aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/generic/backport-4.14
diff options
context:
space:
mode:
Diffstat (limited to 'target/linux/generic/backport-4.14')
-rw-r--r--target/linux/generic/backport-4.14/366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch89
-rw-r--r--target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch39
-rw-r--r--target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch4
-rw-r--r--target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch4
4 files changed, 43 insertions, 93 deletions
diff --git a/target/linux/generic/backport-4.14/366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch b/target/linux/generic/backport-4.14/366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch
deleted file mode 100644
index 491f057858..0000000000
--- a/target/linux/generic/backport-4.14/366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From: Felix Fietkau <nbd@nbd.name>
-Date: Thu, 15 Mar 2018 18:21:43 +0100
-Subject: [PATCH] netfilter: nf_flow_table: clean up and fix dst handling
-
-dst handling in the code is inconsistent and possibly wrong. In my test,
-skb_dst(skb) holds the dst entry after routing but before NAT, so the
-code could possibly return the same dst entry for both directions of a
-connection.
-Additionally, there was some confusion over the dst entry vs the address
-passed as parameter to rt_nexthop/rt6_nexthop.
-
-Do an explicit dst lookup for both ends of the connection and always use
-the source address for it. When running the IP hook, use the dst entry
-for the opposite direction for determining the route.
-
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
----
-
---- a/net/netfilter/nf_flow_table_ip.c
-+++ b/net/netfilter/nf_flow_table_ip.c
-@@ -238,7 +238,7 @@ nf_flow_offload_ip_hook(void *priv, stru
-
- dir = tuplehash->tuple.dir;
- flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
-- rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
-+ rt = (const struct rtable *)flow->tuplehash[!dir].tuple.dst_cache;
-
- if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&
- (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)
-@@ -455,7 +455,7 @@ nf_flow_offload_ipv6_hook(void *priv, st
-
- dir = tuplehash->tuple.dir;
- flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
-- rt = (struct rt6_info *)flow->tuplehash[dir].tuple.dst_cache;
-+ rt = (struct rt6_info *)flow->tuplehash[!dir].tuple.dst_cache;
-
- if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
- return NF_ACCEPT;
---- a/net/netfilter/nft_flow_offload.c
-+++ b/net/netfilter/nft_flow_offload.c
-@@ -17,27 +17,38 @@ struct nft_flow_offload {
- struct nft_flowtable *flowtable;
- };
-
--static int nft_flow_route(const struct nft_pktinfo *pkt,
-- const struct nf_conn *ct,
-- struct nf_flow_route *route,
-- enum ip_conntrack_dir dir)
-+static struct dst_entry *
-+nft_flow_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir,
-+ const struct nft_pktinfo *pkt)
- {
-- struct dst_entry *this_dst = skb_dst(pkt->skb);
-- struct dst_entry *other_dst = NULL;
-+ struct dst_entry *dst;
- struct flowi fl;
-
- memset(&fl, 0, sizeof(fl));
- switch (nft_pf(pkt)) {
- case NFPROTO_IPV4:
-- fl.u.ip4.daddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
-+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
- break;
- case NFPROTO_IPV6:
-- fl.u.ip6.daddr = ct->tuplehash[!dir].tuple.dst.u3.in6;
-+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
- break;
- }
-
-- nf_route(nft_net(pkt), &other_dst, &fl, false, nft_pf(pkt));
-- if (!other_dst)
-+ nf_route(nft_net(pkt), &dst, &fl, false, nft_pf(pkt));
-+
-+ return dst;
-+}
-+
-+static int nft_flow_route(const struct nft_pktinfo *pkt,
-+ const struct nf_conn *ct,
-+ struct nf_flow_route *route,
-+ enum ip_conntrack_dir dir)
-+{
-+ struct dst_entry *this_dst, *other_dst;
-+
-+ this_dst = nft_flow_dst(ct, dir, pkt);
-+ other_dst = nft_flow_dst(ct, !dir, pkt);
-+ if (!this_dst || !other_dst)
- return -ENOENT;
-
- route->tuple[dir].dst = this_dst;
diff --git a/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch b/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch
new file mode 100644
index 0000000000..e91aaa91d7
--- /dev/null
+++ b/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch
@@ -0,0 +1,39 @@
+From: wenxu <wenxu@ucloud.cn>
+Date: Wed, 9 Jan 2019 10:40:11 +0800
+Subject: [PATCH] netfilter: nft_flow_offload: Fix reverse route lookup
+
+Using the following example:
+
+ client 1.1.1.7 ---> 2.2.2.7 which dnat to 10.0.0.7 server
+
+The first reply packet (ie. syn+ack) uses an incorrect destination
+address for the reverse route lookup since it uses:
+
+ daddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
+
+which is 2.2.2.7 in the scenario that is described above, while this
+should be:
+
+ daddr = ct->tuplehash[dir].tuple.src.u3.ip;
+
+that is 10.0.0.7.
+
+Signed-off-by: wenxu <wenxu@ucloud.cn>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/net/netfilter/nft_flow_offload.c
++++ b/net/netfilter/nft_flow_offload.c
+@@ -29,10 +29,10 @@ static int nft_flow_route(const struct n
+ memset(&fl, 0, sizeof(fl));
+ switch (nft_pf(pkt)) {
+ case NFPROTO_IPV4:
+- fl.u.ip4.daddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
++ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ break;
+ case NFPROTO_IPV6:
+- fl.u.ip6.daddr = ct->tuplehash[!dir].tuple.dst.u3.in6;
++ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ break;
+ }
+
diff --git a/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch b/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch
index 35d099097a..ad72d65c77 100644
--- a/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch
+++ b/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch
@@ -26,8 +26,8 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
dir = tuplehash->tuple.dir;
flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
-- rt = (const struct rtable *)flow->tuplehash[!dir].tuple.dst_cache;
-+ rt = (struct rtable *)flow->tuplehash[!dir].tuple.dst_cache;
+- rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
++ rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&
(ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)
diff --git a/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch b/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch
index cf0a431a58..f0a8b19eec 100644
--- a/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch
+++ b/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch
@@ -62,7 +62,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
-@@ -28,9 +28,11 @@ nft_flow_dst(const struct nf_conn *ct, e
+@@ -30,9 +30,11 @@ static int nft_flow_route(const struct n
switch (nft_pf(pkt)) {
case NFPROTO_IPV4:
fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
@@ -74,7 +74,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
break;
}
-@@ -52,9 +54,7 @@ static int nft_flow_route(const struct n
+@@ -41,9 +43,7 @@ static int nft_flow_route(const struct n
return -ENOENT;
route->tuple[dir].dst = this_dst;
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-11 04:30:31 +0000