[ovs-dev] [PATCH 06/10] datapath: Delay conntrack helper call for new connections.

Thu, 09 Jun 2016 15:46:59 -0700 

There is no need to help connections that are not confirmed, so we can
delay helping new connections to the time when they are confirmed.
This change is needed for NAT support, and having this as a separate
patch will make the following NAT patch a bit easier to review.

This patch also squashes in an upstream fix to assign helper in case
not yet assigned when committing a connection.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
 datapath/conntrack.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index aeb061e..1769fa3 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -487,7 +487,11 @@ static int __ovs_ct_lookup(struct net *net, struct 
sw_flow_key *key,
         * actually run the packet through conntrack twice unless it's for a
         * different zone.
         */
-       if (!skb_nfct_cached(net, key, info, skb)) {
+       bool cached = skb_nfct_cached(net, key, info, skb);
+       enum ip_conntrack_info ctinfo;
+       struct nf_conn *ct;
+
+       if (!cached) {
                struct nf_conn *tmpl = info->ct;
                int err;
 
@@ -510,11 +514,31 @@ static int __ovs_ct_lookup(struct net *net, struct 
sw_flow_key *key,
                        return -ENOENT;
 
                ovs_ct_update_key(skb, info, key, true);
+       }
 
-               if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
-                       WARN_ONCE(1, "helper rejected packet");
-                       return -EINVAL;
-               }
+       /* Userspace may decide to perform a ct lookup without a helper
+        * specified followed by a (recirculate and) commit with one.
+        * Therefore, for unconfirmed connections which we will commit,
+        * we need to attach the helper here.
+        */
+       if (!nf_ct_is_confirmed(ct) && info->commit &&
+           info->helper && !nfct_help(ct)) {
+               int err = __nf_ct_try_assign_helper(ct, info->ct,
+                                                   GFP_ATOMIC);
+               if (err)
+                       return err;
+       }
+
+       /* Call the helper only if:
+        * - nf_conntrack_in() was executed above ("!cached") for a confirmed
+        *   connection, or
+        * - When committing an unconfirmed connection.
+        */
+       ct = nf_ct_get(skb, &ctinfo);
+       if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) &&
+           ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
+               WARN_ONCE(1, "helper rejected packet");
+               return -EINVAL;
        }
 
        return 0;
-- 
2.1.4

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to