* [PATCH net-next v3 0/8] openvswitch: NAT support.
@ 2015-11-26 0:08 Jarno Rajahalme
2015-11-26 0:08 ` [PATCH net-next v3 2/8] netfilter: Factor out nf_ct_get_info() Jarno Rajahalme
` (4 more replies)
0 siblings, 5 replies; 17+ messages in thread
From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw)
To: netdev-u79uwXL29TY76Z2rM5mHXA
Cc: dev-yBygre7rU0TnMu66kgdUjQ, netfilter-devel-u79uwXL29TY76Z2rM5mHXA
This series adds NAT support to openvswitch kernel module. A few
changes are needed to the netfilter code to facilitate this (patches
1-3/8). Patches 4-7 make the openvswitch kernel module ready for the
patch 8 that adds the NAT support by calling into netfilter NAT code
from the openvswitch conntrack action.
The OVS master now has the corresponding OVS userspace support to use
and test the NAT features. Below if a walk through of a simple use
case.
In this case ports 1 and 2 are in different namespaces. The OpenFlow
table below only allows IPv4 connections initiated from port 1, and
applies source NAT to those connections:
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+est,ct_zone=1,ip,action=1
This flow table matches all IPv4 traffic from port 1, runs them
through conntrack in zone 1 and NATs them. The NAT is initialized to
do source IP mapping to the given range for the first packet of each
connection, after which the new connection is committed (confirmed).
For further packets of already tracked connections NAT is done
according to the connection state and the commit is a no-op. Each
packet that is not flagged as a drop by the CT action is forwarded to
port 2. The CT action does an implicit fragmentation reassembly, so
that only complete packets are run through conntrack. Reassembled
packets are re-fragmented on output.
The IPv4 traffic coming from port 2 is first matched for the
non-tracked state (-trk), which means that the packet has not been
through a CT action yet. Such traffic is run trough the conntrack in
zone 1 and all packets associated with a NATted connection are NATted
also in the return direction. After the packet has been through
conntrack it is recirculated back to OpenFlow table 0 (which is the
default table, so all the rules above are in table 0). The CT action
changes the 'trk' flag to being set, so the packets after
recirculation no longer match the second rule. The third rule then
matches the recirculated packets that were marked as established by
conntrack (+est), and the packet is output on port 1. Matching on
ct_zone is not strictly needed, but in this test case it verifies that
the ct_zone key attribute is properly set by the conntrack action.
A full test case requires rules for ARP handling not shown here.
The flow table above is an OpenFlow table, and the rules therein
are translated to kernel flow entries on-demand by ovs-vswitchd.
Jarno Rajahalme (8):
netfilter: Remove IP_CT_NEW_REPLY definition.
netfilter: Factor out nf_ct_get_info().
netfilter: Allow calling into nat helper without skb_dst.
openvswitch: Update the CT state key only after nf_conntrack_in().
openvswitch: Find existing conntrack entry after upcall.
openvswitch: Handle NF_REPEAT in conntrack action.
openvswitch: Delay conntrack helper call for new connections.
openvswitch: Interface with NAT.
include/net/netfilter/nf_conntrack.h | 15 +
include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +-
include/uapi/linux/openvswitch.h | 47 ++
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 29 +-
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 29 +-
net/netfilter/nf_conntrack_core.c | 22 +-
net/openvswitch/conntrack.c | 632 +++++++++++++++++++--
net/openvswitch/conntrack.h | 3 +-
8 files changed, 686 insertions(+), 103 deletions(-)
--
2.1.4
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
^ permalink raw reply [flat|nested] 17+ messages in thread* [PATCH net-next v3 2/8] netfilter: Factor out nf_ct_get_info(). 2015-11-26 0:08 [PATCH net-next v3 0/8] openvswitch: NAT support Jarno Rajahalme @ 2015-11-26 0:08 ` Jarno Rajahalme 2015-11-26 6:18 ` [ovs-dev] " Simon Horman [not found] ` <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org> ` (3 subsequent siblings) 4 siblings, 1 reply; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev; +Cc: netfilter-devel, dev, jarno Define a new inline function to map conntrack status to enum ip_conntrack_info. This removes the need to otherwise duplicate this code in a later patch ("openvswitch: Find existing conntrack entry after upcall."). Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- include/net/netfilter/nf_conntrack.h | 15 +++++++++++++++ net/netfilter/nf_conntrack_core.c | 22 +++------------------- 2 files changed, 18 insertions(+), 19 deletions(-) diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index fde4068..b3de10e 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -125,6 +125,21 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) tuplehash[hash->tuple.dst.dir]); } +static inline enum ip_conntrack_info +nf_ct_get_info(const struct nf_conntrack_tuple_hash *h) +{ + const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); + + if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) + return IP_CT_ESTABLISHED_REPLY; + /* Once we've had two way comms, always ESTABLISHED. */ + if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) + return IP_CT_ESTABLISHED; + if (test_bit(IPS_EXPECTED_BIT, &ct->status)) + return IP_CT_RELATED; + return IP_CT_NEW; +} + static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct) { return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 3cb3cb8..70ddbd8 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1056,25 +1056,9 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, ct = nf_ct_tuplehash_to_ctrack(h); /* It exists; we have (non-exclusive) reference. */ - if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) { - *ctinfo = IP_CT_ESTABLISHED_REPLY; - /* Please set reply bit if this packet OK */ - *set_reply = 1; - } else { - /* Once we've had two way comms, always ESTABLISHED. */ - if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { - pr_debug("nf_conntrack_in: normal packet for %p\n", ct); - *ctinfo = IP_CT_ESTABLISHED; - } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) { - pr_debug("nf_conntrack_in: related packet for %p\n", - ct); - *ctinfo = IP_CT_RELATED; - } else { - pr_debug("nf_conntrack_in: new packet for %p\n", ct); - *ctinfo = IP_CT_NEW; - } - *set_reply = 0; - } + *ctinfo = nf_ct_get_info(h); + *set_reply = NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY; + skb->nfct = &ct->ct_general; skb->nfctinfo = *ctinfo; return ct; -- 2.1.4 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [ovs-dev] [PATCH net-next v3 2/8] netfilter: Factor out nf_ct_get_info(). 2015-11-26 0:08 ` [PATCH net-next v3 2/8] netfilter: Factor out nf_ct_get_info() Jarno Rajahalme @ 2015-11-26 6:18 ` Simon Horman 0 siblings, 0 replies; 17+ messages in thread From: Simon Horman @ 2015-11-26 6:18 UTC (permalink / raw) To: Jarno Rajahalme; +Cc: netdev, dev, netfilter-devel On Wed, Nov 25, 2015 at 04:08:15PM -0800, Jarno Rajahalme wrote: > Define a new inline function to map conntrack status to enum > ip_conntrack_info. This removes the need to otherwise duplicate this > code in a later patch ("openvswitch: Find existing conntrack entry > after upcall."). > > Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Reviewed-by: Simon Horman <simon.horman@netronome.com> > --- > include/net/netfilter/nf_conntrack.h | 15 +++++++++++++++ > net/netfilter/nf_conntrack_core.c | 22 +++------------------- > 2 files changed, 18 insertions(+), 19 deletions(-) > > diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h > index fde4068..b3de10e 100644 > --- a/include/net/netfilter/nf_conntrack.h > +++ b/include/net/netfilter/nf_conntrack.h > @@ -125,6 +125,21 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) > tuplehash[hash->tuple.dst.dir]); > } > > +static inline enum ip_conntrack_info > +nf_ct_get_info(const struct nf_conntrack_tuple_hash *h) > +{ > + const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); > + > + if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) > + return IP_CT_ESTABLISHED_REPLY; > + /* Once we've had two way comms, always ESTABLISHED. */ > + if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) > + return IP_CT_ESTABLISHED; > + if (test_bit(IPS_EXPECTED_BIT, &ct->status)) > + return IP_CT_RELATED; > + return IP_CT_NEW; > +} > + > static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct) > { > return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; > diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c > index 3cb3cb8..70ddbd8 100644 > --- a/net/netfilter/nf_conntrack_core.c > +++ b/net/netfilter/nf_conntrack_core.c > @@ -1056,25 +1056,9 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, > ct = nf_ct_tuplehash_to_ctrack(h); > > /* It exists; we have (non-exclusive) reference. */ > - if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) { > - *ctinfo = IP_CT_ESTABLISHED_REPLY; > - /* Please set reply bit if this packet OK */ > - *set_reply = 1; > - } else { > - /* Once we've had two way comms, always ESTABLISHED. */ > - if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { > - pr_debug("nf_conntrack_in: normal packet for %p\n", ct); > - *ctinfo = IP_CT_ESTABLISHED; > - } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) { > - pr_debug("nf_conntrack_in: related packet for %p\n", > - ct); > - *ctinfo = IP_CT_RELATED; > - } else { > - pr_debug("nf_conntrack_in: new packet for %p\n", ct); > - *ctinfo = IP_CT_NEW; > - } > - *set_reply = 0; > - } > + *ctinfo = nf_ct_get_info(h); > + *set_reply = NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY; > + > skb->nfct = &ct->ct_general; > skb->nfctinfo = *ctinfo; > return ct; > -- > 2.1.4 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org>]
