From patchwork Sat Oct 17 04:35:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ben Pfaff X-Patchwork-Id: 1383608 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=ovn.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CCqwS469Dz9sTr for ; Sat, 17 Oct 2020 15:36:24 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 21EF888EBB; Sat, 17 Oct 2020 04:36:23 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZW413fimW3QD; Sat, 17 Oct 2020 04:36:20 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by whitealder.osuosl.org (Postfix) with ESMTP id EBD6188E89; Sat, 17 Oct 2020 04:36:19 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id D0249C0895; Sat, 17 Oct 2020 04:36:19 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 83712C0051 for ; Sat, 17 Oct 2020 04:36:18 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 7FBF688E89 for ; Sat, 17 Oct 2020 04:36:18 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZ4Xrva7LbLC for ; Sat, 17 Oct 2020 04:36:16 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay11.mail.gandi.net (relay11.mail.gandi.net [217.70.178.231]) by whitealder.osuosl.org (Postfix) with ESMTPS id 65E2C88E99 for ; Sat, 17 Oct 2020 04:36:16 +0000 (UTC) Received: from sigfpe.attlocal.net (75-54-222-30.lightspeed.rdcyca.sbcglobal.net [75.54.222.30]) (Authenticated sender: blp@ovn.org) by relay11.mail.gandi.net (Postfix) with ESMTPSA id 58535100004; Sat, 17 Oct 2020 04:36:13 +0000 (UTC) From: Ben Pfaff To: dev@openvswitch.org Date: Fri, 16 Oct 2020 21:35:16 -0700 Message-Id: <20201017043515.2695557-2-blp@ovn.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201017043515.2695557-1-blp@ovn.org> References: <20201017043515.2695557-1-blp@ovn.org> MIME-Version: 1.0 Cc: Ben Pfaff Subject: [ovs-dev] [PATCH v4 1/2] conntrack: Rename "master" connection to "parent" connection. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Signed-off-by: Ben Pfaff Signed-off-by: Ben Pfaff Acked-by: Alin Gabriel Serdean --- include/openvswitch/meta-flow.h | 14 +++---- lib/conntrack-private.h | 10 ++--- lib/conntrack.c | 74 ++++++++++++++++----------------- lib/ct-dpif.c | 6 +-- lib/ct-dpif.h | 2 +- lib/meta-flow.xml | 2 +- lib/netlink-conntrack.c | 6 +-- tests/ofproto-dpif.at | 6 +-- tests/system-traffic.at | 6 +-- 9 files changed, 63 insertions(+), 63 deletions(-) diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h index d529a9f0d21c..95e52e3587ee 100644 --- a/include/openvswitch/meta-flow.h +++ b/include/openvswitch/meta-flow.h @@ -852,7 +852,7 @@ enum OVS_PACKED_ENUM mf_field_id { /* "ct_nw_proto". * * The "protocol" byte in the IPv4 or IPv6 header for the original - * direction conntrack tuple, or of the master conntrack entry, if the + * direction conntrack tuple, or of the parent conntrack entry, if the * current connection is a related connection. * * The value is initially zero and populated by the CT action. The value @@ -873,7 +873,7 @@ enum OVS_PACKED_ENUM mf_field_id { /* "ct_nw_src". * * IPv4 source address of the original direction tuple of the conntrack - * entry, or of the master conntrack entry, if the current connection is a + * entry, or of the parent conntrack entry, if the current connection is a * related connection. * * The value is populated by the CT action. @@ -892,7 +892,7 @@ enum OVS_PACKED_ENUM mf_field_id { /* "ct_nw_dst". * * IPv4 destination address of the original direction tuple of the - * conntrack entry, or of the master conntrack entry, if the current + * conntrack entry, or of the parent conntrack entry, if the current * connection is a related connection. * * The value is populated by the CT action. @@ -911,7 +911,7 @@ enum OVS_PACKED_ENUM mf_field_id { /* "ct_ipv6_src". * * IPv6 source