[PATCH net] openvswitch: fix drop over mtu packet after defrag in act_ct

[PATCH net] openvswitch: fix drop over mtu packet after defrag in act_ct

[wenxu]

From: wenxu <wenxu@ucloud.cn>

When openvswitch conntrack offload with act_ct action. Fragment packets
defrag in the ingress tc act_ct action and miss the next chain. Then the
packet pass to the openvswitch datapath without the mru. The defrag over
mtu packet will be dropped in output of openvswitch for over mtu.

"kernel: net2: dropped over-mtu packet: 1508 > 1500"

Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 include/linux/skbuff.h    | 1 +
 include/net/sch_generic.h | 1 +
 net/openvswitch/flow.c    | 1 +
 net/sched/act_ct.c        | 8 ++++++--
 net/sched/cls_api.c       | 1 +
 5 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 0c0377f..0d842d6 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -283,6 +283,7 @@ struct nf_bridge_info {
  */
 struct tc_skb_ext {
 	__u32 chain;
+	__u16 mru;
 };
 #endif
 
diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
index c510b03..45401d5 100644
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -384,6 +384,7 @@ struct qdisc_skb_cb {
 	};
 #define QDISC_CB_PRIV_LEN 20
 	unsigned char		data[QDISC_CB_PRIV_LEN];
+	u16			mru;
 };
 
 typedef void tcf_chain_head_change_t(struct tcf_proto *tp_head, void *priv);
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 9d375e7..03942c3 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -890,6 +890,7 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info,
 	if (static_branch_unlikely(&tc_recirc_sharing_support)) {
 		tc_ext = skb_ext_find(skb, TC_SKB_EXT);
 		key->recirc_id = tc_ext ? tc_ext->chain : 0;
+		OVS_CB(skb)->mru = tc_ext ? tc_ext->mru : 0;
 	} else {
 		key->recirc_id = 0;
 	}
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 5928efb..69445ab 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -706,8 +706,10 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
 		if (err && err != -EINPROGRESS)
 			goto out_free;
 
-		if (!err)
+		if (!err) {
 			*defrag = true;
+			cb.mru = IPCB(skb)->frag_max_size;
+		}
 	} else { /* NFPROTO_IPV6 */
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 		enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone;
@@ -717,8 +719,10 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
 		if (err && err != -EINPROGRESS)
 			goto out_free;
 
-		if (!err)
+		if (!err) {
 			*defrag = true;
+			cb.mru = IP6CB(skb)->frag_max_size;
+		}
 #else
 		err = -EOPNOTSUPP;
 		goto out_free;
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index e62beec..a4d9eaa 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1628,6 +1628,7 @@ int tcf_classify_ingress(struct sk_buff *skb,
 		if (WARN_ON_ONCE(!ext))
 			return TC_ACT_SHOT;
 		ext->chain = last_executed_chain;
+		ext->mru = qdisc_skb_cb(skb)->mru;
 	}
 
 	return ret;
-- 
1.8.3.1

Re: [PATCH net] openvswitch: fix drop over mtu packet after defrag in act_ct

[David Miller]

From: wenxu@ucloud.cn
Date: Tue, 21 Jul 2020 11:09:52 +0800

> From: wenxu <wenxu@ucloud.cn>
> 
> When openvswitch conntrack offload with act_ct action. Fragment packets
> defrag in the ingress tc act_ct action and miss the next chain. Then the
> packet pass to the openvswitch datapath without the mru. The defrag over
> mtu packet will be dropped in output of openvswitch for over mtu.
> 
> "kernel: net2: dropped over-mtu packet: 1508 > 1500"
> 
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
> Signed-off-by: wenxu <wenxu@ucloud.cn>

Just FYI, I'm not applying this without some review.

Re: [PATCH net] openvswitch: fix drop over mtu packet after defrag in act_ct

[wenxu]

Hi paulb & Pravin,


Could you review for this patch> Thanks.


