On Tue, Nov 10, 2020 at 6:41 PM Florian Westphal <f...@strlen.de> wrote:
>
> Numan Siddique <nusid...@redhat.com> wrote:
> > On Tue, Nov 10, 2020 at 5:55 PM Florian Westphal <f...@strlen.de> wrote:
> > >
> > > Numan Siddique <nusid...@redhat.com> wrote:
> > > > On Tue, Nov 10, 2020 at 3:06 AM Florian Westphal <f...@strlen.de> wrote:
> > > > Thanks for the comments. I actually tried this approach first, but it
> > > > doesn't seem to work.
> > > > I noticed that for the committed connections, the ct tcp flag -
> > > > IP_CT_TCP_FLAG_BE_LIBERAL is
> > > > not set when nf_conntrack_in() calls resolve_normal_ct().
> > >
> > > Yes, it won't be set during nf_conntrack_in, thats why I suggested
> > > to do it before confirming the connection.
> >
> > Sorry for the confusion. What I mean is - I tested your suggestion - i.e
> > called
> > nf_ct_set_tcp_be_liberal() before calling nf_conntrack_confirm().
> >
> > Once the connection is established, for subsequent packets, openvswitch
> > calls nf_conntrack_in() [1] to see if the packet is part of the
> > existing connection or not (i.e ct.new or ct.est )
> > and if the packet happens to be out-of-window then skb->_nfct is set
> > to NULL. And the tcp
> > be flags set during confirmation are not reflected when
> > nf_conntrack_in() calls resolve_normal_ct().
>
> Can you debug where this happens? This looks very very wrong.
> resolve_normal_ct() has no business to check any of those flags
> (and I don't see where it uses them, it should only deal with the
> tuples).
>
> The flags come into play when nf_conntrack_handle_packet() gets called
> after resolve_normal_ct has found an entry, since that will end up
> calling the tcp conntrack part.
>
> The entry found/returned by resolve_normal_ct should be the same
> nf_conn entry that was confirmed earlier, i.e. it should be in "liberal"
> mode.
I debugged a bit. Calling nf_ct_set_tcp_be_liberal() in ct_commit
doesn't work because
- the first SYN packet during connection establishment is committed
to the contract.
- but tcp_in_window() calls tcp_options() which clears the tcp ct
flags for the SYN and SYN-ACK packets.
And hence the flags get cleared.
So I think it should be enough if openvswitch calls
nf_ct_set_tcp_be_liberal() once the connection is established.
I posted v2. Request to take a look.
Thanks
Numan
>
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
