diff options
| author | Yi-Hung Wei <yihung.wei@gmail.com> | 2019-08-22 16:17:50 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-08-25 17:48:43 -0400 |
| commit | 7177895154e6a35179d332f4a584d396c50d0612 (patch) | |
| tree | 552f64a6dab75559a550915e0326fba2bd510bb8 /net/openvswitch | |
| parent | 803f3e22ae10003a83c781498c0ac34cfe3463ff (diff) | |
openvswitch: Fix conntrack cache with timeout
This patch addresses a conntrack cache issue with timeout policy.
Currently, we do not check if the timeout extension is set properly in the
cached conntrack entry. Thus, after packet recirculate from conntrack
action, the timeout policy is not applied properly. This patch fixes the
aforementioned issue.
Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/openvswitch')
| -rw-r--r-- | net/openvswitch/conntrack.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index a1852e035ebb..d8da6477d6be 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c | |||
| @@ -67,6 +67,7 @@ struct ovs_conntrack_info { | |||
| 67 | struct md_mark mark; | 67 | struct md_mark mark; |
| 68 | struct md_labels labels; | 68 | struct md_labels labels; |
| 69 | char timeout[CTNL_TIMEOUT_NAME_MAX]; | 69 | char timeout[CTNL_TIMEOUT_NAME_MAX]; |
| 70 | struct nf_ct_timeout *nf_ct_timeout; | ||
| 70 | #if IS_ENABLED(CONFIG_NF_NAT) | 71 | #if IS_ENABLED(CONFIG_NF_NAT) |
| 71 | struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */ | 72 | struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */ |
| 72 | #endif | 73 | #endif |
| @@ -697,6 +698,14 @@ static bool skb_nfct_cached(struct net *net, | |||
| 697 | if (help && rcu_access_pointer(help->helper) != info->helper) | 698 | if (help && rcu_access_pointer(help->helper) != info->helper) |
| 698 | return false; | 699 | return false; |
| 699 | } | 700 | } |
| 701 | if (info->nf_ct_timeout) { | ||
| 702 | struct nf_conn_timeout *timeout_ext; | ||
| 703 | |||
| 704 | timeout_ext = nf_ct_timeout_find(ct); | ||
| 705 | if (!timeout_ext || info->nf_ct_timeout != | ||
| 706 | rcu_dereference(timeout_ext->timeout)) | ||
| 707 | return false; | ||
| 708 | } | ||
| 700 | /* Force conntrack entry direction to the current packet? */ | 709 | /* Force conntrack entry direction to the current packet? */ |
| 701 | if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { | 710 | if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { |
| 702 | /* Delete the conntrack entry if confirmed, else just release | 711 | /* Delete the conntrack entry if confirmed, else just release |
| @@ -1657,6 +1666,10 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, | |||
| 1657 | ct_info.timeout)) | 1666 | ct_info.timeout)) |
| 1658 | pr_info_ratelimited("Failed to associated timeout " | 1667 | pr_info_ratelimited("Failed to associated timeout " |
| 1659 | "policy `%s'\n", ct_info.timeout); | 1668 | "policy `%s'\n", ct_info.timeout); |
| 1669 | else | ||
| 1670 | ct_info.nf_ct_timeout = rcu_dereference( | ||
| 1671 | nf_ct_timeout_find(ct_info.ct)->timeout); | ||
| 1672 | |||
| 1660 | } | 1673 | } |
| 1661 | 1674 | ||
| 1662 | if (helper) { | 1675 | if (helper) { |