* [PATCH net] openvswitch: Fix conntrack cache with timeout
@ 2019-08-22 0:14 Yi-Hung Wei
2019-08-22 18:11 ` kbuild test robot
0 siblings, 1 reply; 3+ messages in thread
From: Yi-Hung Wei @ 2019-08-22 0:14 UTC (permalink / raw)
To: netdev, pshelar; +Cc: Yi-Hung Wei
This patch addresses a conntrack cache issue with timeout policy.
Currently, we do not check if the timeout extension is set properly in the
cached conntrack entry. Thus, after packet recirculate from conntrack
action, the timeout policy is not applied properly. This patch fixes the
aforementioned issue.
Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action")
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
net/openvswitch/conntrack.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 848c6eb55064..45498fcf540d 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -67,6 +67,7 @@ struct ovs_conntrack_info {
struct md_mark mark;
struct md_labels labels;
char timeout[CTNL_TIMEOUT_NAME_MAX];
+ struct nf_ct_timeout *nf_ct_timeout;
#if IS_ENABLED(CONFIG_NF_NAT)
struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */
#endif
@@ -697,6 +698,14 @@ static bool skb_nfct_cached(struct net *net,
if (help && rcu_access_pointer(help->helper) != info->helper)
return false;
}
+ if (info->nf_ct_timeout) {
+ struct nf_conn_timeout *timeout_ext;
+
+ timeout_ext = nf_ct_timeout_find(ct);
+ if (!timeout_ext ||
+ info->nf_ct_timeout != timeout_ext->timeout)
+ return false;
+ }
/* Force conntrack entry direction to the current packet? */
if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
/* Delete the conntrack entry if confirmed, else just release
@@ -1657,6 +1666,10 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
ct_info.timeout))
pr_info_ratelimited("Failed to associated timeout "
"policy `%s'\n", ct_info.timeout);
+ else
+ ct_info.nf_ct_timeout =
+ nf_ct_timeout_find(ct_info.ct)->timeout;
+
}
if (helper) {
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] openvswitch: Fix conntrack cache with timeout
2019-08-22 0:14 [PATCH net] openvswitch: Fix conntrack cache with timeout Yi-Hung Wei
@ 2019-08-22 18:11 ` kbuild test robot
2019-08-22 18:32 ` Yi-Hung Wei
0 siblings, 1 reply; 3+ messages in thread
From: kbuild test robot @ 2019-08-22 18:11 UTC (permalink / raw)
To: Yi-Hung Wei; +Cc: kbuild-all, netdev, pshelar, Yi-Hung Wei
Hi Yi-Hung,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on net/master]
url: https://github.com/0day-ci/linux/commits/Yi-Hung-Wei/openvswitch-Fix-conntrack-cache-with-timeout/20190822-212539
reproduce:
# apt-get install sparse
# sparse version: v0.6.1-rc1-7-g2b96cd8-dirty
make ARCH=x86_64 allmodconfig
make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
include/linux/sched.h:609:43: sparse: sparse: bad integer constant expression
include/linux/sched.h:609:73: sparse: sparse: invalid named zero-width bitfield `value'
include/linux/sched.h:610:43: sparse: sparse: bad integer constant expression
include/linux/sched.h:610:67: sparse: sparse: invalid named zero-width bitfield `bucket_id'
>> net/openvswitch/conntrack.c:706:41: sparse: sparse: incompatible types in comparison expression (different address spaces):
>> net/openvswitch/conntrack.c:706:41: sparse: struct nf_ct_timeout *
>> net/openvswitch/conntrack.c:706:41: sparse: struct nf_ct_timeout [noderef] <asn:4> *
vim +706 net/openvswitch/conntrack.c
670
671 /* Determine whether skb->_nfct is equal to the result of conntrack lookup. */
