From: aaron conole <acon...@redhat.com>
Upstream commit:
commit 5d50aa83e2c8e91ced2cca77c198b468ca9210f4
author: aaron conole <acon...@redhat.com>
date: tue dec 3 16:34:13 2019 -0500
openvswitch: support asymmetric conntrack
the openvswitch module shares a common conntrack and nat infrastructure
exposed via netfilter. it's possible that a packet needs both snat and
dnat manipulation, due to e.g. tuple collision. netfilter can support
this because it runs through the nat table twice - once on ingress and
again after egress. the openvswitch module doesn't have such capability.
like netfilter hook infrastructure, we should run through nat twice to
keep the symmetry.
fixes: 05752523e565 ("openvswitch: interface with nat.")
signed-off-by: aaron conole <acon...@redhat.com>
signed-off-by: david s. miller <da...@davemloft.net>
Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
Cc: aaron conole <acon...@redhat.com>
Signed-off-by: Greg Rose <gvrose8...@gmail.com>
---
datapath/conntrack.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 5b4d6cc..c7a318b 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -978,6 +978,17 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key
*key,
}
err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);
+ if (err == NF_ACCEPT &&
+ ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+ if (maniptype == NF_NAT_MANIP_SRC)
+ maniptype = NF_NAT_MANIP_DST;
+ else
+ maniptype = NF_NAT_MANIP_SRC;
+
+ err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
+ maniptype);
+ }
+
/* Mark NAT done if successful and update the flow key. */
if (err == NF_ACCEPT)
ovs_nat_update_key(key, skb, maniptype);
--
1.8.3.1
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
