2017-03-24 2:15 GMT-07:00 Darrell Ball <dlu...@gmail.com>:
> This patch adds orig tuple checking and context
> recovery; NAT interactions are factored in.
> Orig tuple support exists to better handle policy
> changes.
>
> Signed-off-by: Darrell Ball <dlu...@gmail.com>
> ---
> lib/conntrack.c | 69
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 69 insertions(+)
>
> diff --git a/lib/conntrack.c b/lib/conntrack.c
> index ee22280..5524495 100644
> --- a/lib/conntrack.c
> +++ b/lib/conntrack.c
> @@ -679,6 +679,72 @@ handle_nat(struct dp_packet *pkt, struct conn *conn,
> }
> }
>
> +static bool
> +check_orig_tuple(struct conntrack *ct, struct dp_packet *pkt,
> + struct conn_lookup_ctx *ctx_in, long long now,
> + unsigned *bucket, struct conn **conn,
> + const struct nat_action_info_t *nat_action_info)
> + OVS_REQUIRES(ct->buckets[*bucket].lock)
> +{
> + if ((ctx_in->key.dl_type == htons(ETH_TYPE_IP) &&
> + !pkt->md.ct_orig_tuple.ipv4.ipv4_proto) ||
> + (ctx_in->key.dl_type == htons(ETH_TYPE_IPV6) &&
> + !pkt->md.ct_orig_tuple.ipv6.ipv6_proto) ||
> + !(pkt->md.ct_state & (CS_SRC_NAT | CS_DST_NAT)) ||
> + nat_action_info){
> + return false;
> + }
> +
> + ct_lock_unlock(&ct->buckets[*bucket].lock);
> + struct conn_lookup_ctx ctx;
> + memset(&ctx, 0 , sizeof ctx);
> + ctx.conn = NULL;
> +
> + if (ctx_in->key.dl_type == htons(ETH_TYPE_IP)) {
> +
> + ctx.key.src.addr.ipv4_aligned = pkt->md.ct_orig_tuple.ipv4.ipv4_src;
> + ctx.key.dst.addr.ipv4_aligned = pkt->md.ct_orig_tuple.ipv4.ipv4_dst;
> +
> + if (ctx_in->key.nw_proto == IPPROTO_ICMP) {
> + ctx.key.src.icmp_id = ctx_in->key.src.icmp_id;
> + ctx.key.dst.icmp_id = ctx_in->key.dst.icmp_id;
> + uint16_t src_port = ntohs(pkt->md.ct_orig_tuple.ipv4.src_port);
> + ctx.key.src.icmp_type = (uint8_t) src_port;
> + ctx.key.dst.icmp_type = reverse_icmp_type(ctx.key.src.icmp_type);
> + } else {
> + ctx.key.src.port = pkt->md.ct_orig_tuple.ipv4.src_port;
> + ctx.key.dst.port = pkt->md.ct_orig_tuple.ipv4.dst_port;
> + }
> + ctx.key.nw_proto = pkt->md.ct_orig_tuple.ipv4.ipv4_proto;
> + } else {
> + ctx.key.src.addr.ipv6_aligned = pkt->md.ct_orig_tuple.ipv6.ipv6_src;
> + ctx.key.dst.addr.ipv6_aligned = pkt->md.ct_orig_tuple.ipv6.ipv6_dst;
> +
> + if (ctx_in->key.nw_proto == IPPROTO_ICMPV6) {
> + ctx.key.src.icmp_id = ctx_in->key.src.icmp_id;
> + ctx.key.dst.icmp_id = ctx_in->key.dst.icmp_id;
> + uint16_t src_port = ntohs(pkt->md.ct_orig_tuple.ipv6.src_port);
> + ctx.key.src.icmp_type = (uint8_t) src_port;
> + ctx.key.dst.icmp_type =
> reverse_icmp6_type(ctx.key.src.icmp_type);
> + } else {
> + ctx.key.src.port = pkt->md.ct_orig_tuple.ipv6.src_port;
> + ctx.key.dst.port = pkt->md.ct_orig_tuple.ipv6.dst_port;
> + }
> + ctx.key.nw_proto = pkt->md.ct_orig_tuple.ipv6.ipv6_proto;
> + }
> +
> + ctx.key.dl_type = ctx_in->key.dl_type;
> + ctx.key.zone = pkt->md.ct_zone;
> +
> + ctx.hash = conn_key_hash(&ctx.key, ct->hash_basis);
> + *bucket = hash_to_bucket(ctx.hash);
> + ct_lock_lock(&ct->buckets[*bucket].lock);
> + conn_key_lookup(&ct->buckets[*bucket], &ctx, now);
> + *conn = ctx.conn;
> +
> + return *conn ? true : false;
> +}
> +
> static void
> process_one(struct conntrack *ct, struct dp_packet *pkt,
> struct conn_lookup_ctx *ctx, uint16_t zone,
> @@ -735,6 +801,9 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
> if (nat_action_info && !create_new_conn) {
> handle_nat(pkt, conn, zone, ctx->reply, ctx->related);
> }
> +
> + }else if (check_orig_tuple(ct, pkt, ctx, now, &bucket, &conn,
> + nat_action_info)) {
Sorry, I don't understand the feature very much, so I'm going to ask a
couple of dumb
questions :-)
Why is the body of this 'else if' empty? Could you explain a little bit more
in the commit message?
Thanks
> } else {
> if (ctx->related) {
> pkt->md.ct_state = CS_INVALID;
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