* [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition. [not found] ` <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org> @ 2015-11-26 0:08 ` Jarno Rajahalme 2015-11-26 5:41 ` [ovs-dev] " Simon Horman 2015-11-26 0:08 ` [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst Jarno Rajahalme ` (2 subsequent siblings) 3 siblings, 1 reply; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev-u79uwXL29TY76Z2rM5mHXA Cc: dev-yBygre7rU0TnMu66kgdUjQ, netfilter-devel-u79uwXL29TY76Z2rM5mHXA Remove the definition of IP_CT_NEW_REPLY from the kernel as it does not make sense. This allows the definition of IP_CT_NUMBER to be simplified as well. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +++++++++--- net/openvswitch/conntrack.c | 2 -- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h index 319f471..2f067cf 100644 --- a/include/uapi/linux/netfilter/nf_conntrack_common.h +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h @@ -20,9 +20,15 @@ enum ip_conntrack_info { IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, - IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, - /* Number of distinct IP_CT types (no NEW in reply dirn). */ - IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 + /* No NEW in reply direction. */ + + /* Number of distinct IP_CT types. */ + IP_CT_NUMBER + + /* only for userspace compatibility */ +#ifndef __KERNEL__ + IP_CT_NEW_REPLY = IP_CT_NUMBER; +#endif }; #define NF_CT_STATE_INVALID_BIT (1 << 0) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index c2cc111..a28a819 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -73,7 +73,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) switch (ctinfo) { case IP_CT_ESTABLISHED_REPLY: case IP_CT_RELATED_REPLY: - case IP_CT_NEW_REPLY: ct_state |= OVS_CS_F_REPLY_DIR; break; default: @@ -90,7 +89,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) ct_state |= OVS_CS_F_RELATED; break; case IP_CT_NEW: - case IP_CT_NEW_REPLY: ct_state |= OVS_CS_F_NEW; break; default: -- 2.1.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [ovs-dev] [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition. 2015-11-26 0:08 ` [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition Jarno Rajahalme @ 2015-11-26 5:41 ` Simon Horman [not found] ` <20151126054100.GB21626-IxS8c3vjKQDk1uMJSBkQmQ@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Simon Horman @ 2015-11-26 5:41 UTC (permalink / raw) To: Jarno Rajahalme; +Cc: netdev, dev, netfilter-devel On Wed, Nov 25, 2015 at 04:08:14PM -0800, Jarno Rajahalme wrote: > Remove the definition of IP_CT_NEW_REPLY from the kernel as it does > not make sense. This allows the definition of IP_CT_NUMBER to be > simplified as well. > > Signed-off-by: Jarno Rajahalme <jarno@ovn.org> I hate to be the bearer of bad news but its not clear to me that this change doesn't break user-space. > --- > include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +++++++++--- > net/openvswitch/conntrack.c | 2 -- > 2 files changed, 9 insertions(+), 5 deletions(-) > > diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h > index 319f471..2f067cf 100644 > --- a/include/uapi/linux/netfilter/nf_conntrack_common.h > +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h > @@ -20,9 +20,15 @@ enum ip_conntrack_info { > > IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, > IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, > - IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, > - /* Number of distinct IP_CT types (no NEW in reply dirn). */ > - IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 > + /* No NEW in reply direction. */ > + > + /* Number of distinct IP_CT types. */ > + IP_CT_NUMBER > + > + /* only for userspace compatibility */ > +#ifndef __KERNEL__ > + IP_CT_NEW_REPLY = IP_CT_NUMBER; > +#endif > }; > > #define NF_CT_STATE_INVALID_BIT (1 << 0) > diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c > index c2cc111..a28a819 100644 > --- a/net/openvswitch/conntrack.c > +++ b/net/openvswitch/conntrack.c > @@ -73,7 +73,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) > switch (ctinfo) { > case IP_CT_ESTABLISHED_REPLY: > case IP_CT_RELATED_REPLY: > - case IP_CT_NEW_REPLY: > ct_state |= OVS_CS_F_REPLY_DIR; > break; > default: > @@ -90,7 +89,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) > ct_state |= OVS_CS_F_RELATED; > break; > case IP_CT_NEW: > - case IP_CT_NEW_REPLY: > ct_state |= OVS_CS_F_NEW; > break; > default: > -- > 2.1.4 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <20151126054100.GB21626-IxS8c3vjKQDk1uMJSBkQmQ@public.gmane.org>]
* Re: [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition. [not found] ` <20151126054100.GB21626-IxS8c3vjKQDk1uMJSBkQmQ@public.gmane.org> @ 2015-11-30 18:16 ` Jarno Rajahalme [not found] ` <391067B3-D60E-43BC-B669-2DD45924E5D8-LZ6Gd1LRuIk@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-30 18:16 UTC (permalink / raw) To: Simon Horman Cc: dev-yBygre7rU0TnMu66kgdUjQ, netdev-u79uwXL29TY76Z2rM5mHXA, netfilter-devel-u79uwXL29TY76Z2rM5mHXA > On Nov 25, 2015, at 21:41, Simon Horman <simon.horman@netronome.com> wrote: > >> On Wed, Nov 25, 2015 at 04:08:14PM -0800, Jarno Rajahalme wrote: >> Remove the definition of IP_CT_NEW_REPLY from the kernel as it does >> not make sense. This allows the definition of IP_CT_NUMBER to be >> simplified as well. >> >> Signed-off-by: Jarno Rajahalme <jarno@ovn.org> > > I hate to be the bearer of bad news but its not clear > to me that this change doesn't break user-space. > These should be no change for the userspace, unless __KERNEL__ is defined. Also, this is a minor clean-up only, so I have no problem dropping this patch, is need be. Jarno >> --- >> include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +++++++++--- >> net/openvswitch/conntrack.c | 2 -- >> 2 files changed, 9 insertions(+), 5 deletions(-) >> >> diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h >> index 319f471..2f067cf 100644 >> --- a/include/uapi/linux/netfilter/nf_conntrack_common.h >> +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h >> @@ -20,9 +20,15 @@ enum ip_conntrack_info { >> >> IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, >> IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, >> - IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, >> - /* Number of distinct IP_CT types (no NEW in reply dirn). */ >> - IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 >> + /* No NEW in reply direction. */ >> + >> + /* Number of distinct IP_CT types. */ >> + IP_CT_NUMBER >> + >> + /* only for userspace compatibility */ >> +#ifndef __KERNEL__ >> + IP_CT_NEW_REPLY = IP_CT_NUMBER; >> +#endif >> }; >> >> #define NF_CT_STATE_INVALID_BIT (1 << 0) >> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c >> index c2cc111..a28a819 100644 >> --- a/net/openvswitch/conntrack.c >> +++ b/net/openvswitch/conntrack.c >> @@ -73,7 +73,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) >> switch (ctinfo) { >> case IP_CT_ESTABLISHED_REPLY: >> case IP_CT_RELATED_REPLY: >> - case IP_CT_NEW_REPLY: >> ct_state |= OVS_CS_F_REPLY_DIR; >> break; >> default: >> @@ -90,7 +89,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) >> ct_state |= OVS_CS_F_RELATED; >> break; >> case IP_CT_NEW: >> - case IP_CT_NEW_REPLY: >> ct_state |= OVS_CS_F_NEW; >> break; >> default: >> -- >> 2.1.4 >> >> _______________________________________________ >> dev mailing list >> dev@openvswitch.org >> http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <391067B3-D60E-43BC-B669-2DD45924E5D8-LZ6Gd1LRuIk@public.gmane.org>]
