From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Aaron Conole , "David S. Miller"
Subject: [PATCH 4.19 08/47] openvswitch: support asymmetric conntrack
Date: Thu, 19 Dec 2019 19:34:22 +0100
Message-Id: <20191219182903.506958631@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20191219182857.659088743@linuxfoundation.org>
References: <20191219182857.659088743@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Aaron Conole

[ Upstream commit 5d50aa83e2c8e91ced2cca77c198b468ca9210f4 ]

The openvswitch module shares a common conntrack and NAT infrastructure
exposed via netfilter. It's possible that a packet needs both SNAT and
DNAT manipulation, due to e.g. tuple collision. Netfilter can support
this because it runs through the NAT table twice - once on ingress and
again after egress. The openvswitch module doesn't have such capability.

Like netfilter hook infrastructure, we should run through NAT twice to
keep the symmetry.

Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
Signed-off-by: Aaron Conole
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/openvswitch/conntrack.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -897,6 +897,17 @@ static int ovs_ct_nat(struct net *net, s } err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype); + if (err == NF_ACCEPT && + ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, + maniptype); + } + /* Mark NAT done if successful and update the flow key. */ if (err == NF_ACCEPT) ovs_nat_update_key(key, skb, maniptype);
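Review bot: after the second ovs_ct_nat_execute() call succeeds, `maniptype` holds the flipped value, so the unchanged `ovs_nat_update_key(key, skb, maniptype);` at the end of this hunk refreshes the flow key only for the second manipulation; the address or port rewritten by the first pass is no longer reflected in `key`. Consider keeping the original type before the flip (e.g. `enum nf_nat_manip_type orig = maniptype;`) and, in the double-NAT branch, calling `ovs_nat_update_key()` once for `NF_NAT_MANIP_SRC` and once for `NF_NAT_MANIP_DST` so both halves of the key are updated. Separately, the second call passes the same `&info->range` that was supplied for the original `maniptype`; a short comment explaining why that range is appropriate (or irrelevant) for the opposite manipulation direction would help the next reader, since nothing in the hunk says so.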