is sent to userspace via an upcall,
during which the packet's skb is freed, and the conntrack entry
pointer in the skb is lost.  When the packet is reintroduced to the
datapath, any further conntrack action will need to perform a new
conntrack lookup to find the entry again.  Prior to this patch this
second lookup failed.  The datapath flow setup corresponding to the
upcall can succeed, however, allowing all further packets in the reply
direction to re-use the conntrack entry pointer in the skb, so
typically the lookup failure only causes a packet drop.

The solution is to invert the tuple derived from the current packet
headers in case the conntrack state stored in the packet metadata
indicates that the packet has been transformed by NAT:

Inverted tuple: (X,B)

With this the conntrack entry can be found, matching the original
direction tuple.

This same logic also works for the original direction packets:

Current packet tuple (after reverse NAT): (A,B)
Inverted tuple: (B,A)

While the current packet tuple (A,B) does not match either of the
conntrack tuples, the inverted one (B,A) does match the reply
direction tuple.

Since the inverted tuple matches the reverse direction tuple the
direction of the packet must be reversed as well.

Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
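
The lookup described above, modelled as an added example (constructed C, not the OVS datapath code): a one-entry conntrack table holding the (X,B)/(B,A) tuples from the text, a plain lookup standing in for the pre-fix behaviour, and a lookup that inverts the packet tuple and flips the reported direction when a NAT flag is set in the conntrack state. The flag values and the addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Directions of the two tuples a conntrack entry stores. */
enum { CT_DIR_ORIGINAL = 0, CT_DIR_REPLY = 1 };

/* Assumed NAT flags in the packet's conntrack state metadata (illustrative). */
#define CT_STATE_SRC_NAT 0x01u
#define CT_STATE_DST_NAT 0x02u

/* Reduced 5-tuple: addresses only, as the explanation ignores protocol and ports. */
struct tuple { uint32_t src, dst; };

/* A conntrack entry stores one tuple per direction. */
struct ct_entry { struct tuple t[2]; };

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst;
}

static struct tuple tuple_invert(struct tuple t)
{
    struct tuple inv = { t.dst, t.src };
    return inv;
}

/* Plain lookup: compare the key with both stored tuples of every entry.
 * On success *dir reports which direction matched. */
static const struct ct_entry *ct_lookup(const struct ct_entry *tbl, size_t n,
                                        struct tuple key, int *dir)
{
    for (size_t i = 0; i < n; i++)
        for (int d = CT_DIR_ORIGINAL; d <= CT_DIR_REPLY; d++)
            if (tuple_eq(&tbl[i].t[d], &key)) {
                *dir = d;
                return &tbl[i];
            }
    return NULL;
}

/* Model of the fixed ovs_ct_find_existing(): when the metadata says NAT was
 * already applied, the current headers match no stored tuple, so look up the
 * inverted tuple and flip the direction, since the inverted tuple matched the
 * other direction's tuple. */
static const struct ct_entry *ct_find_existing(const struct ct_entry *tbl, size_t n,
                                               struct tuple pkt, uint8_t ct_state,
                                               int *dir)
{
    bool natted = (ct_state & (CT_STATE_SRC_NAT | CT_STATE_DST_NAT)) != 0;
    struct tuple key = natted ? tuple_invert(pkt) : pkt;
    const struct ct_entry *ct = ct_lookup(tbl, n, key, dir);
    if (ct && natted)
        *dir = (*dir == CT_DIR_ORIGINAL) ? CT_DIR_REPLY : CT_DIR_ORIGINAL;
    return ct;
}

/* Constructed addresses for the scenario in the text: X private, A its
 * source-NATted public address, B the public peer. */
#define ADDR_X 0x0a000001u /* 10.0.0.1 */
#define ADDR_A 0xc6336401u /* 198.51.100.1 */
#define ADDR_B 0xcb007101u /* 203.0.113.1 */

/* The committed entry: original direction (X,B), reply direction (B,A). */
static const struct ct_entry ct_table[] = {
    { { { ADDR_X, ADDR_B }, { ADDR_B, ADDR_A } } },
};
#define CT_TABLE_LEN (sizeof ct_table / sizeof ct_table[0])

/* Pre-fix behaviour: look up the current headers as they are.
 * Returns the matched direction, or -1 when no entry is found. */
int find_dir_without_inversion(uint32_t src, uint32_t dst)
{
    struct tuple pkt = { src, dst };
    int dir = -1;
    return ct_lookup(ct_table, CT_TABLE_LEN, pkt, &dir) ? dir : -1;
}

/* Fixed behaviour, driven by the NAT flags in ct_state. */
int find_dir(uint32_t src, uint32_t dst, uint8_t ct_state)
{
    struct tuple pkt = { src, dst };
    int dir = -1;
    return ct_find_existing(ct_table, CT_TABLE_LEN, pkt, ct_state, &dir) ? dir : -1;
}

int main(void)
{
    /* Reply packet already un-NATted to (B,X), and original packet after SNAT (A,B). */
    printf("plain (B,X): %d  inverted (B,X): %d  inverted (A,B): %d\n",
           find_dir_without_inversion(ADDR_B, ADDR_X),
           find_dir(ADDR_B, ADDR_X, CT_STATE_SRC_NAT),
           find_dir(ADDR_A, ADDR_B, CT_STATE_SRC_NAT));
    return 0;
}
```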


  Commit: fc44ceb9e518a4bf050a92f550b39013c5f94f14
      https://github.com/openvswitch/ovs/commit/fc44ceb9e518a4bf050a92f550b39013c5f94f14
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c

  Log Message:
  -----------
  datapath: Do not trigger events for unconfirmed connections.

Upstream commit:

    commit 193e30967897f3a8b6f9f137ac30571d832c2c5c
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:21:54 2017 -0800

    openvswitch: Do not trigger events for unconfirmed connections.

    Receiving change events before the 'new' event for the connection has
    been received can be confusing.  Avoid triggering change events for
    setting conntrack mark or labels before the conntrack entry has been
    confirmed.

    Fixes: 182e3042e15d ("openvswitch: Allow matching on conntrack mark")
    Fixes: c2ac66735870 ("openvswitch: Allow matching on conntrack label")
    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Upstream commit:

    commit 2317c6b51e4249dbfa093e1b88cab0a9f0564b7f
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Fri Feb 17 18:11:58 2017 -0800

    openvswitch: Set event bit after initializing labels.

    Connlabels are included in conntrack netlink event messages only if
    the IPCT_LABEL bit is set in the event cache (see
    ctnetlink_conntrack_event()).  Set it after initializing labels for a
    new connection.

    Found upon further system testing, where it was noticed that labels
    were missing from the conntrack events.

    Fixes: 193e30967897 ("openvswitch: Do not trigger events for unconfirmed connections.")
    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Fixes: 372ce9737d2b ("datapath: Allow matching on conntrack mark")
Fixes: 038e34abaa31 ("datapath: Allow matching on conntrack label")
Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 3ad8b5bb15c9ddb7e26ec3ad0564bd7cf36cc266
      https://github.com/openvswitch/ovs/commit/3ad8b5bb15c9ddb7e26ec3ad0564bd7cf36cc266
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c
    M datapath/linux/compat/include/linux/openvswitch.h

  Log Message:
  -----------
  datapath: Unionize ovs_key_ct_label with a u32 array.

Upstream commit:

    commit cb80d58fae76d8ea93555149b2b16e19b89a1f4f
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:21:55 2017 -0800

    openvswitch: Unionize ovs_key_ct_label with a u32 array.

    Make the array of labels in struct ovs_key_ct_label a union, adding a
    u32 array of the same byte size as the existing u8 array.  It is
    faster to loop through the labels 32 bits at a time, which is also
    the alignment of netlink attributes.

    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: fd6019b7a299018e9a00d9de43717818b5f8aa0a
      https://github.com/openvswitch/ovs/commit/fd6019b7a299018e9a00d9de43717818b5f8aa0a
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c

  Log Message:
  -----------
  datapath: Simplify labels length logic.

Upstream commit:

    commit b87cec3814ccc7f6afb0a1378ee7e5110d07cdd3
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:21:56 2017 -0800

    openvswitch: Simplify labels length logic.

    Since 23014011ba42 ("netfilter: conntrack: support a fixed size of 128
    distinct labels"), the size of the conntrack labels extension has been
    fixed to 128 bits, so we do not need to check for labels sizes shorter
    than 128 at run-time.  This patch simplifies labels length logic
    accordingly, but allows the conntrack labels size to be increased in
    the future without breaking the build.  In the event of conntrack
    labels increasing in size OVS would still be able to deal with the
    first 128 label bits.

    Suggested-by: Joe Stringer <joe at ovn.org>
    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 44b55a0dff83ea322f1a61e89fc50ac988a6bf87
      https://github.com/openvswitch/ovs/commit/44b55a0dff83ea322f1a61e89fc50ac988a6bf87
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c

  Log Message:
  -----------
  datapath: Refactor labels initialization.

Upstream commit:

    Refactoring conntrack labels initialization makes changes in later
    patches easier to review.

    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 993688a68f38a54b945792d42b17a49bcccd5703
      https://github.com/openvswitch/ovs/commit/993688a68f38a54b945792d42b17a49bcccd5703
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c

  Log Message:
  -----------
  datapath: Inherit master's labels.

Upstream commit:

    commit 09aa98ad496d6b11a698b258bc64d7f64c55d682
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:21:58 2017 -0800

    openvswitch: Inherit master's labels.

    We avoid calling into nf_conntrack_in() for expected connections, as
    that would remove the expectation that we want to stick around until
    we are ready to commit the connection.  Instead, we do a lookup in the
    expectation table directly.  However, after a successful expectation
    lookup we have set the flow key label field from the master
    connection, whereas nf_conntrack_in() does not do this.  This leads to
    master's labels being inherited after an expectation lookup, but those
    labels not being inherited after the corresponding conntrack action
    with a commit flag.

    This patch resolves the problem by changing the commit code path to
    also inherit the master's labels to the expected connection.
    Resolving this conflict in favor of inheriting the labels allows more
    information to be passed from the master connection to related
    connections, which would otherwise be much harder if the 32 bits in
    the connmark are not enough.  Labels can still be set explicitly, so
    this change only affects the default values of the labels in presence
    of a master connection.

    Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Fixes: a94ebc39996b ("datapath: Add conntrack action")
Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 2fb0772922ffb5e3eb478fa670e3597780fe4c47
      https://github.com/openvswitch/ovs/commit/2fb0772922ffb5e3eb478fa670e3597780fe4c47
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M lib/netlink.c

  Log Message:
  -----------
  netlink: Simplify nl_msg_start_nested().

Since there is no data to copy, nl_msg_put_unspec_uninit() may be used
directly, rather than via nl_msg_put_unspec().

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 69120af7922dee3909fa5986058623bddd6fd18d
      https://github.com/openvswitch/ovs/commit/69120af7922dee3909fa5986058623bddd6fd18d
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M include/openvswitch/meta-flow.h
    M include/openvswitch/ofp-actions.h
    M lib/bundle.c
    M lib/bundle.h
    M lib/learn.c
    M lib/learn.h
    M lib/meta-flow.c
    M lib/multipath.c
    M lib/multipath.h
    M lib/nx-match.c
    M lib/nx-match.h
    M lib/ofp-actions.c
    M lib/ofp-parse.c
    M lib/ofp-util.c
    M ofproto/ofproto-dpif-trace.c
    M ofproto/ofproto.c
    M utilities/ovs-ofctl.c

  Log Message:
  -----------
  lib: Check match and action prerequisites with 'match'.

Supply the match mask to prerequisites checking when available.  This
allows checking for zero-valued matches.  Non-zero valued matches
imply the presence of corresponding mask bits, but for zero valued
matches we must explicitly check the mask, too.

This is required now only for conntrack validity checking due to the
conntrack state having an 'invalid' bit, but not a 'valid' bit.  One
way to match a valid conntrack state is to match on the 'tracked' bit
being one and the 'invalid' bit being zero.  The latter requires the
corresponding mask bit to be verified.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
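
An added illustration (constructed C, not OVS code) of why the mask has to be consulted: a parser that turns a '+trk-inv'-style ct_state match into a value/mask pair, followed by the prerequisite check done once with the mask and once on the value alone. The flag names and bit positions are assumed to follow the OVS ct_state flags and are not taken from this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ct_state flag bits; assumed OVS-style bit order, illustrative only. */
#define CS_NEW         (1u << 0)
#define CS_ESTABLISHED (1u << 1)
#define CS_RELATED     (1u << 2)
#define CS_REPLY_DIR   (1u << 3)
#define CS_INVALID     (1u << 4)
#define CS_TRACKED     (1u << 5)
#define CS_SRC_NAT     (1u << 6)
#define CS_DST_NAT     (1u << 7)

static const struct { const char *name; uint32_t bit; } cs_flags[] = {
    { "new", CS_NEW }, { "est", CS_ESTABLISHED }, { "rel", CS_RELATED },
    { "rpl", CS_REPLY_DIR }, { "inv", CS_INVALID }, { "trk", CS_TRACKED },
    { "snat", CS_SRC_NAT }, { "dnat", CS_DST_NAT },
};

/* Parse a "+flag-flag..." ct_state match into value/mask: '+' asks for a
 * one bit, '-' for a zero bit; either one sets the mask bit.  Returns
 * false on an unknown flag or malformed input. */
bool parse_ct_state(const char *s, uint32_t *value, uint32_t *mask)
{
    *value = 0;
    *mask = 0;
    while (*s) {
        bool want_set = (*s == '+');
        if (!want_set && *s != '-')
            return false;
        s++;
        const char *name = s;
        while (*s && *s != '+' && *s != '-')
            s++;
        size_t len = (size_t)(s - name);
        uint32_t bit = 0;
        for (size_t i = 0; i < sizeof cs_flags / sizeof cs_flags[0]; i++)
            if (strlen(cs_flags[i].name) == len
                && memcmp(cs_flags[i].name, name, len) == 0)
                bit = cs_flags[i].bit;
        if (!bit)
            return false;
        *mask |= bit;
        if (want_set)
            *value |= bit;
    }
    return true;
}

/* Prerequisite check as the commit describes it: the match guarantees a
 * valid tracked connection only if 'trk' is one and 'inv' is zero, and a
 * zero bit only counts when its mask bit is set. */
bool ct_valid_prereq_with_mask(uint32_t value, uint32_t mask)
{
    return (mask & CS_TRACKED) && (value & CS_TRACKED)
        && (mask & CS_INVALID) && !(value & CS_INVALID);
}

/* The weaker value-only check cannot tell "+trk-inv" from "+trk": both have
 * the inv bit zero in the value, but "+trk" also matches invalid packets. */
bool ct_valid_prereq_value_only(uint32_t value)
{
    return (value & CS_TRACKED) && !(value & CS_INVALID);
}
```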


  Commit: a0e805bac880fba770f970e2d485479715f582b8
      https://github.com/openvswitch/ovs/commit/a0e805bac880fba770f970e2d485479715f582b8
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/actions.c
    M datapath/conntrack.c
    M datapath/conntrack.h
    M datapath/flow.c
    M datapath/flow.h
    M datapath/flow_netlink.c
    M datapath/flow_netlink.h
    M datapath/linux/compat/include/linux/openvswitch.h

  Log Message:
  -----------
  datapath: Add original direction conntrack tuple to sw_flow_key.

Upstream commit:

    commit 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:21:59 2017 -0800

    openvswitch: Add original direction conntrack tuple to sw_flow_key.

    Add the fields of the conntrack original direction 5-tuple to struct
    sw_flow_key.  The new fields are initially marked as non-existent, and
    are populated whenever a conntrack action is executed and either finds
    or generates a conntrack entry.  This means that these fields exist
    for all packets that were not rejected by conntrack as untrackable.

    The original tuple fields in the sw_flow_key are filled from the
    original direction tuple of the conntrack entry relating to the
    current packet, or from the original direction tuple of the master
    conntrack entry, if the current conntrack entry has a master.
    Generally, expected connections of connections having an assigned
    helper (e.g., FTP), have a master conntrack entry.

    The main purpose of the new conntrack original tuple fields is to
    allow matching on them for policy decision purposes, with the premise
    that the admissibility of tracked connections' reply packets (as well
    as original direction packets), and both direction packets of any
    related connections may be based on ACL rules applying to the master
    connection's original direction 5-tuple.  This also makes it easier to
    make policy decisions when the actual packet headers might have been
    transformed by NAT, as the original direction 5-tuple represents the
    packet headers before any such transformation.

    When using the original direction 5-tuple the admissibility of return
    and/or related packets need not be based on the mere existence of a
    conntrack entry, allowing separation of admission policy from the
    established conntrack state.  While existence of a conntrack entry is
    required for admission of the return or related packets, policy
    changes can render connections that were initially admitted to be
    rejected or dropped afterwards.  If the admission of the return and
    related packets was based on mere conntrack state (e.g., connection
    being in an established state), a policy change that would make the
    connection rejected or dropped would need to find and delete all
    conntrack entries affected by such a change.  When using the original
    direction 5-tuple matching the affected conntrack entries can be
    allowed to time out instead, as the established state of the
    connection would not need to be the basis for packet admission any
    more.

    It should be noted that the directionality of related connections may
    be the same or different than that of the master connection, and
    neither the original direction 5-tuple nor the conntrack state bits
    carry this information.  If needed, the directionality of the master
    connection can be stored in master's conntrack mark or labels, which
    are automatically inherited by the expected related connections.

    The fact that neither ARP nor ND packets are trackable by conntrack
    allows mutual exclusion between ARP/ND and the new conntrack original
    tuple fields.  Hence, the IP addresses are overlaid in union with ARP
    and ND fields.  This allows the sw_flow_key to not grow much due to
    this patch, but it also means that we must be careful to never use the
    new key fields with ARP or ND packets.  ARP is easy to distinguish and
    keep mutually exclusive based on the ethernet type, but ND being an
    ICMPv6 protocol requires a bit more attention.

    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 7d278efe4a02b6d63c3d3fed1f1e91b8127cb7db
      https://github.com/openvswitch/ovs/commit/7d278efe4a02b6d63c3d3fed1f1e91b8127cb7db
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M include/openvswitch/flow.h
    M lib/flow.c
    M lib/match.c
    M lib/packets.h
    M ofproto/ofproto-dpif.c
    M tests/ovs-ofctl.at

  Log Message:
  -----------
  flow: Make room after ct_state.

'ct_state' currently only needs 8 bits, so we can make room for a new
CT field introduced in the next patch.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: e829fa4c3409aa2e23c404eb336f5f9608f1536a
      https://github.com/openvswitch/ovs/commit/e829fa4c3409aa2e23c404eb336f5f9608f1536a
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M build-aux/extract-ofp-fields
    M include/openvswitch/flow.h
    M include/openvswitch/match.h
    M include/openvswitch/meta-flow.h
    M lib/conntrack.c
    M lib/flow.c
    M lib/flow.h
    M lib/match.c
    M lib/meta-flow.c
    M lib/meta-flow.xml
    M lib/nx-match.c
    M lib/nx-match.h
    M lib/odp-execute.c
    M lib/odp-util.c
    M lib/odp-util.h
    M lib/ofp-util.c
    M lib/packets.h
    M ofproto/ofproto-dpif-rid.h
    M ofproto/ofproto-dpif-sflow.c
    M ofproto/ofproto-dpif-xlate.c
    M ofproto/ofproto-dpif.c
    M tests/odp.at
    M tests/ofproto-dpif.at
    M tests/ofproto.at
    M tests/system-traffic.at

  Log Message:
  -----------
  odp: Support conntrack orig tuple key.

Userspace support for datapath original direction conntrack tuple.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 3832486e1aadd9e800a2a077d319bfcf0aa89587
      https://github.com/openvswitch/ovs/commit/3832486e1aadd9e800a2a077d319bfcf0aa89587
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M include/openvswitch/ofp-actions.h
    M lib/ofp-actions.c
    M ofproto/ofproto-dpif-xlate.c
    M tests/ofp-actions.at
    M tests/ofproto-dpif.at
    M tests/system-traffic.at
    M utilities/ovs-ofctl.8.in

  Log Message:
  -----------
  actions: Add resubmit with conntrack tuple.

Add resubmit option to use the Conntrack original direction tuple
swapped with the corresponding packet header fields during the lookup.
This could allow the same ACL table to be used for admitting return
and/or related traffic as is used for admitting the original direction
traffic.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 75d7d8689883ced3af7547de7d221ad3bc1c59c4
      https://github.com/openvswitch/ovs/commit/75d7d8689883ced3af7547de7d221ad3bc1c59c4
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M acinclude.m4
    M datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h

  Log Message:
  -----------
  compat: nf_ct_delete compat.

Upstream commit:

    commit f330a7fdbe1611104622faff7e614a246a7d20f0
    Author: Florian Westphal <fw at strlen.de>
    Date:   Thu Aug 25 15:33:31 2016 +0200

    netfilter: conntrack: get rid of conntrack timer

    With stats enabled this eats 80 bytes on x86_64 per nf_conn entry, as
    Eric Dumazet pointed out during netfilter workshop 2016.

    Eric also says: "Another reason was the fact that Thomas was about to
    change max timer range [..]" (500462a9de657f8, 'timers: Switch to
    a non-cascading wheel').

    Remove the timer and use a 32bit jiffies value containing the timestamp
    until which the entry is valid.

    During conntrack lookup, even before doing tuple comparison, check
    the timeout value and evict the entry in case it is too old.

    The dying bit is used as a synchronization point to avoid races where
    multiple cpus try to evict the same entry.

    Because lookup is always lockless, we need to bump the refcnt once
    when we evict, else we could try to evict already-dead entry that
    is being recycled.

    This is the standard/expected way when conntrack entries are destroyed.

    Followup patches will introduce garbage collection via work queue
    and further places where we can reap obsoleted entries (e.g. during
    netlink dumps), this is needed to avoid expired conntracks from hanging
    around for too long when lookup rate is low after a busy period.

    Signed-off-by: Florian Westphal <fw at strlen.de>
    Acked-by: Eric Dumazet <edumazet at google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

Upstream commit f330a7fdbe16 ("netfilter: conntrack: get rid of
conntrack timer") changes the way nf_ct_delete() is called.  Prior to
commit the call pattern was like this:
  if (del_timer(&ct->timeout))
         nf_ct_delete(ct, ...);

After this change nf_ct_delete() is called directly:
  nf_ct_delete(ct, ...);

This patch provides a replacement implementation for nf_ct_delete()
that first calls the del_timer().  This replacement is only used if
the struct nf_conn has member 'timeout' of type 'struct timer_list'.

The following patch introduces the first caller to nf_ct_delete() in
the OVS kernel module.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 36ba776125c366a5ca87074e7b2cd4f3972d2b62
      https://github.com/openvswitch/ovs/commit/36ba776125c366a5ca87074e7b2cd4f3972d2b62
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/conntrack.c
    M datapath/linux/compat/include/linux/openvswitch.h

  Log Message:
  -----------
  datapath: Add force commit.

Upstream patch:

    commit dd41d33f0b033885211a5d6f3ee19e73238aa9ee
    Author: Jarno Rajahalme <jarno at ovn.org>
    Date:   Thu Feb 9 11:22:00 2017 -0800

    openvswitch: Add force commit.

    Stateful network admission policy may allow connections to one
    direction and reject connections initiated in the other direction.
    After policy change it is possible that for a new connection an
    overlapping conntrack entry already exists, where the original
    direction of the existing connection is opposed to the new
    connection's initial packet.

    Most importantly, conntrack state relating to the current packet gets
    the "reply" designation based on whether the original direction tuple
    or the reply direction tuple matched.  If this "directionality" is
    wrong w.r.t. the stateful network admission policy it may happen
    that packets in neither direction are correctly admitted.

    This patch adds a new "force commit" option to the OVS conntrack
    action that checks the original direction of an existing conntrack
    entry.  If that direction is opposed to the current packet, the
    existing conntrack entry is deleted and a new one is subsequently
    created in the correct direction.

    Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Acked-by: Joe Stringer <joe at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>
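
The force-commit decision above, as an added example (constructed C, not the kernel module's code): a tiny conntrack table where a normal commit reuses an existing entry, so a packet that hits its reply tuple is labelled "reply", while force commit deletes an entry whose original direction is opposed to the packet and recreates it in the packet's direction. The addresses are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CT_DIR_ORIGINAL = 0, CT_DIR_REPLY = 1 };

/* Reduced 5-tuple (addresses only) and a tiny fixed-size conntrack table. */
struct tuple { uint32_t src, dst; };
struct ct_entry { bool in_use; struct tuple t[2]; };

#define CT_TABLE_SIZE 8
static struct ct_entry ct_table[CT_TABLE_SIZE];

/* Constructed endpoints: A and B are the two peers of one connection. */
#define ADDR_A 0xc6336401u /* 198.51.100.1 */
#define ADDR_B 0xcb007101u /* 203.0.113.1 */

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst;
}

/* Find the entry matching the packet; *dir reports which stored tuple
 * matched, which is what gives the packet its "original"/"reply" designation. */
static struct ct_entry *ct_find(struct tuple pkt, int *dir)
{
    for (size_t i = 0; i < CT_TABLE_SIZE; i++) {
        if (!ct_table[i].in_use)
            continue;
        for (int d = CT_DIR_ORIGINAL; d <= CT_DIR_REPLY; d++)
            if (tuple_eq(&ct_table[i].t[d], &pkt)) {
                *dir = d;
                return &ct_table[i];
            }
    }
    return NULL;
}

/* Create an entry whose original direction is the current packet. */
static struct ct_entry *ct_new(struct tuple pkt)
{
    for (size_t i = 0; i < CT_TABLE_SIZE; i++) {
        if (ct_table[i].in_use)
            continue;
        ct_table[i].in_use = true;
        ct_table[i].t[CT_DIR_ORIGINAL] = pkt;
        ct_table[i].t[CT_DIR_REPLY].src = pkt.dst;
        ct_table[i].t[CT_DIR_REPLY].dst = pkt.src;
        return &ct_table[i];
    }
    return NULL; /* table full */
}

void ct_table_reset(void)
{
    memset(ct_table, 0, sizeof ct_table);
}

int ct_table_count(void)
{
    int n = 0;
    for (size_t i = 0; i < CT_TABLE_SIZE; i++)
        n += ct_table[i].in_use;
    return n;
}

/* Model of the commit path.  Returns the direction the packet ends up with,
 * or -1 if the table is full.  Without 'force' an existing entry is reused
 * as is, so a packet hitting its reply tuple is labelled "reply" even when
 * policy now regards it as a new connection.  With 'force', an existing
 * entry whose original direction is opposed to the packet is deleted and
 * recreated so the packet becomes the original direction. */
int ct_commit(uint32_t src, uint32_t dst, bool force)
{
    struct tuple pkt = { src, dst };
    int dir = CT_DIR_ORIGINAL;
    struct ct_entry *ct = ct_find(pkt, &dir);

    if (ct && force && dir == CT_DIR_REPLY) {
        memset(ct, 0, sizeof *ct); /* delete the opposed entry */
        ct = NULL;
    }
    if (!ct) {
        if (!ct_new(pkt))
            return -1;
        dir = CT_DIR_ORIGINAL;
    }
    return dir;
}

int main(void)
{
    ct_table_reset();
    printf("A->B commit: %d\n", ct_commit(ADDR_A, ADDR_B, false));
    printf("B->A commit: %d\n", ct_commit(ADDR_B, ADDR_A, false));
    printf("B->A force commit: %d\n", ct_commit(ADDR_B, ADDR_A, true));
    return 0;
}
```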


  Commit: 78c6e1ec7c20adc2a854188ca40fff77c2b65f78
      https://github.com/openvswitch/ovs/commit/78c6e1ec7c20adc2a854188ca40fff77c2b65f78
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M include/openvswitch/ofp-actions.h
    M lib/conntrack.c
    M lib/conntrack.h
    M lib/dpif-netdev.c
    M lib/odp-util.c
    M lib/ofp-actions.c
    M ofproto/ofproto-dpif-xlate.c
    M tests/odp.at
    M tests/ofp-actions.at
    M tests/ofproto-dpif.at
    M tests/system-traffic.at
    M tests/test-conntrack.c
    M utilities/ovs-ofctl.8.in

  Log Message:
  -----------
  conntrack: Force commit.

Userspace support for force commit.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 74dd7ab371bdeb33a076b6c987778a2fc6e40c59
      https://github.com/openvswitch/ovs/commit/74dd7ab371bdeb33a076b6c987778a2fc6e40c59
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M datapath/linux/compat/include/linux/openvswitch.h

  Log Message:
  -----------
  datapath: Add a missing comment.

Make openvswitch.h better match upstream by adding a missing comment.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: f6fd35fa1b0b1a9b42d8fd13665dd1ef74d916e9
      https://github.com/openvswitch/ovs/commit/f6fd35fa1b0b1a9b42d8fd13665dd1ef74d916e9
  Author: Jarno Rajahalme <jarno at ovn.org>
  Date:   2017-02-23 (Thu, 23 Feb 2017)

  Changed paths:
    M tests/system-traffic.at

  Log Message:
  -----------
  tests: Add an FTP test without conntrack.

If FTP tests with conntrack fail, it is informative to know if the
problem is with the FTP client and/or server, or with conntrack
itself.

Signed-off-by: Jarno Rajahalme <jarno at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/cbbf8141fd52^...f6fd35fa1b0b

