From b292cce2ff5336524874b80da26b60c653984ca4 Mon Sep 17 00:00:00 2001
From: Eelco Chaudron <echaudro@redhat.com>
Date: Tue, 7 Feb 2023 15:05:25 +0100
Subject: netdev-offload-tc: Conntrack ALGs are not supported with tc.

tc does not support conntrack ALGs. Even worse, with tc enabled, they
should not be used/configured at all. This is because even though TC
will ignore the rules with ALG configured, i.e., they will flow through
the kernel module, return traffic might flow through a tc conntrack
rule, and it will not invoke the ALG helper.

Fixes: 576126a931cd ("netdev-offload-tc: Add conntrack support")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Roi Dayan <roid@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Tested-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
 lib/netdev-offload-tc.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'lib')

diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
index 5a2b26651..4fb9d9f21 100644
--- a/lib/netdev-offload-tc.c
+++ b/lib/netdev-offload-tc.c
@@ -1426,6 +1426,10 @@ parse_put_flow_ct_action(struct tc_flower *flower,
                         get_32aligned_u128(&ct_label->mask);
                 }
                 break;
+                /* The following option we do not support in tc-ct, and should
+                 * not be ignored for proper operation. */
+                case OVS_CT_ATTR_HELPER:
+                    return EOPNOTSUPP;
             }
         }
 
-- 
cgit v1.2.1