This patch is to avoid generating incorrect conntrack entry In a certain use case of conntrack flow that if flow included ct(commit, nat) action, but no detail action/direction specified, CT will generate incorrect conntrack entry. For example, add below flow: ip,priority=500,in_port=1,ct_state=-trk actions=ct(table=1,nat)' ip,priority=500,in_port=2,ct_state=-trk actions=ct(table=1,nat)' table=1,in_port=1,ip,ct_state=+trk+new actions=ct*(commit,nat)*,2 table=1,in_port=1,ip,ct_state=-new+trk+est actions=2 table=1,in_port=2,ip,ct_state=-new+trk+est actions=1 start traffic from 192.168.2.2 to 192.168.2.7 ovs dpdk datpath generate CT entry as below: icmp,orig=(src=192.168.2.2,dst=192.168.2.7,id=17038,type=8,code=0), reply=(src=*0.0.0.0*,dst=192.168.2.2,id=17038,type=0,code=0) reply key src 0.0.0.0 is generated not correct by "nat_get_unique_tuple". but ovs kernel datapath will generate correct ct entry as below: icmp,orig=(src=192.168.2.2,dst=192.168.2.7,id=17038,type=8,code=0), reply=(src=192.168.2.7,dst=192.168.2.2,id=17038,type=0,code=0)
To compatible with this use case of flow, and also be consistent with kernel datapath's behavior, this patch treat this nat without action specified as not nat, and don't do "nat_get_unique_tuple" and malloc a nat_conn that is attached to nc. Signed-off-by: Zhong Zhong <[email protected]> --- lib/conntrack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 47a443f..581b62b 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -942,7 +942,7 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, nc->parent_key = alg_exp->parent_key; } - if (nat_action_info) { + if (nat_action_info && nat_action_info->nat_action) { nc->nat_action = nat_action_info->nat_action; if (alg_exp) { -- -- Best Regards Zhong, Zhong Email: [email protected] _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
