From: Aaron Conole <aconole@redhat.com>
To: netdev@vger.kernel.org
Cc: Pravin B Shelar <pshelar@ovn.org>,
"David S . Miller" <davem@davemloft.net>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
dev@openvswitch.org, linux-kernel@vger.kernel.org
Subject: [PATCH net 1/2] openvswitch: support asymmetric conntrack
Date: Fri, 8 Nov 2019 16:07:13 -0500 [thread overview]
Message-ID: <20191108210714.12426-1-aconole@redhat.com> (raw)
The openvswitch module shares a common conntrack and NAT infrastructure
exposed via netfilter. It's possible that a packet needs both SNAT and
DNAT manipulation, due to e.g. tuple collision. Netfilter can support
this because it runs through the NAT table twice - once on ingress and
again after egress. The openvswitch module doesn't have such capability.
Like netfilter hook infrastructure, we should run through NAT twice to
keep the symmetry.
Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
net/openvswitch/conntrack.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 05249eb45082..283e8f9a5fd2 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -903,6 +903,17 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
}
err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);
+ if (err == NF_ACCEPT &&
+ ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+ if (maniptype == NF_NAT_MANIP_SRC)
+ maniptype = NF_NAT_MANIP_DST;
+ else
+ maniptype = NF_NAT_MANIP_SRC;
+
+ err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
+ maniptype);
+ }
+
/* Mark NAT done if successful and update the flow key. */
if (err == NF_ACCEPT)
ovs_nat_update_key(key, skb, maniptype);
--
2.21.0
next reply other threads:[~2019-11-08 21:07 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-08 21:07 Aaron Conole [this message]
2019-11-08 21:07 ` [PATCH net 2/2] act_ct: support asymmetric conntrack Aaron Conole
2019-11-14 14:22 ` Roi Dayan
2019-11-14 14:24 ` Paul Blakey
2019-11-18 21:24 ` Aaron Conole
2019-11-14 16:29 ` Marcelo Ricardo Leitner
2019-11-18 21:21 ` Aaron Conole
2019-11-18 22:40 ` Marcelo Ricardo Leitner
2019-11-22 20:39 ` Aaron Conole
2019-11-22 20:43 ` Marcelo Ricardo Leitner
2019-11-09 22:15 ` [PATCH net 1/2] openvswitch: " Pravin Shelar
2019-11-18 20:39 ` Aaron Conole
2019-11-25 15:38 ` Aaron Conole
2019-11-26 4:07 ` Pravin Shelar
2019-11-12 8:52 ` Nicolas Dichtel
2019-11-18 21:19 ` Aaron Conole
2019-11-28 8:22 ` Nicolas Dichtel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191108210714.12426-1-aconole@redhat.com \
--to=aconole@redhat.com \
--cc=davem@davemloft.net \
--cc=dev@openvswitch.org \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pshelar@ovn.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.