Startsida Utforska Hjälp
Logga in
GfA
/
linux_kernel
5
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Bläddra i källkod

openvswitch: Do not trigger events for unconfirmed connections.

Receiving change events before the 'new' event for the connection has
been received can be confusing.  Avoid triggering change events for
setting conntrack mark or labels before the conntrack entry has been
confirmed.

Fixes: 182e3042e15d ("openvswitch: Allow matching on conntrack mark")
Fixes: c2ac66735870 ("openvswitch: Allow matching on conntrack label")
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jarno Rajahalme 8 år sedan
förälder
9ff464db50
incheckning
193e309678
1 ändrade filer med 22 tillägg och 6 borttagningar
Unifierad Vy Visa Diff Statistik
  1. 22 6
      net/openvswitch/conntrack.c

+ 22 - 6
net/openvswitch/conntrack.c
Visa fil 

@@ -245,7 +245,8 @@ static int ovs_ct_set_mark(struct sk_buff *skb, struct sw_flow_key *key,
 
 	new_mark = ct_mark | (ct->mark & ~(mask));
 
 	new_mark = ct_mark | (ct->mark & ~(mask));
 
 	if (ct->mark != new_mark) {
 
 	if (ct->mark != new_mark) {
 
 		ct->mark = new_mark;
 
 		ct->mark = new_mark;
 
-		nf_conntrack_event_cache(IPCT_MARK, ct);
 
+		if (nf_ct_is_confirmed(ct))
 
+			nf_conntrack_event_cache(IPCT_MARK, ct);
 
 		key->ct.mark = new_mark;
 
 		key->ct.mark = new_mark;
 
 	}
 
 	}
 
 
 
@@ -262,7 +263,6 @@ static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key,
 
 	enum ip_conntrack_info ctinfo;
 
 	enum ip_conntrack_info ctinfo;
 
 	struct nf_conn_labels *cl;
 
 	struct nf_conn_labels *cl;
 
 	struct nf_conn *ct;
 
 	struct nf_conn *ct;
 
-	int err;
 
 
 
 	/* The connection could be invalid, in which case set_label is no-op.*/
 
 	/* The connection could be invalid, in which case set_label is no-op.*/
 
 	ct = nf_ct_get(skb, &ctinfo);
 
 	ct = nf_ct_get(skb, &ctinfo);
 
@@ -277,10 +277,26 @@ static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key,
 
 	if (!cl || sizeof(cl->bits) < OVS_CT_LABELS_LEN)
 
 	if (!cl || sizeof(cl->bits) < OVS_CT_LABELS_LEN)
 
 		return -ENOSPC;
 
 		return -ENOSPC;
 
 
 
-	err = nf_connlabels_replace(ct, (u32 *)labels, (u32 *)mask,
 
-				    OVS_CT_LABELS_LEN / sizeof(u32));
 
-	if (err)
 
-		return err;
 
+	if (nf_ct_is_confirmed(ct)) {
 
+		/* Triggers a change event, which makes sense only for
 
+		 * confirmed connections.
 
+		 */
 
+		int err = nf_connlabels_replace(ct, (u32 *)labels, (u32 *)mask,
 
+						OVS_CT_LABELS_LEN / sizeof(u32));
 
+		if (err)
 
+			return err;
 
+	} else {
 
+		u32 *dst = (u32 *)cl->bits;
 
+		const u32 *msk = (const u32 *)mask->ct_labels;
 
+		const u32 *lbl = (const u32 *)labels->ct_labels;
 
+		int i;
 
+
 
+		/* No-one else has access to the non-confirmed entry, copy
 
+		 * labels over, keeping any bits we are not explicitly setting.
 
+		 */
 
+		for (i = 0; i < OVS_CT_LABELS_LEN / sizeof(u32); i++)
 
+			dst[i] = (dst[i] & ~msk[i]) | (lbl[i] & msk[i]);
 
+	}
 
 
 
 	ovs_ct_get_labels(ct, &key->ct.labels);
 
 	ovs_ct_get_labels(ct, &key->ct.labels);
 
 	return 0;
 
 	return 0;