From: Pablo Neira Ayuso <[email protected]>

Upstream commit:

    commit 08733a0cb7decce40bbbd0331a0449465f13c444
    Author: Pablo Neira Ayuso <[email protected]>
    Date: Thu Nov 3 10:56:43 2016 +0100

    netfilter: handle NF_REPEAT from nf_conntrack_in()

    NF_REPEAT is only needed from nf_conntrack_in() under a very specific
    case required by the TCP protocol tracker, we can handle this case
    without returning to the core hook path. Handling of NF_REPEAT from the
    nf_reinject() is left untouched.

    Signed-off-by: Pablo Neira Ayuso <[email protected]>

This upstream change is impossible to detect at module compile time,
so we keep the NF_REPEAT check after the nf_conntrack_in() call.

Signed-off-by: Jarno Rajahalme <[email protected]>
---
datapath/conntrack.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 3c51ce6..72d25ec 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -769,7 +769,10 @@ static int __ovs_ct_lookup(struct net *net, struct
sw_flow_key *key,
skb->nfctinfo = IP_CT_NEW;
}
- /* Repeat if requested, see nf_iterate(). */
+ /* Repeat if requested, see nf_iterate().
+ * Newer conntrack code no longer returns NF_REPEAT, but
+ * it is impossible to detect that at module compile time.
+ */
do {
err = nf_conntrack_in(net, info->family,
NF_INET_PRE_ROUTING, skb);
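Review bot: The added comment lines ("Newer conntrack code no longer returns NF_REPEAT, but it is impossible to detect that at module compile time") do not say which upstream change they refer to, so a later reader cannot tell from the source when the retained do-loop becomes dead code. Suggest naming the commit cited in the message, for example "Since upstream commit 08733a0cb7de, nf_conntrack_in() no longer returns NF_REPEAT", and adding that on such kernels the loop body simply runs once. The loop's terminating condition lies outside the visible context, so this assumes it still tests err against NF_REPEAT, as the commit message states.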
--
2.1.4