From patchwork Fri Sep 2 00:01:55 2016
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 665078
From: Joe Stringer
To: dev@openvswitch.org
Date: Thu, 1 Sep 2016 17:01:55 -0700
Message-Id: <20160902000155.12906-1-joe@ovn.org>
Subject: [ovs-dev] [PATCH] datapath: Use pre-routing hook for conntrack.

The upstream code uses NF_INET_PRE_ROUTING hook for the nf_conntrack_in() call, which does deeper (eg l4proto) validation. It was previously thought that using the NF_INET_ROUTING hook for this function on older kernels would trigger kernel panics due to a dependency on the unpopulated skb->dev, however during recent testing on a variety of platforms (Centos7.[12], Ubuntu 1[46].04, Fedora23) using the latest distribution kernels and the OVS kernel module testsuite, no such kernel panics were observed. Therefore it appears to be safe to bring this in line with upstream without any other workarounds.

Reported-by: Jesse Gross
Signed-off-by: Joe Stringer
Acked-by: Jesse Gross
--- datapath/conntrack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datapath/conntrack.c b/datapath/conntrack.c index ddfb0c42b379..a2fc450edc05 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c 
@@ -772,7 +772,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, /* Repeat if requested, see nf_iterate(). */ do { err = nf_conntrack_in(net, info->family, - NF_INET_FORWARD, skb); + NF_INET_PRE_ROUTING, skb); } while (err == NF_REPEAT); if (err != NF_ACCEPT)
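Review bot: the hook argument to nf_conntrack_in() in __ovs_ct_lookup() changes from NF_INET_FORWARD to NF_INET_PRE_ROUTING, but the commit message describes the earlier concern as being about "the NF_INET_ROUTING hook", which matches neither the removed nor the added constant; please correct the message so it names the hook that was actually thought to be unsafe. The stated risk was a dependency on an unpopulated skb->dev, and the evidence that it does not occur is a test run on a specific set of distribution kernels, so a short comment above the call recording that assumption (the hook value now matches upstream and relies on skb->dev not being dereferenced on this path) would help anyone building the out-of-tree module against a kernel outside the tested set.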