diff options
| -rw-r--r-- | net/openvswitch/conntrack.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 85256b312455..f718b724e650 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c | |||
| @@ -483,7 +483,11 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, | |||
| 483 | * actually run the packet through conntrack twice unless it's for a | 483 | * actually run the packet through conntrack twice unless it's for a |
| 484 | * different zone. | 484 | * different zone. |
| 485 | */ | 485 | */ |
| 486 | if (!skb_nfct_cached(net, key, info, skb)) { | 486 | bool cached = skb_nfct_cached(net, key, info, skb); |
| 487 | enum ip_conntrack_info ctinfo; | ||
| 488 | struct nf_conn *ct; | ||
| 489 | |||
| 490 | if (!cached) { | ||
| 487 | struct nf_conn *tmpl = info->ct; | 491 | struct nf_conn *tmpl = info->ct; |
| 488 | int err; | 492 | int err; |
| 489 | 493 | ||
| @@ -506,11 +510,18 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, | |||
| 506 | return -ENOENT; | 510 | return -ENOENT; |
| 507 | 511 | ||
| 508 | ovs_ct_update_key(skb, info, key, true); | 512 | ovs_ct_update_key(skb, info, key, true); |
| 513 | } | ||
| 509 | 514 | ||
| 510 | if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { | 515 | /* Call the helper only if: |
| 511 | WARN_ONCE(1, "helper rejected packet"); | 516 | * - nf_conntrack_in() was executed above ("!cached") for a confirmed |
| 512 | return -EINVAL; | 517 | * connection, or |
| 513 | } | 518 | * - When committing an unconfirmed connection. |
| 519 | */ | ||
| 520 | ct = nf_ct_get(skb, &ctinfo); | ||
| 521 | if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit) && | ||
| 522 | ovs_ct_helper(skb, info->family) != NF_ACCEPT) { | ||
| 523 | WARN_ONCE(1, "helper rejected packet"); | ||
| 524 | return -EINVAL; | ||
| 514 | } | 525 | } |
| 515 | 526 | ||
| 516 | return 0; | 527 | return 0; |