openvswitch: load and reference the NAT helper.
This improves the original commit17c357efe5
("openvswitch: load NAT helper") where it unconditionally tries to load the module for every flow using NAT, so not efficient when loading multiple flows. It also doesn't hold any references to the NAT module while the flow is active. This change fixes those problems. It will try to load the module only if it's not present. It grabs a reference to the NAT module and holds it while the flow is active. Finally, an error message shows up if either actions above fails. Fixes:17c357efe5
("openvswitch: load NAT helper") Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
53b11308a1
commit
fec9c271b8
|
@ -1307,6 +1307,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
|
||||||
{
|
{
|
||||||
struct nf_conntrack_helper *helper;
|
struct nf_conntrack_helper *helper;
|
||||||
struct nf_conn_help *help;
|
struct nf_conn_help *help;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
helper = nf_conntrack_helper_try_module_get(name, info->family,
|
helper = nf_conntrack_helper_try_module_get(name, info->family,
|
||||||
key->ip.proto);
|
key->ip.proto);
|
||||||
|
@ -1321,13 +1322,21 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_NF_NAT_NEEDED
|
||||||
|
if (info->nat) {
|
||||||
|
ret = nf_nat_helper_try_module_get(name, info->family,
|
||||||
|
key->ip.proto);
|
||||||
|
if (ret) {
|
||||||
|
nf_conntrack_helper_put(helper);
|
||||||
|
OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d",
|
||||||
|
name, ret);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
rcu_assign_pointer(help->helper, helper);
|
rcu_assign_pointer(help->helper, helper);
|
||||||
info->helper = helper;
|
info->helper = helper;
|
||||||
|
return ret;
|
||||||
if (info->nat)
|
|
||||||
request_module("ip_nat_%s", name);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#if IS_ENABLED(CONFIG_NF_NAT)
|
#if IS_ENABLED(CONFIG_NF_NAT)
|
||||||
|
@ -1801,8 +1810,13 @@ void ovs_ct_free_action(const struct nlattr *a)
|
||||||
|
|
||||||
static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
|
static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
|
||||||
{
|
{
|
||||||
if (ct_info->helper)
|
if (ct_info->helper) {
|
||||||
|
#ifdef CONFIG_NF_NAT_NEEDED
|
||||||
|
if (ct_info->nat)
|
||||||
|
nf_nat_helper_put(ct_info->helper);
|
||||||
|
#endif
|
||||||
nf_conntrack_helper_put(ct_info->helper);
|
nf_conntrack_helper_put(ct_info->helper);
|
||||||
|
}
|
||||||
if (ct_info->ct) {
|
if (ct_info->ct) {
|
||||||
if (ct_info->timeout[0])
|
if (ct_info->timeout[0])
|
||||||
nf_ct_destroy_timeout(ct_info->ct);
|
nf_ct_destroy_timeout(ct_info->ct);
|
||||||
|
|
Loading…
Reference in New Issue