From 280337736851db0358511ee211d02dc0975aad1a Mon Sep 17 00:00:00 2001 From: Jarno Rajahalme Date: Mon, 10 Apr 2017 18:18:30 -0700 Subject: [PATCH] datapath: Avoid struct copy on conntrack labels. Older kernels have variable sized labels, and the struct itself contains only the length, so we must memcpy the bits explicitly. The modified system test fails on older kernels without this change. VMware-BZ: #1841876 Fixes: 09aa98ad496d ("datapath: Inherit master's labels.") Signed-off-by: Jarno Rajahalme Acked-by: Andy Zhou --- datapath/conntrack.c | 7 +++++-- tests/system-traffic.at | 18 +++++++++--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/datapath/conntrack.c b/datapath/conntrack.c index 4df73528b..47f1a9938 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -365,9 +365,12 @@ static int ovs_ct_init_labels(struct nf_conn *ct, struct sw_flow_key *key, if (!cl) return -ENOSPC; - /* Inherit the master's labels, if any. */ + /* Inherit the master's labels, if any. Must use memcpy for backport + * as struct assignment only copies the length field in older + * kernels. + */ if (master_cl) - *cl = *master_cl; + memcpy(cl->bits, master_cl->bits, OVS_CT_LABELS_LEN); if (have_mask) { u32 *dst = (u32 *)cl->bits; diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 1816b1a88..c04277351 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -3044,7 +3044,7 @@ dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets dnl get the ACL lookup using the conntrack tuple and the inverted direction. dnl RELATED packets get ACL lookup using the conntrack tuple in the direction -dnl of the master connection, as storted in ct_mark. +dnl of the master connection, as stored in ct_label[0]. dnl dnl Incoming non-related packet in the original direction (ACL IN) table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5 @@ -3056,7 +3056,7 @@ dnl Outgoing non-related reply packet (CT ACL IN) table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4 dnl dnl Related packet (CT ACL in the direction of the master connection.) -table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_MARK[[]]->NXM_NX_REG0[[]],resubmit(,3,ct),goto_table:4 +table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4 dnl Drop everything else. table=1 priority=0, action=drop dnl @@ -3088,15 +3088,15 @@ table=5 reg2=0 priority=1000 action=drop dnl dnl Commit new incoming FTP control connections with SNAT range. Must match on dnl 'tcp' when setting 'alg=ftp'. Store the directionality of non-related -dnl connections to ct_mark. Store the rule ID to labels. -table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 +dnl connections to ct_label[0] Store the rule ID to ct_label[96..127]. +table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl Commit other new incoming non-related IP connections with SNAT range. -table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 +table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl Commit non-related outgoing new IP connections with DNAT range. dnl (This should not get any packets in this test.) -table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 +table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl Commit new related connections in either direction, which need 'nat' -dnl and which inherit the mark (the direction of the original direction +dnl and which inherit the label (the direction of the original direction dnl master tuple) from the master connection. table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6 dnl @@ -3122,8 +3122,8 @@ table=10 priority=100 arp xreg0=0 action=normal table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]] table=10 priority=0 action=drop ], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=$2,sport=,dport=),zone=1,mark=1,labels=0x4d2000000000000000000000000,protoinfo=(state=),helper=ftp -tcp,orig=(src=10.1.1.2,dst=$2,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),zone=1,mark=1,labels=0x4d2000000000000000000000000,protoinfo=(state=) +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=$2,sport=,dport=),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.2,dst=$2,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=) ]) ]) -- 2.39.5