authorFelix Fietkau <nbd@nbd.name>2019-09-25 16:45:05 +0200
committerFelix Fietkau <nbd@nbd.name>2019-09-26 10:25:01 +0200
commit151bd9ee259647819c5834b5ce80b3327d967e09 (patch)
treec6a44d17fb424615ae0a38fa54fd67f996de6d28 /target/linux/generic/hack-4.14
parentac04be82c447e3a24bbd05387b76228673b7729b (diff)
kernel: port upstream nft_flow_offload changes to xt_FLOWOFFLOAD and fix routing issues
Replace an old cleanup patch that never made it upstream with the proper upstream fix. The old patch was incompatible with the recent changes that affected the way the flow tuple dst entry is used. Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commits 442ecce76169d and c8933ce533656)
Diffstat (limited to 'target/linux/generic/hack-4.14')
-rw-r--r--target/linux/generic/hack-4.14/647-netfilter-flow-acct.patch4
-rw-r--r--target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch49
2 files changed, 33 insertions, 20 deletions
diff --git a/target/linux/generic/hack-4.14/647-netfilter-flow-acct.patch b/target/linux/generic/hack-4.14/647-netfilter-flow-acct.patch
index 290570fe9f..f58b8bc716 100644
--- a/target/linux/generic/hack-4.14/647-netfilter-flow-acct.patch
+++ b/target/linux/generic/hack-4.14/647-netfilter-flow-acct.patch
@@ -1,6 +1,6 @@
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
-@@ -164,6 +164,8 @@ struct nf_flow_table_hw {
+@@ -163,6 +163,8 @@ struct nf_flow_table_hw {
int nf_flow_table_hw_register(const struct nf_flow_table_hw *offload);
void nf_flow_table_hw_unregister(const struct nf_flow_table_hw *offload);
@@ -19,7 +19,7 @@
struct flow_offload_entry {
struct flow_offload flow;
-@@ -151,6 +152,22 @@ void flow_offload_free(struct flow_offlo
+@@ -152,6 +153,22 @@ void flow_offload_free(struct flow_offlo
}
EXPORT_SYMBOL_GPL(flow_offload_free);
diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
index 9692aa8a2b..a78b4cdf9c 100644
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
--- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,408 @@
+@@ -0,0 +1,421 @@
+/*
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
+ *
@@ -112,8 +112,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+#include <linux/netfilter/xt_FLOWOFFLOAD.h>
+#include <net/ip.h>
+#include <net/netfilter/nf_conntrack.h>
-+#include <net/netfilter/nf_flow_table.h>
++#include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_helper.h>
++#include <net/netfilter/nf_flow_table.h>
+
+static struct nf_flowtable nf_flowtable;
+static HLIST_HEAD(hooks);
@@ -280,21 +281,24 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+}
+
+static bool
-+xt_flowoffload_skip(struct sk_buff *skb)
++xt_flowoffload_skip(struct sk_buff *skb, int family)
+{
-+ struct ip_options *opt = &(IPCB(skb)->opt);
-+
-+ if (unlikely(opt->optlen))
-+ return true;
+ if (skb_sec_path(skb))
+ return true;
+
++ if (family == NFPROTO_IPV4) {
++ const struct ip_options *opt = &(IPCB(skb)->opt);
++
++ if (unlikely(opt->optlen))
++ return true;
++ }
++
+ return false;
+}
+
+static struct dst_entry *
+xt_flowoffload_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir,
-+ const struct xt_action_param *par)
++ const struct xt_action_param *par, int ifindex)
+{
+ struct dst_entry *dst = NULL;
+ struct flowi fl;
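Review bot: xt_flowoffload_skip gives no reason for its two exclusions, and the new family gate is exactly the kind of line a later reader may "simplify" away; suggest a comment above the function: `/* Packets that need per-packet slow-path work must not be fast-pathed: xfrm-transformed packets (sec_path) and IPv4 packets carrying options (source routing etc.). IPCB() is only valid for IPv4, hence the family gate. */`. Whether IPv6 packets with extension headers need an equivalent guard here, or are already rejected by the flowtable datapath, is not visible from this hunk; if they are not, a `family == NFPROTO_IPV6` branch would be needed for the same reason. xt_flowoffload_dst's body continues past the end of the hunk.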
@@ -303,10 +307,12 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ switch (xt_family(par)) {
+ case NFPROTO_IPV4:
+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
++ fl.u.ip4.flowi4_oif = ifindex;
+ break;
+ case NFPROTO_IPV6:
+ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
++ fl.u.ip6.flowi6_oif = ifindex;
+ break;
+ }
+
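Review bot: The IPv4 lookup fills in only `fl.u.ip4.daddr` and `fl.u.ip4.flowi4_oif`, while the IPv6 branch also sets the source address, so source-based policy routing rules would be consulted for IPv6 flows but not for IPv4 ones, and the offloaded IPv4 path may then follow a different route than the slow path that admitted the packet. If that asymmetry is not deliberate, add `fl.u.ip4.saddr = ct->tuplehash[dir].tuple.dst.u3.ip;` next to the daddr assignment so both families present the same key. The helper that consumes `fl` is outside this hunk, so the effect of saddr on the lookup is inferred from the IPv6 branch rather than seen.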
@@ -322,8 +328,8 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+{
+ struct dst_entry *this_dst, *other_dst;
+
-+ this_dst = xt_flowoffload_dst(ct, dir, par);
-+ other_dst = xt_flowoffload_dst(ct, !dir, par);
++ this_dst = xt_flowoffload_dst(ct, !dir, par, xt_out(par)->ifindex);
++ other_dst = xt_flowoffload_dst(ct, dir, par, xt_in(par)->ifindex);
+ if (!this_dst || !other_dst)
+ return -ENOENT;
+
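Review bot: On the `-ENOENT` path, when exactly one of `this_dst`/`other_dst` is NULL the other is dropped on the floor; if xt_flowoffload_dst returns a held dst reference (its body is outside this hunk, so I cannot confirm), that is a dst leak on every packet whose flow is routable in only one direction. Release whichever lookup succeeded before returning, e.g. `if (!this_dst || !other_dst) { dst_release(this_dst); dst_release(other_dst); return -ENOENT; }` — dst_release tolerates NULL. The enclosing xt_flowoffload_route starts before this hunk.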
@@ -331,9 +337,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ return -EINVAL;
+
+ route->tuple[dir].dst = this_dst;
-+ route->tuple[dir].ifindex = xt_in(par)->ifindex;
+ route->tuple[!dir].dst = other_dst;
-+ route->tuple[!dir].ifindex = xt_out(par)->ifindex;
+
+ return 0;
+}
@@ -342,7 +346,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+flowoffload_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+ const struct xt_flowoffload_target_info *info = par->targinfo;
-+ const struct nf_conn_help *help;
++ struct tcphdr _tcph, *tcph = NULL;
+ enum ip_conntrack_info ctinfo;
+ enum ip_conntrack_dir dir;
+ struct nf_flow_route route;
@@ -350,7 +354,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ struct nf_conn *ct;
+ struct net *net;
+
-+ if (xt_flowoffload_skip(skb))
++ if (xt_flowoffload_skip(skb, xt_family(par)))
+ return XT_CONTINUE;
+
+ ct = nf_ct_get(skb, &ctinfo);
@@ -361,6 +365,11 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ case IPPROTO_TCP:
+ if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
+ return XT_CONTINUE;
++
++ tcph = skb_header_pointer(skb, par->thoff,
++ sizeof(_tcph), &_tcph);
++ if (unlikely(!tcph || tcph->fin || tcph->rst))
++ return XT_CONTINUE;
+ break;
+ case IPPROTO_UDP:
+ break;
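Review bot: The new FIN/RST bail-out after the skb_header_pointer call has no comment, and its reason is not obvious from the adjacent ESTABLISHED-state test; suggest above the `tcph = skb_header_pointer(...)` line: `/* Do not offload a connection that is already tearing down: once in the flowtable, conntrack no longer sees the FIN/RST exchange and would keep the entry alive. */`. That offloaded packets bypass conntrack is inferred from the purpose of the target and the BE_LIBERAL handling later in this file, not from lines in this hunk. flowoffload_tg continues outside the hunk.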
@@ -368,12 +377,11 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ return XT_CONTINUE;
+ }
+
-+ help = nfct_help(ct);
-+ if (help)
++ if (nf_ct_ext_exist(ct, NF_CT_EXT_HELPER) ||
++ ct->status & IPS_SEQ_ADJUST)
+ return XT_CONTINUE;
+
-+ if (ctinfo == IP_CT_NEW ||
-+ ctinfo == IP_CT_RELATED)
++ if (!nf_ct_is_confirmed(ct))
+ return XT_CONTINUE;
+
+ if (!xt_in(par) || !xt_out(par))
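Review bot: The three new early-outs are security-relevant and undocumented: a helper or sequence-number adjustment means the slow path must keep inspecting or rewriting payload, and an unconfirmed conntrack may still be dropped or lose clash resolution, so fast-pathing any of them would bypass that processing. Suggest a comment above the `nf_ct_ext_exist` test: `/* Helpers and seqadj inspect/rewrite payload, and an unconfirmed ct may still be replaced; none of these may be fast-pathed. */`. Replacing the `ctinfo == IP_CT_RELATED` test with `!nf_ct_is_confirmed(ct)` also admits confirmed RELATED connections; that is presumably intended but deserves a word in the commit message. flowoffload_tg continues past the end of this hunk.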
@@ -391,6 +399,11 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ if (!flow)
+ goto err_flow_alloc;
+
++ if (tcph) {
++ ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
++ ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
++ }
++
+ if (flow_offload_add(&nf_flowtable, flow) < 0)
+ goto err_flow_add;
+
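Review bot: The BE_LIBERAL flags are set before flow_offload_add runs, so when it fails and control jumps to `err_flow_add` the conntrack is left with TCP window tracking relaxed in both directions even though nothing was offloaded; moving the two assignments after a successful `flow_offload_add` keeps strict window checking on the slow path in that case. Either way the block deserves a comment, since the relaxation is a deliberate security trade-off: `/* Offloaded packets bypass conntrack, so its window state goes stale; accept out-of-window segments when the flow falls back to the slow path. */`. The `err_flow_add` label and the rest of flowoffload_tg lie outside this hunk.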