> On Apr 29, 2016, at 2:12 AM, Florian Westphal <f...@strlen.de> wrote: > > Pablo Neira Ayuso <pa...@netfilter.org <mailto:pa...@netfilter.org>> wrote: >> On Wed, Apr 20, 2016 at 02:31:10PM -0700, Jarno Rajahalme wrote: >>> Clear the skb hash when it does not reflect the actual header values >>> any more. >>> >>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org> >>> --- >>> net/netfilter/nf_nat_core.c | 1 + >>> 1 file changed, 1 insertion(+) >>> >>> diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c >>> index 06a9f45..3c2302f 100644 >>> --- a/net/netfilter/nf_nat_core.c >>> +++ b/net/netfilter/nf_nat_core.c >>> @@ -505,6 +505,7 @@ unsigned int nf_nat_packet(struct nf_conn *ct, >>> if (!l3proto->manip_pkt(skb, 0, l4proto, &target, mtype)) >>> return NF_DROP; >>> } >>> + skb_clear_hash(skb); >>> return NF_ACCEPT; >>> } >> >> Cc'ing Florian. >> >> This seems to affect the new tracing infrastructure for nf_tables: > > Right. > > Jarno, what is your patch trying to fix?
In the OVS datapath we clear the skb hash whenever we change any of the fields that may be used to compute it. This guarantees that any given flow will get the same hash value when assigning packets to bond interfaces based on the skb hash. If the hash is not cleared, some packets may use the pre-nat hash provided by a nic, for example, while others may not have the nic provided hash and compute a new one post-nat. Also, if DNAT is used for load balancing, the hash should be computed after the NAT for the difference in the destination address to make a difference in the hash value. We could also clear the hash in the OVS datapath code after calling into nf nat, but could that still have the same issue with affecting the nf_tables tracing (of which I know nothing about)? Jarno _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
