[RFC PATCH] kernel: fix flow offload with IPv6 policy-based routing

DENG Qingfang Mon, 31 May 2021 13:03:17 -0700

Sync iptables FLOWOFFLOAD target with upstream nft_flow_offload.c, which
fixes the issue.


Fixes: FS#3649
Signed-off-by: DENG Qingfang <dqf...@gmail.com>
---
Note: I am by no means an expert on Netfilter subsystem. I just kind of
copied and pasted upstream nft_flow_offload.c here, which seemed to work.
A fix for kernel 5.10 is also required.

 .../650-netfilter-add-xt_OFFLOAD-target.patch         | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git 
a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch 
b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
index d584cb5c6c..567ebe4528 100644
--- a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,427 @@
+@@ -0,0 +1,422 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <n...@nbd.name>
 + *
@@ -315,7 +315,6 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 +              fl.u.ip4.flowi4_oif = ifindex;
 +              break;
 +      case NFPROTO_IPV6:
-+              fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
 +              fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
 +              fl.u.ip6.flowi6_oif = ifindex;
 +              break;
@@ -333,13 +332,13 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 +{
 +      struct dst_entry *this_dst, *other_dst;
 +
-+      this_dst = xt_flowoffload_dst(ct, !dir, par, xt_out(par)->ifindex);
++      this_dst = skb_dst(skb);
 +      other_dst = xt_flowoffload_dst(ct, dir, par, xt_in(par)->ifindex);
 +
 +      route->tuple[dir].dst           = this_dst;
 +      route->tuple[!dir].dst          = other_dst;
 +
-+      if (!this_dst || !other_dst)
++      if (!other_dst)
 +              return -ENOENT;
 +
 +      if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
@@ -390,9 +389,6 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 +      if (!nf_ct_is_confirmed(ct))
 +              return XT_CONTINUE;
 +
-+      if (!xt_in(par) || !xt_out(par))
-+              return XT_CONTINUE;
-+
 +      if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
 +              return XT_CONTINUE;
 +
@@ -401,7 +397,6 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 +      if (xt_flowoffload_route(skb, ct, par, &route, dir) == 0)
 +              flow = flow_offload_alloc(ct, &route);
 +
-+      dst_release(route.tuple[dir].dst);
 +      dst_release(route.tuple[!dir].dst);
 +
 +      if (!flow)
-- 
2.25.1


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

[RFC PATCH] kernel: fix flow offload with IPv6 policy-based routing

Reply via email to