On 11/26/2021 12:59 PM, Vladislav Odintsov wrote:
In patch [1] rpl_nf_conntrack_in was backported as a static inline
function without do..while loop handling NF_REPEAT error.
In patch [2] rpl_nf_conntrack_in backported function was removed
from compat/include/net/netfilter/nf_conntrack_core.h as unused.
As a result the do..while loop around nf_conntrack_in was lost and
this caused problems on old RHEL kernels with the tcp SYN
loss on a connection with the same 5-tuple, which ran in the last
nf_conntrack_tcp_timeout_time_wait. The connection could be
initiated on a tcp SYN retry after one second.
1: https://github.com/openvswitch/ovs/commit/4fdec8986a203b0dc9d9c183c932826967572e0f
2: https://github.com/openvswitch/ovs/commit/e9b33ad780f3bc712a5de6be9e1e0803fadcd249
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-September/387623.html
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-October/388424.html
Signed-off-by: Vladislav Odintsov <[email protected]>
LGTM - Thanks!
Reviewed-by: Greg Rose <[email protected]>
---
.../compat/include/net/netfilter/nf_conntrack_core.h | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
index 4cce92f66..bc18c56b8 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -108,7 +108,14 @@ static inline bool rpl_nf_ct_delete(struct nf_conn *ct,
u32 portid, int report)
static inline unsigned int
rpl_nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
{
- return nf_conntrack_in(state->net, state->pf, state->hook, skb);
+ int err;
+
+ /* Repeat if requested, see nf_iterate(). */
+ do {
+ err = nf_conntrack_in(state->net, state->pf, state->hook, skb);
+ } while (err == NF_REPEAT);
+
+ return err;
}
#define nf_conntrack_in rpl_nf_conntrack_in
#endif /* HAVE_NF_CONNTRACK_IN_TAKES_NF_HOOK_STATE */
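Review bot: the new local at the top of rpl_nf_conntrack_in() is declared as "int err;" while the function itself is declared to return "unsigned int", so the value is converted from signed to unsigned on "return err;". Declaring it "unsigned int" keeps the types consistent with the function signature and avoids a signed/unsigned comparison against NF_REPEAT. The name is also misleading: the loop condition shows the variable holds a netfilter verdict rather than an error code, so something like "unsigned int verdict;" would read better. Finally, the loop has no upper bound on retries; the comment points at nf_iterate() as the model, and it would help to say in the comment or the commit message why repeating without a limit is safe here.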
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev