From patchwork Tue Nov 15 15:50:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13043908 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 194C1C4332F for ; Tue, 15 Nov 2022 15:51:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238390AbiKOPvY (ORCPT ); Tue, 15 Nov 2022 10:51:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47810 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238464AbiKOPvF (ORCPT ); Tue, 15 Nov 2022 10:51:05 -0500 Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C29210565 for ; Tue, 15 Nov 2022 07:51:01 -0800 (PST) Received: by mail-qk1-x731.google.com with SMTP id z17so9712581qki.11 for ; Tue, 15 Nov 2022 07:51:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eNsIsgsiY9aSMzVAbHWx1gLoq3RWmANOWSvcUJFgLio=; b=V5bGokaeY96ku5yT5KwbgGIJNgAdpcRvS1vP5sS9YcOAhrxKhWP3fD2skwmoxsEsQ9 Ey7pbZWXXjTVzGfQoqE7Bbqd+OYp4X1+A1yC8AJNXo0fNP4ZbXYv4WybkNbrjh7wrWp7 VuCSjhnvVMtO/MGfRuFnmQzt7LlogqiGBt9uTIKgPScZWG0uUdGFgoTgJ5Y5XYxFqDAp sH1apzJPd2vfOFWqC/oR21WMf4GPtPb6M6S/Srg3V0hSkjt3EHswjyzAiRqAfbB9cA7w RFvdGEJpXB8sUsS8QNclK3slSlF57SphONWyvafFr9T/4ae84C5ObPuGkfhu6n1pxJId HGWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eNsIsgsiY9aSMzVAbHWx1gLoq3RWmANOWSvcUJFgLio=; b=XaLzMOSkiaRQ+sirbEWJxzFIAhYE+UiIdNlotexSp2AxZZbY0iSx497qDChqa3augb gvdlqiUl79G9h0xraezh27qr3F1GChA2bR/3NuYR2+DcB0wXukPKVMWxjW7D0J/W57wF nqrG88vvICD8iA5BgqUOQ4bGELPO5eA6uEkkgwrirrsVHZcjUvGhdB1cbVt9UYaEZFL7 5DHBhRjndBUqhd+QFAWs0iBbZ9ebfygmpmGnNDNhc0BPSMc5lMJZPD1dfGMT4h6Bzf6T lzMmE2OCEtrLGIAQd3hr3J6POyDpbSl3HCVXQOTc6fyvUCLIYD6qeNMxTrnA0l5oO5hG cKvw== X-Gm-Message-State: ANoB5pmLmtW7B/RBzXkmhT6d+obo5oJCWrWZRPWP+NjE1ZXuYODc6SD4 eImyySbBawHh/o6VajpIgR5c8dM1dIycog== X-Google-Smtp-Source: AA0mqf6yKbEBsHzn++92ogZNpe2DZX8s5dZ4raBdgFp6L7ZK2QUAsVTMK1pyI/YqCcY+VTXpaaSJ9Q== X-Received: by 2002:a05:620a:1f9:b0:6fa:2240:7c02 with SMTP id x25-20020a05620a01f900b006fa22407c02mr16211292qkn.561.1668527460065; Tue, 15 Nov 2022 07:51:00 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id f9-20020a05620a280900b006eeb3165554sm8244351qkp.19.2022.11.15.07.50.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 07:50:59 -0800 (PST) 
From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Eelco Chaudron , Aaron Conole Subject: [PATCH net-next 1/5] openvswitch: delete the unncessary skb_pull_rcsum call in ovs_ct_nat_execute Date: Tue, 15 Nov 2022 10:50:53 -0500 Message-Id: <83692c116f1d5d5ee03ce8386b32cced78c9a022.1668527318.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org The calls to ovs_ct_nat_execute() are as below: ovs_ct_execute() ovs_ct_lookup() __ovs_ct_lookup() ovs_ct_nat() ovs_ct_nat_execute() ovs_ct_commit() __ovs_ct_lookup() ovs_ct_nat() ovs_ct_nat_execute() and since skb_pull_rcsum() and skb_push_rcsum() are already called in ovs_ct_execute(), there's no need to do it again in ovs_ct_nat_execute(). Signed-off-by: Xin Long Acked-by: Aaron Conole --- net/openvswitch/conntrack.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 4348321856af..4c5e5a6475af 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -735,10 +735,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, const struct nf_nat_range2 *range, enum nf_nat_manip_type maniptype, struct sw_flow_key *key) { - int hooknum, nh_off, err = NF_ACCEPT; - - nh_off = skb_network_offset(skb); - skb_pull_rcsum(skb, nh_off); + int hooknum, err = NF_ACCEPT; /* See HOOK2MANIP(). */ if (maniptype == NF_NAT_MANIP_SRC) 
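Review bot: With the skb_pull_rcsum() call removed from the top of ovs_ct_nat_execute(), the function now silently relies on its caller having already pulled skb->data to the network header, and nothing left in the function says so; a one-line precondition above the `int hooknum, err = NF_ACCEPT;` declaration would make it explicit, e.g. `/* Caller (ovs_ct_execute()) has already pulled skb->data to the network header and restores it afterwards. */`. The same applies to the removed skb_push_rcsum() at the old `push:` label in the later @@ -798 hunk, where the restore is now the caller's job. The rest of the function body lies outside this hunk.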
@@ -755,7 +752,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, hooknum)) err = NF_DROP; - goto push; + goto out; } else if (IS_ENABLED(CONFIG_IPV6) && skb->protocol == htons(ETH_P_IPV6)) { __be16 frag_off; @@ -770,7 +767,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, hooknum, hdrlen)) err = NF_DROP; - goto push; + goto out; } } /* Non-ICMP, fall thru to initialize if needed. */ @@ -788,7 +785,7 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, ? nf_nat_setup_info(ct, range, maniptype) : nf_nat_alloc_null_binding(ct, hooknum); if (err != NF_ACCEPT) - goto push; + goto out; } break; 
@@ -798,13 +795,11 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, default: err = NF_DROP; - goto push; + goto out; } err = nf_nat_packet(ct, ctinfo, hooknum, skb); -push: - skb_push_rcsum(skb, nh_off); - +out: /* Update the flow key if NAT successful. */ if (err == NF_ACCEPT) ovs_nat_update_key(key, skb, maniptype); From patchwork Tue Nov 15 15:50:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13043909 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 165D2C433FE for ; Tue, 15 Nov 2022 15:51:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238464AbiKOPv1 (ORCPT ); Tue, 15 Nov 2022 10:51:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47730 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238341AbiKOPvG (ORCPT ); Tue, 15 Nov 2022 10:51:06 -0500 Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 75501FD2E for ; Tue, 15 Nov 2022 07:51:02 -0800 (PST) Received: by mail-qk1-x733.google.com with SMTP id g10so9728461qkl.6 for ; Tue, 15 Nov 2022 07:51:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=wUi86z/NVTiwGRNW4R1ZL+vB4OqCDoTZN1oi8dFBlq0=; b=USNF4UViS4+Lov7Xx71uuMZ+PULGJPQcjy93/io/jtiIvtLeytN5g9G82pwJ7GMa6c D+RYmc80solR0qPnz2zLq4LX0h/HXCFr+Mjmdw7MlHEnoR+vSUVK68JVroY6eGG+MN6O 
VRBZSo3dfGX5Xh4192e20LuDDiu35p+Nk03iw4dY7deSrgZ4tFNeLTh/LUv2W8y15JDf CgcQc+yvlgP9ptwU6doGRvek0Wl9rFmHC9YXRDciru3Z/z/DQsbEDsgq1i3nf5vSnGLY G60Z4ck4wvgsWzLa47tiD9GyhG98BtuDkOGtoLBITe4SLexDrIEjsCE2evNrL4acLUmv mrNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wUi86z/NVTiwGRNW4R1ZL+vB4OqCDoTZN1oi8dFBlq0=; b=j3KbZAPxM0bdOOE+Guf46+p67NdqeDH+Zn5lNf3+RXVEVTo3QLXRGznJmIl2nTVpUP dtqLyCvcLsMSeHvadHB2x7DKbIyMPDk+vqseGGLFUkB5j01W62idZdwz/u7P3rzSqzjS GKJ/gCqQbQ+RMVnQz7FLxiBVpEpL9TUyKimFe3rplcR2RegL7s6FtzEH4wFCINkXCYfM TLMomGJW0ftsvmsFSUzDdPo3Cc+NzI9WsnO95uGqNrD0odlUIUtQOciN4cqdUOQI0glF WyXDJ149hXB4FHnQr73IF0vyCqZ0KTEIhBvcrt/vlGul39UeAzVfH8jaWK7ci+ClzqY2 NFIA== X-Gm-Message-State: ANoB5plBwNWXFNyl44XLJ112iIcHEis8yVWjfcn8oPsmIbOE/bJlxOxr dUtRvPyARr+Ng27oCJl+LlLVZxnIyWsalA== X-Google-Smtp-Source: AA0mqf7mqjVDS/u8xeXKRpBMx/Yz7LA7T+iAG/N4zZaBnd9tPU/NcJpQC4Q9D4VcdYp5vL0FLihJjg== X-Received: by 2002:a05:620a:1d51:b0:6ee:d622:5f28 with SMTP id dm17-20020a05620a1d5100b006eed6225f28mr14874910qkb.682.1668527461200; Tue, 15 Nov 2022 07:51:01 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id f9-20020a05620a280900b006eeb3165554sm8244351qkp.19.2022.11.15.07.51.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 07:51:00 -0800 (PST) 
From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Eelco Chaudron , Aaron Conole Subject: [PATCH net-next 2/5] openvswitch: return NF_ACCEPT when OVS_CT_NAT is net set in info nat Date: Tue, 15 Nov 2022 10:50:54 -0500 Message-Id: <8c17d8ea9547254180031510a3160fcd97ac945f.1668527318.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Either OVS_CT_SRC_NAT or OVS_CT_DST_NAT is set, OVS_CT_NAT must be set in info->nat. Thus, if OVS_CT_NAT is not set in info->nat, it will definitely not do NAT but returns NF_ACCEPT in ovs_ct_nat(). This patch changes nothing funcational but only makes this return earlier in ovs_ct_nat() to keep consistent with TC's processing in tcf_ct_act_nat(). Signed-off-by: Xin Long Acked-by: Aaron Conole --- net/openvswitch/conntrack.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 4c5e5a6475af..cc643a556ea1 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -816,6 +816,9 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, enum nf_nat_manip_type maniptype; int err; + if (!(info->nat & OVS_CT_NAT)) + return NF_ACCEPT; + /* Add NAT extension if not confirmed yet. */ if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) return NF_ACCEPT; /* Can't NAT. */ 
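Review bot: The new early return sits above the nf_ct_nat_ext_add() call, so an unconfirmed connection that reaches ovs_ct_nat() with OVS_CT_NAT clear no longer gets its NAT extension added before NF_ACCEPT is returned, whereas the old code (visible in the @@ -825 hunk) added the extension first and checked the flag only afterwards; the commit message's claim that nothing functional changes therefore holds only if that extension is not needed, or the path is unreachable, in that case. It would help to state that in the commit message or on the new check, e.g. `/* No NAT requested at all: nothing to set up, not even the nat ext. */`. Whether ovs_ct_nat() can in fact be called without OVS_CT_NAT set is not visible in this hunk.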
@@ -825,8 +828,7 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, * Make sure new expected connections (IP_CT_RELATED) are NATted only * when committing. */ - if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && - ct->status & IPS_NAT_MASK && + if (ctinfo != IP_CT_NEW && ct->status & IPS_NAT_MASK && (ctinfo != IP_CT_RELATED || info->commit)) { /* NAT an established or related connection like before. */ if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) From patchwork Tue Nov 15 15:50:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13043911 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 52794C4332F for ; Tue, 15 Nov 2022 15:51:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238560AbiKOPvb (ORCPT ); Tue, 15 Nov 2022 10:51:31 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47646 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238402AbiKOPvG (ORCPT ); Tue, 15 Nov 2022 10:51:06 -0500 Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 901CBFCF9 for ; Tue, 15 Nov 2022 07:51:03 -0800 (PST) Received: by mail-qk1-x736.google.com with SMTP id d7so7339346qkk.3 for ; Tue, 15 Nov 2022 07:51:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0/dJp6pSaSk5bNOXFhDmrwekhhFvo9MHRRYBq5+AfmM=; b=jt6QXj5gwR3opj8iee51o11UD97ecuRcHdt1YVE15Jpx160A3ZSASTH6NrMfkkFn3p 
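Review bot: The rewritten condition leaves `ct->status & IPS_NAT_MASK` unparenthesized between two `&&` operands, while the TC counterpart in tcf_ct_act_nat() (the @@ -994 hunk of patch 3/5) writes `(ct->status & IPS_NAT_MASK)`; since this series is about keeping the two paths in step, matching the parenthesized form here reads better and spares the next reader the precedence double-take, i.e. `if (ctinfo != IP_CT_NEW && (ct->status & IPS_NAT_MASK) &&`. The expression is correct as written because `&` binds tighter than `&&`. The rest of ovs_ct_nat() is outside this hunk.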
kj/N9ZWBQJZdQAPuFBnGVfY2/v3lxE8XwSdzdRzAN57eAetqjGyoKqIu0vBjI5AWTbsT onUfX160n2vGu1QfJ+gBRZCPNq/a9kmhIjW9L+LOXkJuZNWF2c4MN+Q/Da2/o1MzGMax djJLnr80TdPYDLs0VcWfXRYm84y00YyLEB3rD6N3PsxNd4dMjFCbCtxf3n6GTyxJYvuW J36F+O8L2eSBQD/7SbZD4OjxSXBmY0eSn014H3ssubqIQSGMkwqSglEYELhCetI/I0bb WMrw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0/dJp6pSaSk5bNOXFhDmrwekhhFvo9MHRRYBq5+AfmM=; b=gZ0chv/rJTC329uIVppkGADSJRtMpVB2B0dw7sAglwx+o8NpgIWmJ7byP/mexQGmXR bcIv9SRoXxU9mk2UFTwaUphrsJ5/PY9Igs70xC6FCVlLmw/Wo87NyWvj6iNiAna1GU6r wwndrgXJHg2akf6K1FXAGKyIOKta7kidCIw1L1kI+CbrbPNi82wYP5WBin3/qjWCrio0 HsgUGDiqJV0IHxxXOKbyjb/w4u6hNNYApdxjZ0H193UIn9xF2xvLUMem+foD//Oovaf6 9MLY6V4GwLGwJzlRZHmPz6skgiYfxfKppp/m73Oeg5WZizQiJjUtvo9czj9O2igU4ta2 XgKQ== X-Gm-Message-State: ANoB5pnYyqHxoR49JekKMY4CvxC/4SK8bHs4WGjdrNHwcEKuJqw9rUhq 8YZ/rKt+QCcs9CY33w3S7VM2fxvZS0/bDA== X-Google-Smtp-Source: AA0mqf6YdHh8yeXMotR7DG+Ykw1OGaZLc/1j79CbtfIR7//DUjUq6QTa2bOZrEW0znhAbcFoTpLCYw== X-Received: by 2002:a05:620a:11a9:b0:6fa:1c1:26de with SMTP id c9-20020a05620a11a900b006fa01c126demr16005941qkk.511.1668527462520; Tue, 15 Nov 2022 07:51:02 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id f9-20020a05620a280900b006eeb3165554sm8244351qkp.19.2022.11.15.07.51.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 07:51:02 -0800 (PST) 
From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Eelco Chaudron , Aaron Conole Subject: [PATCH net-next 3/5] net: sched: return NF_ACCEPT when fails to add nat ext in tcf_ct_act_nat Date: Tue, 15 Nov 2022 10:50:55 -0500 Message-Id: <236f51919c3f1a8322a88ec0e9d4e179a70658ce.1668527318.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org This patch changes to return NF_ACCEPT when fails to add nat ext before doing NAT in tcf_ct_act_nat(), to keep consistent with OVS' processing in ovs_ct_nat(). Signed-off-by: Xin Long --- net/sched/act_ct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index da0b7f665277..8869b3ef6642 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
@@ -994,7 +994,7 @@ static int tcf_ct_act_nat(struct sk_buff *skb, /* Add NAT extension if not confirmed yet. */ if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) - return NF_DROP; /* Can't NAT. */ + return NF_ACCEPT; /* Can't NAT. */ if (ctinfo != IP_CT_NEW && (ct->status & IPS_NAT_MASK) && (ctinfo != IP_CT_RELATED || commit)) { From patchwork Tue Nov 15 15:50:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13043910 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A7CDC43217 for ; Tue, 15 Nov 2022 15:51:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238549AbiKOPv2 (ORCPT ); Tue, 15 Nov 2022 10:51:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47824 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238407AbiKOPvG (ORCPT ); Tue, 15 Nov 2022 10:51:06 -0500 Received: from mail-qv1-xf2f.google.com (mail-qv1-xf2f.google.com [IPv6:2607:f8b0:4864:20::f2f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D32E010CF for ; Tue, 15 Nov 2022 07:51:04 -0800 (PST) Received: by mail-qv1-xf2f.google.com with SMTP id ml12so10079142qvb.0 for ; Tue, 15 Nov 2022 07:51:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ftc4nyJPCQ5yv+ESZ/mwBO5w+pMaoMwclsSo3pRBP2Y=; b=LZeJCsribPeANSan0QrIQkXsX8a85sRH9RttUv/apw8/i3bKAi/BDMLN7FWXZ6v3B2 0d8kpMCBR0GNLt7zWyIOy9UBAxSS2iY6QRnxYUcpnKUbmwJdrKkSTsaANF7bUW97FKgI ZMDlJ3Dz1lGjpk43xxJMrozSSRkxP66VCWy2crmQwrnxB2O8N9wK8tJWBx28idLcXFDU 
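Review bot: Switching the nf_ct_nat_ext_add() failure path from NF_DROP to NF_ACCEPT turns an allocation failure into fail-open: a packet the action was configured to translate now continues through the datapath untranslated, and the commit message justifies the change only by consistency with ovs_ct_nat(). If that trade-off is intended it should be stated in the commit message, and the comment on the changed line should say more than `/* Can't NAT. */`, e.g. `return NF_ACCEPT; /* Can't allocate the nat ext; pass the packet on untranslated. */`. Whether anything downstream (for instance the post_ct_snat/post_ct_dnat flags touched in patch 4/5) notices that no translation happened is not visible here; the rest of tcf_ct_act_nat() lies outside this hunk.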
UEvYmeJ/z365uCV8avlQHSSoAj+WAKjL/TkZS/3LXAf0LNywgnTikxxhNBjE0YB15ckQ kDjkrk3qEzRj17fEQBhqsuLHQn5R/GKv/pkrohzffVKVZTkVJ4urN6LK1sw8Qvxwo6Yi Jj3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ftc4nyJPCQ5yv+ESZ/mwBO5w+pMaoMwclsSo3pRBP2Y=; b=K+lEMhjU3W4ZeWslrFSJE12kIAUx7bciMUEf5LFac43+eG/rxsV5hnwKcpvlWowiNm QpdvQ1EmHGeVanXroEblse+wp3Fgi81I1HI0c5yhUi9pvWMXcir4lugOPF7qj+FNvQfz gY99Gp5lt44QMA57PrbkTC0j5xYPDXbDYbg4jRIhaytUxOC/pDF86qeHUQiTVfQhyAcZ wlAh3BMHaX6wg8tZ2LynESD/CzvPaQuJsXzyGZEi25Uz/N+AaMTyr9m6si+ORbB1F+Bt OSpgGmwswomQsaLQlRSjLASsRu8CVMf6cN8XON/gXg+3I/1LjOhn/dlxI5ixd2FOIZbB aW5w== X-Gm-Message-State: ANoB5pkS3IscVOT6Z1AzjHVHnQ8A3ZNlm/AQnniut4FYbQ+o3DREdhqv mpMOLnna8U93muGH0JIOOqfKyOvR4JDu2w== X-Google-Smtp-Source: AA0mqf4F41TxPxZha+8HTIZ0VpHGrvr6vK6P6wwwfHyc3Ye/ieD3L3CGapqz8NZYPhV1qr24BPNHSA== X-Received: by 2002:a0c:fb07:0:b0:4b9:a12:1286 with SMTP id c7-20020a0cfb07000000b004b90a121286mr17256971qvp.50.1668527463678; Tue, 15 Nov 2022 07:51:03 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id f9-20020a05620a280900b006eeb3165554sm8244351qkp.19.2022.11.15.07.51.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 07:51:03 -0800 (PST) 
From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Eelco Chaudron , Aaron Conole Subject: [PATCH net-next 4/5] net: sched: update the nat flag for icmp error packets in ct_nat_execute Date: Tue, 15 Nov 2022 10:50:56 -0500 Message-Id: <6d407551f0a1bb96a273299dbc2cd2657c160c82.1668527318.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org In ovs_ct_nat_execute(), the packet flow key nat flags are updated when it processes ICMP(v6) error packets translation successfully. In ct_nat_execute() when processing ICMP(v6) error packets translation successfully, it should have done the same in ct_nat_execute() to set post_ct_s/dnat flag, which will be used to update flow key nat flags in OVS module later. Signed-off-by: Xin Long --- net/sched/act_ct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 8869b3ef6642..c7782c9a6ab6 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
@@ -936,13 +936,13 @@ static int ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, } err = nf_nat_packet(ct, ctinfo, hooknum, skb); +out: if (err == NF_ACCEPT) { if (maniptype == NF_NAT_MANIP_SRC) tc_skb_cb(skb)->post_ct_snat = 1; if (maniptype == NF_NAT_MANIP_DST) tc_skb_cb(skb)->post_ct_dnat = 1; } -out: return err; } #endif /* CONFIG_NF_NAT */ From patchwork Tue Nov 15 15:50:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13043912 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC27FC433FE for ; Tue, 15 Nov 2022 15:51:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238477AbiKOPvd (ORCPT ); Tue, 15 Nov 2022 10:51:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238442AbiKOPvI (ORCPT ); Tue, 15 Nov 2022 10:51:08 -0500 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 40AFD15A1F for ; Tue, 15 Nov 2022 07:51:06 -0800 (PST) Received: by mail-qt1-x82a.google.com with SMTP id l15so8941502qtv.4 for ; Tue, 15 Nov 2022 07:51:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=b3dkVw0I5iUbZi1oywiEHid0jq8CFq7Ygr+f7x7bi8E=; b=LDEKyj5KAKzXzLzb81y4qRlEo8+o5s6dJph0hC24hDAjpf7W/RbqS9263M9HdhzD6A QuHdwptdhzEwmXgu6x19edHRPCKDFlhJRPPl0CLx0kfbsQutN9qu7miNd28TtHM7JIve 
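Review bot: Moving `out:` above the `if (err == NF_ACCEPT)` block makes every early exit in ct_nat_execute() pass through the post_ct_snat/post_ct_dnat update, not only the successful ICMP(v6) reply-translation paths the commit message describes; that is harmless because the flags are set only when err is NF_ACCEPT, but nothing at the label explains why the jump target moved, so it is easy to "tidy" back. A short comment would pin it, e.g. `out:	/* Reached from the ICMP(v6) error paths too; they must set the flags as well. */`. The `goto out` sites themselves are above this hunk.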
1bWVAfPNoZhmuCo7OntZv41wXOpK3JxI2zaPmdJyNuPKqBxspeVaDF8o1l2N227mqAiq 67mkP7ZKMh16aCDGQJ9frkSowTKhYOw1gkHQlhqKS204hvPh42DxP/FJ4nG/ymHrk3fH JWJxqRa2c7RuKntr2h4iaZjc3bf/D1IyFEeF+xcj4PmWNSGf++E4iMB9yEaFE/h84Xxd MZvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=b3dkVw0I5iUbZi1oywiEHid0jq8CFq7Ygr+f7x7bi8E=; b=rYQQ7+Qy8aECkHspDjCGaxE9LscrZcrX8KPqi76HLPQ4tfk55zP7tYDZC1Ulr6s0Mm CIEIBIDlk57GEHbGLoy9e7cF9t0wJ5VnCKtcETrcW3kkuNdw86K6H+/jo/e3GvfNIxWQ T3XNsFI323O9bIHNEZ7pZCSdPvN3GTJzZVC9APe5E+6pJsiT7VL4GzZSDjp8HdgKJKmq eSEYHTP0qlXzAC9udQWaH+3n+hrqQUMIMXUVWkurhsMI8s+Dsm3r2tXiHADCanIrEfiv v/u6ipHkFhW0HvnwodU1+rCe9QaW4RDvuhQJ1GfNcF5d9ZgQ03PUTacuj0rMchZ9OVsN IY7w== X-Gm-Message-State: ANoB5pm3Xw5kITbFhy7YgJnA8QP2qy1NvoKONoEhZHSooYixrKLDCpcw x2SbMs/+ejYEIjs8ZIfbWPeiiyUntWkRtw== X-Google-Smtp-Source: AA0mqf5+tQSHJPh8UY4Z+RFrriAsU4i6GYlalZEKBeuYcElIboW7QYRmh9F9LzDstoGBiFo7myLHKA== X-Received: by 2002:ac8:4790:0:b0:3a5:30df:1f50 with SMTP id k16-20020ac84790000000b003a530df1f50mr16914511qtq.682.1668527465018; Tue, 15 Nov 2022 07:51:05 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id f9-20020a05620a280900b006eeb3165554sm8244351qkp.19.2022.11.15.07.51.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 07:51:04 -0800 (PST) 
From: Xin Long To: network dev , dev@openvswitch.org Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Pravin B Shelar , Jamal Hadi Salim , Cong Wang , Jiri Pirko , Pablo Neira Ayuso , Florian Westphal , Marcelo Ricardo Leitner , Davide Caratti , Eelco Chaudron , Aaron Conole Subject: [PATCH net-next 5/5] net: move the nat function to nf_nat_core for ovs and tc Date: Tue, 15 Nov 2022 10:50:57 -0500 Message-Id: <488fbfa082eb8a0ab81622a7c13c26b6fd8a0602.1668527318.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org There are two nat functions are nearly the same in both OVS and TC code, (ovs_)ct_nat_execute() and ovs_ct_nat/tcf_ct_act_nat(). This patch is to move them to netfilter nf_nat_core and export nf_ct_nat() so that it can be shared by both OVS and TC, and keep the nat (type) check and nat flag update in OVS and TC's own place, as these parts are different between OVS and TC. Note that in OVS nat function it was using skb->protocol to get the proto as it already skips vlans in key_extract(), while it doesn't in TC, and TC has to call skb_protocol() to get proto. So in nf_ct_nat_execute(), we keep using skb_protocol() which works for both OVS and TC. Signed-off-by: Xin Long --- include/net/netfilter/nf_nat.h | 4 + net/netfilter/nf_nat_core.c | 131 +++++++++++++++++++++++++++++++ net/openvswitch/conntrack.c | 137 +++------------------------------ net/sched/act_ct.c | 136 +++----------------------------- 4 files changed, 156 insertions(+), 252 deletions(-) diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h index e9eb01e99d2f..9877f064548a 100644 --- a/include/net/netfilter/nf_nat.h +++ b/include/net/netfilter/nf_nat.h 
@@ -104,6 +104,10 @@ unsigned int nf_nat_inet_fn(void *priv, struct sk_buff *skb, const struct nf_hook_state *state); +int nf_ct_nat(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int *action, + const struct nf_nat_range2 *range, bool commit); + static inline int nf_nat_initialized(const struct nf_conn *ct, enum nf_nat_manip_type manip) { diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index e29e4ccb5c5a..1c72b8caa24e 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c 
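Review bot: The new nf_ct_nat() prototype takes `int *action` as an in/out parameter — a bitmask of requested manip types on entry, the manip types actually applied on return, per the nf_nat_core.c hunk of this patch — yet the header carries no comment for it, so an exported symbol shared by two subsystems has no documented contract. A kernel-doc block above the prototype describing each parameter, the `1 << NF_NAT_MANIP_*` encoding of *action, that `range` is consulted only for new, uninitialized NAT state, and the NF_ACCEPT/NF_DROP return would fix that. It should presumably also state that skb->data must already point at the network header, since the implementation reads ip_hdr()/ipv6_hdr() directly; confirm against both callers.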
@@ -784,6 +784,137 @@ nf_nat_inet_fn(void *priv, struct sk_buff *skb, } EXPORT_SYMBOL_GPL(nf_nat_inet_fn); +/* Modelled after nf_nat_ipv[46]_fn(). + * range is only used for new, uninitialized NAT state. + * Returns either NF_ACCEPT or NF_DROP. + */ +static int nf_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int *action, + const struct nf_nat_range2 *range, + enum nf_nat_manip_type maniptype) +{ + __be16 proto = skb_protocol(skb, true); + int hooknum, err = NF_ACCEPT; + + /* See HOOK2MANIP(). */ + if (maniptype == NF_NAT_MANIP_SRC) + hooknum = NF_INET_LOCAL_IN; /* Source NAT */ + else + hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ + + switch (ctinfo) { + case IP_CT_RELATED: + case IP_CT_RELATED_REPLY: + if (proto == htons(ETH_P_IP) && + ip_hdr(skb)->protocol == IPPROTO_ICMP) { + if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, + hooknum)) + err = NF_DROP; + goto out; + } else if (IS_ENABLED(CONFIG_IPV6) && proto == htons(ETH_P_IPV6)) { + __be16 frag_off; + u8 nexthdr = ipv6_hdr(skb)->nexthdr; + int hdrlen = ipv6_skip_exthdr(skb, + sizeof(struct ipv6hdr), + &nexthdr, &frag_off); + + if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { + if (!nf_nat_icmpv6_reply_translation(skb, ct, + ctinfo, + hooknum, + hdrlen)) + err = NF_DROP; + goto out; + } + } + /* Non-ICMP, fall thru to initialize if needed. */ + fallthrough; + case IP_CT_NEW: + /* Seen it before? This can happen for loopback, retrans, + * or local packets. + */ + if (!nf_nat_initialized(ct, maniptype)) { + /* Initialize according to the NAT action. */ + err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) + /* Action is set up to establish a new + * mapping. + */ + ? 
nf_nat_setup_info(ct, range, maniptype) + : nf_nat_alloc_null_binding(ct, hooknum); + if (err != NF_ACCEPT) + goto out; + } + break; + + case IP_CT_ESTABLISHED: + case IP_CT_ESTABLISHED_REPLY: + break; + + default: + err = NF_DROP; + goto out; + } + + err = nf_nat_packet(ct, ctinfo, hooknum, skb); + if (err == NF_ACCEPT) + *action |= (1 << maniptype); +out: + return err; +} + +int nf_ct_nat(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, int *action, + const struct nf_nat_range2 *range, bool commit) +{ + enum nf_nat_manip_type maniptype; + int err, ct_action = *action; + + *action = 0; + + /* Add NAT extension if not confirmed yet. */ + if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) + return NF_ACCEPT; /* Can't NAT. */ + + if (ctinfo != IP_CT_NEW && (ct->status & IPS_NAT_MASK) && + (ctinfo != IP_CT_RELATED || commit)) { + /* NAT an established or related connection like before. */ + if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) + /* This is the REPLY direction for a connection + * for which NAT was applied in the forward + * direction. Do the reverse NAT. + */ + maniptype = ct->status & IPS_SRC_NAT + ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; + else + maniptype = ct->status & IPS_SRC_NAT + ? 
NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; + } else if (ct_action & (1 << NF_NAT_MANIP_SRC)) { + maniptype = NF_NAT_MANIP_SRC; + } else if (ct_action & (1 << NF_NAT_MANIP_DST)) { + maniptype = NF_NAT_MANIP_DST; + } else { + return NF_ACCEPT; + } + + err = nf_ct_nat_execute(skb, ct, ctinfo, action, range, maniptype); + if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { + if (ct->status & IPS_SRC_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = nf_ct_nat_execute(skb, ct, ctinfo, action, range, + maniptype); + } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { + err = nf_ct_nat_execute(skb, ct, ctinfo, action, NULL, + NF_NAT_MANIP_SRC); + } + } + return err; +} +EXPORT_SYMBOL_GPL(nf_ct_nat); + struct nf_nat_proto_clean { u8 l3proto; u8 l4proto; diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index cc643a556ea1..d03c75165663 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c 
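Review bot: nf_ct_nat() becomes an exported, cross-subsystem entry point, but the only descriptive comment in this hunk is the one inherited by nf_ct_nat_execute(), and neither mentions that `*action` is overwritten on every call — it is zeroed before the nf_ct_nat_ext_add() early return and then accumulates `1 << maniptype` for each execute step that returned NF_ACCEPT — nor that ip_hdr()/ipv6_hdr() are read directly, so the caller must already have skb->data at the network header, a precondition this series makes implicit by dropping skb_pull_rcsum() from the OVS side in patch 1/5. A kernel-doc comment above nf_ct_nat() stating the in/out meaning of `action`, that `range` is only consulted for new state, the header-position precondition (presumably also that the IP header has been pulled/validated by the conntrack step before; confirm), and the NF_ACCEPT/NF_DROP return would cover this. A one-line comment at `*action = 0;`, such as `/* Report back only the manip types actually applied. */`, would also help.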
@@ -726,144 +726,27 @@ static void ovs_nat_update_key(struct sw_flow_key *key, } } -/* Modelled after nf_nat_ipv[46]_fn(). - * range is only used for new, uninitialized NAT state. - * Returns either NF_ACCEPT or NF_DROP. - */ -static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - const struct nf_nat_range2 *range, - enum nf_nat_manip_type maniptype, struct sw_flow_key *key) -{ - int hooknum, err = NF_ACCEPT; - - /* See HOOK2MANIP(). */ - if (maniptype == NF_NAT_MANIP_SRC) - hooknum = NF_INET_LOCAL_IN; /* Source NAT */ - else - hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */ - - switch (ctinfo) { - case IP_CT_RELATED: - case IP_CT_RELATED_REPLY: - if (IS_ENABLED(CONFIG_NF_NAT) && - skb->protocol == htons(ETH_P_IP) && - ip_hdr(skb)->protocol == IPPROTO_ICMP) { - if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, - hooknum)) - err = NF_DROP; - goto out; - } else if (IS_ENABLED(CONFIG_IPV6) && - skb->protocol == htons(ETH_P_IPV6)) { - __be16 frag_off; - u8 nexthdr = ipv6_hdr(skb)->nexthdr; - int hdrlen = ipv6_skip_exthdr(skb, - sizeof(struct ipv6hdr), - &nexthdr, &frag_off); - - if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { - if (!nf_nat_icmpv6_reply_translation(skb, ct, - ctinfo, - hooknum, - hdrlen)) - err = NF_DROP; - goto out; - } - } - /* Non-ICMP, fall thru to initialize if needed. */ - fallthrough; - case IP_CT_NEW: - /* Seen it before? This can happen for loopback, retrans, - * or local packets. - */ - if (!nf_nat_initialized(ct, maniptype)) { - /* Initialize according to the NAT action. */ - err = (range && range->flags & NF_NAT_RANGE_MAP_IPS) - /* Action is set up to establish a new - * mapping. - */ - ? 
nf_nat_setup_info(ct, range, maniptype) - : nf_nat_alloc_null_binding(ct, hooknum); - if (err != NF_ACCEPT) - goto out; - } - break; - - case IP_CT_ESTABLISHED: - case IP_CT_ESTABLISHED_REPLY: - break; - - default: - err = NF_DROP; - goto out; - } - - err = nf_nat_packet(ct, ctinfo, hooknum, skb); -out: - /* Update the flow key if NAT successful. */ - if (err == NF_ACCEPT) - ovs_nat_update_key(key, skb, maniptype); - - return err; -} - /* Returns NF_DROP if the packet should be dropped, NF_ACCEPT otherwise. */ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key, const struct ovs_conntrack_info *info, struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { - enum nf_nat_manip_type maniptype; - int err; + int err, action = 0; if (!(info->nat & OVS_CT_NAT)) return NF_ACCEPT; + if (info->nat & OVS_CT_SRC_NAT) + action |= (1 << NF_NAT_MANIP_SRC); + if (info->nat & OVS_CT_DST_NAT) + action |= (1 << NF_NAT_MANIP_DST); - /* Add NAT extension if not confirmed yet. */ - if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct)) - return NF_ACCEPT; /* Can't NAT. */ + err = nf_ct_nat(skb, ct, ctinfo, &action, &info->range, info->commit); - /* Determine NAT type. - * Check if the NAT type can be deduced from the tracked connection. - * Make sure new expected connections (IP_CT_RELATED) are NATted only - * when committing. - */ - if (ctinfo != IP_CT_NEW && ct->status & IPS_NAT_MASK && - (ctinfo != IP_CT_RELATED || info->commit)) { - /* NAT an established or related connection like before. */ - if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) - /* This is the REPLY direction for a connection - * for which NAT was applied in the forward - * direction. Do the reverse NAT. - */ - maniptype = ct->status & IPS_SRC_NAT - ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC; - else - maniptype = ct->status & IPS_SRC_NAT - ? 
NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST; - } else if (info->nat & OVS_CT_SRC_NAT) { - maniptype = NF_NAT_MANIP_SRC; - } else if (info->nat & OVS_CT_DST_NAT) { - maniptype = NF_NAT_MANIP_DST; - } else { - return NF_ACCEPT; /* Connection is not NATed. */ - } - err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype, key); - - if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { - if (ct->status & IPS_SRC_NAT) { - if (maniptype == NF_NAT_MANIP_SRC) - maniptype = NF_NAT_MANIP_DST; - else - maniptype = NF_NAT_MANIP_SRC; - - err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, - maniptype, key); - } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { - err = ovs_ct_nat_execute(skb, ct, ctinfo, NULL, - NF_NAT_MANIP_SRC, key); - } - } + if (action & (1 << NF_NAT_MANIP_SRC)) + ovs_nat_update_key(key, skb, NF_NAT_MANIP_SRC); + if (action & (1 << NF_NAT_MANIP_DST)) + ovs_nat_update_key(key, skb, NF_NAT_MANIP_DST); return err; } diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index c7782c9a6ab6..0c410220239f 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
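Review bot: The local `action` changes meaning across the nf_ct_nat() call — requested manip bits before it, applied manip bits after it — and nothing in the rewritten ovs_ct_nat() says so, which makes the two ovs_nat_update_key() calls easy to misread as keyed on the request rather than on what was done. A comment on the call line would make it explicit, e.g. `err = nf_ct_nat(skb, ct, ctinfo, &action, &info->range, info->commit); /* action now holds the manip types actually applied */`. The removed `/* Connection is not NATed. */` explanation now lives inside nf_ct_nat(); a pointer to it in the function's header comment would keep the OVS side self-explanatory.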
@@ -863,90 +863,6 @@ static void tcf_ct_params_free_rcu(struct rcu_head *head)
 tcf_ct_params_free(params);
 }
 
-#if IS_ENABLED(CONFIG_NF_NAT)
-/* Modelled after nf_nat_ipv[46]_fn().
- * range is only used for new, uninitialized NAT state.
- * Returns either NF_ACCEPT or NF_DROP.
- */
-static int ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
- enum ip_conntrack_info ctinfo,
- const struct nf_nat_range2 *range,
- enum nf_nat_manip_type maniptype)
-{
- __be16 proto = skb_protocol(skb, true);
- int hooknum, err = NF_ACCEPT;
-
- /* See HOOK2MANIP(). */
- if (maniptype == NF_NAT_MANIP_SRC)
- hooknum = NF_INET_LOCAL_IN; /* Source NAT */
- else
- hooknum = NF_INET_LOCAL_OUT; /* Destination NAT */
-
- switch (ctinfo) {
- case IP_CT_RELATED:
- case IP_CT_RELATED_REPLY:
- if (proto == htons(ETH_P_IP) &&
- ip_hdr(skb)->protocol == IPPROTO_ICMP) {
- if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
- hooknum))
- err = NF_DROP;
- goto out;
- } else if (IS_ENABLED(CONFIG_IPV6) && proto == htons(ETH_P_IPV6)) {
- __be16 frag_off;
- u8 nexthdr = ipv6_hdr(skb)->nexthdr;
- int hdrlen = ipv6_skip_exthdr(skb,
- sizeof(struct ipv6hdr),
- &nexthdr, &frag_off);
-
- if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
- if (!nf_nat_icmpv6_reply_translation(skb, ct,
- ctinfo,
- hooknum,
- hdrlen))
- err = NF_DROP;
- goto out;
- }
- }
- /* Non-ICMP, fall thru to initialize if needed. */
- fallthrough;
- case IP_CT_NEW:
- /* Seen it before? This can happen for loopback, retrans,
- * or local packets.
- */
- if (!nf_nat_initialized(ct, maniptype)) {
- /* Initialize according to the NAT action. */
- err = (range && range->flags & NF_NAT_RANGE_MAP_IPS)
- /* Action is set up to establish a new
- * mapping.
- */
- ? nf_nat_setup_info(ct, range, maniptype)
- : nf_nat_alloc_null_binding(ct, hooknum);
- if (err != NF_ACCEPT)
- goto out;
- }
- break;
-
- case IP_CT_ESTABLISHED:
- case IP_CT_ESTABLISHED_REPLY:
- break;
-
- default:
- err = NF_DROP;
- goto out;
- }
-
- err = nf_nat_packet(ct, ctinfo, hooknum, skb);
-out:
- if (err == NF_ACCEPT) {
- if (maniptype == NF_NAT_MANIP_SRC)
- tc_skb_cb(skb)->post_ct_snat = 1;
- if (maniptype == NF_NAT_MANIP_DST)
- tc_skb_cb(skb)->post_ct_dnat = 1;
- }
- return err;
-}
-#endif /* CONFIG_NF_NAT */
-
 static void tcf_ct_act_set_mark(struct nf_conn *ct, u32 mark, u32 mask)
 {
 #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
@@ -986,52 +902,22 @@ static int tcf_ct_act_nat(struct sk_buff *skb,
 bool commit)
 {
 #if IS_ENABLED(CONFIG_NF_NAT)
- int err;
- enum nf_nat_manip_type maniptype;
+ int err, action = 0;
 
 if (!(ct_action & TCA_CT_ACT_NAT))
 return NF_ACCEPT;
+ if (ct_action & TCA_CT_ACT_NAT_SRC)
+ action |= (1 << NF_NAT_MANIP_SRC);
+ if (ct_action & TCA_CT_ACT_NAT_DST)
+ action |= (1 << NF_NAT_MANIP_DST);
 
- /* Add NAT extension if not confirmed yet. */
- if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
- return NF_ACCEPT; /* Can't NAT. */
-
- if (ctinfo != IP_CT_NEW && (ct->status & IPS_NAT_MASK) &&
- (ctinfo != IP_CT_RELATED || commit)) {
- /* NAT an established or related connection like before. */
- if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
- /* This is the REPLY direction for a connection
- * for which NAT was applied in the forward
- * direction. Do the reverse NAT.
- */
- maniptype = ct->status & IPS_SRC_NAT
- ? NF_NAT_MANIP_DST : NF_NAT_MANIP_SRC;
- else
- maniptype = ct->status & IPS_SRC_NAT
- ? NF_NAT_MANIP_SRC : NF_NAT_MANIP_DST;
- } else if (ct_action & TCA_CT_ACT_NAT_SRC) {
- maniptype = NF_NAT_MANIP_SRC;
- } else if (ct_action & TCA_CT_ACT_NAT_DST) {
- maniptype = NF_NAT_MANIP_DST;
- } else {
- return NF_ACCEPT;
- }
+ err = nf_ct_nat(skb, ct, ctinfo, &action, range, commit);
+
+ if (action & (1 << NF_NAT_MANIP_SRC))
+ tc_skb_cb(skb)->post_ct_snat = 1;
+ if (action & (1 << NF_NAT_MANIP_DST))
+ tc_skb_cb(skb)->post_ct_dnat = 1;
 
- err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
- if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) {
- if (ct->status & IPS_SRC_NAT) {
- if (maniptype == NF_NAT_MANIP_SRC)
- maniptype = NF_NAT_MANIP_DST;
- else
- maniptype = NF_NAT_MANIP_SRC;
-
- err = ct_nat_execute(skb, ct, ctinfo, range,
- maniptype);
- } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
- err = ct_nat_execute(skb, ct, ctinfo, NULL,
- NF_NAT_MANIP_SRC);
- }
- }
 return err;
 #else
 return NF_ACCEPT;
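Review bot: The `post_ct_snat`/`post_ct_dnat` flags are now set from `action` with no `err == NF_ACCEPT` gate, unlike the removed `ct_nat_execute()` which only set them on success, so the new lines are correct only if `nf_ct_nat()` rewrites `*action` to report just the manipulations it actually applied and leaves it clear on NF_DROP; that in/out contract is not visible in this hunk and deserves a comment at the call site, e.g. `/* nf_ct_nat() rewrites @action to the manips actually applied; on NF_DROP it must leave no bits set, so no post_ct_* flag is raised for a dropped packet. */`. The same pattern appears in `ovs_ct_nat()` in net/openvswitch/conntrack.c, where `ovs_nat_update_key()` is likewise driven by the returned bits, so the comment belongs there too. If those flags or the rewritten flow key are consumed later in the pipeline, a bit left set for a packet whose NAT failed would misdescribe that packet's state, which is why the contract should be explicit rather than assumed. On style, the repeated `(1 << NF_NAT_MANIP_SRC)` / `(1 << NF_NAT_MANIP_DST)` would read better as `BIT(NF_NAT_MANIP_SRC)` / `BIT(NF_NAT_MANIP_DST)` using the kernel's BIT() macro.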