The upstream code uses NF_INET_PRE_ROUTING hook for the nf_conntrack_in()
call, which does deeper (e.g. l4proto) validation. It was previously
thought that using the NF_INET_ROUTING hook for this function on older
kernels would trigger kernel panics due to a dependency on the
unpopulated skb->dev, however during recent testing on a variety of
platforms (Centos7.[12], Ubuntu 1[46].04, Fedora23) using the latest
distribution kernels and the OVS kernel module testsuite, no such kernel
panics were observed. Therefore it appears to be safe to bring this in
line with upstream without any other workarounds.

Reported-by: Jesse Gross <je...@kernel.org>
Signed-off-by: Joe Stringer <j...@ovn.org>
---
 datapath/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index ddfb0c42b379..a2fc450edc05 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -772,7 +772,7 @@ static int __ovs_ct_lookup(struct net *net, struct 
sw_flow_key *key,
                /* Repeat if requested, see nf_iterate(). */
                do {
                        err = nf_conntrack_in(net, info->family,
-                                             NF_INET_FORWARD, skb);
+                                             NF_INET_PRE_ROUTING, skb);
                } while (err == NF_REPEAT);
 
                if (err != NF_ACCEPT)
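Review bot: the hook name in the commit message does not match the hunk: the message says the concern was about using the NF_INET_ROUTING hook, but the line being removed passes NF_INET_FORWARD, and NF_INET_ROUTING is not one of the netfilter hook values. The message should name NF_INET_FORWARD so that readers grepping the history can connect the rationale to the change. It would also help to state in the message which code path reached through nf_conntrack_in() was thought to dereference the unpopulated skb->dev, since the justification given is empirical (no panics seen on Centos7.[12], Ubuntu 1[46].04, Fedora23 with the OVS testsuite) rather than a code-level argument that the dependency is absent on the older kernels this compat tree supports; a pointer to the relevant upstream commit or the function that was inspected would make the "appears to be safe" claim reviewable.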
-- 
2.9.3

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