address of the original direction tuple of the conntrack - * entry, or of the master conntrack entry, if the current connection is a + * entry, or of the parent conntrack entry, if the current connection is a * related connection. * * The value is populated by the CT action. @@ -930,7 +930,7 @@ enum OVS_PACKED_ENUM mf_field_id { /* "ct_ipv6_dst". * * IPv6 destination address of the original direction tuple of the - * conntrack entry, or of the master conntrack entry, if the current + * conntrack entry, or of the parent conntrack entry, if the current * connection is a related connection. * * The value is populated by the CT action. @@ -949,7 +949,7 @@ enum OVS_PACKED_ENUM mf_field_id { /* "ct_tp_src". * * Transport layer source port of the original direction tuple of the - * conntrack entry, or of the master conntrack entry, if the current + * conntrack entry, or of the parent conntrack entry, if the current * connection is a related connection. * * The value is populated by the CT action. @@ -967,7 +967,7 @@ enum OVS_PACKED_ENUM mf_field_id { /* "ct_tp_dst". * * Transport layer destination port of the original direction tuple of the - * conntrack entry, or of the master conntrack entry, if the current + * conntrack entry, or of the parent conntrack entry, if the current * connection is a related connection. * * The value is populated by the CT action. diff --git a/lib/conntrack-private.h b/lib/conntrack-private.h index 3434753016f0..789af82ff77d 100644 --- a/lib/conntrack-private.h +++ b/lib/conntrack-private.h @@ -71,13 +71,13 @@ struct alg_exp_node { /* Key of data connection to be created. */ struct conn_key key; /* Corresponding key of the control connection. */ - struct conn_key master_key; + struct conn_key parent_key; /* The NAT replacement address to be used by the data connection. */ union ct_addr alg_nat_repl_addr; - /* The data connection inherits the master control + /* The data connection inherits the parent control * connection label and mark. */ - ovs_u128 master_label; - uint32_t master_mark; + ovs_u128 parent_label; + uint32_t parent_mark; /* True if for NAT application, the alg replaces the dest address; * otherwise, the source address is replaced. */ bool nat_rpl_dst; @@ -92,7 +92,7 @@ struct conn { /* Immutable data. */ struct conn_key key; struct conn_key rev_key; - struct conn_key master_key; /* Only used for orig_tuple support. */ + struct conn_key parent_key; /* Only used for orig_tuple support. */ struct ovs_list exp_node; struct cmap_node cm_node; struct nat_action_info_t *nat_info; diff --git a/lib/conntrack.c b/lib/conntrack.c index f42ba4b601c7..930ed0be6186 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -144,7 +144,7 @@ detect_ftp_ctl_type(const struct conn_lookup_ctx *ctx, struct dp_packet *pkt); static void -expectation_clean(struct conntrack *ct, const struct conn_key *master_key); +expectation_clean(struct conntrack *ct, const struct conn_key *parent_key); static struct ct_l4_proto *l4_protos[] = { [IPPROTO_TCP] = &ct_proto_tcp, @@ -585,14 +585,14 @@ write_ct_md(struct dp_packet *pkt, uint16_t zone, const struct conn *conn, /* Use the original direction tuple if we have it. */ if (conn) { if (conn->alg_related) { - key = &conn->master_key; + key = &conn->parent_key; } else { key = &conn->key; } } else if (alg_exp) { - pkt->md.ct_mark = alg_exp->master_mark; - pkt->md.ct_label = alg_exp->master_label; - key = &alg_exp->master_key; + pkt->md.ct_mark = alg_exp->parent_mark; + pkt->md.ct_label = alg_exp->parent_label; + key = &alg_exp->parent_key; } pkt->md.ct_orig_tuple_ipv6 = false; @@ -1002,9 +1002,9 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, if (alg_exp) { nc->alg_related = true; - nc->mark = alg_exp->master_mark; - nc->label = alg_exp->master_label; - nc->master_key = alg_exp->master_key; + nc->mark = alg_exp->parent_mark; + nc->label = alg_exp->parent_label; + nc->parent_key = alg_exp->parent_key; } if (nat_action_info) { @@ -1312,7 +1312,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, if (!conn) { pkt->md.ct_state |= CS_INVALID; write_ct_md(pkt, zone, NULL, NULL, NULL); - char *log_msg = xasprintf("Missing master conn %p", rev_conn); + char *log_msg = xasprintf("Missing parent conn %p", rev_conn); ct_print_conn_info(rev_conn, log_msg, VLL_INFO, true, true); free(log_msg); return; @@ -2677,16 +2677,16 @@ expectation_remove(struct hmap *alg_expectations, /* This function must be called with the ct->resources read lock taken. */ static struct alg_exp_node * expectation_ref_lookup_unique(const struct hindex *alg_expectation_refs, - const struct conn_key *master_key, + const struct conn_key *parent_key, const struct conn_key *alg_exp_key, uint32_t basis) { struct alg_exp_node *alg_exp_node; HINDEX_FOR_EACH_WITH_HASH (alg_exp_node, node_ref, - conn_key_hash(master_key, basis), + conn_key_hash(parent_key, basis), alg_expectation_refs) { - if (!conn_key_cmp(&alg_exp_node->master_key, master_key) && + if (!conn_key_cmp(&alg_exp_node->parent_key, parent_key) && !conn_key_cmp(&alg_exp_node->key, alg_exp_key)) { return alg_exp_node; } @@ -2701,23 +2701,23 @@ expectation_ref_create(struct hindex *alg_expectation_refs, uint32_t basis) { if (!expectation_ref_lookup_unique(alg_expectation_refs, - &alg_exp_node->master_key, + &alg_exp_node->parent_key, &alg_exp_node->key, basis)) { hindex_insert(alg_expectation_refs, &alg_exp_node->node_ref, - conn_key_hash(&alg_exp_node->master_key, basis)); + conn_key_hash(&alg_exp_node->parent_key, basis)); } } static void -expectation_clean(struct conntrack *ct, const struct conn_key *master_key) +expectation_clean(struct conntrack *ct, const struct conn_key *parent_key) { ovs_rwlock_wrlock(&ct->resources_lock); struct alg_exp_node *node, *next; HINDEX_FOR_EACH_WITH_HASH_SAFE (node, next, node_ref, - conn_key_hash(master_key, ct->hash_basis), + conn_key_hash(parent_key, ct->hash_basis), &ct->alg_expectation_refs) { - if (!conn_key_cmp(&node->master_key, master_key)) { + if (!conn_key_cmp(&node->parent_key, parent_key)) { expectation_remove(&ct->alg_expectations, &node->key, ct->hash_basis); hindex_remove(&ct->alg_expectation_refs, &node->node_ref); @@ -2730,7 +2730,7 @@ expectation_clean(struct conntrack *ct, const struct conn_key *master_key) static void expectation_create(struct conntrack *ct, ovs_be16 dst_port, - const struct conn *master_conn, bool reply, bool src_ip_wc, + const struct conn *parent_conn, bool reply, bool src_ip_wc, bool skip_nat) { union ct_addr src_addr; @@ -2739,47 +2739,47 @@ expectation_create(struct conntrack *ct, ovs_be16 dst_port, struct alg_exp_node *alg_exp_node = xzalloc(sizeof *alg_exp_node); if (reply) { - src_addr = master_conn->key.src.addr; - dst_addr = master_conn->key.dst.addr; + src_addr = parent_conn->key.src.addr; + dst_addr = parent_conn->key.dst.addr; alg_exp_node->nat_rpl_dst = true; if (skip_nat) { alg_nat_repl_addr = dst_addr; - } else if (master_conn->nat_info && - master_conn->nat_info->nat_action & NAT_ACTION_DST) { - alg_nat_repl_addr = master_conn->rev_key.src.addr; + } else if (parent_conn->nat_info && + parent_conn->nat_info->nat_action & NAT_ACTION_DST) { + alg_nat_repl_addr = parent_conn->rev_key.src.addr; alg_exp_node->nat_rpl_dst = false; } else { - alg_nat_repl_addr = master_conn->rev_key.dst.addr; + alg_nat_repl_addr = parent_conn->rev_key.dst.addr; } } else { - src_addr = master_conn->rev_key.src.addr; - dst_addr = master_conn->rev_key.dst.addr; + src_addr = parent_conn->rev_key.src.addr; + dst_addr = parent_conn->rev_key.dst.addr; alg_exp_node->nat_rpl_dst = false; if (skip_nat) { alg_nat_repl_addr = src_addr; - } else if (master_conn->nat_info && - master_conn->nat_info->nat_action & NAT_ACTION_DST) { - alg_nat_repl_addr = master_conn->key.dst.addr; + } else if (parent_conn->nat_info && + parent_conn->nat_info->nat_action & NAT_ACTION_DST) { + alg_nat_repl_addr = parent_conn->key.dst.addr; alg_exp_node->nat_rpl_dst = true; } else { - alg_nat_repl_addr = master_conn->key.src.addr; + alg_nat_repl_addr = parent_conn->key.src.addr; } } if (src_ip_wc) { memset(&src_addr, 0, sizeof src_addr); } - alg_exp_node->key.dl_type = master_conn->key.dl_type; - alg_exp_node->key.nw_proto = master_conn->key.nw_proto; - alg_exp_node->key.zone = master_conn->key.zone; + alg_exp_node->key.dl_type = parent_conn->key.dl_type; + alg_exp_node->key.nw_proto = parent_conn->key.nw_proto; + alg_exp_node->key.zone = parent_conn->key.zone; alg_exp_node->key.src.addr = src_addr; alg_exp_node->key.dst.addr = dst_addr; alg_exp_node->key.src.port = ALG_WC_SRC_PORT; alg_exp_node->key.dst.port = dst_port; - alg_exp_node->master_mark = master_conn->mark; - alg_exp_node->master_label = master_conn->label; - memcpy(&alg_exp_node->master_key, &master_conn->key, - sizeof alg_exp_node->master_key); + alg_exp_node->parent_mark = parent_conn->mark; + alg_exp_node->parent_label = parent_conn->label; + memcpy(&alg_exp_node->parent_key, &parent_conn->key, + sizeof alg_exp_node->parent_key); /* Take the write lock here because it is almost 100% * likely that the lookup will fail and * expectation_create() will be called below. */ diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c index 8c2480e7ac39..6a5ba052dd20 100644 --- a/lib/ct-dpif.c +++ b/lib/ct-dpif.c @@ -323,9 +323,9 @@ ct_dpif_format_entry(const struct ct_dpif_entry *entry, struct ds *ds, } ct_dpif_format_protoinfo(ds, ",protoinfo=", &entry->protoinfo, verbose); ct_dpif_format_helper(ds, ",helper=", &entry->helper); - if (verbose && entry->tuple_master.l3_type != 0) { - ds_put_cstr(ds, ",master=("); - ct_dpif_format_tuple(ds, &entry->tuple_master); + if (verbose && entry->tuple_parent.l3_type != 0) { + ds_put_cstr(ds, ",parent=("); + ct_dpif_format_tuple(ds, &entry->tuple_parent); ds_put_cstr(ds, ")"); } } diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h index e4c7a640b113..88f4c7e28cbf 100644 --- a/lib/ct-dpif.h +++ b/lib/ct-dpif.h @@ -177,7 +177,7 @@ struct ct_dpif_entry { /* Const members. */ struct ct_dpif_tuple tuple_orig; struct ct_dpif_tuple tuple_reply; - struct ct_dpif_tuple tuple_master; + struct ct_dpif_tuple tuple_parent; struct ct_dpif_helper helper; uint32_t id; uint16_t zone; diff --git a/lib/meta-flow.xml b/lib/meta-flow.xml index e72ba52ecd2c..28865f88c8a5 100644 --- a/lib/meta-flow.xml +++ b/lib/meta-flow.xml @@ -2794,7 +2794,7 @@ actions=clone(load:0->NXM_OF_IN_PORT[],output:123) connection), or be of different protocol (i.e., when an ICMP response is sent to an UDP packet). In case of related connections, e.g., an FTP data connection, the original direction tuple contains the - original direction headers from the master connection, e.g., an FTP + original direction headers from the parent connection, e.g., an FTP control connection.