* Re: [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition. [not found] ` <391067B3-D60E-43BC-B669-2DD45924E5D8-LZ6Gd1LRuIk@public.gmane.org> @ 2015-12-01 2:46 ` Jarno Rajahalme 0 siblings, 0 replies; 17+ messages in thread From: Jarno Rajahalme @ 2015-12-01 2:46 UTC (permalink / raw) To: Simon Horman Cc: dev-yBygre7rU0TnMu66kgdUjQ, netdev-u79uwXL29TY76Z2rM5mHXA, netfilter-devel-u79uwXL29TY76Z2rM5mHXA > On Nov 30, 2015, at 10:16 AM, Jarno Rajahalme <jarno@ovn.org> wrote: > > >> On Nov 25, 2015, at 21:41, Simon Horman <simon.horman@netronome.com> wrote: >> >>> On Wed, Nov 25, 2015 at 04:08:14PM -0800, Jarno Rajahalme wrote: >>> Remove the definition of IP_CT_NEW_REPLY from the kernel as it does >>> not make sense. This allows the definition of IP_CT_NUMBER to be >>> simplified as well. >>> >>> Signed-off-by: Jarno Rajahalme <jarno@ovn.org> >> >> I hate to be the bearer of bad news but its not clear >> to me that this change doesn't break user-space. >> > > These should be no change for the userspace, unless __KERNEL__ is defined. > But there are two syntax errors in there when compiling from userspace, as Daniele just told me offline. I’ll respin the series.. Jarno > Also, this is a minor clean-up only, so I have no problem dropping this patch, is need be. > > Jarno > >>> --- >>> include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +++++++++--- >>> net/openvswitch/conntrack.c | 2 -- >>> 2 files changed, 9 insertions(+), 5 deletions(-) >>> >>> diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h >>> index 319f471..2f067cf 100644 >>> --- a/include/uapi/linux/netfilter/nf_conntrack_common.h >>> +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h >>> @@ -20,9 +20,15 @@ enum ip_conntrack_info { >>> >>> IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, >>> IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, >>> - IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, >>> - /* Number of distinct IP_CT types (no NEW in reply dirn). */ >>> - IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 >>> + /* No NEW in reply direction. */ >>> + >>> + /* Number of distinct IP_CT types. */ >>> + IP_CT_NUMBER >>> + >>> + /* only for userspace compatibility */ >>> +#ifndef __KERNEL__ >>> + IP_CT_NEW_REPLY = IP_CT_NUMBER; >>> +#endif >>> }; >>> >>> #define NF_CT_STATE_INVALID_BIT (1 << 0) >>> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c >>> index c2cc111..a28a819 100644 >>> --- a/net/openvswitch/conntrack.c >>> +++ b/net/openvswitch/conntrack.c >>> @@ -73,7 +73,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) >>> switch (ctinfo) { >>> case IP_CT_ESTABLISHED_REPLY: >>> case IP_CT_RELATED_REPLY: >>> - case IP_CT_NEW_REPLY: >>> ct_state |= OVS_CS_F_REPLY_DIR; >>> break; >>> default: >>> @@ -90,7 +89,6 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) >>> ct_state |= OVS_CS_F_RELATED; >>> break; >>> case IP_CT_NEW: >>> - case IP_CT_NEW_REPLY: >>> ct_state |= OVS_CS_F_NEW; >>> break; >>> default: >>> -- >>> 2.1.4 >>> >>> _______________________________________________ >>> dev mailing list >>> dev@openvswitch.org >>> http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst. [not found] ` <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org> 2015-11-26 0:08 ` [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition Jarno Rajahalme @ 2015-11-26 0:08 ` Jarno Rajahalme 2015-12-01 20:51 ` [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst.g Pablo Neira Ayuso 2015-11-26 0:08 ` [PATCH net-next v3 4/8] openvswitch: Update the CT state key only after nf_conntrack_in() Jarno Rajahalme 2015-11-26 0:08 ` [PATCH net-next v3 5/8] openvswitch: Find existing conntrack entry after upcall Jarno Rajahalme 3 siblings, 1 reply; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev-u79uwXL29TY76Z2rM5mHXA Cc: dev-yBygre7rU0TnMu66kgdUjQ, netfilter-devel-u79uwXL29TY76Z2rM5mHXA NAT checksum recalculation code assumes existence of skb_dst, which becomes a problem for a later patch in the series ("openvswitch: Interface with NAT."). Simplify this by removing the check on skb_dst, as the checksum will be dealt with later in the stack. Suggested-by: Pravin Shelar <pshelar@nicira.com> Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 29 ++++++++--------------------- net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 29 ++++++++--------------------- 2 files changed, 16 insertions(+), 42 deletions(-) diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c index 5075b7e..f8aad03 100644 --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c @@ -127,28 +127,15 @@ static void nf_nat_ipv4_csum_recalc(struct sk_buff *skb, u8 proto, void *data, __sum16 *check, int datalen, int oldlen) { - const struct iphdr *iph = ip_hdr(skb); - struct rtable *rt = skb_rtable(skb); - if (skb->ip_summed != CHECKSUM_PARTIAL) { - if (!(rt->rt_flags & RTCF_LOCAL) && - (!skb->dev || skb->dev->features & NETIF_F_V4_CSUM)) { - skb->ip_summed = CHECKSUM_PARTIAL; - skb->csum_start = skb_headroom(skb) + - skb_network_offset(skb) + - ip_hdrlen(skb); - skb->csum_offset = (void *)check - data; - *check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, - datalen, proto, 0); - } else { - *check = 0; - *check = csum_tcpudp_magic(iph->saddr, iph->daddr, - datalen, proto, - csum_partial(data, datalen, - 0)); - if (proto == IPPROTO_UDP && !*check) - *check = CSUM_MANGLED_0; - } + const struct iphdr *iph = ip_hdr(skb); + + skb->ip_summed = CHECKSUM_PARTIAL; + skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) + + ip_hdrlen(skb); + skb->csum_offset = (void *)check - data; + *check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, + proto, 0); } else inet_proto_csum_replace2(check, skb, htons(oldlen), htons(datalen), true); diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c index 238e70c..e0be97e 100644 --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c @@ -131,28 +131,15 @@ static void nf_nat_ipv6_csum_recalc(struct sk_buff *skb, u8 proto, void *data, __sum16 *check, int datalen, int oldlen) { - const struct ipv6hdr *ipv6h = ipv6_hdr(skb); - struct rt6_info *rt = (struct rt6_info *)skb_dst(skb); - if (skb->ip_summed != CHECKSUM_PARTIAL) { - if (!(rt->rt6i_flags & RTF_LOCAL) && - (!skb->dev || skb->dev->features & NETIF_F_V6_CSUM)) { - skb->ip_summed = CHECKSUM_PARTIAL; - skb->csum_start = skb_headroom(skb) + - skb_network_offset(skb) + - (data - (void *)skb->data); - skb->csum_offset = (void *)check - data; - *check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr, - datalen, proto, 0); - } else { - *check = 0; - *check = csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr, - datalen, proto, - csum_partial(data, datalen, - 0)); - if (proto == IPPROTO_UDP && !*check) - *check = CSUM_MANGLED_0; - } + const struct ipv6hdr *ipv6h = ipv6_hdr(skb); + + skb->ip_summed = CHECKSUM_PARTIAL; + skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) + + (data - (void *)skb->data); + skb->csum_offset = (void *)check - data; + *check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr, + datalen, proto, 0); } else inet_proto_csum_replace2(check, skb, htons(oldlen), htons(datalen), true); -- 2.1.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst.g 2015-11-26 0:08 ` [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst Jarno Rajahalme @ 2015-12-01 20:51 ` Pablo Neira Ayuso 2015-12-04 23:45 ` [ovs-dev] " Pravin Shelar 0 siblings, 1 reply; 17+ messages in thread From: Pablo Neira Ayuso @ 2015-12-01 20:51 UTC (permalink / raw) To: Jarno Rajahalme; +Cc: netdev, netfilter-devel, dev On Wed, Nov 25, 2015 at 04:08:16PM -0800, Jarno Rajahalme wrote: > NAT checksum recalculation code assumes existence of skb_dst, which > becomes a problem for a later patch in the series ("openvswitch: > Interface with NAT."). Simplify this by removing the check on > skb_dst, as the checksum will be dealt with later in the stack. > > Suggested-by: Pravin Shelar <pshelar@nicira.com> > Signed-off-by: Jarno Rajahalme <jarno@ovn.org> > --- > net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 29 ++++++++--------------------- > net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 29 ++++++++--------------------- > 2 files changed, 16 insertions(+), 42 deletions(-) > > diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > index 5075b7e..f8aad03 100644 > --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > @@ -127,28 +127,15 @@ static void nf_nat_ipv4_csum_recalc(struct sk_buff *skb, > u8 proto, void *data, __sum16 *check, > int datalen, int oldlen) > { > - const struct iphdr *iph = ip_hdr(skb); > - struct rtable *rt = skb_rtable(skb); > - > if (skb->ip_summed != CHECKSUM_PARTIAL) { > - if (!(rt->rt_flags & RTCF_LOCAL) && > - (!skb->dev || skb->dev->features & NETIF_F_V4_CSUM)) { > - skb->ip_summed = CHECKSUM_PARTIAL; > - skb->csum_start = skb_headroom(skb) + > - skb_network_offset(skb) + > - ip_hdrlen(skb); > - skb->csum_offset = (void *)check - data; > - *check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, > - datalen, proto, 0); > - } else { > - *check = 0; > - *check = csum_tcpudp_magic(iph->saddr, iph->daddr, > - datalen, proto, > - csum_partial(data, datalen, > - 0)); > - if (proto == IPPROTO_UDP && !