compat: handle NF_REPEAT error on nf_conntrack_in.

In patch [1] rpl_nf_conntrack_in was backported as static inline function without do..while loop handling NF_REPEAT error. In patch [2] rpl_nf_conntrack_in backported function was removed from compat/include/net/netfilter/nf_conntrack_core.h as an unused. As a result the do..while loop around nf_conntrack_in was lost and this caused problems on old RHEL kernels with the tcp SYN loss on a connection with same 5-tuple, which ran in last nf_conntrack_tcp_timeout_time_wait. The connection could be initiated on a tcp SYN retry after one second. 1: 4fdec89 2: e9b33ad Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-September/387623.html Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-October/388424.html Signed-off-by: Vladislav Odintsov <odivlad@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
openvswitch · Dec 9, 2021 · 72745ab · 72745ab
1 parent 18db7ec
commit 72745ab
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -108,7 +108,14 @@ static inline bool rpl_nf_ct_delete(struct nf_conn *ct, u32 portid, int report)
 static inline unsigned int
 rpl_nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
 {
-	return nf_conntrack_in(state->net, state->pf, state->hook, skb);
+	int err;
+
+	/* Repeat if requested, see nf_iterate(). */
+	do {
+		err = nf_conntrack_in(state->net, state->pf, state->hook, skb);
+	} while (err == NF_REPEAT);
+
+	return err;
 }
 #define nf_conntrack_in rpl_nf_conntrack_in
 #endif /* HAVE_NF_CONNTRACK_IN_TAKES_NF_HOOK_STATE */