From: Pablo Neira Ayuso <pa...@netfilter.org>

Upstream commit:
commit 08733a0cb7decce40bbbd0331a0449465f13c444
Author: Pablo Neira Ayuso <pa...@netfilter.org>
Date: Thu Nov 3 10:56:43 2016 +0100
netfilter: handle NF_REPEAT from nf_conntrack_in()

NF_REPEAT is only needed from nf_conntrack_in() under a very specific case required by the TCP protocol tracker, we can handle this case without returning to the core hook path.

Handling of NF_REPEAT from the nf_reinject() is left untouched.

Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[Committer notes]
Shift the functionality into the compat code, protected by v4.10 version check. This allows the datapath/conntrack.c to match upstream.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Signed-off-by: Joe Stringer <j...@ovn.org>
---
datapath/conntrack.c | 8 ++------
.../include/net/netfilter/nf_conntrack_core.h | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index a0c5443..36db32a 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -770,12 +770,8 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
 skb->nfctinfo = IP_CT_NEW;
 }
 
- /* Repeat if requested, see nf_iterate(). */
- do {
- err = nf_conntrack_in(net, info->family,
- NF_INET_PRE_ROUTING, skb);
- } while (err == NF_REPEAT);
-
+ err = nf_conntrack_in(net, info->family,
+ NF_INET_PRE_ROUTING, skb);
 if (err != NF_ACCEPT)
 return -ENOENT;
 
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
index 09a53c3..16b57a6 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -67,4 +67,25 @@ static inline bool rpl_nf_ct_get_tuple(const struct sk_buff *skb,
 #define nf_ct_get_tuple rpl_nf_ct_get_tuple
 #endif /* HAVE_NF_CT_GET_TUPLEPR_TAKES_STRUCT_NET */
 
+/* Commit 08733a0cb7de ("netfilter: handle NF_REPEAT from nf_conntrack_in()")
+ * introduced behavioural changes to this function which cannot be detected
+ * in the headers. Unconditionally backport to kernels older than the one which
+ * contains this commit. */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,10,0)
+static unsigned int rpl_nf_conntrack_in(struct net *net, u_int8_t pf,
+ unsigned int hooknum,
+ struct sk_buff *skb)
+{
+ int err;
+
+ /* Repeat if requested, see nf_iterate(). */
+ do {
+ err = nf_conntrack_in(net, pf, hooknum, skb);
+ } while (err == NF_REPEAT);
+
+ return err;
+}
+#define nf_conntrack_in rpl_nf_conntrack_in
+#endif /* < 4.10 */
+
 #endif /* _NF_CONNTRACK_CORE_WRAPPER_H */
--
2.1.4

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
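Review bot: `rpl_nf_conntrack_in` is defined as plain `static` in a header, whereas the neighbouring compat helper in this file is `static inline` (see `rpl_nf_ct_get_tuple` in the hunk context), so every translation unit that includes nf_conntrack_core.h without calling it presumably carries a private copy and may trip an unused-function warning. The local `int err` also receives and returns an `unsigned int` verdict, so both the `NF_REPEAT` comparison and the return pass through sign conversion. Suggest `static inline unsigned int rpl_nf_conntrack_in(struct net *net, u_int8_t pf,` and `unsigned int err;`. Because `#define nf_conntrack_in rpl_nf_conntrack_in` comes after the definition, the call inside the loop still reaches the kernel's own nf_conntrack_in(); a one-line comment above the #define such as `/* Must follow the wrapper body, which calls the real nf_conntrack_in(). */` would make that ordering constraint explicit for anyone reorganising the header.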