From f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Tue, 8 May 2018 09:40:43 +0200 Subject: kernel: mark source kernel for netfilter backports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This helps keeping track on patches & adding new kernels in the future. Signed-off-by: Rafał Miłecki --- ...f_flow_table-add-support-for-sending-flow.patch | 99 ++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 target/linux/generic/backport-4.14/363-v4.18-netfilter-nf_flow_table-add-support-for-sending-flow.patch (limited to 'target/linux/generic/backport-4.14/363-v4.18-netfilter-nf_flow_table-add-support-for-sending-flow.patch') diff --git a/target/linux/generic/backport-4.14/363-v4.18-netfilter-nf_flow_table-add-support-for-sending-flow.patch b/target/linux/generic/backport-4.14/363-v4.18-netfilter-nf_flow_table-add-support-for-sending-flow.patch new file mode 100644 index 0000000000..905880fead --- /dev/null +++ b/target/linux/generic/backport-4.14/363-v4.18-netfilter-nf_flow_table-add-support-for-sending-flow.patch @@ -0,0 +1,99 @@ +From: Felix Fietkau +Date: Sun, 25 Feb 2018 15:41:11 +0100 +Subject: [PATCH] netfilter: nf_flow_table: add support for sending flows + back to the slow path + +Reset the timeout. For TCP, also set the state to indicate to use the +next incoming packets to reset window tracking. +This allows the slow path to take over again once the offload state has +been torn down + +Signed-off-by: Felix Fietkau +--- + +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -100,6 +100,43 @@ err_ct_refcnt: + } + EXPORT_SYMBOL_GPL(flow_offload_alloc); + ++static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp) ++{ ++ tcp->state = TCP_CONNTRACK_ESTABLISHED; ++ tcp->seen[0].td_maxwin = 0; ++ tcp->seen[1].td_maxwin = 0; ++} ++ ++static void flow_offload_fixup_ct_state(struct nf_conn *ct) ++{ ++ const struct nf_conntrack_l4proto *l4proto; ++ struct net *net = nf_ct_net(ct); ++ unsigned int *timeouts; ++ unsigned int timeout; ++ int l4num; ++ ++ l4num = nf_ct_protonum(ct); ++ if (l4num == IPPROTO_TCP) ++ flow_offload_fixup_tcp(&ct->proto.tcp); ++ ++ l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), l4num); ++ if (!l4proto) ++ return; ++ ++ timeouts = l4proto->get_timeouts(net); ++ if (!timeouts) ++ return; ++ ++ if (l4num == IPPROTO_TCP) ++ timeout = timeouts[TCP_CONNTRACK_ESTABLISHED]; ++ else if (l4num == IPPROTO_UDP) ++ timeout = timeouts[UDP_CT_REPLIED]; ++ else ++ return; ++ ++ ct->timeout = nfct_time_stamp + timeout; ++} ++ + void flow_offload_free(struct flow_offload *flow) + { + struct flow_offload_entry *e; +@@ -107,7 +144,8 @@ void flow_offload_free(struct flow_offlo + dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_cache); + dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_cache); + e = container_of(flow, struct flow_offload_entry, flow); +- nf_ct_delete(e->ct, 0, 0); ++ if (flow->flags & FLOW_OFFLOAD_DYING) ++ nf_ct_delete(e->ct, 0, 0); + nf_ct_put(e->ct); + kfree_rcu(e, rcu_head); + } +@@ -164,6 +202,8 @@ EXPORT_SYMBOL_GPL(flow_offload_add); + static void flow_offload_del(struct nf_flowtable *flow_table, + struct flow_offload *flow) + { ++ struct flow_offload_entry *e; ++ + rhashtable_remove_fast(&flow_table->rhashtable, + &flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node, + nf_flow_offload_rhash_params); +@@ -171,12 +211,20 @@ static void flow_offload_del(struct nf_f + &flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node, + nf_flow_offload_rhash_params); + ++ e = container_of(flow, struct flow_offload_entry, flow); ++ clear_bit(IPS_OFFLOAD_BIT, &e->ct->status); ++ + flow_offload_free(flow); + } + + void flow_offload_teardown(struct flow_offload *flow) + { ++ struct flow_offload_entry *e; ++ + flow->flags |= FLOW_OFFLOAD_TEARDOWN; ++ ++ e = container_of(flow, struct flow_offload_entry, flow); ++ flow_offload_fixup_ct_state(e->ct); + } + EXPORT_SYMBOL_GPL(flow_offload_teardown); + -- cgit v1.2.3