*check) > - *check = CSUM_MANGLED_0; > - } > + const struct iphdr *iph = ip_hdr(skb); > + > + skb->ip_summed = CHECKSUM_PARTIAL; > + skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) + > + ip_hdrlen(skb); > + skb->csum_offset = (void *)check - data; > + *check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, > + proto, 0); Is this change going to work with traffic that is redirected to the localhost? ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [ovs-dev] [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst.g 2015-12-01 20:51 ` [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst.g Pablo Neira Ayuso @ 2015-12-04 23:45 ` Pravin Shelar 0 siblings, 0 replies; 17+ messages in thread From: Pravin Shelar @ 2015-12-04 23:45 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: Jarno Rajahalme, dev, netdev, netfilter-devel On Tue, Dec 1, 2015 at 12:51 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > On Wed, Nov 25, 2015 at 04:08:16PM -0800, Jarno Rajahalme wrote: >> NAT checksum recalculation code assumes existence of skb_dst, which >> becomes a problem for a later patch in the series ("openvswitch: >> Interface with NAT."). Simplify this by removing the check on >> skb_dst, as the checksum will be dealt with later in the stack. >> >> Suggested-by: Pravin Shelar <pshelar@nicira.com> >> Signed-off-by: Jarno Rajahalme <jarno@ovn.org> >> --- >> net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 29 ++++++++--------------------- >> net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 29 ++++++++--------------------- >> 2 files changed, 16 insertions(+), 42 deletions(-) >> >> diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c >> index 5075b7e..f8aad03 100644 >> --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c >> +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c >> @@ -127,28 +127,15 @@ static void nf_nat_ipv4_csum_recalc(struct sk_buff *skb, >> u8 proto, void *data, __sum16 *check, >> int datalen, int oldlen) >> { >> - const struct iphdr *iph = ip_hdr(skb); >> - struct rtable *rt = skb_rtable(skb); >> - >> if (skb->ip_summed != CHECKSUM_PARTIAL) { >> - if (!(rt->rt_flags & RTCF_LOCAL) && >> - (!skb->dev || skb->dev->features & NETIF_F_V4_CSUM)) { >> - skb->ip_summed = CHECKSUM_PARTIAL; >> - skb->csum_start = skb_headroom(skb) + >> - skb_network_offset(skb) + >> - ip_hdrlen(skb); >> - skb->csum_offset = (void *)check - data; >> - *check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, >> - datalen, proto, 0); >> - } else { >> - *check = 0; >> - *check = csum_tcpudp_magic(iph->saddr, iph->daddr, >> - datalen, proto, >> - csum_partial(data, datalen, >> - 0)); >> - if (proto == IPPROTO_UDP && !*check) >> - *check = CSUM_MANGLED_0; >> - } >> + const struct iphdr *iph = ip_hdr(skb); >> + >> + skb->ip_summed = CHECKSUM_PARTIAL; >> + skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) + >> + ip_hdrlen(skb); >> + skb->csum_offset = (void *)check - data; >> + *check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, >> + proto, 0); > > Is this change going to work with traffic that is redirected to the > localhost? localhost should handle CHECKSUM_PARTIAL just fine. So I do not see problem with always converting skb to CHECKSUM_PARTIAL skb. ^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net-next v3 4/8] openvswitch: Update the CT state key only after nf_conntrack_in(). [not found] ` <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org> 2015-11-26 0:08 ` [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition Jarno Rajahalme 2015-11-26 0:08 ` [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst Jarno Rajahalme @ 2015-11-26 0:08 ` Jarno Rajahalme 2015-11-26 0:08 ` [PATCH net-next v3 5/8] openvswitch: Find existing conntrack entry after upcall Jarno Rajahalme 3 siblings, 0 replies; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev-u79uwXL29TY76Z2rM5mHXA Cc: dev-yBygre7rU0TnMu66kgdUjQ, netfilter-devel-u79uwXL29TY76Z2rM5mHXA Only a successful nf_conntrack_in() call can effect a connection state change, so if suffices to update the key only after the nf_conntrack_in() returns. This change is needed for the later NAT patches. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- net/openvswitch/conntrack.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index a28a819..10f4a6e 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -194,7 +194,6 @@ static int ovs_ct_set_mark(struct sk_buff *skb, struct sw_flow_key *key, struct nf_conn *ct; u32 new_mark; - /* The connection could be invalid, in which case set_mark is no-op. */ ct = nf_ct_get(skb, &ctinfo); if (!ct) @@ -385,6 +384,10 @@ static bool skb_nfct_cached(const struct net *net, const struct sk_buff *skb, return true; } +/* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if + * not done already. Update key with new CT state after passing the packet + * through conntrack. + */ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, struct sk_buff *skb) @@ -410,14 +413,14 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, skb) != NF_ACCEPT) return -ENOENT; + ovs_ct_update_key(skb, key, true); + if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { WARN_ONCE(1, "helper rejected packet"); return -EINVAL; } } - ovs_ct_update_key(skb, key, true); - return 0; } -- 2.1.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net-next v3 5/8] openvswitch: Find existing conntrack entry after upcall. [not found] ` <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org> ` (2 preceding siblings ...) 2015-11-26 0:08 ` [PATCH net-next v3 4/8] openvswitch: Update the CT state key only after nf_conntrack_in() Jarno Rajahalme @ 2015-11-26 0:08 ` Jarno Rajahalme 3 siblings, 0 replies; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev-u79uwXL29TY76Z2rM5mHXA Cc: dev-yBygre7rU0TnMu66kgdUjQ, netfilter-devel-u79uwXL29TY76Z2rM5mHXA Add a new function ovs_ct_find_existing() to find an existing conntrack entry for which this packet was already applied to. This is only to be called when there is evidence that the packet was already tracked and committed, but we lost the ct reference due to an userspace upcall. ovs_ct_find_existing() is called from skb_nfct_cached(), which can now hide the fact that the ct reference may have been lost due to an upcall. This allows ovs_ct_commit() to be simplified. This patch is needed by later "openvswitch: Interface with NAT" patch, as we need to be able to pass the packet through NAT using the original ct reference also after the reference is lost after an upcall. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- net/openvswitch/conntrack.c | 95 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 82 insertions(+), 13 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 10f4a6e..0c371d0 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -359,16 +359,87 @@ ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone, return __nf_ct_expect_find(net, zone, &tuple); } +/* Find an existing conntrack entry for which this packet was already applied + * to. This is only called when there is evidence that the packet was already + * tracked and commited, but we lost the ct reference due to an userspace + * upcall. This means that on entry skb->nfct is NULL. + * On success, returns conntrack ptr, sets skb->nfct and ctinfo. + * Must be called rcu_read_lock()ed. */ +static struct nf_conn * +ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone, + u_int8_t l3num, struct sk_buff *skb, + enum ip_conntrack_info *ctinfo) +{ + struct nf_conntrack_l3proto *l3proto; + struct nf_conntrack_l4proto *l4proto; + struct nf_conntrack_tuple tuple; + struct nf_conntrack_tuple_hash *h; + struct nf_conn *ct; + unsigned int dataoff; + u_int8_t protonum; + + BUG_ON(skb->nfct != NULL); + + l3proto = __nf_ct_l3proto_find(l3num); + if (!l3proto) { + pr_debug("ovs_ct_find_existing: Can't get l3proto\n"); + return NULL; + } + if (l3proto->get_l4proto(skb, skb_network_offset(skb), &dataoff, + &protonum) <= 0) { + pr_debug("ovs_ct_find_existing: Can't get protonum\n"); + return NULL; + } + l4proto = __nf_ct_l4proto_find(l3num, protonum); + if (!l4proto) { + pr_debug("ovs_ct_find_existing: Can't get l4proto\n"); + return NULL; + } + if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num, + protonum, net, &tuple, l3proto, l4proto)) { + pr_debug("ovs_ct_find_existing: Can't get tuple\n"); + return NULL; + } + + /* look for tuple match */ + h = nf_conntrack_find_get(net, zone, &tuple); + if (!h) + return NULL; /* Not found. */ + + ct = nf_ct_tuplehash_to_ctrack(h); + + *ctinfo = nf_ct_get_info(h); + if (*ctinfo == IP_CT_NEW) { + /* This should not happen. */ + WARN_ONCE(1, "ovs_ct_find_existing: new packet for %p\n", ct); + } + skb->nfct = &ct->ct_general; + skb->nfctinfo = *ctinfo; + return ct; +} + /* Determine whether skb->nfct is equal to the result of conntrack lookup. */ -static bool skb_nfct_cached(const struct net *net, const struct sk_buff *skb, - const struct ovs_conntrack_info *info) +static bool skb_nfct_cached(struct net *net, + const struct sw_flow_key *key, + const struct ovs_conntrack_info *info, + struct sk_buff *skb) { enum ip_conntrack_info ctinfo; struct nf_conn *ct; ct = nf_ct_get(skb, &ctinfo); + /* If no ct, check if we have evidence that an existing conntrack entry + * might be found for this skb. This happens when we lose a skb->nfct + * due to an upcall. If the connection was not confirmed, it is not + * cached and needs to be run through conntrack again. */ + if (!ct && key->ct.state & OVS_CS_F_TRACKED + && !