Commit dd41d33f authored by Jarno Rajahalme's avatar Jarno Rajahalme Committed by David S. Miller

openvswitch: Add force commit.

Stateful network admission policy may allow connections to one
direction and reject connections initiated in the other direction.
After policy change it is possible that for a new connection an
overlapping conntrack entry already exists, where the original
direction of the existing connection is opposed to the new
connection's initial packet.

Most importantly, conntrack state relating to the current packet gets
the "reply" designation based on whether the original direction tuple
or the reply direction tuple matched.  If this "directionality" is
wrong with respect to the stateful network admission policy it may happen
that packets in neither direction are correctly admitted.

This patch adds a new "force commit" option to the OVS conntrack
action that checks the original direction of an existing conntrack
entry.  If that direction is opposed to the current packet, the
existing conntrack entry is deleted and a new one is subsequently
created in the correct direction.
Signed-off-by: default avatarJarno Rajahalme <jarno@ovn.org>
Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
Acked-by: default avatarJoe Stringer <joe@ovn.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9dd7f890
...@@ -674,6 +674,10 @@ struct ovs_action_hash { ...@@ -674,6 +674,10 @@ struct ovs_action_hash {
* @OVS_CT_ATTR_HELPER: variable length string defining conntrack ALG. * @OVS_CT_ATTR_HELPER: variable length string defining conntrack ALG.
* @OVS_CT_ATTR_NAT: Nested OVS_NAT_ATTR_* for performing L3 network address * @OVS_CT_ATTR_NAT: Nested OVS_NAT_ATTR_* for performing L3 network address
* translation (NAT) on the packet. * translation (NAT) on the packet.
* @OVS_CT_ATTR_FORCE_COMMIT: Like %OVS_CT_ATTR_COMMIT, but instead of doing
* nothing if the connection is already committed will check that the current
* packet is in conntrack entry's original direction. If directionality does
* not match, will delete the existing conntrack entry and commit a new one.
*/ */
enum ovs_ct_attr { enum ovs_ct_attr {
OVS_CT_ATTR_UNSPEC, OVS_CT_ATTR_UNSPEC,
...@@ -684,6 +688,7 @@ enum ovs_ct_attr { ...@@ -684,6 +688,7 @@ enum ovs_ct_attr {
OVS_CT_ATTR_HELPER, /* netlink helper to assist detection of OVS_CT_ATTR_HELPER, /* netlink helper to assist detection of
related connections. */ related connections. */
OVS_CT_ATTR_NAT, /* Nested OVS_NAT_ATTR_* */ OVS_CT_ATTR_NAT, /* Nested OVS_NAT_ATTR_* */
OVS_CT_ATTR_FORCE_COMMIT, /* No argument */
__OVS_CT_ATTR_MAX __OVS_CT_ATTR_MAX
}; };
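Review bot: The new kernel-doc for %OVS_CT_ATTR_FORCE_COMMIT does not say that the flag implies a commit on its own, which is what the parser appears to do (the parse_ct hunk sets info->force and falls through to set info->commit) and what ovs_ct_action_to_attr relies on when it serializes only one of the two flags. I would extend the comment with `Implies %OVS_CT_ATTR_COMMIT, so userspace need not pass both; an action given both attributes is serialized back as %OVS_CT_ATTR_FORCE_COMMIT only.` The behaviour for both attributes together is inferred from the visible hunks; parse_ct's body lies mostly outside the diff, so confirm it does not reject the combination before documenting it.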
...@@ -65,6 +65,7 @@ struct ovs_conntrack_info { ...@@ -65,6 +65,7 @@ struct ovs_conntrack_info {
struct nf_conn *ct; struct nf_conn *ct;
u8 commit : 1; u8 commit : 1;
u8 nat : 3; /* enum ovs_ct_nat */ u8 nat : 3; /* enum ovs_ct_nat */
u8 force : 1;
u16 family; u16 family;
struct md_mark mark; struct md_mark mark;
struct md_labels labels; struct md_labels labels;
...@@ -613,10 +614,13 @@ static bool skb_nfct_cached(struct net *net, ...@@ -613,10 +614,13 @@ static bool skb_nfct_cached(struct net *net,
*/ */
if (!ct && key->ct.state & OVS_CS_F_TRACKED && if (!ct && key->ct.state & OVS_CS_F_TRACKED &&
!(key->ct.state & OVS_CS_F_INVALID) && !(key->ct.state & OVS_CS_F_INVALID) &&
key->ct.zone == info->zone.id) key->ct.zone == info->zone.id) {
ct = ovs_ct_find_existing(net, &info->zone, info->family, skb, ct = ovs_ct_find_existing(net, &info->zone, info->family, skb,
!!(key->ct.state !!(key->ct.state
& OVS_CS_F_NAT_MASK)); & OVS_CS_F_NAT_MASK));
if (ct)
nf_ct_get(skb, &ctinfo);
}
if (!ct) if (!ct)
return false; return false;
if (!net_eq(net, read_pnet(&ct->ct_net))) if (!net_eq(net, read_pnet(&ct->ct_net)))
...@@ -630,6 +634,18 @@ static bool skb_nfct_cached(struct net *net, ...@@ -630,6 +634,18 @@ static bool skb_nfct_cached(struct net *net,
if (help && rcu_access_pointer(help->helper) != info->helper) if (help && rcu_access_pointer(help->helper) != info->helper)
return false; return false;
} }
/* Force conntrack entry direction to the current packet? */
if (info->force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
/* Delete the conntrack entry if confirmed, else just release
* the reference.
*/
if (nf_ct_is_confirmed(ct))
nf_ct_delete(ct, 0, 0);
else
nf_conntrack_put(&ct->ct_general);
nf_ct_set(skb, NULL, 0);
return false;
}
return true; return true;
} }
...@@ -1207,6 +1223,7 @@ static int parse_nat(const struct nlattr *attr, ...@@ -1207,6 +1223,7 @@ static int parse_nat(const struct nlattr *attr,
static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = { static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = {
[OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 }, [OVS_CT_ATTR_COMMIT] = { .minlen = 0, .maxlen = 0 },
[OVS_CT_ATTR_FORCE_COMMIT] = { .minlen = 0, .maxlen = 0 },
[OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16), [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16),
.maxlen = sizeof(u16) }, .maxlen = sizeof(u16) },
[OVS_CT_ATTR_MARK] = { .minlen = sizeof(struct md_mark), [OVS_CT_ATTR_MARK] = { .minlen = sizeof(struct md_mark),
...@@ -1246,6 +1263,9 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, ...@@ -1246,6 +1263,9 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
} }
switch (type) { switch (type) {
case OVS_CT_ATTR_FORCE_COMMIT:
info->force = true;
/* fall through. */
case OVS_CT_ATTR_COMMIT: case OVS_CT_ATTR_COMMIT:
info->commit = true; info->commit = true;
break; break;
...@@ -1472,7 +1492,9 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, ...@@ -1472,7 +1492,9 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info,
if (!start) if (!start)
return -EMSGSIZE; return -EMSGSIZE;
if (ct_info->commit && nla_put_flag(skb, OVS_CT_ATTR_COMMIT)) if (ct_info->commit && nla_put_flag(skb, ct_info->force
? OVS_CT_ATTR_FORCE_COMMIT
: OVS_CT_ATTR_COMMIT))
return -EMSGSIZE; return -EMSGSIZE;
if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) && if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id)) nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id))
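Review bot: The new force branch in skb_nfct_cached (the `@@ -630,6 +634,18 @@` hunk) clears the skb's conntrack pointer with `nf_ct_set(skb, NULL, 0)` but releases the reference itself only on the unconfirmed path, so on the confirmed path correctness depends on `nf_ct_delete()` consuming the reference the skb held. As far as I recall, nf_ct_delete() returns false without a put when the entry is already marked dying, and defers the put to the event-cache worker when the destroy event cannot be delivered, so this ownership hand-off deserves to be confirmed against the conntrack core rather than left implicit. At minimum I would state the assumption next to the call: `/* nf_ct_delete() takes over the reference skb held on ct; confirm this holds on every return path. */`. skb_nfct_cached begins outside the hunk, so the initial ctinfo read is not visible here; the `nf_ct_get(skb, &ctinfo)` added in the earlier hunk only covers the ovs_ct_find_existing() path.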