From patchwork Wed Mar 9 23:10:23 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jarno Rajahalme
X-Patchwork-Id: 595333
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 6E0F0140328 for ; Thu, 10 Mar 2016 10:11:00 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934400AbcCIXKx (ORCPT ); Wed, 9 Mar 2016 18:10:53 -0500
Received: from relay6-d.mail.gandi.net ([217.70.183.198]:46607 "EHLO relay6-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754300AbcCIXKp (ORCPT ); Wed, 9 Mar 2016 18:10:45 -0500
Received: from mfilter28-d.gandi.net (mfilter28-d.gandi.net [217.70.178.159]) by relay6-d.mail.gandi.net (Postfix) with ESMTP id 09B38FB8A7; Thu, 10 Mar 2016 00:10:44 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter28-d.gandi.net
Received: from relay6-d.mail.gandi.net ([IPv6:::ffff:217.70.183.198]) by mfilter28-d.gandi.net (mfilter28-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id W3qrynyXFBuL; Thu, 10 Mar 2016 00:10:42 +0100 (CET)
X-Originating-IP: 67.170.218.6
Received: from localhost.localdomain (c-67-170-218-6.hsd1.ca.comcast.net [67.170.218.6]) (Authenticated sender: jarno@ovn.org) by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 44B0BFB8A3; Thu, 10 Mar 2016 00:10:40 +0100 (CET)
From: Jarno Rajahalme
To: netfilter-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, dev@openvswitch.org, jarno@ovn.org
Subject: [PATCH nf-next v9 7/8] openvswitch: Delay conntrack helper call for new connections.
Date: Wed, 9 Mar 2016 15:10:23 -0800
Message-Id: <1457565024-27300-7-git-send-email-jarno@ovn.org>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1457565024-27300-1-git-send-email-jarno@ovn.org>
References: <1457565024-27300-1-git-send-email-jarno@ovn.org>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

There is no need to help connections that are not confirmed, so we can delay helping new connections to the time when they are confirmed.

This change is needed for NAT support, and having this as a separate patch will make the following NAT patch a bit easier to review.

Signed-off-by: Jarno Rajahalme
---
 net/openvswitch/conntrack.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 92613de..5711f80 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -483,7 +483,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, * actually run the packet through conntrack twice unless it's for a * different zone. */ - if (!skb_nfct_cached(net, key, info, skb)) { + bool cached = skb_nfct_cached(net, key, info, skb); + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + + if (!cached) { struct nf_conn *tmpl = info->ct; int err;
@@ -506,11 +510,17 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, return -ENOENT; ovs_ct_update_key(skb, info, key, true); + } - if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { - WARN_ONCE(1, "helper rejected packet"); - return -EINVAL; - } + /* Call the helper only if we did nf_conntrack_in() above ('!cached') + * for confirmed connections, but only when committing for unconfirmed + * connections. + */ + ct = nf_ct_get(skb, &ctinfo); + if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) && + ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; } return 0;
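Review bot: in the first hunk (@@ -483,7 +483,11 @@) the three new declarations (`bool cached = ...`, `enum ip_conntrack_info ctinfo;`, `struct nf_conn *ct;`) are inserted between the explanatory comment ("... unless it's for a different zone.") and the `if (!cached)` that comment describes, so the comment no longer sits on the statement it explains. Suggest moving the declarations above the comment block, which is the usual kernel layout (declarations first, then commented logic), so the comment stays attached to the `if`. Note that `ctinfo` is only ever written, as the out-parameter of `nf_ct_get()` in the second hunk; that is fine as-is, just worth keeping in mind if the following NAT patch starts to depend on it.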
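Review bot: in the second hunk (@@ -506,11 +510,17 @@) the condition `(nf_ct_is_confirmed(ct) ? !cached : info->commit)` does implement the rule from the commit message, but the comment above it is hard to parse ("Call the helper only if we did nf_conntrack_in() above ('!cached') for confirmed connections, but only when committing for unconfirmed connections"); suggest spelling out the two cases separately, e.g. "confirmed ct: run the helper only if this call ran nf_conntrack_in() (!cached); unconfirmed ct: run the helper only when committing". With the closing brace moved up, `ovs_ct_update_key()` still runs only on the `!cached` path while the helper check now runs on every call, so a cached, confirmed packet with `info->commit` set skips the helper entirely; that matches the stated intent but is the case to double-check against the NAT patch that builds on this. Separately, the retained `WARN_ONCE(1, "helper rejected packet")` fires for a data-dependent outcome (a helper declining a packet) rather than a broken kernel invariant, so a rate-limited debug message would fit better than a warning; that is pre-existing behaviour and could be a follow-up.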