Re: [PATCH net 1/1] net: openvswitch: Fix ct_state nat flags for conns arriving from tc

From: Paul Blakey <paulb@nvidia.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: <dev@openvswitch.org>, <netdev@vger.kernel.org>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Jamal Hadi Salim <jhs@mojatatu.com>,
	"Pravin B Shelar" <pshelar@ovn.org>, <davem@davemloft.net>,
	Jiri Pirko <jiri@nvidia.com>, Saeed Mahameed <saeedm@nvidia.com>,
	Oz Shlomo <ozsh@nvidia.com>, Vlad Buslov <vladbu@nvidia.com>,
	Roi Dayan <roid@nvidia.com>
Subject: Re: [PATCH net 1/1] net: openvswitch: Fix ct_state nat flags for conns arriving from tc
Date: Wed, 5 Jan 2022 10:29:32 +0200	[thread overview]
Message-ID: <3fd43dfd-f44b-5afc-83c6-d3c9ae7d1a30@nvidia.com> (raw)
In-Reply-To: <20220104100835.57e51cb0@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net>

On Tue, 4 Jan 2022, Jakub Kicinski wrote:

> On Tue, 4 Jan 2022 10:28:21 +0200 Paul Blakey wrote:
> > Netfilter conntrack maintains NAT flags per connection indicating
> > whether NAT was configured for the connection. Openvswitch maintains
> > NAT flags on the per packet flow key ct_state field, indicating
> > whether NAT was actually executed on the packet.
> > 
> > When a packet misses from tc to ovs the conntrack NAT flags are set.
> > However, NAT was not necessarily executed on the packet because the
> > connection's state might still be in NEW state. As such, openvswitch wrongly
> > assumes that NAT was executed and sets an incorrect flow key NAT flags.
> > 
> > Fix this, by flagging to openvswitch which NAT was actually done in
> > act_ct via tc_skb_ext and tc_skb_cb to the openvswitch module, so
> > the packet flow key NAT flags will be correctly set.
> 
> Fixes ?

I wasn't sure which patches to blame, I guess the bug was there from the
introduction of action ct in tc, so I'll blame that. 

> 
> > Signed-off-by: Paul Blakey <paulb@nvidia.com>
> 
> > diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > index 4507d77d6941..bab45a009310 100644
> > --- a/include/linux/skbuff.h
> > +++ b/include/linux/skbuff.h
> > @@ -287,7 +287,9 @@ struct tc_skb_ext {
> >  	__u32 chain;
> >  	__u16 mru;
> >  	__u16 zone;
> > -	bool post_ct;
> > +	bool post_ct:1;
> > +	bool post_ct_snat:1;
> > +	bool post_ct_dnat:1;
> 
> single bit bool variables seem weird, use a unsigned int type, like u8.
> 
> >  };
> >  #endif
> >  
> > diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
> > index 9e71691c491b..a171dfa91910 100644
> > --- a/include/net/pkt_sched.h
> > +++ b/include/net/pkt_sched.h
> > @@ -197,7 +197,9 @@ struct tc_skb_cb {
> >  	struct qdisc_skb_cb qdisc_cb;
> >  
> >  	u16 mru;
> > -	bool post_ct;
> > +	bool post_ct: 1;
> 
> extra space

Will remove, and send v2.

> 
> > +	bool post_ct_snat:1;
> > +	bool post_ct_dnat:1;
> >  	u16 zone; /* Only valid if post_ct = true */
> >  };
> 