diff options
author | Numan Siddique <nusiddiq@redhat.com> | 2020-11-16 18:31:26 +0530 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2020-11-20 09:53:48 -0800 |
commit | e2ef5203c817a60bfb591343ffd851b6537370ff (patch) | |
tree | c6a45770510a3e7907daa4da955e4a91151d89f0 /net/openvswitch | |
parent | 4082c502bf9c8a6afe4268c654d4e93ab7dfeb69 (diff) | |
download | lwn-e2ef5203c817a60bfb591343ffd851b6537370ff.tar.gz lwn-e2ef5203c817a60bfb591343ffd851b6537370ff.zip |
net: openvswitch: Be liberal in tcp conntrack.
There is no easy way to distinguish if a conntracked tcp packet is
marked invalid because of tcp_in_window() check error or because
it doesn't belong to an existing connection. With this patch,
openvswitch sets liberal tcp flag for the established sessions so
that out of window packets are not marked invalid.
A helper function - nf_ct_set_tcp_be_liberal(nf_conn) is added which
sets this flag for both the directions of the nf_conn.
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20201116130126.3065077-1-nusiddiq@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/openvswitch')
-rw-r--r-- | net/openvswitch/conntrack.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 4beb96139d77..6a88daab0190 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1037,6 +1037,14 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, ovs_ct_helper(skb, info->family) != NF_ACCEPT) { return -EINVAL; } + + if (nf_ct_protonum(ct) == IPPROTO_TCP && + nf_ct_is_confirmed(ct) && nf_conntrack_tcp_established(ct)) { + /* Be liberal for tcp packets so that out-of-window + * packets are not marked invalid. + */ + nf_ct_set_tcp_be_liberal(ct); + } } return 0; |