Re: [ovs-dev] [PATCH net] Revert "openvswitch: switch to per-action label counting in conntrack"

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Aaron Conole <aconole@redhat.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>,
	 dev@openvswitch.org, ovs-dev@openvswitch.org,
	 Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	 Jianbo Liu <jianbol@nvidia.com>,
	 Florian Westphal <fw@strlen.de>,
	 Ilya Maximets <i.maximets@ovn.org>,
	 Eric Dumazet <edumazet@google.com>,
	 kuba@kernel.org,  Paolo Abeni <pabeni@redhat.com>,
	 davem@davemloft.net
Subject: Re: [ovs-dev] [PATCH net] Revert "openvswitch: switch to per-action label counting in conntrack"
Date: Wed, 12 Mar 2025 10:25:51 -0400	[thread overview]
Message-ID: <f7tjz8uz5ow.fsf@redhat.com> (raw)
In-Reply-To: <1bdeb2f3a812bca016a225d3de714427b2cd4772.1741457143.git.lucien.xin@gmail.com> (Xin Long's message of "Sat, 8 Mar 2025 13:05:43 -0500")

Xin Long <lucien.xin@gmail.com> writes:

> Currently, ovs_ct_set_labels() is only called for confirmed conntrack
> entries (ct) within ovs_ct_commit(). However, if the conntrack entry
> does not have the labels_ext extension, attempting to allocate it in
> ovs_ct_get_conn_labels() for a confirmed entry triggers a warning in
> nf_ct_ext_add():
>
>   WARN_ON(nf_ct_is_confirmed(ct));
>
> This happens when the conntrack entry is created externally before OVS
> increments net->ct.labels_used. The issue has become more likely since
> commit fcb1aa5163b1 ("openvswitch: switch to per-action label counting
> in conntrack"), which changed to use per-action label counting and
> increment net->ct.labels_used when a flow with ct action is added.
>
> Since there’s no straightforward way to fully resolve this issue at the
> moment, this reverts the commit to avoid breaking existing use cases.
>
> Fixes: fcb1aa5163b1 ("openvswitch: switch to per-action label counting in conntrack")
> Reported-by: Jianbo Liu <jianbol@nvidia.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---

I did a quick test using the case provided by Jianbo and I wasn't able
to generate the warning.  If possible, I'd like Jianbo to confirm that
it works as well.

Acked-by: Aaron Conole <aconole@redhat.com>

>  net/openvswitch/conntrack.c | 30 ++++++++++++++++++------------
>  net/openvswitch/datapath.h  |  3 +++
>  2 files changed, 21 insertions(+), 12 deletions(-)
>
> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
> index 3bb4810234aa..e573e9221302 100644
> --- a/net/openvswitch/conntrack.c
> +++ b/net/openvswitch/conntrack.c
> @@ -1368,8 +1368,11 @@ bool ovs_ct_verify(struct net *net, enum ovs_key_attr attr)
>  	    attr == OVS_KEY_ATTR_CT_MARK)
>  		return true;
>  	if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
> -	    attr == OVS_KEY_ATTR_CT_LABELS)
> -		return true;
> +	    attr == OVS_KEY_ATTR_CT_LABELS) {
> +		struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
> +
> +		return ovs_net->xt_label;
> +	}
>  
>  	return false;
>  }
> @@ -1378,7 +1381,6 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
>  		       const struct sw_flow_key *key,
>  		       struct sw_flow_actions **sfa,  bool log)
>  {
> -	unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE;
>  	struct ovs_conntrack_info ct_info;
>  	const char *helper = NULL;
>  	u16 family;
> @@ -1407,12 +1409,6 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
>  		return -ENOMEM;
>  	}
>  
> -	if (nf_connlabels_get(net, n_bits - 1)) {
> -		nf_ct_tmpl_free(ct_info.ct);
> -		OVS_NLERR(log, "Failed to set connlabel length");
> -		return -EOPNOTSUPP;
> -	}
> -
>  	if (ct_info.timeout[0]) {
>  		if (nf_ct_set_timeout(net, ct_info.ct, family, key->ip.proto,
>  				      ct_info.timeout))
> @@ -1581,7 +1577,6 @@ static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
>  	if (ct_info->ct) {
>  		if (ct_info->timeout[0])
>  			nf_ct_destroy_timeout(ct_info->ct);
> -		nf_connlabels_put(nf_ct_net(ct_info->ct));
>  		nf_ct_tmpl_free(ct_info->ct);
>  	}
>  }
> @@ -2006,9 +2001,17 @@ struct genl_family dp_ct_limit_genl_family __ro_after_init = {
>  
>  int ovs_ct_init(struct net *net)
>  {
> -#if	IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
> +	unsigned int n_bits = sizeof(struct ovs_key_ct_labels) * BITS_PER_BYTE;
>  	struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
>  
> +	if (nf_connlabels_get(net, n_bits - 1)) {
> +		ovs_net->xt_label = false;
> +		OVS_NLERR(true, "Failed to set connlabel length");
> +	} else {
> +		ovs_net->xt_label = true;
> +	}
> +
> +#if	IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
>  	return ovs_ct_limit_init(net, ovs_net);
>  #else
>  	return 0;
> @@ -2017,9 +2020,12 @@ int ovs_ct_init(struct net *net)
>  
>  void ovs_ct_exit(struct net *net)
>  {
> -#if	IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
>  	struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
>  
> +#if	IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
>  	ovs_ct_limit_exit(net, ovs_net);
>  #endif
> +
> +	if (ovs_net->xt_label)
> +		nf_connlabels_put(net);
>  }
> diff --git a/net/openvswitch/datapath.h b/net/openvswitch/datapath.h
> index 365b9bb7f546..9ca6231ea647 100644
> --- a/net/openvswitch/datapath.h
> +++ b/net/openvswitch/datapath.h
> @@ -160,6 +160,9 @@ struct ovs_net {
>  #if	IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
>  	struct ovs_ct_limit_info *ct_limit_info;
>  #endif
> +
> +	/* Module reference for configuring conntrack. */
> +	bool xt_label;
>  };
>  
>  /**

next prev parent reply	other threads:[~2025-03-12 14:26 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-08 18:05 [PATCH net] Revert "openvswitch: switch to per-action label counting in conntrack" Xin Long
2025-03-12 14:25 ` Aaron Conole [this message]
2025-03-13  3:17   ` [ovs-dev] " Jianbo Liu
2025-03-13  9:40 ` patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f7tjz8uz5ow.fsf@redhat.com \
    --to=aconole@redhat.com \
    --cc=davem@davemloft.net \
    --cc=dev@openvswitch.org \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=i.maximets@ovn.org \
    --cc=jianbol@nvidia.com \
    --cc=kuba@kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=marcelo.leitner@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=ovs-dev@openvswitch.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.