conntrack: Use helpers from committed connections.

When a packet hits a flow rule without an explicitly specified helper, OvS has to rely on automatic application layer gateway detection to find related connections. This works as long as services are running on their standard ports, e.g. when FTP servers use TCP port 21. However, sometimes it's necessary to run services on non-standard ports. In that case, there is no way for OvS to guess which protocol is used within a given flow. Of course, this means that no related connections can be recognized. When a connection is committed with a particular helper, it's reasonable to assume this helper will be used in subsequent CT actions, as long as they don't override it. Achieve this behaviour by using the committed connection's helper when a flow rule does not specify one. Signed-off-by: Viacheslav Galaktionov <viacheslav.galaktionov@arknetworks.am> Acked-by: Ivan Malov <ivan.malov@arknetworks.am> Signed-off-by: Aaron Conole <aconole@redhat.com>
2025-09-03 15:55:19 +00:00 · 2023-12-11 12:51:02 +02:00
parent 14ef8b451f
commit 8abe32f957
3 changed files with 13 additions and 0 deletions
--- a/Documentation/faq/releases.rst
+++ b/Documentation/faq/releases.rst
@@ -140,6 +140,7 @@ Q: Are all features available with all datapaths?
    Conntrack Zone Limit            4.18           2.10         2.13     YES
    Conntrack NAT                   4.6            2.6          2.8      YES
    Conntrack NAT6                  4.6            2.6          2.8      3.0
+    Conntrack Helper Persist.       YES            YES          3.2      NO
    Tunnel - LISP                   NO             2.11         NO       NO
    Tunnel - STT                    NO             2.4          NO       YES
    Tunnel - GRE                    3.11           1.0          2.4      YES
--- a/3
+++ b/3
@@ -36,6 +36,9 @@ Post-v3.2.0
       The existing behaviour is maintained and a non key:value pair value
       will be applied to all other PMD thread cores.'pmd-sleep-show' is
       updated to show the maximum sleep for each PMD thread core.
+     * The userspace conntrack module no longer requires the user to specify
+       connection helpers in all flow rules. Instead, the helper specified
+       during connection commit will be used by default.


 v3.2.0 - 17 Aug 2023
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1247,6 +1247,10 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
        conn = NULL;
    }

+    if (conn && helper == NULL) {
+        helper = conn->alg;
+    }
+
    enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, helper);

    if (OVS_LIKELY(conn)) {
@@ -1336,6 +1340,11 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch,

    DP_PACKET_BATCH_FOR_EACH (i, packet, pkt_batch) {
        struct conn *conn = packet->md.conn;
+
+        if (helper == NULL && conn != NULL) {
+            helper = conn->alg;
+        }
+
        if (OVS_UNLIKELY(packet->md.ct_state == CS_INVALID)) {
            write_ct_md(packet, zone, NULL, NULL, NULL);
        } else if (conn &&