The upstream code uses the NF_INET_PRE_ROUTING hook for the nf_conntrack_in() call, which does deeper (e.g. l4proto) validation. It was previously thought that using the NF_INET_ROUTING hook for this function on older kernels would trigger kernel panics due to a dependency on the unpopulated skb->dev; however, during recent testing on a variety of platforms (Centos7.[12], Ubuntu 1[46].04, Fedora23) using the latest distribution kernels and the OVS kernel module testsuite, no such kernel panics were observed. Therefore it appears to be safe to bring this in line with upstream without any other workarounds.
Reported-by: Jesse Gross <je...@kernel.org> Signed-off-by: Joe Stringer <j...@ovn.org> --- datapath/conntrack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datapath/conntrack.c b/datapath/conntrack.c index ddfb0c42b379..a2fc450edc05 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -772,7 +772,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, /* Repeat if requested, see nf_iterate(). */ do { err = nf_conntrack_in(net, info->family, - NF_INET_FORWARD, skb); + NF_INET_PRE_ROUTING, skb); } while (err == NF_REPEAT); if (err != NF_ACCEPT) -- 2.9.3
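Review bot: The nf_conntrack_in() call in __ovs_ct_lookup() now passes NF_INET_PRE_ROUTING with no comment at the call site explaining the choice of hook or the skb->dev concern the commit message raises; the only evidence offered that older kernels are safe is that the testsuite did not panic on the listed distributions. Suggest a short comment above the do/while loop noting that PRE_ROUTING is used for the deeper (l4proto) validation and to match upstream, and listing the exact kernel versions tested in the commit message so a later panic report can be checked against them. The message also refers to "NF_INET_ROUTING", which matches neither hook name in the hunk (NF_INET_FORWARD removed, NF_INET_PRE_ROUTING added); please correct it to the intended hook name before this is applied.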