Re: [ovs-dev] [PATCH] datapath-windows: Fix conntrack lookups for reversed keys

Tue, 01 Aug 2017 15:10:46 -0700 


________________________________________
From: [email protected] <[email protected]> on 
behalf of Anand Kumar <[email protected]>
Sent: Tuesday, August 1, 2017 3:01 PM
To: [email protected]
Subject: [ovs-dev] [PATCH] datapath-windows: Fix conntrack lookups for  
reversed keys

From: Sairam Venugopal <[email protected]>

The conntrack table needs to be queried for entries in either directions
to determine if the packet is in forward direction or reply direction.

The current behavior ends up reversing the incoming packet's 5-Tuple for
every entry in the loop instead of doing it only once.

Testing Done:
- Verified that ICMP requests are no longer treated as replies
in Conntrack.

Change-Id: I826a164cfb9137e2167c404ff5c9bfd9dfaa33ad
Co-authored-by: Sairam Venugopal <[email protected]>
Signed-off-by: Anand Kumar <[email protected]>
---
 datapath-windows/ovsext/Conntrack.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/datapath-windows/ovsext/Conntrack.c 
b/datapath-windows/ovsext/Conntrack.c
index 8ea1e65..917ebee 100644
--- a/datapath-windows/ovsext/Conntrack.c
+++ b/datapath-windows/ovsext/Conntrack.c
@@ -401,7 +401,14 @@ OvsCtLookup(OvsConntrackKeyLookupCtx *ctx)
     POVS_CT_ENTRY entry;
     BOOLEAN reply = FALSE;
     POVS_CT_ENTRY found = NULL;
-    OVS_CT_KEY key = ctx->key;
+
+    /* Reverse NAT must be performed before OvsCtLookup, so here
+     * we simply need to flip the src and dst in key and compare
+     * they are equal. Note that flipped key is not equal to
+     * rev_key due to NAT effect.
+     */
+    OVS_CT_KEY revCtxKey = ctx->key;
+    OvsCtKeyReverse(&revCtxKey);

     if (!ctTotalEntries) {
         return found;
@@ -410,19 +417,13 @@ OvsCtLookup(OvsConntrackKeyLookupCtx *ctx)
     LIST_FORALL(&ovsConntrackTable[ctx->hash & CT_HASH_TABLE_MASK], link) {
         entry = CONTAINING_RECORD(link, OVS_CT_ENTRY, link);

-        if (OvsCtKeyAreSame(key,entry->key)) {
+        if (OvsCtKeyAreSame(ctx->key, entry->key)) {
             found = entry;
             reply = FALSE;
             break;
         }

-        /* Reverse NAT must be performed before OvsCtLookup, so here
-         * we simply need to flip the src and dst in key and compare
-         * they are equal. Note that flipped key is not equal to
-         * rev_key due to NAT effect.
-         */
-        OvsCtKeyReverse(&key);
-        if (OvsCtKeyAreSame(key, entry->key)) {
+        if (OvsCtKeyAreSame(revCtxKey, entry->key)) {
             found = entry;
             reply = TRUE;
             break;
--
2.9.3.windows.1

_______________________________________________

Acked-by: Shashank Ram <[email protected]>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev






















					Reply via email to