* [PATCH 1/2] openvswitch: support asymmetric conntrack
@ 2019-12-03 21:34 Aaron Conole
2019-12-03 21:34 ` [PATCH 2/2] act_ct: " Aaron Conole
2019-12-05 0:32 ` [PATCH 1/2] openvswitch: " David Miller
0 siblings, 2 replies; 4+ messages in thread
From: Aaron Conole @ 2019-12-03 21:34 UTC (permalink / raw)
To: netdev
Cc: Pravin B Shelar, David S . Miller, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, dev, linux-kernel, Marcelo Leitner, Paul Blakey,
Roi Dayan, Nicolas Dichtel
The openvswitch module shares a common conntrack and NAT infrastructure
exposed via netfilter. It's possible that a packet needs both SNAT and
DNAT manipulation, due to e.g. tuple collision. Netfilter can support
this because it runs through the NAT table twice - once on ingress and
again after egress. The openvswitch module doesn't have such capability.
Like netfilter hook infrastructure, we should run through NAT twice to
keep the symmetry.
Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
NOTE: this is a repost to see if the email client issues go away.
net/openvswitch/conntrack.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index df9c80bf621d..e726159cfcfa 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -903,6 +903,17 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
}
err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);
+ if (err == NF_ACCEPT &&
+ ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+ if (maniptype == NF_NAT_MANIP_SRC)
+ maniptype = NF_NAT_MANIP_DST;
+ else
+ maniptype = NF_NAT_MANIP_SRC;
+
+ err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
+ maniptype);
+ }
+
/* Mark NAT done if successful and update the flow key. */
if (err == NF_ACCEPT)
ovs_nat_update_key(key, skb, maniptype);
--
2.21.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/2] act_ct: support asymmetric conntrack
2019-12-03 21:34 [PATCH 1/2] openvswitch: support asymmetric conntrack Aaron Conole
@ 2019-12-03 21:34 ` Aaron Conole
2019-12-05 0:33 ` David Miller
2019-12-05 0:32 ` [PATCH 1/2] openvswitch: " David Miller
1 sibling, 1 reply; 4+ messages in thread
From: Aaron Conole @ 2019-12-03 21:34 UTC (permalink / raw)
To: netdev
Cc: Pravin B Shelar, David S . Miller, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, dev, linux-kernel, Marcelo Leitner, Paul Blakey,
Roi Dayan, Nicolas Dichtel
The act_ct TC module shares a common conntrack and NAT infrastructure
exposed via netfilter. It's possible that a packet needs both SNAT and
DNAT manipulation, due to e.g. tuple collision. Netfilter can support
this because it runs through the NAT table twice - once on ingress and
again after egress. The act_ct action doesn't have such capability.
Like netfilter hook infrastructure, we should run through NAT twice to
keep the symmetry.
Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
---
NOTE: this is a repost to see if the email client issues go away.
net/sched/act_ct.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index ae0de372b1c8..bf2d69335d4b 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -329,6 +329,7 @@ static int tcf_ct_act_nat(struct sk_buff *skb,
bool commit)
{
#if IS_ENABLED(CONFIG_NF_NAT)
+ int err;
enum nf_nat_manip_type maniptype;
if (!(ct_action & TCA_CT_ACT_NAT))
@@ -359,7 +360,17 @@ static int tcf_ct_act_nat(struct sk_buff *skb,
return NF_ACCEPT;
}
- return ct_nat_execute(skb, ct, ctinfo, range, maniptype);
+ err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
+ if (err == NF_ACCEPT &&
+ ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+ if (maniptype == NF_NAT_MANIP_SRC)
+ maniptype = NF_NAT_MANIP_DST;
+ else
+ maniptype = NF_NAT_MANIP_SRC;
+
+ err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
+ }
+ return err;
#else
return NF_ACCEPT;
#endif
--
2.21.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 2/2] act_ct: support asymmetric conntrack
2019-12-03 21:34 ` [PATCH 2/2] act_ct: " Aaron Conole
@ 2019-12-05 0:33 ` David Miller
0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2019-12-05 0:33 UTC (permalink / raw)
To: aconole
Cc: netdev, pshelar, jhs, xiyou.wangcong, jiri, dev, linux-kernel,
mleitner, paulb, roid, nicolas.dichtel
From: Aaron Conole <aconole@redhat.com>
Date: Tue, 3 Dec 2019 16:34:14 -0500
> The act_ct TC module shares a common conntrack and NAT infrastructure
> exposed via netfilter. It's possible that a packet needs both SNAT and
> DNAT manipulation, due to e.g. tuple collision. Netfilter can support
> this because it runs through the NAT table twice - once on ingress and
> again after egress. The act_ct action doesn't have such capability.
>
> Like netfilter hook infrastructure, we should run through NAT twice to
> keep the symmetry.
>
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
> NOTE: this is a repost to see if the email client issues go away.
Applied and queued up for -stable.
Next time, please:
1) Provide an introductory posting ala "[PATCH net 0/N] ..." describing
what the patch series does on a high level, how it is doing it, and
why it is doing it that way.
This allows people to understand what they are about to read, and it
gives me a single mail to respon to when I apply your entire series.
2) Always clearly indicate the target GIT tree in your Subject line,
in these cases it should have been "[PATCH net N/M]"
Thank you.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] openvswitch: support asymmetric conntrack
2019-12-03 21:34 [PATCH 1/2] openvswitch: support asymmetric conntrack Aaron Conole
2019-12-03 21:34 ` [PATCH 2/2] act_ct: " Aaron Conole
@ 2019-12-05 0:32 ` David Miller
1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2019-12-05 0:32 UTC (permalink / raw)
To: aconole
Cc: netdev, pshelar, jhs, xiyou.wangcong, jiri, dev, linux-kernel,
mleitner, paulb, roid, nicolas.dichtel
From: Aaron Conole <aconole@redhat.com>
Date: Tue, 3 Dec 2019 16:34:13 -0500
> The openvswitch module shares a common conntrack and NAT infrastructure
> exposed via netfilter. It's possible that a packet needs both SNAT and
> DNAT manipulation, due to e.g. tuple collision. Netfilter can support
> this because it runs through the NAT table twice - once on ingress and
> again after egress. The openvswitch module doesn't have such capability.
>
> Like netfilter hook infrastructure, we should run through NAT twice to
> keep the symmetry.
>
> Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
> NOTE: this is a repost to see if the email client issues go away.
Applied and queued up for -stable.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-12-05 0:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-03 21:34 [PATCH 1/2] openvswitch: support asymmetric conntrack Aaron Conole
2019-12-03 21:34 ` [PATCH 2/2] act_ct: " Aaron Conole
2019-12-05 0:33 ` David Miller
2019-12-05 0:32 ` [PATCH 1/2] openvswitch: " David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).