diff options
| author | Jarno Rajahalme <jarno@ovn.org> | 2016-03-10 13:54:22 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-03-14 18:47:29 -0400 |
| commit | 28b6e0c1ace45779c60e7cefe6d469b7ecb520b8 (patch) | |
| tree | 8c5266f5b2fc2b647d47dcdb06ed65d7f9946037 /net/openvswitch | |
| parent | 5b6b929376a621e2bd3367f5de563d7123506597 (diff) | |
openvswitch: Delay conntrack helper call for new connections.
There is no need to help connections that are not confirmed, so we can
delay helping new connections to the time when they are confirmed.
This change is needed for NAT support, and having this as a separate
patch will make the following NAT patch a bit easier to review.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/openvswitch')
| -rw-r--r-- | net/openvswitch/conntrack.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 85256b312455..f718b724e650 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c | |||
| @@ -483,7 +483,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, | |||
| 483 | * actually run the packet through conntrack twice unless it's for a | 483 | * actually run the packet through conntrack twice unless it's for a |
| 484 | * different zone. | 484 | * different zone. |
| 485 | */ | 485 | */ |
| 486 | if (!skb_nfct_cached(net, key, info, skb)) { | 486 | bool cached = skb_nfct_cached(net, key, info, skb); |
| 487 | enum ip_conntrack_info ctinfo; | ||
| 488 | struct nf_conn *ct; | ||
| 489 | |||
| 490 | if (!cached) { | ||
| 487 | struct nf_conn *tmpl = info->ct; | 491 | struct nf_conn *tmpl = info->ct; |
| 488 | int err; | 492 | int err; |
| 489 | 493 | ||
| @@ -506,11 +510,18 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, | |||
| 506 | return -ENOENT; | 510 | return -ENOENT; |
| 507 | 511 | ||
| 508 | ovs_ct_update_key(skb, info, key, true); | 512 | ovs_ct_update_key(skb, info, key, true); |
| 513 | } | ||
| 509 | 514 | ||
| 510 | if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { | 515 | /* Call the helper only if: |
| 511 | WARN_ONCE(1, "helper rejected packet"); | 516 | * - nf_conntrack_in() was executed above ("!cached") for a confirmed |
| 512 | return -EINVAL; | 517 | * connection, or |
| 513 | } | 518 | * - When committing an unconfirmed connection. |
| 519 | */ | ||
| 520 | ct = nf_ct_get(skb, &ctinfo); | ||
| 521 | if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) && | ||
| 522 | ovs_ct_helper(skb, info->family) != NF_ACCEPT) { | ||
| 523 | WARN_ONCE(1, "helper rejected packet"); | ||
| 524 | return -EINVAL; | ||
| 514 | } | 525 | } |
| 515 | 526 | ||
| 516 | return 0; | 527 | return 0; |