From patchwork Sat Feb 6 01:41:04 2016
X-Patchwork-Submitter: Jarno Rajahalme
X-Patchwork-Id: 579727
X-Patchwork-Delegate: davem@davemloft.net
From: Jarno Rajahalme
To: netfilter-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, dev@openvswitch.org, jarno@ovn.org
Subject: [PATCH nf-next v7 6/7] openvswitch: Delay conntrack helper call for new connections.
Date: Fri, 5 Feb 2016 17:41:04 -0800
Message-Id: <1454722865-59558-7-git-send-email-jarno@ovn.org>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1454722865-59558-1-git-send-email-jarno@ovn.org>
References: <1454722865-59558-1-git-send-email-jarno@ovn.org>

There is no need to help connections that are not confirmed, so we can delay helping new connections to the time when they are confirmed. This change is needed for NAT support, and having this as a separate patch will make the following NAT patch a bit easier to review.

Signed-off-by: Jarno Rajahalme
---
net/openvswitch/conntrack.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index fa9ab25..fc0ef11 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -464,6 +464,7 @@ static bool skb_nfct_cached(struct net *net, /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if * not done already. Update key with new CT state after passing the packet * through conntrack. + * Note that invalid packets are accepted while the skb->nfct remains unset! */ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, @@ -474,7 +475,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, * actually run the packet through conntrack twice unless it's for a * different zone. */ - if (!skb_nfct_cached(net, key, info, skb)) { + bool cached = skb_nfct_cached(net, key, info, skb); + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + + if (!cached) { struct nf_conn *tmpl = info->ct; int err; 
@@ -497,11 +502,16 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, return -ENOENT; ovs_ct_update_key(skb, info, key, true); + } - if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { - WARN_ONCE(1, "helper rejected packet"); - return -EINVAL; - } + /* Call the helper right after nf_conntrack_in() for confirmed + * connections, but only when commiting for unconfirmed connections. + */ + ct = nf_ct_get(skb, &ctinfo); + if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) + && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; } return 0;
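Review bot: the new comment on __ovs_ct_lookup() ("invalid packets are accepted while the skb->nfct remains unset") records the behaviour but not the obligation it creates for callers, which is the reason it matters for the next hunk: anything after the lookup that touches the connection must first check that nf_ct_get() returned non-NULL. Suggest spelling that out, e.g. `* Note that invalid packets are accepted while skb->nfct remains unset, so` / `* callers must check nf_ct_get() for NULL before using the connection.`, and dropping the trailing exclamation mark to match the tone of the surrounding comment block.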
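Review bot: in the second hunk the three new declarations (`bool cached = skb_nfct_cached(net, key, info, skb);`, `enum ip_conntrack_info ctinfo;`, `struct nf_conn *ct;`) are inserted between the comment that explains why the packet is not run through conntrack twice and the `if (!cached)` branch that comment describes, which leaves the comment stranded above unrelated declarations. Suggest placing the declarations above that comment (or with the function's other locals) so the comment stays attached to the branch it explains; the skb_nfct_cached() call itself is unchanged, only its result is now kept in a local.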
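Review bot: in the third hunk the condition `ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) && ovs_ct_helper(skb, info->family) != NF_ACCEPT` packs two distinct rules (confirmed: help once per conntrack pass; unconfirmed: help only on commit) into a ternary inside an `&&` chain, which is hard to read and easy to break on a later edit. Suggest lifting it into a named local placed under the existing comment, e.g. `bool call_helper = nf_ct_is_confirmed(ct) ? !cached : info->commit;` and testing `if (ct && call_helper && ovs_ct_helper(...) != NF_ACCEPT)`. Two smaller points on the same hunk: "commiting" in the comment should be "committing", and the helper is now skipped entirely when nf_ct_get() returns NULL (the invalid-packet case documented in the first hunk) where ovs_ct_helper() was previously called unconditionally; that is a behaviour change for the helper path and deserves a sentence in the commit message. Finally, for an unconfirmed connection the helper now runs on every commit regardless of `cached`, so it is worth confirming that a connection cannot stay unconfirmed across two commit actions in one pipeline, otherwise the helper would see the same packet twice.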