Date: Sat, 23 Dec 2023 21:13:06 +0000
From: Simon Horman
To: Brad Cowie
Cc: netdev@vger.kernel.org, dev@openvswitch.org, fw@strlen.de, linux-kernel@vger.kernel.org, kadlec@netfilter.org, edumazet@google.com, netfilter-devel@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, davem@davemloft.net, pablo@netfilter.org, Xin Long, Aaron Conole, coreteam@netfilter.org
Subject: Re: [PATCH net] netfilter: nf_nat: fix action not being set for all ct states
Message-ID: <20231223211306.GA215659@kernel.org>
References: <20231221224311.130319-1-brad@faucet.nz>
In-Reply-To: <20231221224311.130319-1-brad@faucet.nz>

+ Xin Long
  Aaron Conole
  coreteam@netfilter.org

On Fri, Dec 22, 2023 at 11:43:11AM +1300, Brad Cowie wrote:
> This fixes openvswitch's handling of nat packets in the related state.
>
> In nf_ct_nat_execute(), which is called from nf_ct_nat(), ICMP/ICMPv6
> packets in the IP_CT_RELATED or IP_CT_RELATED_REPLY state, which have
> not been dropped, will follow the goto, however the placement of the
> goto label means that updating the action bit field will be bypassed.
>
> This causes ovs_nat_update_key() to not be called from ovs_ct_nat()
> which means the openvswitch match key for the ICMP/ICMPv6 packet is not
> updated and the pre-nat value will be retained for the key, which will
> result in the wrong openflow rule being matched for that packet.
>
> Move the goto label above where the action bit field is being set so
> that it is updated in all cases where the packet is accepted.
>
> Fixes: ebddb1404900 ("net: move the nat function to nf_nat_ovs for ovs and tc")
> Signed-off-by: Brad Cowie

Thanks Brad,

I agree with your analysis and that the problem appears to have been
introduced by the cited commit.

I am curious to know what use case triggers this / why it went unnoticed
for a year. But in any case, this fix looks good to me.

Reviewed-by: Simon Horman

> ---
> net/netfilter/nf_nat_ovs.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_nat_ovs.c b/net/netfilter/nf_nat_ovs.c
> index 551abd2da614..0f9a559f6207 100644
> --- a/net/netfilter/nf_nat_ovs.c
> +++ b/net/netfilter/nf_nat_ovs.c
> @@ -75,9 +75,10 @@ static int nf_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
> }
>
> err = nf_nat_packet(ct, ctinfo, hooknum, skb);
> +out:
> if (err == NF_ACCEPT)
> *action |= BIT(maniptype);
> -out:
> +
> return err;
> }
>
> --
> 2.34.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
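Review bot: with `out:` moved above `if (err == NF_ACCEPT)`, the value of `err` at every `goto out` site in nf_ct_nat_execute() now decides whether `*action |= BIT(maniptype)` runs, so each jump must arrive with `err` already set to the intended verdict; the hunk's context does not show those sites, so the prologue should be checked to confirm that no path jumps with `err` uninitialized or with a non-accept verdict that was previously relying on the label placement to skip the action update (the ICMP RELATED / RELATED_REPLY path the commit message describes reaches the label with `err == NF_ACCEPT`, which is the intended case). Minor: the `+` blank line left where the old `out:` stood introduces an empty line directly before `return err;` and could be dropped to keep the function body tidy.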