Message ID | 87588ad6631f7d60691fddb860e075ebebeaa5ec.1623248030.git.marcelo.leitner@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 13c62f5371e3eb4fc3400cfa26e64ca75f888008 |
Delegated to: | Netdev Maintainers |
Series | [net] net/sched: act_ct: handle DNAT tuple collision |

Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for net |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | fail | 2 blamed authors not CCed: davem@davemloft.net aconole@redhat.com; 5 maintainers not CCed: jiri@resnulli.us aconole@redhat.com xiyou.wangcong@gmail.com davem@davemloft.net kuba@kernel.org |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | warning | WARNING: Possible repeated word: 'This' |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
netdev/header_inline | success | Link |
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Wed, 9 Jun 2021 11:23:56 -0300 you wrote:
> This is the counterpart of 8aa7b526dc0b ("openvswitch: handle DNAT
> tuple collision") for act_ct. From that commit changelog:
>
> """
> With multiple DNAT rules it's possible that after destination
> translation the resulting tuples collide.
>
> [...]

Here is the summary with links:
  - [net] net/sched: act_ct: handle DNAT tuple collision
    https://git.kernel.org/netdev/net/c/13c62f5371e3

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 18edd9ad1410947c0464341cf601b87bf7a7a6ff..a656baa321fe1686ac8f87f8a35819f067f65869 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -904,14 +904,19 @@ static int tcf_ct_act_nat(struct sk_buff *skb, } err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); - if (err == NF_ACCEPT && - ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { - if (maniptype == NF_NAT_MANIP_SRC) - maniptype = NF_NAT_MANIP_DST; - else - maniptype = NF_NAT_MANIP_SRC; - - err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); + if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { + if (ct->status & IPS_SRC_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ct_nat_execute(skb, ct, ctinfo, range, + maniptype); + } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { + err = ct_nat_execute(skb, ct, ctinfo, NULL, + NF_NAT_MANIP_SRC); + } } return err; #else
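
Review bot: The new `else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)` branch calls ct_nat_execute() with a NULL range and a hard-coded NF_NAT_MANIP_SRC but carries no comment, so the reason for it (a null SNAT binding for original-direction packets when only DNAT is set, as the changelog explains) can only be learned from the commit message; a short comment above that call would keep it from reading like a mistake. It is also worth confirming that ct_nat_execute() accepts range == NULL on every path reachable from here, since its body is outside this hunk. As a style point, the conditions mix && with an unparenthesized &, as in `err == NF_ACCEPT && ct->status & IPS_DST_NAT`; writing `(ct->status & IPS_DST_NAT)` makes the precedence explicit.
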
This is the counterpart of 8aa7b526dc0b ("openvswitch: handle DNAT
tuple collision") for act_ct. From that commit changelog:

"""
With multiple DNAT rules it's possible that after destination
translation the resulting tuples collide.

...

Netfilter handles this case by allocating a null binding for SNAT at
egress by default. Perform the same operation in openvswitch for DNAT
if no explicit SNAT is requested by the user and allocate a null binding
for SNAT for packets in the "original" direction.
"""

Fixes: 95219afbb980 ("act_ct: support asymmetric conntrack")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
---
I have a tdc test for this but I'll submit it to net-next once this
one gets accepted. It requires some changes to tdc itself.

 net/sched/act_ct.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
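
The collision the quoted changelog describes, as an added example (a simplified user-space model written for this page, not kernel code and not part of the patch): two flows from one client socket to different addresses are DNATed to the same backend, so their reply tuples are identical and the second cannot be confirmed unless a null SNAT binding remaps its source port. The addresses, ports, function names and the next-free-port selection are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model, not kernel code: only reply-direction tuples are tracked. */
struct tuple { uint32_t src, dst; uint16_t sport, dport; };
static struct tuple replies[16];    /* reply tuples of confirmed flows */
static int n_ct;

static int used(const struct tuple *t)
{
    for (int i = 0; i < n_ct; i++)
        if (replies[i].src == t->src && replies[i].dst == t->dst &&
            replies[i].sport == t->sport && replies[i].dport == t->dport)
            return 1;
    return 0;
}

/* DNAT one new flow to backend:bport (replacing orig.dst) and confirm it.
 * null_snat models the null SNAT binding: if the reply tuple is taken,
 * remap the source port. Returns the source port used, or -1 on failure. */
static int dnat_and_confirm(struct tuple orig, uint32_t backend,
                            uint16_t bport, int null_snat)
{
    struct tuple reply = { backend, orig.src, bport, orig.sport };
    while (used(&reply)) {
        if (!null_snat || reply.dport == 65535)
            return -1;      /* tuple collision: flow cannot be confirmed */
        reply.dport++;      /* assumption: take the next free port */
    }
    if (n_ct == 16)
        return -1;
    replies[n_ct++] = reply;
    return reply.dport;
}

/* Constructed scenario: one client socket, two VIPs, one DNAT target. */
static int second_flow_port(int null_snat)
{
    struct tuple a = { 0x0a000001, 0xc0000201, 40000, 80 }; /* 10.0.0.1 -> 192.0.2.1 */
    struct tuple b = { 0x0a000001, 0xc0000202, 40000, 80 }; /* 10.0.0.1 -> 192.0.2.2 */
    n_ct = 0;
    dnat_and_confirm(a, 0x0a000063, 8080, null_snat);       /* to 10.0.0.99:8080 */
    return dnat_and_confirm(b, 0x0a000063, 8080, null_snat);
}

int main(void)
{
    printf("second flow without/with null SNAT: %d / %d\n",
           second_flow_port(0), second_flow_port(1));
    return 0;
}
```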