author | Jarno Rajahalme <jarno@ovn.org> | 2016-03-10 13:54:18 -0500 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-03-14 18:47:27 -0400 |
commit | 9f13ded8d3c715147c4759f937cfb712c185ca13 (patch) | |
tree | af0dd87e45676f8037fab80a2d93753047207f50 | |
parent | 264619055bd52bc2278af848472176642d759874 (diff) |
openvswitch: Add commentary to conntrack.c
This makes the code easier to understand and the following patches
more focused.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/openvswitch/conntrack.c | 21 |
1 files changed, 20 insertions, 1 deletions
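--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -152,8 +152,12 @@ static void ovs_ct_update_key(const struct sk_buff *skb,
 ct = nf_ct_get(skb, &ctinfo);
 if (ct) {
 state = ovs_ct_get_state(ctinfo);
+/* All unconfirmed entries are NEW connections. */
 if (!nf_ct_is_confirmed(ct))
 state |= OVS_CS_F_NEW;
+/* OVS persists the related flag for the duration of the
+ * connection.
+ */
 if (ct->master)
 state |= OVS_CS_F_RELATED;
 zone = nf_ct_zone(ct);
@@ -165,6 +169,9 @@ static void ovs_ct_update_key(const struct sk_buff *skb,
 __ovs_ct_update_key(key, state, zone, ct);
 }
 
+/* This is called to initialize CT key fields possibly coming in from the local
+ * stack.
+ */
 void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
 {
 ovs_ct_update_key(skb, NULL, key, false);
@@ -199,7 +206,6 @@ static int ovs_ct_set_mark(struct sk_buff *skb, struct sw_flow_key *key,
 struct nf_conn *ct;
 u32 new_mark;
 
-
 /* The connection could be invalid, in which case set_mark is no-op. */
 ct = nf_ct_get(skb, &ctinfo);
 if (!ct)
@@ -375,6 +381,11 @@ static bool skb_nfct_cached(const struct net *net, const struct sk_buff *skb,
 return true;
 }
 
+/* Pass 'skb' through conntrack in 'net', using zone configured in 'info', if
+ * not done already. Update key with new CT state.
+ * Note that if the packet is deemed invalid by conntrack, skb->nfct will be
+ * set to NULL and 0 will be returned.
+ */
 static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
 const struct ovs_conntrack_info *info,
 struct sk_buff *skb)
@@ -418,6 +429,13 @@ static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
 {
 struct nf_conntrack_expect *exp;
 
+/* If we pass an expected packet through nf_conntrack_in() the
+ * expectation is typically removed, but the packet could still be
+ * lost in upcall processing. To prevent this from happening we
+ * perform an explicit expectation lookup. Expected connections are
+ * always new, and will be passed through conntrack only when they are
+ * committed, as it is OK to remove the expectation at that time.
+ */
 exp = ovs_ct_expect_find(net, &info->zone, info->family, skb);
 if (exp) {
 u8 state;
@@ -455,6 +473,7 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
 err = __ovs_ct_lookup(net, key, info, skb);
 if (err)
 return err;
+/* This is a no-op if the connection has already been confirmed. */
 if (nf_conntrack_confirm(skb) != NF_ACCEPT)
 return -EINVAL;
 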
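Review bot: The new header comment on __ovs_ct_lookup (lines 384-388 on the new side) spells out only the invalid-packet outcome, where skb->nfct is cleared and 0 is returned, but says nothing about the non-zero path even though the last hunk shows ovs_ct_commit propagating that value unchanged as `err`. A reader of the commit therefore cannot tell from the comment that an invalid packet and a successful lookup are indistinguishable by return value and must be told apart through skb->nfct or the updated key. Extending the comment with a line such as `* Returns 0 on success (including the invalid-packet case above) or a negative errno on failure.` would make the contract explicit at the point callers rely on it. The body of __ovs_ct_lookup lies outside the hunk, so the exact set of error codes it can return cannot be confirmed from this page.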