diff options
author | Jarno Rajahalme <jarno@ovn.org> | 2016-03-10 10:54:21 -0800 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-03-14 23:47:29 +0100 |
commit | 5b6b929376a621e2bd3367f5de563d7123506597 (patch) | |
tree | 4fff562e9ef2b2ee7f5c856cc83a4dc54be79904 | |
parent | 289f225349cb2a97448fd14599ab34b741f706f3 (diff) |
openvswitch: Handle NF_REPEAT in conntrack action.
Repeat the nf_conntrack_in() call when it returns NF_REPEAT. This
avoids dropping a SYN packet re-opening an existing TCP connection.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/openvswitch/conntrack.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index ae36fe2ed483..85256b312455 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -485,6 +485,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, */ if (!skb_nfct_cached(net, key, info, skb)) { struct nf_conn *tmpl = info->ct; + int err; /* Associate skb with specified zone. */ if (tmpl) { @@ -495,8 +496,13 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, skb->nfctinfo = IP_CT_NEW; } - if (nf_conntrack_in(net, info->family, NF_INET_PRE_ROUTING, - skb) != NF_ACCEPT) + /* Repeat if requested, see nf_iterate(). */ + do { + err = nf_conntrack_in(net, info->family, + NF_INET_PRE_ROUTING, skb); + } while (err == NF_REPEAT); + + if (err != NF_ACCEPT) return -ENOENT; ovs_ct_update_key(skb, info, key, true); |