diff options
author | wenxu <wenxu@ucloud.cn> | 2021-02-04 10:50:14 +0800 |
---|---|---|
committer | Ilya Maximets <i.maximets@ovn.org> | 2021-02-04 20:11:12 +0100 |
commit | 498cf3eaed1cc8e163876e23ecf333c392079778 (patch) | |
tree | 83f1cc49aac865fb3807b196d4c84e30738d8186 | |
parent | 255fd6ad25bdf75050b8de886205109349e0a4af (diff) | |
download | openvswitch-498cf3eaed1cc8e163876e23ecf333c392079778.tar.gz |
netdev-offload-tc: Reject rules with unsupported ct_state flags.
TC flower doesn't support some ct state flags such as
INVALID/SNAT/DNAT/REPLY. So it is better to reject this rule.
Fixes: 576126a931cd ("netdev-offload-tc: Add conntrack support")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Reviewed-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
-rw-r--r-- | lib/netdev-offload-tc.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index 586d99db1..7cdd84944 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -1646,6 +1646,7 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_NEW; } flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_NEW; + mask->ct_state &= ~OVS_CS_F_NEW; } if (mask->ct_state & OVS_CS_F_ESTABLISHED) { @@ -1653,6 +1654,7 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED; } flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED; + mask->ct_state &= ~OVS_CS_F_ESTABLISHED; } if (mask->ct_state & OVS_CS_F_TRACKED) { @@ -1660,14 +1662,13 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_TRACKED; } flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_TRACKED; + mask->ct_state &= ~OVS_CS_F_TRACKED; } if (flower.key.ct_state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED) { flower.key.ct_state &= ~(TCA_FLOWER_KEY_CT_FLAGS_NEW); flower.mask.ct_state &= ~(TCA_FLOWER_KEY_CT_FLAGS_NEW); } - - mask->ct_state = 0; } if (mask->ct_zone) { |