(key->ct.state & OVS_CS_F_INVALID) + && key->ct.zone == info->zone.id) + ct = ovs_ct_find_existing(net, &info->zone, info->family, skb, + &ctinfo); if (!ct) return false; + if (!net_eq(net, read_pnet(&ct->ct_net))) return false; if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct))) @@ -397,7 +468,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, * actually run the packet through conntrack twice unless it's for a * different zone. */ - if (!skb_nfct_cached(net, skb, info)) { + if (!skb_nfct_cached(net, key, info, skb)) { struct nf_conn *tmpl = info->ct; /* Associate skb with specified zone. */ @@ -431,6 +502,13 @@ static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key, { struct nf_conntrack_expect *exp; + /* If we pass an expected packet through nf_conntrack_in() the + * expectiation will be removed, but the packet could still be lost in + * upcall processing. To prevent this from happening we perform an + * explicit expectation lookup. Expected connections are always new, + * and will be passed through conntrack only when they are committed, + * as it is OK to remove the expectation at that time. + */ exp = ovs_ct_expect_find(net, &info->zone, info->family, skb); if (exp) { u8 state; @@ -453,21 +531,12 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, struct sk_buff *skb) { - u8 state; int err; - state = key->ct.state; - if (key->ct.zone == info->zone.id && - ((state & OVS_CS_F_TRACKED) && !(state & OVS_CS_F_NEW))) { - /* Previous lookup has shown that this connection is already - * tracked and committed. Skip committing. - */ - return 0; - } - err = __ovs_ct_lookup(net, key, info, skb); if (err) return err; + /* This is a no-op if the connection has already been confirmed. */ if (nf_conntrack_confirm(skb) != NF_ACCEPT) return -EINVAL; -- 2.1.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net-next v3 6/8] openvswitch: Handle NF_REPEAT in conntrack action. 2015-11-26 0:08 [PATCH net-next v3 0/8] openvswitch: NAT support Jarno Rajahalme 2015-11-26 0:08 ` [PATCH net-next v3 2/8] netfilter: Factor out nf_ct_get_info() Jarno Rajahalme [not found] ` <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org> @ 2015-11-26 0:08 ` Jarno Rajahalme 2015-11-26 0:08 ` [PATCH net-next v3 7/8] openvswitch: Delay conntrack helper call for new connections Jarno Rajahalme 2015-11-26 0:08 ` [PATCH net-next v3 8/8] openvswitch: Interface with NAT Jarno Rajahalme 4 siblings, 0 replies; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev; +Cc: netfilter-devel, dev, jarno Repeat the nf_conntrack_in() call when it returns NF_REPEAT. This avoids dropping a SYN packet re-opening an existing TCP connection. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- net/openvswitch/conntrack.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 0c371d0..7aa38fa 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -470,6 +470,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, */ if (!skb_nfct_cached(net, key, info, skb)) { struct nf_conn *tmpl = info->ct; + int err; /* Associate skb with specified zone. */ if (tmpl) { @@ -480,8 +481,13 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, skb->nfctinfo = IP_CT_NEW; } - if (nf_conntrack_in(net, info->family, NF_INET_PRE_ROUTING, - skb) != NF_ACCEPT) + /* Repeat if requested, see nf_iterate(). */ + do { + err = nf_conntrack_in(net, info->family, + NF_INET_PRE_ROUTING, skb); + } while (err == NF_REPEAT); + + if (err != NF_ACCEPT) return -ENOENT; ovs_ct_update_key(skb, key, true); -- 2.1.4 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net-next v3 7/8] openvswitch: Delay conntrack helper call for new connections. 2015-11-26 0:08 [PATCH net-next v3 0/8] openvswitch: NAT support Jarno Rajahalme ` (2 preceding siblings ...) 2015-11-26 0:08 ` [PATCH net-next v3 6/8] openvswitch: Handle NF_REPEAT in conntrack action Jarno Rajahalme @ 2015-11-26 0:08 ` Jarno Rajahalme 2015-11-26 0:08 ` [PATCH net-next v3 8/8] openvswitch: Interface with NAT Jarno Rajahalme 4 siblings, 0 replies; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev; +Cc: netfilter-devel, dev, jarno There is no need to help connections that are not confirmed, so we can delay helping new connections to the time when they are confirmed. This change is needed for NAT support, and having this as a separate patch will make the following NAT patch a bit easier to review. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- net/openvswitch/conntrack.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 7aa38fa..ba44287 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -458,6 +458,7 @@ static bool skb_nfct_cached(struct net *net, /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if * not done already. Update key with new CT state after passing the packet * through conntrack. + * Note that invalid packets are accepted while the skb->nfct remains unset! */ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, @@ -468,7 +469,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, * actually run the packet through conntrack twice unless it's for a * different zone. */ - if (!skb_nfct_cached(net, key, info, skb)) { + bool cached = skb_nfct_cached(net, key, info, skb); + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + + if (!cached) { struct nf_conn *tmpl = info->ct; int err; @@ -491,11 +496,16 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, return -ENOENT; ovs_ct_update_key(skb, key, true); + } - if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { - WARN_ONCE(1, "helper rejected packet"); - return -EINVAL; - } + /* Call the helper right after nf_conntrack_in() for confirmed + * connections, but only when commiting for unconfirmed connections. + */ + ct = nf_ct_get(skb, &ctinfo); + if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) + && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; } return 0; -- 2.1.4 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net-next v3 8/8] openvswitch: Interface with NAT. 2015-11-26 0:08 [PATCH net-next v3 0/8] openvswitch: NAT support Jarno Rajahalme ` (3 preceding siblings ...) 2015-11-26 0:08 ` [PATCH net-next v3 7/8] openvswitch: Delay conntrack helper call for new connections Jarno Rajahalme @ 2015-11-26 0:08 ` Jarno Rajahalme 2015-11-26 2:39 ` kbuild test robot 2015-11-26 4:19 ` kbuild test robot 4 siblings, 2 replies; 17+ messages in thread From: Jarno Rajahalme @ 2015-11-26 0:08 UTC (permalink / raw) To: netdev; +Cc: netfilter-devel, dev, jarno Extend OVS conntrack interface to cover NAT. New nested OVS_CT_ATTR_NAT attribute may be used to include NAT with a CT action. A bare OVS_CT_ATTR_NAT only mangles existing and expected connections. If OVS_NAT_ATTR_SRC or OVS_NAT_ATTR_DST is included within the nested attributes, new (non-committed/non-confirmed) connections are mangled according to the rest of the nested attributes. The corresponding OVS userspace patch series includes test cases (in tests/system-traffic.at) that also serve as example uses. This work extends on a branch by Thomas Graf at https://github.com/tgraf/ovs/tree/nat. