Hi Joe,
On Wed, Dec 02, 2015 at 11:53:52PM -0800, Joe Stringer wrote:
> From: Joe Stringer <[email protected]>
>
> Allow matching and setting the ct_label field. As with ct_mark, this is
> populated by executing the CT action. The label field may be modified by
> specifying a label and mask nested under the CT action. It is stored as
> metadata attached to the connection. Label modification occurs after
> lookup, and will only persist when the conntrack entry is committed by
> providing the COMMIT flag to the CT action. Labels are currently fixed
> to 128 bits in size.
>
> Upstream: c2ac667 "openvswitch: Allow matching on conntrack label"
> Signed-off-by: Joe Stringer <[email protected]>
[snip]
> +void ovs_ct_exit(struct net *net)
> +{
> + struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
> +
> + if (ovs_net->xt_label)
> + nf_connlabels_put(net);
> +}
> +
> #endif /* CONFIG_NF_CONNTRACK && LINUX > 3.9 */
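Review bot: The nf_connlabels_put(net) call in ovs_ct_exit() is guarded only by what the closing comment names, CONFIG_NF_CONNTRACK and the kernel version, so nothing here ensures the symbol exists when connlabel support is configured out. The compat header quoted further down defines nf_connlabels_put() only under `IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS)`. Either wrap the xt_label handling in the same IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) test, or have the compat header provide a no-op stub for the disabled case so the call site can stay unconditional.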
It appears that the above code is compiled if the conditions on
the line above are met. However, the nf_connlabels_put() compatibility
code below is compiled for a different set of conditions.
I have observed a build failure due to nf_connlabels_put() being
undefined when compiling against v4.2.6 with NF_CONNTRACK but not
NF_CONNTRACK_LABELS enabled.
[snip]
On Wed, Dec 02, 2015 at 11:53:39PM -0800, Joe Stringer wrote:
> From: Joe Stringer <[email protected]>
>
> This is a partial backport of Linux commit 86ca02e77408
> "netfilter: connlabels: Export setting connlabel length".
>
> Signed-off-by: Joe Stringer <[email protected]>
[snip]
> diff --git
> a/datapath/linux/compat/include/net/netfilter/nf_conntrack_labels.h
> b/datapath/linux/compat/include/net/netfilter/nf_conntrack_labels.h
> new file mode 100644
> index 000000000000..e49a289c5388
> --- /dev/null
> +++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_labels.h
> @@ -0,0 +1,41 @@
> +#ifndef _NF_CONNTRACK_LABELS_WRAPPER_H
> +#define _NF_CONNTRACK_LABELS_WRAPPER_H
> +
> +#include <linux/kconfig.h>
> +#include <linux/version.h>
> +#include_next <net/netfilter/nf_conntrack_labels.h>
> +
> +#if LINUX_VERSION_CODE < KERNEL_VERSION(4,3,0) && \
> + IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS)
> +
> +#ifndef NF_CT_LABELS_MAX_SIZE
> +#define NF_CT_LABELS_MAX_SIZE ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)
> +#endif
> +
> +/* XXX: This doesn't lock others out from doing the same configuration
> + * simultaneously. */
> +static inline int nf_connlabels_get(struct net *net, unsigned int n_bits)
> +{
> + size_t words;
> +
> + if (n_bits > (NF_CT_LABELS_MAX_SIZE * BITS_PER_BYTE))
> + return -ERANGE;
> +
> + words = BITS_TO_LONGS(n_bits);
> +
> + net->ct.labels_used++;
> + if (words > net->ct.label_words)
> + net->ct.label_words = words;
> +
> + return 0;
> +}
> +
> +static inline void nf_connlabels_put(struct net *net)
> +{
> + net->ct.labels_used--;
> + if (net->ct.labels_used == 0)
> + net->ct.label_words = 0;
> +}
> +
> +#endif
> +#endif /* _NF_CONNTRACK_LABELS_WRAPPER_H */
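Review bot: nf_connlabels_put() decrements net->ct.labels_used with no check that a matching get succeeded, and both helpers do a plain read-modify-write on labels_used and label_words, which the XXX comment already admits is unserialized. An unbalanced or racing put can reach the `labels_used == 0` branch and reset label_words to 0 while another user still depends on it, so please document what callers must hold to serialize these updates and refuse to decrement when the count is already zero. Separately, the `#if LINUX_VERSION_CODE < KERNEL_VERSION(4,3,0) && IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS)` block has no `#else`, so with labels disabled neither function is defined by this header; stubs there (get returning an error, put doing nothing) would keep callers building.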