authorVladislav Odintsov <odivlad@gmail.com>2021-11-26 23:59:42 +0300
committerIlya Maximets <i.maximets@ovn.org>2021-12-09 15:18:23 +0100
commit72745ab0cdecf78ef5d1b487e3e030d9defe9114 (patch)
tree39bfbfa4979d5e0af9812ddede0c7f98f4dd6be6 /datapath
parent18db7ec5eb8338749a8dc0c1707589707565965d (diff)
compat: handle NF_REPEAT error on nf_conntrack_in.
In patch [1] rpl_nf_conntrack_in was backported as a static inline function without the do..while loop handling the NF_REPEAT error. In patch [2] the backported rpl_nf_conntrack_in function was removed from compat/include/net/netfilter/nf_conntrack_core.h as unused. As a result the do..while loop around nf_conntrack_in was lost, and this caused problems on old RHEL kernels with TCP SYN loss on a connection with the same 5-tuple, which ran in the last nf_conntrack_tcp_timeout_time_wait. The connection could be initiated on a TCP SYN retry after one second. 1: https://github.com/openvswitch/ovs/commit/4fdec8986a203b0dc9d9c183c932826967572e0f 2: https://github.com/openvswitch/ovs/commit/e9b33ad780f3bc712a5de6be9e1e0803fadcd249 Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-September/387623.html Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2021-October/388424.html Signed-off-by: Vladislav Odintsov <odivlad@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Diffstat (limited to 'datapath')
-rw-r--r--datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h9
1 files changed, 8 insertions, 1 deletions
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
index 4cce92f66..bc18c56b8 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -108,7 +108,14 @@ static inline bool rpl_nf_ct_delete(struct nf_conn *ct, u32 portid, int report)
static inline unsigned int
rpl_nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
{
- return nf_conntrack_in(state->net, state->pf, state->hook, skb);
+ int err;
+
+ /* Repeat if requested, see nf_iterate(). */
+ do {
+ err = nf_conntrack_in(state->net, state->pf, state->hook, skb);
+ } while (err == NF_REPEAT);
+
+ return err;
}
#define nf_conntrack_in rpl_nf_conntrack_in
#endif /* HAVE_NF_CONNTRACK_IN_TAKES_NF_HOOK_STATE */
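Review bot: The new local in rpl_nf_conntrack_in() is declared `int err`, but it holds a netfilter verdict that is compared with NF_REPEAT and returned from a function typed `unsigned int`; `unsigned int verdict;` would match the return type and avoid an implicit signed/unsigned conversion on the return path. The do..while has no iteration bound, so its termination on packet-driven input depends entirely on nf_conntrack_in() not answering NF_REPEAT again for the same skb. That presumably holds because the stale entry is dropped before the repeat is requested, but it is not visible in this hunk. The comment should record that assumption rather than only pointing at nf_iterate(), for example `/* NF_REPEAT: conntrack dropped a stale entry (e.g. SYN reusing a TIME_WAIT tuple); retry once it is gone, as nf_iterate() does. */`.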