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> --- include/uapi/linux/openvswitch.h | 47 ++++ net/openvswitch/conntrack.c | 520 +++++++++++++++++++++++++++++++++++++-- net/openvswitch/conntrack.h | 3 +- 3 files changed, 544 insertions(+), 26 deletions(-) diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h index 28ccedd..1a4bbdc 100644 --- a/include/uapi/linux/openvswitch.h +++ b/include/uapi/linux/openvswitch.h @@ -454,6 +454,12 @@ struct ovs_key_ct_labels { #define OVS_CS_F_REPLY_DIR 0x08 /* Flow is in the reply direction. */ #define OVS_CS_F_INVALID 0x10 /* Could not track connection. */ #define OVS_CS_F_TRACKED 0x20 /* Conntrack has occurred. */ +#define OVS_CS_F_SRC_NAT 0x40 /* Packet's source address/port was + mangled by NAT. */ +#define OVS_CS_F_DST_NAT 0x80 /* Packet's destination address/port + was mangled by NAT. */ + +#define OVS_CS_F_NAT_MASK (OVS_CS_F_SRC_NAT | OVS_CS_F_DST_NAT) /** * enum ovs_flow_attr - attributes for %OVS_FLOW_* commands. @@ -632,6 +638,8 @@ struct ovs_action_hash { * mask. For each bit set in the mask, the corresponding bit in the value is * copied to the connection tracking label field in the connection. * @OVS_CT_ATTR_HELPER: variable length string defining conntrack ALG. + * @OVS_CT_ATTR_NAT: Nested OVS_NAT_ATTR_* for performing L3 network address + * translation (NAT) on the packet. */ enum ovs_ct_attr { OVS_CT_ATTR_UNSPEC, @@ -641,12 +649,51 @@ enum ovs_ct_attr { OVS_CT_ATTR_LABELS, /* labels to associate with this connection. */ OVS_CT_ATTR_HELPER, /* netlink helper to assist detection of related connections. */ + OVS_CT_ATTR_NAT, /* Nested OVS_NAT_ATTR_* */ __OVS_CT_ATTR_MAX }; #define OVS_CT_ATTR_MAX (__OVS_CT_ATTR_MAX - 1) /** + * enum ovs_nat_attr - Attributes for %OVS_CT_ATTR_NAT. + * + * @OVS_NAT_ATTR_SRC: Flag for Source NAT (mangle source address/port). + * @OVS_NAT_ATTR_DST: Flag for Destination NAT (mangle destination + * address/port). Only one of (@OVS_NAT_ATTR_SRC, @OVS_NAT_ATTR_DST) may be + * specified. Effective only for packets for ct_state NEW connections. + * Packets of committed connections are mangled by the NAT action according to + * the committed NAT type regardless of the flags specified. As a corollary, a + * NAT action without a NAT type flag will only mangle packets of committed + * connections. The following NAT attributes only apply for NEW + * (non-committed) connections, and they may be included only when the CT + * action has the @OVS_CT_ATTR_COMMIT flag and either @OVS_NAT_ATTR_SRC or + * @OVS_NAT_ATTR_DST is also included. + * @OVS_NAT_ATTR_IP_MIN: struct in_addr or struct in6_addr + * @OVS_NAT_ATTR_IP_MAX: struct in_addr or struct in6_addr + * @OVS_NAT_ATTR_PROTO_MIN: u16 L4 protocol specific lower boundary (port) + * @OVS_NAT_ATTR_PROTO_MAX: u16 L4 protocol specific upper boundary (port) + * @OVS_NAT_ATTR_PERSISTENT: Flag for persistent IP mapping across reboots + * @OVS_NAT_ATTR_PROTO_HASH: Flag for pseudo random L4 port mapping (MD5) + * @OVS_NAT_ATTR_PROTO_RANDOM: Flag for fully randomized L4 port mapping + */ +enum ovs_nat_attr { + OVS_NAT_ATTR_UNSPEC, + OVS_NAT_ATTR_SRC, + OVS_NAT_ATTR_DST, + OVS_NAT_ATTR_IP_MIN, + OVS_NAT_ATTR_IP_MAX, + OVS_NAT_ATTR_PROTO_MIN, + OVS_NAT_ATTR_PROTO_MAX, + OVS_NAT_ATTR_PERSISTENT, + OVS_NAT_ATTR_PROTO_HASH, + OVS_NAT_ATTR_PROTO_RANDOM, + __OVS_NAT_ATTR_MAX, +}; + +#define OVS_NAT_ATTR_MAX (__OVS_NAT_ATTR_MAX - 1) + +/** * enum ovs_action_attr - Action types. * * @OVS_ACTION_ATTR_OUTPUT: Output packet to port. diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index ba44287..b1f18ae 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -20,6 +20,16 @@ #include <net/netfilter/nf_conntrack_zones.h> #include <net/netfilter/ipv6/nf_defrag_ipv6.h> +#ifdef CONFIG_NF_NAT_NEEDED +#include <linux/netfilter/nf_nat.h> +#include <net/netfilter/nf_nat_core.h> +#include <net/netfilter/nf_nat_l3proto.h> +#include <net/netfilter/nf_conntrack_seqadj.h> +#include <linux/sctp.h> +#include <linux/tcp.h> +#include <linux/udp.h> +#endif + #include "datapath.h" #include "conntrack.h" #include "flow.h" @@ -42,15 +52,29 @@ struct md_labels { struct ovs_key_ct_labels mask; }; +#ifdef CONFIG_NF_NAT_NEEDED +enum ovs_ct_nat { + OVS_CT_NAT = 1 << 0, /* NAT for committed connections only. */ + OVS_CT_SRC_NAT = 1 << 1, /* Source NAT for NEW connections. */ + OVS_CT_DST_NAT = 1 << 2, /* Destination NAT for NEW connections. */ +}; +#endif + /* Conntrack action context for execution. */ struct ovs_conntrack_info { struct nf_conntrack_helper *helper; struct nf_conntrack_zone zone; struct nf_conn *ct; u8 commit : 1; +#ifdef CONFIG_NF_NAT_NEEDED + u8 nat : 3; /* enum ovs_ct_nat */ +#endif u16 family; struct md_mark mark; struct md_labels labels; +#ifdef CONFIG_NF_NAT_NEEDED + struct nf_nat_range range; /* Only present for SRC NAT and DST NAT. */ +#endif }; static u16 key_to_nfproto(const struct sw_flow_key *key) @@ -135,11 +159,14 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state, ovs_ct_get_labels(ct, &key->ct.labels); } -/* Update 'key' based on skb->nfct. If 'post_ct' is true, then OVS has - * previously sent the packet to conntrack via the ct action. +/* Update 'key' based on skb->nfct. If 'post_ct' is true, then OVS has + * previously sent the packet to conntrack via the ct action. If + * 'keep_nat_flags' is true, the existing NAT flags retained, else they are + * initialized from the connection status. */ static void ovs_ct_update_key(const struct sk_buff *skb, - struct sw_flow_key *key, bool post_ct) + struct sw_flow_key *key, bool post_ct, + bool keep_nat_flags) { const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; enum ip_conntrack_info ctinfo; @@ -149,10 +176,24 @@ static void ovs_ct_update_key(const struct sk_buff *skb, ct = nf_ct_get(skb, &ctinfo); if (ct) { state = ovs_ct_get_state(ctinfo); + /* All unconfirmed entries are NEW connections. */ if (!nf_ct_is_confirmed(ct)) state |= OVS_CS_F_NEW; + /* OVS persists the related flag for the duration of the + * connection. + */ if (ct->master) state |= OVS_CS_F_RELATED; +#ifdef CONFIG_NF_NAT_NEEDED + if (keep_nat_flags) + state |= key->ct.state & OVS_CS_F_NAT_MASK; + else { + if (ct->status & IPS_SRC_NAT) + state |= OVS_CS_F_SRC_NAT; + if (ct->status & IPS_DST_NAT) + state |= OVS_CS_F_DST_NAT; + } +#endif zone = nf_ct_zone(ct); } else if (post_ct) { state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; @@ -160,9 +201,11 @@ static void ovs_ct_update_key(const struct sk_buff *skb, __ovs_ct_update_key(key, state, zone, ct); } +/* This is called to initialize CT key fields possibly coming in from the local + * stack. */ void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) { - ovs_ct_update_key(skb, key, false); + ovs_ct_update_key(skb, key, false, false); } int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb) @@ -251,6 +294,7 @@ static int ovs_ct_helper(struct sk_buff *skb, u16 proto) enum ip_conntrack_info ctinfo; unsigned int protoff; struct nf_conn *ct; + int err; ct = nf_ct_get(skb, &ctinfo); if (!ct || ctinfo == IP_CT_RELATED_REPLY) @@ -287,7 +331,20 @@ static int ovs_ct_helper(struct sk_buff *skb, u16 proto) return NF_DROP; } - return helper->help(skb, protoff, ct, ctinfo); + err = helper->help(skb, protoff, ct, ctinfo); + if (err != NF_ACCEPT) + return err; + +#ifdef CONFIG_NF_NAT_NEEDED + /* Adjust seqs after helper. This is needed due to some helpers (e.g., + * FTP with NAT) adusting the TCP payload size when mangling IP + * addresses and/or port numbers in the text-based control connection. + */ + if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) + && !nf_ct_seq_adjust(skb, ct, ctinfo, protoff)) + return NF_DROP; +#endif + return NF_ACCEPT; } /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero @@ -455,6 +512,189 @@ static bool skb_nfct_cached(struct net *net, return true; } +#ifdef CONFIG_NF_NAT_NEEDED +/* Modeled after nf_nat_ipv[46]_fn(). + * range is only used for new, uninitialized NAT state. + * Returns either NF_ACCEPT or NF_DROP. */ +static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + const struct nf_nat_range *range, + enum nf_nat_manip_type maniptype) +{ + int hooknum, nh_off, err = NF_ACCEPT; + + nh_off = skb_network_offset(skb); + skb_pull(skb, nh_off); + + /* See HOOK2MANIP(). */ + if (maniptype == NF_NAT_MANIP_SRC) + hooknum = NF_INET_LOCAL_IN; /* Source NAT */ + else + hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ + + switch (ctinfo) { + case IP_CT_RELATED: + case IP_CT_RELATED_REPLY: + if (skb->protocol == htons(ETH_P_IP) + && ip_hdr(skb)->protocol == IPPROTO_ICMP) { + if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, + hooknum)) + err = NF_DROP; + goto push; + } else if (skb->protocol == htons(ETH_P_IPV6)) { + __be16 frag_off; + u8 nexthdr = ipv6_hdr(skb)->nexthdr; + int hdrlen = ipv6_skip_exthdr(skb, + sizeof(struct ipv6hdr), + &nexthdr, &frag_off); + + if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { + if (!nf_nat_icmpv6_reply_translation(skb, ct, + ctinfo, + hooknum, + hdrlen)) + err = NF_DROP; + goto push; + } + } + /* Non-ICMP, fall thru to initialize if needed. */ + case IP_CT_NEW: + /* Seen it before? This can happen for loopback, retrans, + * or local packets. + */ + if (!nf_nat_initialized(ct, maniptype)) { + /* Initialize according to the NAT action. */ + err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) + /* Action is set up to establish a new + * mapping */ + ? nf_nat_setup_info(ct, range, maniptype) + : nf_nat_alloc_null_binding(ct, hooknum); + if (err != NF_ACCEPT) + goto push; + } + break; + + case IP_CT_ESTABLISHED: + case IP_CT_ESTABLISHED_REPLY: + break; + + default: + err = NF_DROP; + goto push; + } + + err = nf_nat_packet(ct, ctinfo, hooknum, skb); +push: + skb_push(skb, nh_off); + + return err; +} + +static