From patchwork Thu Feb  9 01:30:30 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jarno Rajahalme <jarno@ovn.org>
X-Patchwork-Id: 725907
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3vJgXQ6QS9z9s7F
	for <patchwork-incoming@ozlabs.org>;
	Thu,  9 Feb 2017 12:31:34 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752543AbdBIBbF (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 8 Feb 2017 20:31:05 -0500
Received: from relay2-d.mail.gandi.net ([217.70.183.194]:57404 "EHLO
	relay2-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752525AbdBIBbC (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 8 Feb 2017 20:31:02 -0500
Received: from mfilter22-d.gandi.net (mfilter22-d.gandi.net [217.70.178.150])
	by relay2-d.mail.gandi.net (Postfix) with ESMTP id 86337C5A5C;
	Thu,  9 Feb 2017 02:30:56 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter22-d.gandi.net
Received: from relay2-d.mail.gandi.net ([IPv6:::ffff:217.70.183.194])
	by mfilter22-d.gandi.net (mfilter22-d.gandi.net [::ffff:10.0.15.180])
	(amavisd-new, port 10024)
	with ESMTP id uQXMjCZg6IKq; Thu,  9 Feb 2017 02:30:55 +0100 (CET)
X-Originating-IP: 208.91.1.34
Received: from sc9-mailhost1.vmware.com (unknown [208.91.1.34])
	(Authenticated sender: jarno@ovn.org)
	by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 72A2AC5A54;
	Thu,  9 Feb 2017 02:30:53 +0100 (CET)
From: Jarno Rajahalme <jarno@ovn.org>
To: netdev@vger.kernel.org
Cc: jarno@ovn.org, joe@ovn.org, pshelar@ovn.org
Subject: [PATCH v3 net-next 03/10] openvswitch: Do not trigger events for
	unconfirmed connections.
Date: Wed,  8 Feb 2017 17:30:30 -0800
Message-Id: <1486603837-7202-4-git-send-email-jarno@ovn.org>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1486603837-7202-1-git-send-email-jarno@ovn.org>
References: <1486603837-7202-1-git-send-email-jarno@ovn.org>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Receiving change events before the 'new' event for the connection has
been received can be confusing.  Avoid triggering change events for
setting conntrack mark or labels before the conntrack entry has been
confirmed.

Fixes: 182e3042e15d ("openvswitch: Allow matching on conntrack mark")
Fixes: c2ac66735870 ("openvswitch: Allow matching on conntrack label")
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
---
 net/openvswitch/conntrack.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 4df9a54..a6ff374 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -245,7 +245,8 @@ static int ovs_ct_set_mark(struct sk_buff *skb, struct sw_flow_key *key,
 	new_mark = ct_mark | (ct->mark & ~(mask));
 	if (ct->mark != new_mark) {
 		ct->mark = new_mark;
-		nf_conntrack_event_cache(IPCT_MARK, ct);
+		if (nf_ct_is_confirmed(ct))
+			nf_conntrack_event_cache(IPCT_MARK, ct);
 		key->ct.mark = new_mark;
 	}
 
@@ -262,7 +263,6 @@ static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key,
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn_labels *cl;
 	struct nf_conn *ct;
-	int err;
 
 	/* The connection could be invalid, in which case set_label is no-op.*/
 	ct = nf_ct_get(skb, &ctinfo);
@@ -277,10 +277,26 @@ static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key,
 	if (!cl || sizeof(cl->bits) < OVS_CT_LABELS_LEN)
 		return -ENOSPC;
 
-	err = nf_connlabels_replace(ct, (u32 *)labels, (u32 *)mask,
-				    OVS_CT_LABELS_LEN / sizeof(u32));
-	if (err)
-		return err;
+	if (nf_ct_is_confirmed(ct)) {
+		/* Triggers a change event, which makes sense only for
+		 * confirmed connections.
+		 */
+		int err = nf_connlabels_replace(ct, (u32 *)labels, (u32 *)mask,
+						OVS_CT_LABELS_LEN / sizeof(u32));
+		if (err)
+			return err;
+	} else {
+		u32 *dst = (u32 *)cl->bits;
+		const u32 *msk = (const u32 *)mask->ct_labels;
+		const u32 *lbl = (const u32 *)labels->ct_labels;
+		int i;
+
+		/* No-one else has access to the non-confirmed entry, copy
+		 * labels over, keeping any bits we are not explicitly setting.
+		 */
+		for (i = 0; i < OVS_CT_LABELS_LEN / sizeof(u32); i++)
+			dst[i] = (dst[i] & ~msk[i]) | (lbl[i] & msk[i]);
+	}
 
 	ovs_ct_get_labels(ct, &key->ct.labels);
 	return 0;