Skip to content

Commit

Permalink
netdev-offload-tc: Reject rules with unsupported ct_state flags.
Browse files Browse the repository at this point in the history 
TC flower doesn't support some ct state flags such as
INVALID/SNAT/DNAT/REPLY. So it is better to reject this rule.

Fixes: 576126a ("netdev-offload-tc: Add conntrack support")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Reviewed-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
  • Loading branch information
@igsilya
wenxu authored and igsilya committed Feb 4, 2021
1 parent 9985c46 commit a6efca9
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions lib/netdev-offload-tc.c
View file
Expand Up @@ -1580,28 +1580,29 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match,
flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_NEW;
}
flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_NEW;
mask->ct_state &= ~OVS_CS_F_NEW;
}

if (mask->ct_state & OVS_CS_F_ESTABLISHED) {
if (key->ct_state & OVS_CS_F_ESTABLISHED) {
flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED;
}
flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED;
mask->ct_state &= ~OVS_CS_F_ESTABLISHED;
}

if (mask->ct_state & OVS_CS_F_TRACKED) {
if (key->ct_state & OVS_CS_F_TRACKED) {
flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_TRACKED;
}
flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_TRACKED;
mask->ct_state &= ~OVS_CS_F_TRACKED;
}

if (flower.key.ct_state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED) {
flower.key.ct_state &= ~(TCA_FLOWER_KEY_CT_FLAGS_NEW);
flower.mask.ct_state &= ~(TCA_FLOWER_KEY_CT_FLAGS_NEW);
}

mask->ct_state = 0;
}

if (mask->ct_zone) {
Expand Down

0 comments on commit a6efca9

Please sign in to comment.