BR

wenxu

On 7/21/2020 11:09 AM, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> When openvswitch conntrack offload with act_ct action. Fragment packets
> defrag in the ingress tc act_ct action and miss the next chain. Then the
> packet pass to the openvswitch datapath without the mru. The defrag over
> mtu packet will be dropped in output of openvswitch for over mtu.
>
> "kernel: net2: dropped over-mtu packet: 1508 > 1500"
>
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
>  include/linux/skbuff.h    | 1 +
>  include/net/sch_generic.h | 1 +
>  net/openvswitch/flow.c    | 1 +
>  net/sched/act_ct.c        | 8 ++++++--
>  net/sched/cls_api.c       | 1 +
>  5 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index 0c0377f..0d842d6 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -283,6 +283,7 @@ struct nf_bridge_info {
>   */
>  struct tc_skb_ext {
>  	__u32 chain;
> +	__u16 mru;
>  };
>  #endif
>  
> diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
> index c510b03..45401d5 100644
> --- a/include/net/sch_generic.h
> +++ b/include/net/sch_generic.h
> @@ -384,6 +384,7 @@ struct qdisc_skb_cb {
>  	};
>  #define QDISC_CB_PRIV_LEN 20
>  	unsigned char		data[QDISC_CB_PRIV_LEN];
> +	u16			mru;
>  };
>  
>  typedef void tcf_chain_head_change_t(struct tcf_proto *tp_head, void *priv);
> diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
> index 9d375e7..03942c3 100644
> --- a/net/openvswitch/flow.c
> +++ b/net/openvswitch/flow.c
> @@ -890,6 +890,7 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info,
>  	if (static_branch_unlikely(&tc_recirc_sharing_support)) {
>  		tc_ext = skb_ext_find(skb, TC_SKB_EXT);
>  		key->recirc_id = tc_ext ? tc_ext->chain : 0;
> +		OVS_CB(skb)->mru = tc_ext ? tc_ext->mru : 0;
>  	} else {
>  		key->recirc_id = 0;
>  	}
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index 5928efb..69445ab 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -706,8 +706,10 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
>  		if (err && err != -EINPROGRESS)
>  			goto out_free;
>  
> -		if (!err)
> +		if (!err) {
>  			*defrag = true;
> +			cb.mru = IPCB(skb)->frag_max_size;
> +		}
>  	} else { /* NFPROTO_IPV6 */
>  #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
>  		enum ip6_defrag_users user = IP6_DEFRAG_CONNTRACK_IN + zone;
> @@ -717,8 +719,10 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
>  		if (err && err != -EINPROGRESS)
>  			goto out_free;
>  
> -		if (!err)
> +		if (!err) {
>  			*defrag = true;
> +			cb.mru = IP6CB(skb)->frag_max_size;
> +		}
>  #else
>  		err = -EOPNOTSUPP;
>  		goto out_free;
> diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
> index e62beec..a4d9eaa 100644
> --- a/net/sched/cls_api.c
> +++ b/net/sched/cls_api.c
> @@ -1628,6 +1628,7 @@ int tcf_classify_ingress(struct sk_buff *skb,
>  		if (WARN_ON_ONCE(!ext))
>  			return TC_ACT_SHOT;
>  		ext->chain = last_executed_chain;
> +		ext->mru = qdisc_skb_cb(skb)->mru;
>  	}
>  
>  	return ret;

Re: [PATCH net] openvswitch: fix drop over mtu packet after defrag in act_ct

[David Miller]

From: wenxu@ucloud.cn
Date: Tue, 21 Jul 2020 11:09:52 +0800

> From: wenxu <wenxu@ucloud.cn>
> 
> When openvswitch conntrack offload with act_ct action. Fragment packets
> defrag in the ingress tc act_ct action and miss the next chain. Then the
> packet pass to the openvswitch datapath without the mru. The defrag over
> mtu packet will be dropped in output of openvswitch for over mtu.
> 
> "kernel: net2: dropped over-mtu packet: 1508 > 1500"
> 
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
> Signed-off-by: wenxu <wenxu@ucloud.cn>

After an entire week, nobody has reviewed this patch.

Therefore I am dropping it from my patchwork queue.