From: Florian Westphal <fw@strlen.de>
To: Joe Stringer <joestringer@nicira.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
pablo@netfilter.org, kaber@trash.net, jpettit@nicira.com,
pshelar@nicira.com, azhou@nicira.com, jesse@nicira.com,
fwestpha@redhat.com, hannes@redhat.com, tgraf@noironetworks.com
Subject: Re: [PATCH net-next 8/9] openvswitch: Allow matching on conntrack label
Date: Fri, 31 Jul 2015 15:20:04 +0200
Message-ID: <20150731132004.GA20471@breakpoint.cc>
In-Reply-To: <1438279963-29563-9-git-send-email-joestringer@nicira.com>
Joe Stringer <joestringer@nicira.com> wrote:
> Allow matching and setting the conntrack label field. As with ct_mark,
> this is populated by executing the ct() action, and is a writable field.
> The set_field() action may be used to modify the label, which will take
> effect on the most recent conntrack entry.
>
> E.g.: actions:ct(zone=1),set_field(1->ct_label)
>
> This will perform conntrack lookup in zone 1, then modify the label for
> that entry. The conntrack entry itself must be committed using the
> "commit" flag in the conntrack action flags for this change to persist.
>
> Signed-off-by: Joe Stringer <joestringer@nicira.com>
> +/* Load connlabel and ensure it supports 128-bit labels */
> +static struct xt_match *load_connlabel(struct net *net)
> +{
> +#ifdef CONFIG_NF_CONNTRACK_LABELS
> + struct xt_match *match;
> + struct xt_mtchk_param mtpar;
> + struct xt_connlabel_mtinfo info;
> + int err = -EINVAL;
> +
> + match = xt_request_find_match(NFPROTO_UNSPEC, "connlabel", 0);
> + if (IS_ERR(match)) {
> + match = NULL;
> + goto exit;
> + }
> +
> + info.bit = sizeof(struct ovs_key_ct_label) * 8 - 1;
> + info.options = 0;
> +
> + mtpar.net = net;
> + mtpar.table = match->table;
> + mtpar.entryinfo = NULL;
> + mtpar.match = match;
> + mtpar.matchinfo = &info;
> + mtpar.hook_mask = BIT(NF_INET_PRE_ROUTING);
> + mtpar.family = NFPROTO_IPV4;
> +
> + err = xt_check_match(&mtpar, XT_ALIGN(match->matchsize), match->proto,
> + 0);
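Review bot: mtpar is a stack variable and only seven of its members are assigned before it is handed to xt_check_match(), so every other field of struct xt_mtchk_param is read uninitialised by the callee; declare it as `struct xt_mtchk_param mtpar = {};` (or memset it) before filling in the fields. A second point in the same hunk: when xt_request_find_match() fails, `match = NULL;` discards the PTR_ERR() value and err keeps its -EINVAL default, so whatever the exit label does with err cannot distinguish a missing connlabel module from a bad argument; capture `err = PTR_ERR(match);` before clearing match. Finally, hook_mask = BIT(NF_INET_PRE_ROUTING) and family = NFPROTO_IPV4 are placeholders for a match that was looked up as NFPROTO_UNSPEC, which is worth a comment if this construction stays.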
Yummy :-)
Rather than adding a dependency on xtables I think a better option would
be to move the
par->net->ct.labels_used++;
words = BITS_TO_LONGS(info->bit+1);
if (words > par->net->ct.label_words)
par->net->ct.label_words = words;
parts from the checkentry/destroy hooks of xt_connlabel into
nf_conntrack_labels.c so that you don't need this mtpar stunt above
anymore (and I'd like to add ctlabel set support for nft at one point
so I'd also need to move that out of xt_label).
You can move that out of this series and submit that to nf-devel as
separate patch if you want.
> + ovs_ct_verify(OVS_KEY_ATTR_CT_LABEL)) {
> + const struct ovs_key_ct_label *cl;
> +
> + cl = nla_data(a[OVS_KEY_ATTR_CT_LABEL]);
> + SW_FLOW_KEY_MEMCPY(match, ct.label, cl->ct_label,
> + sizeof(*cl), is_mask);
> + *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_LABEL);
> + }
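Review bot: in the SW_FLOW_KEY_MEMCPY call the source is the member cl->ct_label but the length is sizeof(*cl), the whole struct; that is only correct while struct ovs_key_ct_label has no other members, so use sizeof(cl->ct_label) (or pass cl together with sizeof(*cl)) to keep the source and its length consistent. Since the hunk opens mid-condition, the guard in front of ovs_ct_verify() is not visible here; a one-line comment above the branch saying how a flow carrying OVS_KEY_ATTR_CT_LABEL is treated on kernels built without CONFIG_NF_CONNTRACK_LABELS would help reviewers, given that the attribute bit is only cleared from *attrs inside this branch.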
So you're using labels as arbitrary 128 bit identifier, right?
Nothing wrong with that, just asking.
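As an added illustration that is not part of Florian's mail or of the OVS/netfilter code, the following userspace C model shows the bookkeeping he proposes moving out of xt_connlabel into nf_conntrack_labels.c: a per-namespace user count plus a label width that only grows, the matching release path, and a masked 128-bit label update of the kind a set_field(1->ct_label) action needs. struct netns_ct_labels, ct_labels_get(), ct_labels_put() and ct_label_replace() are invented names standing in for net->ct.labels_used / net->ct.label_words and the checkentry/destroy hooks quoted above; the 128-bit ceiling mirrors the OVS label size from the patch and xt_connlabel's maximum bit.

```c
/* Userspace model of per-namespace conntrack label accounting.
 * Added example, not kernel code: the struct and function names are
 * stand-ins for net->ct.labels_used, net->ct.label_words and the
 * xt_connlabel checkentry/destroy logic quoted in the reply above.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG      (8U * (unsigned int)sizeof(unsigned long))
#define BITS_TO_LONGS(nr)  (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define OVS_CT_LABEL_BITS  128U                 /* sizeof(struct ovs_key_ct_label) * 8 */
#define OVS_CT_LABEL_LONGS BITS_TO_LONGS(OVS_CT_LABEL_BITS)

/* Stand-in for the label-related fields of struct netns_ct. */
struct netns_ct_labels {
    unsigned int labels_used;   /* users (xt rules, OVS datapaths) holding a reference */
    unsigned int label_words;   /* widest label any user asked for, in unsigned longs */
};

/* checkentry side: take a reference and widen the per-namespace label
 * storage so that bit 'bit' fits. Width only grows while users exist.
 * Returns 0 on success, -1 (stand-in for -EINVAL) if the bit is out of range. */
static int ct_labels_get(struct netns_ct_labels *ct, unsigned int bit)
{
    unsigned int words;

    if (bit >= OVS_CT_LABEL_BITS)       /* same limit as xt_connlabel's max bit (127) */
        return -1;

    words = BITS_TO_LONGS(bit + 1);
    ct->labels_used++;
    if (words > ct->label_words)
        ct->label_words = words;
    return 0;
}

/* destroy side: drop the reference; the width is reset only once the last
 * user is gone, so existing users never see their labels shrink. */
static void ct_labels_put(struct netns_ct_labels *ct)
{
    if (ct->labels_used == 0)
        return;
    ct->labels_used--;
    if (ct->labels_used == 0)
        ct->label_words = 0;
}

/* Masked, word-by-word label update: label = (label & ~mask) | (value & mask).
 * Bits outside the mask are preserved, so several rules can own disjoint
 * parts of the same 128-bit label. */
static void ct_label_replace(unsigned long *label, const unsigned long *value,
                             const unsigned long *mask, unsigned int words)
{
    unsigned int i;

    for (i = 0; i < words; i++)
        label[i] = (label[i] & ~mask[i]) | (value[i] & mask[i]);
}

int main(void)
{
    struct netns_ct_labels ct = { 0, 0 };
    unsigned long label[OVS_CT_LABEL_LONGS] = { 0 };
    unsigned long value[OVS_CT_LABEL_LONGS] = { 0 };
    unsigned long mask[OVS_CT_LABEL_LONGS] = { 0 };

    ct_labels_get(&ct, OVS_CT_LABEL_BITS - 1);   /* OVS asks for bit 127 */
    printf("users=%u words=%u\n", ct.labels_used, ct.label_words);

    value[0] = 1; mask[0] = ~0UL;                /* set_field(1->ct_label), low word only */
    ct_label_replace(label, value, mask, OVS_CT_LABEL_LONGS);
    printf("label[0]=%lu\n", label[0]);

    ct_labels_put(&ct);
    printf("users=%u words=%u\n", ct.labels_used, ct.label_words);
    return 0;
}
```

The only-grow rule matters for safety: a conntrack extension allocated for an existing entry is sized from label_words at allocation time, so shrinking the width while users remain would let a later writer index past the allocation.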
Thread overview: 30+ messages
2015-07-30 18:12 [PATCH net-next 0/9] OVS conntrack support Joe Stringer
2015-07-30 18:12 ` [PATCH net-next 1/9] openvswitch: Scrub packet in ovs_vport_receive() Joe Stringer
2015-07-30 18:40 ` Thomas Graf
2015-07-30 23:16 ` Joe Stringer
2015-07-31 7:38 ` Thomas Graf
2015-07-31 3:43 ` Pravin Shelar
2015-07-31 14:34 ` Hannes Frederic Sowa
2015-07-31 17:51 ` Joe Stringer
2015-08-01 19:17 ` Thomas Graf
2015-08-05 4:40 ` Joe Stringer
2015-08-07 22:07 ` Jesse Gross
2015-07-30 18:12 ` [PATCH net-next 2/9] openvswitch: Serialize acts with original netlink len Joe Stringer
2015-07-30 19:35 ` Thomas Graf
2015-07-30 18:12 ` [PATCH net-next 3/9] openvswitch: Move MASKED* macros to datapath.h Joe Stringer
2015-07-30 19:36 ` Thomas Graf
2015-07-30 18:12 ` [PATCH net-next 4/9] ipv6: Export nf_ct_frag6_gather() Joe Stringer
2015-07-30 19:36 ` Thomas Graf
2015-07-30 18:12 ` [PATCH net-next 5/9] openvswitch: Add conntrack action Joe Stringer
2015-07-31 14:52 ` Hannes Frederic Sowa
2015-07-31 18:35 ` Joe Stringer
2015-07-31 15:26 ` Hannes Frederic Sowa
2015-07-31 20:14 ` Joe Stringer
2015-08-01 2:08 ` Pravin Shelar
2015-08-03 22:58 ` Joe Stringer
2015-07-30 18:12 ` [PATCH net-next 6/9] openvswitch: Allow matching on conntrack mark Joe Stringer
2015-07-30 18:12 ` [PATCH net-next 7/9] netfilter: Always export nf_connlabels_replace() Joe Stringer
2015-07-30 18:12 ` [PATCH net-next 8/9] openvswitch: Allow matching on conntrack label Joe Stringer
2015-07-31 13:20 ` Florian Westphal [this message]
2015-07-31 23:07 ` Joe Stringer
2015-07-30 18:12 ` [PATCH net-next 9/9] openvswitch: Allow attaching helpers to ct action Joe Stringer