672 static bool skb_nfct_cached(struct net *net,
673 const struct sw_flow_key *key,
674 const struct ovs_conntrack_info *info,
675 struct sk_buff *skb)
676 {
677 enum ip_conntrack_info ctinfo;
678 struct nf_conn *ct;
679 bool ct_executed = true;
680
681 ct = nf_ct_get(skb, &ctinfo);
682 if (!ct)
683 ct = ovs_ct_executed(net, key, info, skb, &ct_executed);
684
685 if (ct)
686 nf_ct_get(skb, &ctinfo);
687 else
688 return false;
689
690 if (!net_eq(net, read_pnet(&ct->ct_net)))
691 return false;
692 if (!nf_ct_zone_equal_any(info->ct, nf_ct_zone(ct)))
693 return false;
694 if (info->helper) {
695 struct nf_conn_help *help;
696
697 help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER);
698 if (help && rcu_access_pointer(help->helper) != info->helper)
699 return false;
700 }
701 if (info->nf_ct_timeout) {
702 struct nf_conn_timeout *timeout_ext;
703
704 timeout_ext = nf_ct_timeout_find(ct);
705 if (!timeout_ext ||
> 706 info->nf_ct_timeout != timeout_ext->timeout)
707 return false;
708 }
709 /* Force conntrack entry direction to the current packet? */
710 if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
711 /* Delete the conntrack entry if confirmed, else just release
712 * the reference.
713 */
714 if (nf_ct_is_confirmed(ct))
715 nf_ct_delete(ct, 0, 0);
716
717 nf_conntrack_put(&ct->ct_general);
718 nf_ct_set(skb, NULL, 0);
719 return false;
720 }
721
722 return ct_executed;
723 }
724
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] openvswitch: Fix conntrack cache with timeout
2019-08-22 18:11 ` kbuild test robot
@ 2019-08-22 18:32 ` Yi-Hung Wei
0 siblings, 0 replies; 3+ messages in thread
From: Yi-Hung Wei @ 2019-08-22 18:32 UTC (permalink / raw)
To: kbuild test robot
Cc: kbuild-all, Linux Kernel Network Developers, Pravin Shelar
On Thu, Aug 22, 2019 at 11:12 AM kbuild test robot <lkp@intel.com> wrote:
>
> Hi Yi-Hung,
>
> Thank you for the patch! Perhaps something to improve:
>
> [auto build test WARNING on net/master]
>
> url: https://github.com/0day-ci/linux/commits/Yi-Hung-Wei/openvswitch-Fix-conntrack-cache-with-timeout/20190822-212539
> reproduce:
> # apt-get install sparse
> # sparse version: v0.6.1-rc1-7-g2b96cd8-dirty
> make ARCH=x86_64 allmodconfig
> make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
>
> If you fix the issue, kindly add following tag
> Reported-by: kbuild test robot <lkp@intel.com>
>
>
> sparse warnings: (new ones prefixed by >>)
>
> include/linux/sched.h:609:43: sparse: sparse: bad integer constant expression
> include/linux/sched.h:609:73: sparse: sparse: invalid named zero-width bitfield `value'
> include/linux/sched.h:610:43: sparse: sparse: bad integer constant expression
> include/linux/sched.h:610:67: sparse: sparse: invalid named zero-width bitfield `bucket_id'
> >> net/openvswitch/conntrack.c:706:41: sparse: sparse: incompatible types in comparison expression (different address spaces):
> >> net/openvswitch/conntrack.c:706:41: sparse: struct nf_ct_timeout *
> >> net/openvswitch/conntrack.c:706:41: sparse: struct nf_ct_timeout [noderef] <asn:4> *
My v1 does not take care of the rcu pointer properly. I will fix the
reported issue and send v2.
Thanks,
-Yi-Hung
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-08-22 18:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-22 0:14 [PATCH net] openvswitch: Fix conntrack cache with timeout Yi-Hung Wei
2019-08-22 18:11 ` kbuild test robot
2019-08-22 18:32 ` Yi-Hung Wei
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).