Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753114AbbG3SNe (ORCPT ); Thu, 30 Jul 2015 14:13:34 -0400 Received: from mail-pd0-f170.google.com ([209.85.192.170]:34437 "EHLO mail-pd0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754754AbbG3SN1 (ORCPT ); Thu, 30 Jul 2015 14:13:27 -0400 From: Joe Stringer To: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, pablo@netfilter.org, kaber@trash.net, jpettit@nicira.com, pshelar@nicira.com, azhou@nicira.com, jesse@nicira.com, fwestpha@redhat.com, hannes@redhat.com, tgraf@noironetworks.com Subject: [PATCH net-next 9/9] openvswitch: Allow attaching helpers to ct action Date: Thu, 30 Jul 2015 11:12:43 -0700 Message-Id: <1438279963-29563-10-git-send-email-joestringer@nicira.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1438279963-29563-1-git-send-email-joestringer@nicira.com> References: <1438279963-29563-1-git-send-email-joestringer@nicira.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 7491 Lines: 254 Add support for using conntrack helpers to assist protocol detection. The new OVS_CT_ATTR_HELPER attribute of the ct action specifies a helper to be used for this connection. Example ODP flows allowing FTP connections from ports 1->2: in_port=1,tcp,action=ct(helper=ftp,commit),2 in_port=2,tcp,ct_state=-trk,action=ct(),recirc(1) recirc_id=1,in_port=2,tcp,ct_state=+trk-new+est,action=1 recirc_id=1,in_port=2,tcp,ct_state=+trk+rel,action=1 Signed-off-by: Joe Stringer --- include/uapi/linux/openvswitch.h | 1 + net/openvswitch/Kconfig | 1 + net/openvswitch/conntrack.c | 109 ++++++++++++++++++++++++++++++++++++++- 3 files changed, 109 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h index f360dc9..e816170 100644 --- a/include/uapi/linux/openvswitch.h +++ b/include/uapi/linux/openvswitch.h @@ -626,6 +626,7 @@ enum ovs_ct_attr { OVS_CT_ATTR_UNSPEC, OVS_CT_ATTR_FLAGS, /* u8 bitmask of OVS_CT_F_*. */ OVS_CT_ATTR_ZONE, /* u16 zone id. */ + OVS_CT_ATTR_HELPER, __OVS_CT_ATTR_MAX }; diff --git a/net/openvswitch/Kconfig b/net/openvswitch/Kconfig index 92bb3d3..c25b221 100644 --- a/net/openvswitch/Kconfig +++ b/net/openvswitch/Kconfig @@ -36,6 +36,7 @@ config OPENVSWITCH_CONNTRACK bool "Open vSwitch conntrack action support" depends on OPENVSWITCH depends on NF_CONNTRACK + depends on NETFILTER_XTABLES default OPENVSWITCH ---help--- If you say Y here, then Open vSwitch module will be able to pass diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 5acc59a..e7a5ca7 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include @@ -30,6 +31,7 @@ struct ovs_ct_len_tbl { }; struct ovs_conntrack_info { + struct nf_conntrack_helper *helper; struct nf_conn *ct; u32 flags; u16 zone; @@ -158,6 +160,51 @@ bool ovs_ct_state_valid(const struct sw_flow_key *key) return __ovs_ct_state_valid(key->ct.state); } +/* 'skb' should already be pulled to nh_ofs. */ +static int ovs_ct_helper(struct sk_buff *skb, u16 proto) +{ + const struct nf_conntrack_helper *helper; + const struct nf_conn_help *help; + enum ip_conntrack_info ctinfo; + unsigned int protoff; + struct nf_conn *ct; + + ct = nf_ct_get(skb, &ctinfo); + if (!ct || ctinfo == IP_CT_RELATED_REPLY) + return NF_ACCEPT; + + help = nfct_help(ct); + if (!help) + return NF_ACCEPT; + + helper = rcu_dereference(help->helper); + if (!helper) + return NF_ACCEPT; + + switch (proto) { + case NFPROTO_IPV4: + protoff = ip_hdrlen(skb); + break; + case NFPROTO_IPV6: { + u8 nexthdr = ipv6_hdr(skb)->nexthdr; + __be16 frag_off; + + protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), + &nexthdr, &frag_off); + if (protoff < 0 || (frag_off & htons(~0x7)) != 0) { + pr_debug("proto header not found\n"); + return NF_ACCEPT; + } + break; + } + default: + WARN_ONCE(1, "helper invoked on non-IP family!"); + return NF_DROP; + } + + return helper->help(skb, protoff, ct, ctinfo); +} + static int handle_fragments(struct net *net, struct sw_flow_key *key, u16 zone, struct sk_buff *skb) { @@ -232,6 +279,13 @@ static bool skb_nfct_cached(const struct net *net, const struct sk_buff *skb, } if (info->zone != nf_ct_zone(ct)) return false; + if (info->helper) { + struct nf_conn_help *help; + + help = nf_ct_ext_find(ct, NF_CT_EXT_HELPER); + if (help && help->helper != info->helper) + return false; + } return true; } @@ -288,6 +342,11 @@ static int __ovs_ct_lookup(struct net *net, const struct sw_flow_key *key, if (nf_conntrack_in(net, info->family, NF_INET_PRE_ROUTING, skb) != NF_ACCEPT) return -ENOENT; + + if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) { + WARN_ONCE(1, "helper rejected packet"); + return -EINVAL; + } } return 0; @@ -437,15 +496,41 @@ int ovs_ct_set_label(struct sk_buff *skb, struct sw_flow_key *key, #endif } +static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, + const struct sw_flow_key *key, bool log) +{ + struct nf_conntrack_helper *helper; + struct nf_conn_help *help; + + helper = nf_conntrack_helper_try_module_get(name, info->family, + key->ip.proto); + if (!helper) { + OVS_NLERR(log, "Unknown helper \"%s\"", name); + return -ENOENT; + } + + help = nf_ct_helper_ext_add(info->ct, helper, GFP_KERNEL); + if (!help) { + module_put(helper->me); + return -ENOMEM; + } + + help->helper = helper; + info->helper = helper; + return 0; +} + static const struct ovs_ct_len_tbl ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = { [OVS_CT_ATTR_FLAGS] = { .minlen = sizeof(u32), .maxlen = sizeof(u32) }, [OVS_CT_ATTR_ZONE] = { .minlen = sizeof(u16), .maxlen = sizeof(u16) }, + [OVS_CT_ATTR_HELPER] = { .minlen = 1, + .maxlen = NF_CT_HELPER_NAME_LEN } }; static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, - bool log) + const char **helper, bool log) { struct nlattr *a; int rem; @@ -477,6 +562,13 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, case OVS_CT_ATTR_FLAGS: info->flags = nla_get_u32(a); break; + case OVS_CT_ATTR_HELPER: + *helper = nla_data(a); + if (!memchr(*helper, '\0', nla_len(a))) { + OVS_NLERR(log, "Invalid conntrack helper"); + return -EINVAL; + } + break; default: OVS_NLERR(log, "Unknown conntrack attr (%d)", type); @@ -518,6 +610,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, { struct ovs_conntrack_info ct_info; struct nf_conntrack_tuple t; + const char *helper = NULL; u16 family; int err; @@ -530,7 +623,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, memset(&ct_info, 0, sizeof(ct_info)); ct_info.family = family; - err = parse_ct(attr, &ct_info, log); + err = parse_ct(attr, &ct_info, &helper, log); if (err) return err; @@ -542,6 +635,11 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, OVS_NLERR(log, "Failed to allocate conntrack template"); return PTR_ERR(ct_info.ct); } + if (helper) { + err = ovs_ct_add_helper(&ct_info, helper, key, log); + if (err) + goto err_free_ct; + } err = ovs_nla_add_action(sfa, OVS_ACTION_ATTR_CT, &ct_info, sizeof(ct_info), log); @@ -570,6 +668,11 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info, if (nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone)) return -EMSGSIZE; #endif + if (ct_info->helper) { + if (nla_put_string(skb, OVS_CT_ATTR_HELPER, + ct_info->helper->name)) + return -EMSGSIZE; + } nla_nest_end(skb, start); @@ -580,6 +683,8 @@ void ovs_ct_free_action(const struct nlattr *a) { struct ovs_conntrack_info *ct_info = nla_data(a); + if (ct_info->helper) + module_put(ct_info->helper->me); if (ct_info->ct) nf_ct_put(ct_info->ct); } -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/