void ovs_nat_update_key(struct sw_flow_key *key, + const struct sk_buff *skb, + enum nf_nat_manip_type maniptype) +{ + if (maniptype == NF_NAT_MANIP_SRC) { + __be16 src; + + key->ct.state |= OVS_CS_F_SRC_NAT; + if (key->eth.type == htons(ETH_P_IP)) + key->ipv4.addr.src = ip_hdr(skb)->saddr; + else if (key->eth.type == htons(ETH_P_IPV6)) + memcpy(&key->ipv6.addr.src, &ipv6_hdr(skb)->saddr, + sizeof(key->ipv6.addr.src)); + else + return; + + if (key->ip.proto == IPPROTO_UDP) + src = udp_hdr(skb)->source; + else if (key->ip.proto == IPPROTO_TCP) + src = tcp_hdr(skb)->source; + else if (key->ip.proto == IPPROTO_SCTP) + src = sctp_hdr(skb)->source; + else + return; + + key->tp.src = src; + } else { + __be16 dst; + + key->ct.state |= OVS_CS_F_DST_NAT; + if (key->eth.type == htons(ETH_P_IP)) + key->ipv4.addr.dst = ip_hdr(skb)->daddr; + else if (key->eth.type == htons(ETH_P_IPV6)) + memcpy(&key->ipv6.addr.dst, &ipv6_hdr(skb)->daddr, + sizeof(key->ipv6.addr.dst)); + else + return; + + if (key->ip.proto == IPPROTO_UDP) + dst = udp_hdr(skb)->dest; + else if (key->ip.proto == IPPROTO_TCP) + dst = tcp_hdr(skb)->dest; + else if (key->ip.proto == IPPROTO_SCTP) + dst = sctp_hdr(skb)->dest; + else + return; + + key->tp.dst = dst; + } +} + +/* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise. */ +static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, + const struct ovs_conntrack_info *info, + struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo) +{ + enum nf_nat_manip_type maniptype; + int err; + + if (nf_ct_is_untracked(ct)) { + /* A NAT action may only be performed on tracked packets. */ + return NF_ACCEPT; + } + + /* Add NAT extension if not confirmed yet. */ + if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) + return NF_ACCEPT; /* Can't NAT. */ + + /* Determine NAT type. + * Check if the NAT type can be deduced from the tracked connection. + * Make sure expected traffic is NATted only when commiting. + */ + if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW + && ct->status & IPS_NAT_MASK + && (!(ct->status & IPS_EXPECTED_BIT) || info->commit)) { + /* NAT an established or related connection like before. */ + if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) + /* This is the REPLY direction for a connection + * for which NAT was applied in the forward + * direction. Do the reverse NAT. + */ + maniptype = ct->status & IPS_SRC_NAT + ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; + else + maniptype = ct->status & IPS_SRC_NAT + ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; + } + else if (info->nat & OVS_CT_SRC_NAT) + maniptype = NF_NAT_MANIP_SRC; + else if (info->nat & OVS_CT_DST_NAT) + maniptype = NF_NAT_MANIP_DST; + else + return NF_ACCEPT; /* Connection is not NATed. */ + + err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype); + + /* Mark NAT done if successful and update the flow key. */ + if (err == NF_ACCEPT) + ovs_nat_update_key(key, skb, maniptype); + + return err; +} +#endif + /* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if * not done already. Update key with new CT state after passing the packet * through conntrack. @@ -495,17 +735,45 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, if (err != NF_ACCEPT) return -ENOENT; - ovs_ct_update_key(skb, key, true); + /* Clear CT state NAT flags to mark that we have not yet done + * NAT after the nf_conntrack_in() call. We can actually clear + * the whole state, as it will be re-initialized below. + */ + key->ct.state = 0; + + /* Update the key, but keep the NAT flags. */ + ovs_ct_update_key(skb, key, true, true); } - /* Call the helper right after nf_conntrack_in() for confirmed - * connections, but only when commiting for unconfirmed connections. - */ ct = nf_ct_get(skb, &ctinfo); - if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) - && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { - WARN_ONCE(1, "helper rejected packet"); - return -EINVAL; + if (ct) { +#ifdef CONFIG_NF_NAT_NEEDED + /* Packets starting a new connection must be NATted before the + * helper, so that the helper knows about the NAT. We enforce + * this by delaying both NAT and helper calls for unconfirmed + * connections until the commiting CT action. For later + * packets NAT and Helper may be called in either order. + * + * NAT will be done only if the CT action has NAT, and only + * once per packet (per zone), as guarded by the NAT bits in + * the key->ct.state. + */ + if (info->nat && !(key->ct.state & OVS_CS_F_NAT_MASK) && + (nf_ct_is_confirmed(ct) || info->commit) && + ovs_ct_nat(net, key, info, skb, ct, ctinfo) != NF_ACCEPT) { + WARN_ONCE(1, "NAT rejected packet"); + return -EINVAL; + } +#endif + /* Call the helper whenever nf_conntrack_in() was called for + * confirmed connections, but only when commiting for + * unconfirmed connections. + */ + if ((nf_ct_is_confirmed(ct) ? !cached : info->commit) + && ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; + } } return 0; @@ -529,15 +797,13 @@ static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key, if (exp) { u8 state; + /* NOTE: New connections are NATted and Helped only when + * commited, so we are not calling into NAT here. + */ state = OVS_CS_F_TRACKED | OVS_CS_F_NEW | OVS_CS_F_RELATED; __ovs_ct_update_key(key, state, &info->zone, exp->master); - } else { - int err; - - err = __ovs_ct_lookup(net, key, info, skb); - if (err) - return err; - } + } else + return __ovs_ct_lookup(net, key, info, skb); return 0; } @@ -637,6 +903,131 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return 0; } +#ifdef CONFIG_NF_NAT_NEEDED +static int parse_nat(const struct nlattr *attr, + struct ovs_conntrack_info *info, bool log) +{ + struct nlattr *a; + int rem; + bool have_ip_max = false; + bool have_proto_max = false; + bool ip_vers = (info->family == NFPROTO_IPV6); + + nla_for_each_nested(a, attr, rem) { + static const u16 ovs_nat_attr_lens[OVS_NAT_ATTR_MAX + 1][2] = { + [OVS_NAT_ATTR_SRC] = {0, 0}, + [OVS_NAT_ATTR_DST] = {0, 0}, + [OVS_NAT_ATTR_IP_MIN] = {sizeof(struct in_addr), + sizeof(struct in6_addr)}, + [OVS_NAT_ATTR_IP_MAX] = {sizeof(struct in_addr), + sizeof(struct in6_addr)}, + [OVS_NAT_ATTR_PROTO_MIN] = {sizeof(u16),sizeof(u16)}, + [OVS_NAT_ATTR_PROTO_MAX] = {sizeof(u16),sizeof(u16)}, + [OVS_NAT_ATTR_PERSISTENT] = {0, 0}, + [OVS_NAT_ATTR_PROTO_HASH] = {0, 0}, + [OVS_NAT_ATTR_PROTO_RANDOM] = {0, 0}, + }; + int type = nla_type(a); + + if (type > OVS_NAT_ATTR_MAX) { + OVS_NLERR(log, "Unknown nat attribute (type=%d, max=%d).\n", + type, OVS_NAT_ATTR_MAX); + return -EINVAL; + } + + if (ovs_nat_attr_lens[type][ip_vers] != nla_len(a)) { + OVS_NLERR(log, "NAT attribute type has unexpected " + " length (type=%d, length=%d, expected=%d).\n", + type, nla_len(a), + ovs_nat_attr_lens[type][ip_vers]); + return -EINVAL; + } + + switch (type) { + case OVS_NAT_ATTR_SRC: + case OVS_NAT_ATTR_DST: + if (info->nat) { + OVS_NLERR(log, "Only one type of NAT may be " + "specified.\n"); + return -ERANGE; + } + info->nat |= OVS_CT_NAT; + info->nat |= ((type == OVS_NAT_ATTR_SRC) + ? OVS_CT_SRC_NAT : OVS_CT_DST_NAT); + break; + + case OVS_NAT_ATTR_IP_MIN: + nla_memcpy(&info->range.min_addr, a, nla_len(a)); + info->range.flags |= NF_NAT_RANGE_MAP_IPS; + break; + + case OVS_NAT_ATTR_IP_MAX: + have_ip_max = true; + nla_memcpy(&info->range.max_addr, a, + sizeof(info->range.max_addr)); + info->range.flags |= NF_NAT_RANGE_MAP_IPS; + break; + + case OVS_NAT_ATTR_PROTO_MIN: + info->range.min_proto.all = htons(nla_get_u16(a)); + info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; + break; + + case OVS_NAT_ATTR_PROTO_MAX: + have_proto_max = true; + info->range.max_proto.all = htons(nla_get_u16(a)); + info->range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; + break; + + case OVS_NAT_ATTR_PERSISTENT: + info->range.flags |= NF_NAT_RANGE_PERSISTENT; + break; + + case OVS_NAT_ATTR_PROTO_HASH: + info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM; + break; + + case OVS_NAT_ATTR_PROTO_RANDOM: + info->range.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; + break; + + default: + OVS_NLERR(log, "Unknown nat attribute (%d).\n", type); + return -EINVAL; + } + } + + if (rem > 0) { + OVS_NLERR(log, "NAT attribute has %d unknown bytes.\n", rem); + return -EINVAL; + } + if (!info->nat) { + /* Do not allow flags if no type is given. */ + if (info->range.flags) { + OVS_NLERR(log, "NAT flags may be given only when NAT " + "range (SRC or DST) is also specified.\n"); + return -EINVAL; + } + info->nat = OVS_CT_NAT; /* NAT existing connections. */ + } else if (!info->commit) { + OVS_NLERR(log, "NAT attributes may be specified only " + "when CT COMMIT flag is also specified.