Re: [ovs-dev] [PATCH net] openvswitch: add nf_ct_is_confirmed check before assigning the helper

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Aaron Conole <aconole@redhat.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>,
	dev@openvswitch.org, Florian Westphal <fw@strlen.de>,
	Ilya Maximets <i.maximets@ovn.org>,
	Eric Dumazet <edumazet@google.com>,
	kuba@kernel.org, Paolo Abeni <pabeni@redhat.com>,
	davem@davemloft.net, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [ovs-dev] [PATCH net] openvswitch: add nf_ct_is_confirmed check before assigning the helper
Date: Tue, 11 Oct 2022 10:06:03 -0400	[thread overview]
Message-ID: <f7t8rlmh2us.fsf@redhat.com> (raw)
In-Reply-To: <f7tczayh47y.fsf@redhat.com> (Aaron Conole's message of "Tue, 11 Oct 2022 09:36:33 -0400")

Aaron Conole <aconole@redhat.com> writes:

> Xin Long <lucien.xin@gmail.com> writes:
>
>> A WARN_ON call trace would be triggered when 'ct(commit, alg=helper)'
>> applies on a confirmed connection:
>>
>>   WARNING: CPU: 0 PID: 1251 at net/netfilter/nf_conntrack_extend.c:98
>>   RIP: 0010:nf_ct_ext_add+0x12d/0x150 [nf_conntrack]
>>   Call Trace:
>>    <TASK>
>>    nf_ct_helper_ext_add+0x12/0x60 [nf_conntrack]
>>    __nf_ct_try_assign_helper+0xc4/0x160 [nf_conntrack]
>>    __ovs_ct_lookup+0x72e/0x780 [openvswitch]
>>    ovs_ct_execute+0x1d8/0x920 [openvswitch]
>>    do_execute_actions+0x4e6/0xb60 [openvswitch]
>>    ovs_execute_actions+0x60/0x140 [openvswitch]
>>    ovs_packet_cmd_execute+0x2ad/0x310 [openvswitch]
>>    genl_family_rcv_msg_doit.isra.15+0x113/0x150
>>    genl_rcv_msg+0xef/0x1f0
>>
>> which can be reproduced with these OVS flows:
>>
>>   table=0, in_port=veth1,tcp,tcp_dst=2121,ct_state=-trk
>>   actions=ct(commit, table=1)
>>   table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+new
>>   actions=ct(commit, alg=ftp),normal
>>
>> The issue was introduced by commit 248d45f1e193 ("openvswitch: Allow
>> attaching helper in later commit") where it somehow removed the check
>> of nf_ct_is_confirmed before asigning the helper. This patch is to fix
>> it by bringing it back.
>>
>> Fixes: 248d45f1e193 ("openvswitch: Allow attaching helper in later commit")
>> Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
>> Signed-off-by: Xin Long <lucien.xin@gmail.com>
>> ---
>
> Hi Xin,
>
> Looking at the original commit, I think this will read like a revert.  I
> am doing some testing now, but I think we need input from Yi-Hung to
> find out what the use case is that the original fixed.

I'm also not able to reproduce the WARN_ON.  My env:

kernel: 4c86114194e6 ("Merge tag 'iomap-6.1-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux")

Using current upstream OVS
I used your flows (adjusting the port names):

 cookie=0x0, duration=246.240s, table=0, n_packets=17, n_bytes=1130, ct_state=-trk,tcp,in_port=v0,tp_dst=2121 actions=ct(commit,table=1)
 cookie=0x0, duration=246.240s, table=1, n_packets=1, n_bytes=74, ct_state=+new+trk,tcp,in_port=v0,tp_dst=2121 actions=ct(commit,alg=ftp),NORMAL

and ran:

$ ip netns exec server python3 -m pyftpdlib -i 172.31.110.20 &
$ ip netns exec client curl ftp://172.31.110.20:2121

but no WARN_ON message got triggered.  Are there additional flows you
used that I am missing, or perhaps this should be on a different kernel
commit?

> -Aaron

next prev parent reply	other threads:[~2022-10-11 14:06 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-06 19:45 [PATCH net] openvswitch: add nf_ct_is_confirmed check before assigning the helper Xin Long
2022-10-11 13:33 ` Paolo Abeni
2022-10-11 13:36 ` [ovs-dev] " Aaron Conole
2022-10-11 14:06   ` Aaron Conole [this message]
2022-10-11 14:22     ` Xin Long
2022-10-12 12:15 ` Aaron Conole
2022-10-13  1:50 ` patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f7t8rlmh2us.fsf@redhat.com \
    --to=aconole@redhat.com \
    --cc=davem@davemloft.net \
    --cc=dev@openvswitch.org \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=i.maximets@ovn.org \
    --cc=kuba@kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.