From patchwork Wed Mar 9 00:24:43 2016
X-Patchwork-Submitter: Jarno Rajahalme
X-Patchwork-Id: 594497
X-Patchwork-Delegate: davem@davemloft.net
From: Jarno Rajahalme
To: netfilter-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, dev@openvswitch.org, jarno@ovn.org
Subject: [PATCH nf-next v8 7/8] openvswitch: Delay conntrack helper call for new connections.
Date: Tue, 8 Mar 2016 16:24:43 -0800
Message-Id: <1457483084-13944-7-git-send-email-jarno@ovn.org>
In-Reply-To: <1457483084-13944-1-git-send-email-jarno@ovn.org>
References: <1457483084-13944-1-git-send-email-jarno@ovn.org>

There is no need to help connections that are not confirmed, so we can delay helping new connections to the time when they are confirmed. This change is needed for NAT support, and having this as a separate patch will make the following NAT patch a bit easier to review.

Signed-off-by: Jarno Rajahalme
---
 net/openvswitch/conntrack.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 92613de..5711f80 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -483,7 +483,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, * actually run the packet through conntrack twice unless it's for a * different zone. */ - if (!skb_nfct_cached(net, key, info, skb)) { + bool cached = skb_nfct_cached(net, key, info, skb); + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + + if (!cached) { struct nf_conn *tmpl = info->ct; int err;
@@ -506,11 +510,17 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, return -ENOENT; ovs_ct_update_key(skb, info, key, true); + } - if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { - WARN_ONCE(1, "helper rejected packet"); - return -EINVAL; - } + /* Call the helper only if we did nf_conntrack_in() above ('!cached') + * for confirmed connections, but only when committing for unconfirmed + * connections. + */ + ct = nf_ct_get(skb, &ctinfo); + if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) && + ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; } return 0;