From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Aaron Conole <aconole@redhat.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 28/37] act_ct: support asymmetric conntrack
Date: Tue, 17 Dec 2019 21:09:49 +0100 [thread overview]
Message-ID: <20191217200732.321097920@linuxfoundation.org> (raw)
In-Reply-To: <20191217200721.741054904@linuxfoundation.org>
From: Aaron Conole <aconole@redhat.com>
[ Upstream commit 95219afbb980f10934de9f23a3e199be69c5ed09 ]
The act_ct TC module shares a common conntrack and NAT infrastructure
exposed via netfilter. It's possible that a packet needs both SNAT and
DNAT manipulation, due to e.g. tuple collision. Netfilter can support
this because it runs through the NAT table twice - once on ingress and
again after egress. The act_ct action doesn't have such capability.
Like netfilter hook infrastructure, we should run through NAT twice to
keep the symmetry.
Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/act_ct.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -329,6 +329,7 @@ static int tcf_ct_act_nat(struct sk_buff
bool commit)
{
#if IS_ENABLED(CONFIG_NF_NAT)
+ int err;
enum nf_nat_manip_type maniptype;
if (!(ct_action & TCA_CT_ACT_NAT))
@@ -359,7 +360,17 @@ static int tcf_ct_act_nat(struct sk_buff
return NF_ACCEPT;
}
- return ct_nat_execute(skb, ct, ctinfo, range, maniptype);
+ err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
+ if (err == NF_ACCEPT &&
+ ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+ if (maniptype == NF_NAT_MANIP_SRC)
+ maniptype = NF_NAT_MANIP_DST;
+ else
+ maniptype = NF_NAT_MANIP_SRC;
+
+ err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
+ }
+ return err;
#else
return NF_ACCEPT;
#endif
next prev parent reply other threads:[~2019-12-17 20:12 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-17 20:09 [PATCH 5.4 00/37] 5.4.5-stable review Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 01/37] inet: protect against too small mtu values Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 02/37] mqprio: Fix out-of-bounds access in mqprio_dump Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 03/37] net: bridge: deny dev_set_mac_address() when unregistering Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 04/37] net: dsa: fix flow dissection on Tx path Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 05/37] net: ethernet: ti: cpsw: fix extra rx interrupt Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 06/37] net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 07/37] net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 08/37] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 09/37] net: thunderx: start phy before starting autonegotiation Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 10/37] net/tls: Fix return values to avoid ENOTSUPP Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 11/37] openvswitch: support asymmetric conntrack Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 12/37] tcp: md5: fix potential overestimation of TCP option space Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 13/37] tipc: fix ordering of tipc module init and exit routine Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 14/37] net/mlx5e: Query global pause state before setting prio2buffer Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 15/37] net: ipv6: add net argument to ip6_dst_lookup_flow Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 16/37] net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 17/37] tcp: fix rejected syncookies due to stale timestamps Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 18/37] tcp: tighten acceptance of ACKs not matching a child socket Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 19/37] tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 20/37] net: core: rename indirect block ingress cb function Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 21/37] net: sched: allow indirect blocks to bind to clsact in TC Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 22/37] cls_flower: Fix the behavior using port ranges with hw-offload Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 23/37] gre: refetch erspan header from skb->data after pskb_may_pull() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 24/37] Fixed updating of ethertype in function skb_mpls_pop Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 25/37] hsr: fix a NULL pointer dereference in hsr_dev_xmit() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 26/37] net: Fixed updating of ethertype in skb_mpls_push() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 27/37] net/mlx5e: Fix TXQ indices to be sequential Greg Kroah-Hartman
2019-12-17 20:09 ` Greg Kroah-Hartman [this message]
2019-12-17 20:09 ` [PATCH 5.4 29/37] net/mlx5e: Fix SFF 8472 eeprom length Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 30/37] net/mlx5e: Fix freeing flow with kfree() and not kvfree() Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 31/37] net/mlx5e: Fix translation of link mode into speed Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 32/37] net/mlx5e: ethtool, Fix analysis of speed setting Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 33/37] page_pool: do not release pool until inflight == 0 Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 34/37] xdp: obtain the mem_id mutex before trying to remove an entry Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 35/37] ionic: keep users rss hash across lif reset Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 36/37] net: mscc: ocelot: unregister the PTP clock on deinit Greg Kroah-Hartman
2019-12-17 20:09 ` [PATCH 5.4 37/37] r8169: add missing RX enabling for WoL on RTL8125 Greg Kroah-Hartman
2019-12-18 10:24 ` [PATCH 5.4 00/37] 5.4.5-stable review Jon Hunter
2019-12-18 14:34 ` Greg Kroah-Hartman
2019-12-18 14:22 ` Naresh Kamboju
2019-12-18 14:35 ` Greg Kroah-Hartman
2019-12-18 14:48 ` Guenter Roeck
2019-12-18 14:53 ` Greg Kroah-Hartman
2019-12-18 20:59 ` shuah
2019-12-19 8:44 ` Greg Kroah-Hartman
2019-12-18 21:02 ` Geert Uytterhoeven
2019-12-19 8:45 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191217200732.321097920@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aconole@redhat.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).