When a packet hits a flow rule without an explicitly specified helper, OvS has to rely on automatic application layer gateway detection to find related connections. This works as long as services are running on their standard ports, e.g. when FTP servers use TCP port 21.
However, sometimes it's necessary to run services on non-standard ports. In that case, there is no way for OvS to guess which protocol is used within a given flow. Of course, this means that no related connections can be recognized. When a connection is committed with a particular helper, it's reasonable to assume this helper will be used in subsequent CT actions, as long as they don't override it. Achieve this behaviour by using the committed connection's helper when a flow rule does not specify one. Signed-off-by: Viacheslav Galaktionov <[email protected]> Acked-by: Ivan Malov <[email protected]> --- lib/conntrack.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/conntrack.c b/lib/conntrack.c index c27ac5a6f..59a4a413f 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -1245,6 +1245,10 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, conn = NULL; } + if (conn && helper == NULL) { + helper = conn->alg; + } + enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, helper); if (OVS_LIKELY(conn)) { @@ -1334,6 +1338,11 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, DP_PACKET_BATCH_FOR_EACH (i, packet, pkt_batch) { struct conn *conn = packet->md.conn; + + if (helper == NULL && conn != NULL) { + helper = conn->alg; + } + if (OVS_UNLIKELY(packet->md.ct_state == CS_INVALID)) { write_ct_md(packet, zone, NULL, NULL, NULL); } else if (conn && -- 2.42.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
