openvswitch: return NF_DROP when fails to add nat ext in ovs_ct_nat

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2163374
Upstream Status: linux.git

commit 2b85144
Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Dec 8 11:56:10 2022 -0500

    openvswitch: return NF_DROP when fails to add nat ext in ovs_ct_nat

    When it fails to allocate nat ext, the packet should be dropped, like
    the memory allocation failures in other places in ovs_ct_nat().

    This patch changes to return NF_DROP when fails to add nat ext before
    doing NAT in ovs_ct_nat(), also it would keep consistent with tc
    action ct' processing in tcf_ct_act_nat().

    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Aaron Conole <aconole@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Antoine Tenart <atenart@redhat.com>

Author: atenart

net/openvswitch/conntrack.c

@@ -880,7 +880,7 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
 
 	/* Add NAT extension if not confirmed yet. */
 	if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
-		return NF_ACCEPT;   /* Can't NAT. */
+		return NF_DROP;   /* Can't NAT. */
 
 	/* Determine NAT type.
 	 * Check if the NAT type can be deduced from the tracked connection.