diff --git a/lib/netlink-conntrack.c b/lib/netlink-conntrack.c index 86ab866cf591..78f1bf60bc29 100644 --- a/lib/netlink-conntrack.c +++ b/lib/netlink-conntrack.c @@ -237,7 +237,7 @@ nl_ct_flush(void) ofpbuf_uninit(&buf); /* Expectations are flushed automatically, because they do not - * have a master connection anymore */ + * have a parent connection anymore */ return err; } @@ -344,7 +344,7 @@ nl_ct_flush_zone(uint16_t flush_zone) ofpbuf_uninit(&buf); /* Expectations are flushed automatically, because they do not - * have a master connection anymore */ + * have a parent connection anymore */ return 0; } #endif @@ -1263,7 +1263,7 @@ nl_ct_attrs_to_ct_dpif_entry(struct ct_dpif_entry *entry, return false; } if (attrs[CTA_TUPLE_MASTER] && - !nl_ct_parse_tuple(attrs[CTA_TUPLE_MASTER], &entry->tuple_master, + !nl_ct_parse_tuple(attrs[CTA_TUPLE_MASTER], &entry->tuple_parent, nfgen_family)) { return false; } diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at index d129e60d32c2..88dd434e4e4a 100644 --- a/tests/ofproto-dpif.at +++ b/tests/ofproto-dpif.at @@ -9771,7 +9771,7 @@ dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets dnl get the ACL lookup using the conntrack tuple and the inverted direction. dnl RELATED packets get ACL lookup using the conntrack tuple in the direction -dnl of the master connection, as storted in ct_mark. +dnl of the parent connection, as storted in ct_mark. dnl dnl Incoming non-related packet in the original direction (ACL IN) table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5 @@ -9782,7 +9782,7 @@ table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit( dnl Outgoing non-related reply packet (CT ACL IN) table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4 dnl -dnl Related packet (CT ACL in the direction of the master connection.) +dnl Related packet (CT ACL in the direction of the parent connection.) table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_MARK[[]]->NXM_NX_REG0[[]],resubmit(,3,ct),goto_table:4 dnl Drop everything else. table=1 priority=0, action=drop @@ -9815,7 +9815,7 @@ table=5 reg2=0 priority=1000 action=drop dnl Commit new non-related IP connections. table=5 priority=10 reg2=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl Commit new related connections in either direction, which inherit the mark -dnl (the direction of the original direction master tuple) from the master +dnl (the direction of the original direction parent tuple) from the parent dnl connection. table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl Forward everything else, including stateless accepts. diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 02f0e2716320..14f349b5b99f 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -4810,7 +4810,7 @@ dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets dnl get the ACL lookup using the conntrack tuple and the inverted direction. dnl RELATED packets get ACL lookup using the conntrack tuple in the direction -dnl of the master connection, as stored in ct_label[0]. +dnl of the parent connection, as stored in ct_label[0]. dnl dnl Incoming non-related packet in the original direction (ACL IN) table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5 @@ -4821,7 +4821,7 @@ table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit( dnl Outgoing non-related reply packet (CT ACL IN) table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4 dnl -dnl Related packet (CT ACL in the direction of the master connection.) +dnl Related packet (CT ACL in the direction of the parent connection.) table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4 dnl Drop everything else. table=1 priority=0, action=drop @@ -4863,7 +4863,7 @@ dnl (This should not get any packets in this test.) table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl Commit new related connections in either direction, which need 'nat' dnl and which inherit the label (the direction of the original direction -dnl master tuple) from the master connection. +dnl parent tuple) from the parent connection. table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.