Hi Darrell,

Darrell Ball <dlu...@gmail.com> writes:

> Presently, alg processing is enabled by default to exercise testing.
> This is similar to kernels before 4.7.  The recommended default
> behavior in the kernel is to only process algs if a helper is
> supplied in a conntrack rule.  The behavior is changed to match the
> later kernels.
>
> Signed-off-by: Darrell Ball <dlu...@gmail.com>
> ---

I like having the alg processing off by default.  However, at this point
some folks may be relying (or not care about) on the default behavior of
the ct() action (which is to assume
ALG=whatever-is-appropriate-to-the-port).  I think we probably will need
to have a knob to enable / disable this.

More below.

>  lib/conntrack.c | 35 +++++++++++++++++++++++++++++------
>  1 file changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/lib/conntrack.c b/lib/conntrack.c
> index 7fbcfba..dea2fed 100644
> --- a/lib/conntrack.c
> +++ b/lib/conntrack.c
> @@ -789,13 +789,34 @@ conn_clean(struct conntrack *ct, struct conn *conn,
>      }
>  }
>  
> +static bool
> +ct_verify_helper(const char *helper, enum ct_alg_ctl_type ct_alg_ctl)
> +{

Since we know the algorithm at this point, doesn't it make sense to
just associate the alg with the connection?  I say that because if I
read this correctly (and I haven't had coffee yet - maybe I missed
something) non-standard ports won't get their associations properly (so
if I want to run ftp on port 2122 for example, the helper will not get
associated).

If we take the approach I mentioned in 2/4, we can just associate the
function pointer.  After all, the user asked for it - we should do what
the user wants.

> +    if (ct_alg_ctl == CT_ALG_CTL_NONE) {
> +        return true;
> +    } else if (helper) {
> +        if ((ct_alg_ctl == CT_ALG_CTL_FTP) &&
> +             !strncmp(helper, "ftp", strlen("ftp"))) {
> +            return true;
> +        } else if ((ct_alg_ctl == CT_ALG_CTL_TFTP) &&
> +                   !strncmp(helper, "tftp", strlen("tftp"))) {
> +            return true;
> +        } else {
> +            return false;
> +        }
> +    } else {
> +        return false;
> +    }
> +}
> +
>  /* This function is called with the bucket lock held. */
>  static struct conn *
>  conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
>                 struct conn_lookup_ctx *ctx, bool commit, long long now,
>                 const struct nat_action_info_t *nat_action_info,
>                 struct conn *conn_for_un_nat_copy,
> -               const char *helper, const struct alg_exp_node *alg_exp)
> +               const char *helper, const struct alg_exp_node *alg_exp,
> +               enum ct_alg_ctl_type ct_alg_ctl)
>  {
>      struct conn *nc = NULL;
>  
> @@ -819,15 +840,16 @@ conn_not_found(struct conntrack *ct, struct dp_packet 
> *pkt,
>              return nc;
>          }
>  
> +        if (!ct_verify_helper(helper, ct_alg_ctl)) {
> +            return nc;
> +        }
> +
>          unsigned bucket = hash_to_bucket(ctx->hash);
>          nc = new_conn(&ct->buckets[bucket], pkt, &ctx->key, now);
>          ctx->conn = nc;
>          nc->rev_key = nc->key;
>          conn_key_reverse(&nc->rev_key);
> -
> -        if (helper) {
> -            nc->alg = xstrdup(helper);
> -        }
> +        nc->alg = nullable_xstrdup(helper);
>  
>          if (alg_exp) {
>              nc->alg_related = true;
> @@ -1182,7 +1204,8 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
>          }
>          ct_rwlock_unlock(&ct->resources_lock);
>          conn = conn_not_found(ct, pkt, ctx, commit, now, nat_action_info,
> -                              &conn_for_un_nat_copy, helper, alg_exp);
> +                              &conn_for_un_nat_copy, helper, alg_exp,
> +                              ct_alg_ctl);
>      }
>      write_ct_md(pkt, zone, conn, &ctx->key, alg_exp);
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to