\n"); + return -EINVAL; + } + /* Allow missing IP_MAX. */ + if (info->range.flags & NF_NAT_RANGE_MAP_IPS && !have_ip_max) { + memcpy(&info->range.max_addr, &info->range.min_addr, + sizeof(info->range.max_addr)); + } + /* Allow missing PROTO_MAX. */ + if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED + && !have_proto_max) { + info->range.max_proto.all = info->range.min_proto.all; + } + return 0; +} +#endif + static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = { [OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 }, [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16), @@ -646,7 +1037,11 @@ static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = { [OVS_CT_ATTR_LABELS] = { .minlen = sizeof(struct md_labels), .maxlen = sizeof(struct md_labels) }, [OVS_CT_ATTR_HELPER] = { .minlen = 1, - .maxlen = NF_CT_HELPER_NAME_LEN } + .maxlen = NF_CT_HELPER_NAME_LEN }, +#ifdef CONFIG_NF_NAT_NEEDED + /* NAT length is checked when parsing the nested attributes. */ + [OVS_CT_ATTR_NAT] = { .minlen = 0, .maxlen = SIZE_MAX }, +#endif }; static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, @@ -657,8 +1052,8 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, nla_for_each_nested(a, attr, rem) { int type = nla_type(a); - int maxlen = ovs_ct_attr_lens[type].maxlen; - int minlen = ovs_ct_attr_lens[type].minlen; + size_t maxlen = ovs_ct_attr_lens[type].maxlen; + size_t minlen = ovs_ct_attr_lens[type].minlen; if (type > OVS_CT_ATTR_MAX) { OVS_NLERR(log, @@ -668,7 +1063,7 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, } if (nla_len(a) < minlen || nla_len(a) > maxlen) { OVS_NLERR(log, - "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)", + "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%lu)", type, nla_len(a), maxlen); return -EINVAL; } @@ -713,6 +1108,14 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, return -EINVAL; } break; +#ifdef CONFIG_NF_NAT_NEEDED + case OVS_CT_ATTR_NAT: { + int err = parse_nat(a, info, log); + if (err) + return err; + break; + } +#endif default: OVS_NLERR(log, "Unknown conntrack attr (%d)", type); @@ -798,6 +1201,70 @@ err_free_ct: return err; } +#ifdef CONFIG_NF_NAT_NEEDED +static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info, + struct sk_buff *skb) +{ + struct nlattr *start; + + start = nla_nest_start(skb, OVS_CT_ATTR_NAT); + if (!start) + return false; + + if (info->nat & OVS_CT_SRC_NAT) { + if (nla_put_flag(skb, OVS_NAT_ATTR_SRC)) + return false; + } else if (info->nat & OVS_CT_DST_NAT) { + if (nla_put_flag(skb, OVS_NAT_ATTR_DST)) + return false; + } else { + goto out; + } + + if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { + if (info->family == NFPROTO_IPV4) { + if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, + info->range.min_addr.ip) || + (info->range.max_addr.ip != info->range.min_addr.ip + && (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, + info->range.max_addr.ip)))) + return false; + } else if (info->family == NFPROTO_IPV6) { + if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, + &info->range.min_addr.in6) || + (memcmp(&info->range.max_addr.in6, + &info->range.min_addr.in6, + sizeof info->range.max_addr.in6) + && (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, + &info->range.max_addr.in6)))) + return false; + } else + return false; + } + if (info->range.flags & NF_NAT_RANGE_PROTO_SPECIFIED && + (nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MIN, + ntohs(info->range.min_proto.all)) + || (info->range.max_proto.all != info->range.min_proto.all + && nla_put_u16(skb, OVS_NAT_ATTR_PROTO_MAX, + ntohs(info->range.max_proto.all))))) + return false; + + if (info->range.flags & NF_NAT_RANGE_PERSISTENT && + nla_put_flag(skb, OVS_NAT_ATTR_PERSISTENT)) + return false; + if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM && + nla_put_flag(skb, OVS_NAT_ATTR_PROTO_HASH)) + return false; + if (info->range.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY && + nla_put_flag(skb, OVS_NAT_ATTR_PROTO_RANDOM)) + return false; +out: + nla_nest_end(skb, start); + + return true; +} +#endif + int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, struct sk_buff *skb) { @@ -826,7 +1293,10 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, ct_info->helper->name)) return -EMSGSIZE; } - +#ifdef CONFIG_NF_NAT_NEEDED + if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb)) + return -EMSGSIZE; +#endif nla_nest_end(skb, start); return 0; diff --git a/net/openvswitch/conntrack.h b/net/openvswitch/conntrack.h index a7544f4..8f6230b 100644 --- a/net/openvswitch/conntrack.h +++ b/net/openvswitch/conntrack.h @@ -37,7 +37,8 @@ void ovs_ct_free_action(const struct nlattr *a); #define CT_SUPPORTED_MASK (OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED | \ OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR | \ - OVS_CS_F_INVALID | OVS_CS_F_TRACKED) + OVS_CS_F_INVALID | OVS_CS_F_TRACKED | \ + OVS_CS_F_SRC_NAT | OVS_CS_F_DST_NAT) #else #include <linux/errno.h> -- 2.1.4 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH net-next v3 8/8] openvswitch: Interface with NAT. 2015-11-26 0:08 ` [PATCH net-next v3 8/8] openvswitch: Interface with NAT Jarno Rajahalme @ 2015-11-26 2:39 ` kbuild test robot 2015-11-26 4:19 ` kbuild test robot 1 sibling, 0 replies; 17+ messages in thread From: kbuild test robot @ 2015-11-26 2:39 UTC (permalink / raw) To: Jarno Rajahalme; +Cc: kbuild-all, netdev, netfilter-devel, dev, jarno [-- Attachment #1: Type: text/plain, Size: 742 bytes --] Hi Jarno, [auto build test ERROR on net-next/master] url: https://github.com/0day-ci/linux/commits/Jarno-Rajahalme/openvswitch-NAT-support/20151126-081504 config: x86_64-randconfig-n0-11260924 (attached as .config) reproduce: # save the attached .config to linux build tree make ARCH=x86_64 All errors (new ones prefixed by >>): net/built-in.o: In function `__ovs_ct_lookup': >> conntrack.c:(.text+0x262f6a): undefined reference to `nf_nat_icmp_reply_translation' >> conntrack.c:(.text+0x26321b): undefined reference to `nf_nat_icmpv6_reply_translation' --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation [-- Attachment #2: .config.gz --] [-- Type: application/octet-stream, Size: 26415 bytes --] ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH net-next v3 8/8] openvswitch: Interface with NAT. 2015-11-26 0:08 ` [PATCH net-next v3 8/8] openvswitch: Interface with NAT Jarno Rajahalme 2015-11-26 2:39 ` kbuild test robot @ 2015-11-26 4:19 ` kbuild test robot 1 sibling, 0 replies; 17+ messages in thread From: kbuild test robot @ 2015-11-26 4:19 UTC (permalink / raw) To: Jarno Rajahalme; +Cc: kbuild-all, netdev, netfilter-devel, dev, jarno [-- Attachment #1: Type: text/plain, Size: 602 bytes --] Hi Jarno, [auto build test ERROR on net-next/master] url: https://github.com/0day-ci/linux/commits/Jarno-Rajahalme/openvswitch-NAT-support/20151126-081504 config: x86_64-randconfig-s0-11260956 (attached as .config) reproduce: # save the attached .config to linux build tree make ARCH=x86_64 All errors (new ones prefixed by >>): >> ERROR: "nf_nat_icmpv6_reply_translation" [net/openvswitch/openvswitch.ko] undefined! --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation [-- Attachment #2: .config.gz --] [-- Type: application/octet-stream, Size: 28081 bytes --] ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2015-12-04 23:45 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-26 0:08 [PATCH net-next v3 0/8] openvswitch: NAT support Jarno Rajahalme
2015-11-26 0:08 ` [PATCH net-next v3 2/8] netfilter: Factor out nf_ct_get_info() Jarno Rajahalme
2015-11-26 6:18 ` [ovs-dev] " Simon Horman
[not found] ` <1448496501-109561-1-git-send-email-jarno-LZ6Gd1LRuIk@public.gmane.org>
2015-11-26 0:08 ` [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition Jarno Rajahalme
2015-11-26 5:41 ` [ovs-dev] " Simon Horman
[not found] ` <20151126054100.GB21626-IxS8c3vjKQDk1uMJSBkQmQ@public.gmane.org>
2015-11-30 18:16 ` Jarno Rajahalme
[not found] ` <391067B3-D60E-43BC-B669-2DD45924E5D8-LZ6Gd1LRuIk@public.gmane.org>
2015-12-01 2:46 ` Jarno Rajahalme
2015-11-26 0:08 ` [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst Jarno Rajahalme
2015-12-01 20:51 ` [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst.g Pablo Neira Ayuso
2015-12-04 23:45 ` [ovs-dev] " Pravin Shelar
2015-11-26 0:08 ` [PATCH net-next v3 4/8] openvswitch: Update the CT state key only after nf_conntrack_in() Jarno Rajahalme
2015-11-26 0:08 ` [PATCH net-next v3 5/8] openvswitch: Find existing conntrack entry after upcall Jarno Rajahalme
2015-11-26 0:08 ` [PATCH net-next v3 6/8] openvswitch: Handle NF_REPEAT in conntrack action Jarno Rajahalme
2015-11-26 0:08 ` [PATCH net-next v3 7/8] openvswitch: Delay conntrack helper call for new connections Jarno Rajahalme
2015-11-26 0:08 ` [PATCH net-next v3 8/8] openvswitch: Interface with NAT Jarno Rajahalme
2015-11-26 2:39 ` kbuild test robot
2015-11-26 4:19 ` kbuild test robot
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.