diff options
Diffstat (limited to 'target/linux/generic/backport-4.14')
4 files changed, 43 insertions, 93 deletions
diff --git a/target/linux/generic/backport-4.14/366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch b/target/linux/generic/backport-4.14/366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch deleted file mode 100644 index 491f057858..0000000000 --- a/target/linux/generic/backport-4.14/366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch +++ /dev/null @@ -1,89 +0,0 @@ -From: Felix Fietkau <nbd@nbd.name> -Date: Thu, 15 Mar 2018 18:21:43 +0100 -Subject: [PATCH] netfilter: nf_flow_table: clean up and fix dst handling - -dst handling in the code is inconsistent and possibly wrong. In my test, -skb_dst(skb) holds the dst entry after routing but before NAT, so the -code could possibly return the same dst entry for both directions of a -connection. -Additionally, there was some confusion over the dst entry vs the address -passed as parameter to rt_nexthop/rt6_nexthop. - -Do an explicit dst lookup for both ends of the connection and always use -the source address for it. When running the IP hook, use the dst entry -for the opposite direction for determining the route. - -Signed-off-by: Felix Fietkau <nbd@nbd.name> ---- - ---- a/net/netfilter/nf_flow_table_ip.c -+++ b/net/netfilter/nf_flow_table_ip.c -@@ -238,7 +238,7 @@ nf_flow_offload_ip_hook(void *priv, stru - - dir = tuplehash->tuple.dir; - flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); -- rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache; -+ rt = (const struct rtable *)flow->tuplehash[!dir].tuple.dst_cache; - - if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) && - (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0) -@@ -455,7 +455,7 @@ nf_flow_offload_ipv6_hook(void *priv, st - - dir = tuplehash->tuple.dir; - flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); -- rt = (struct rt6_info *)flow->tuplehash[dir].tuple.dst_cache; -+ rt = (struct rt6_info *)flow->tuplehash[!dir].tuple.dst_cache; - - if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu))) - return NF_ACCEPT; ---- a/net/netfilter/nft_flow_offload.c -+++ b/net/netfilter/nft_flow_offload.c -@@ -17,27 +17,38 @@ struct nft_flow_offload { - struct nft_flowtable *flowtable; - }; - --static int nft_flow_route(const struct nft_pktinfo *pkt, -- const struct nf_conn *ct, -- struct nf_flow_route *route, -- enum ip_conntrack_dir dir) -+static struct dst_entry * -+nft_flow_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir, -+ const struct nft_pktinfo *pkt) - { -- struct dst_entry *this_dst = skb_dst(pkt->skb); -- struct dst_entry *other_dst = NULL; -+ struct dst_entry *dst; - struct flowi fl; - - memset(&fl, 0, sizeof(fl)); - switch (nft_pf(pkt)) { - case NFPROTO_IPV4: -- fl.u.ip4.daddr = ct->tuplehash[!dir].tuple.dst.u3.ip; -+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; - break; - case NFPROTO_IPV6: -- fl.u.ip6.daddr = ct->tuplehash[!dir].tuple.dst.u3.in6; -+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; - break; - } - -- nf_route(nft_net(pkt), &other_dst, &fl, false, nft_pf(pkt)); -- if (!other_dst) -+ nf_route(nft_net(pkt), &dst, &fl, false, nft_pf(pkt)); -+ -+ return dst; -+} -+ -+static int nft_flow_route(const struct nft_pktinfo *pkt, -+ const struct nf_conn *ct, -+ struct nf_flow_route *route, -+ enum ip_conntrack_dir dir) -+{ -+ struct dst_entry *this_dst, *other_dst; -+ -+ this_dst = nft_flow_dst(ct, dir, pkt); -+ other_dst = nft_flow_dst(ct, !dir, pkt); -+ if (!this_dst || !other_dst) - return -ENOENT; - - route->tuple[dir].dst = this_dst; diff --git a/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch b/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch new file mode 100644 index 0000000000..e91aaa91d7 --- /dev/null +++ b/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch @@ -0,0 +1,39 @@ +From: wenxu <wenxu@ucloud.cn> +Date: Wed, 9 Jan 2019 10:40:11 +0800 +Subject: [PATCH] netfilter: nft_flow_offload: Fix reverse route lookup + +Using the following example: + + client 1.1.1.7 ---> 2.2.2.7 which dnat to 10.0.0.7 server + +The first reply packet (ie. syn+ack) uses an incorrect destination +address for the reverse route lookup since it uses: + + daddr = ct->tuplehash[!dir].tuple.dst.u3.ip; + +which is 2.2.2.7 in the scenario that is described above, while this +should be: + + daddr = ct->tuplehash[dir].tuple.src.u3.ip; + +that is 10.0.0.7. + +Signed-off-by: wenxu <wenxu@ucloud.cn> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -29,10 +29,10 @@ static int nft_flow_route(const struct n + memset(&fl, 0, sizeof(fl)); + switch (nft_pf(pkt)) { + case NFPROTO_IPV4: +- fl.u.ip4.daddr = ct->tuplehash[!dir].tuple.dst.u3.ip; ++ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; + break; + case NFPROTO_IPV6: +- fl.u.ip6.daddr = ct->tuplehash[!dir].tuple.dst.u3.in6; ++ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; + break; + } + diff --git a/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch b/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch index 35d099097a..ad72d65c77 100644 --- a/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch +++ b/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch @@ -26,8 +26,8 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> dir = tuplehash->tuple.dir; flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); -- rt = (const struct rtable *)flow->tuplehash[!dir].tuple.dst_cache; -+ rt = (struct rtable *)flow->tuplehash[!dir].tuple.dst_cache; +- rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache; ++ rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache; if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) && (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0) diff --git a/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch b/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch index cf0a431a58..f0a8b19eec 100644 --- a/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch +++ b/target/linux/generic/backport-4.14/372-netfilter-nft_flow_offload-fix-interaction-with-vrf-.patch @@ -62,7 +62,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c -@@ -28,9 +28,11 @@ nft_flow_dst(const struct nf_conn *ct, e +@@ -30,9 +30,11 @@ static int nft_flow_route(const struct n switch (nft_pf(pkt)) { case NFPROTO_IPV4: fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; @@ -74,7 +74,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> break; } -@@ -52,9 +54,7 @@ static int nft_flow_route(const struct n +@@ -41,9 +43,7 @@ static int nft_flow_route(const struct n return -ENOENT; route->tuple[dir].dst = this_dst; |