Re: [PATCH net-next v5 7/8] openvswitch: Delay conntrack helper call for new connections.


 



Hello.

On 12/17/2015 3:36 AM, Jarno Rajahalme wrote:

There is no need to help connections that are not confirmed, so we can
delay helping new connections to the time when they are confirmed.
This change is needed for NAT support, and having this as a separate
patch will make the following NAT patch a bit easier to review.

Signed-off-by: Jarno Rajahalme <jarno@xxxxxxx>
---
  net/openvswitch/conntrack.c | 20 +++++++++++++++-----
  1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 7aa38fa..ba44287 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
[...]
@@ -491,11 +496,16 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
  			return -ENOENT;

  		ovs_ct_update_key(skb, key, true);
+	}

-		if (ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
-			WARN_ONCE(1, "helper rejected packet");
-			return -EINVAL;
-		}
+	/* Call the helper right after nf_conntrack_in() for confirmed
+	 * connections, but only when commiting for unconfirmed connections.
+	 */
+	ct = nf_ct_get(skb, &ctinfo);
+	if (ct && (nf_ct_is_confirmed(ct) ? !cached : info->commit)
+	    && ovs_ct_helper(skb, info->family) != NF_ACCEPT) {
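
Review bot: the comment added above the nf_ct_get() call misspells "commiting" (should be "committing"), and the condition below it is hard to read because the ternary "nf_ct_is_confirmed(ct) ? !cached : info->commit" sits inside an && chain. Consider computing that decision into a named local boolean first and then testing ovs_ct_helper(skb, info->family) != NF_ACCEPT on its own line. The removed lines raised WARN_ONCE and returned -EINVAL when the helper rejected the packet; the quoted hunk stops at the new if, so please make sure the new body keeps that error path.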

Please leave && on the line being broken, don't carry it into the continuation line.

MBR, Sergei
