From 6d891adf390dd232c63fa77a8e71750495c04159 Mon Sep 17 00:00:00 2001
From: Ritaro Takenaka <ritarot634@gmail.com>
Date: Wed, 25 May 2022 15:55:48 +0900
Subject: kernel: check dst of flow offloading table

Flow offload dst can become invalid after the route cache is created.
dst_check() in packet path is necessary to prevent packet drop.

Signed-off-by: Ritaro Takenaka <ritarot634@gmail.com>
---
 ...er-nf_flow_table-add-hardware-offload-support.patch | 18 +++++++++---------
 ...er-nf_flow_table-support-hw-offload-through-v.patch |  2 +-
 ...er-nf_flow_table-rework-hardware-offload-time.patch |  4 ++--
 ...lter-nf_flow_table-rework-private-driver-data.patch |  2 +-
 ...7-net-dsa-support-hardware-flow-table-offload.patch |  4 ++--
 5 files changed, 15 insertions(+), 15 deletions(-)

(limited to 'target/linux/generic/pending-5.4')

diff --git a/target/linux/generic/pending-5.4/640-netfilter-nf_flow_table-add-hardware-offload-support.patch b/target/linux/generic/pending-5.4/640-netfilter-nf_flow_table-add-hardware-offload-support.patch
index 1dbf49a97f..6192df9319 100644
--- a/target/linux/generic/pending-5.4/640-netfilter-nf_flow_table-add-hardware-offload-support.patch
+++ b/target/linux/generic/pending-5.4/640-netfilter-nf_flow_table-add-hardware-offload-support.patch
@@ -77,7 +77,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  };
  
  enum flow_offload_tuple_dir {
-@@ -68,6 +74,7 @@ struct flow_offload_tuple_rhash {
+@@ -71,6 +77,7 @@ struct flow_offload_tuple_rhash {
  #define FLOW_OFFLOAD_DNAT	0x2
  #define FLOW_OFFLOAD_DYING	0x4
  #define FLOW_OFFLOAD_TEARDOWN	0x8
@@ -85,7 +85,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  struct flow_offload {
  	struct flow_offload_tuple_rhash		tuplehash[FLOW_OFFLOAD_DIR_MAX];
-@@ -120,6 +127,22 @@ unsigned int nf_flow_offload_ip_hook(voi
+@@ -123,6 +130,22 @@ unsigned int nf_flow_offload_ip_hook(voi
  unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
  				       const struct nf_hook_state *state);
  
@@ -156,7 +156,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 --- a/net/netfilter/nf_flow_table_core.c
 +++ b/net/netfilter/nf_flow_table_core.c
-@@ -248,10 +248,16 @@ static inline bool nf_flow_has_expired(c
+@@ -261,10 +261,16 @@ static inline bool nf_flow_has_expired(c
  	return nf_flow_timeout_delta(flow->timeout) <= 0;
  }
  
@@ -173,7 +173,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  
  	rhashtable_remove_fast(&flow_table->rhashtable,
  			       &flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node,
-@@ -271,6 +277,9 @@ static void flow_offload_del(struct nf_f
+@@ -284,6 +290,9 @@ static void flow_offload_del(struct nf_f
  	if (!(flow->flags & FLOW_OFFLOAD_TEARDOWN))
  		flow_offload_fixup_ct_state(e->ct);
  
@@ -183,7 +183,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	flow_offload_free(flow);
  }
  
-@@ -361,6 +370,9 @@ static void nf_flow_offload_gc_step(stru
+@@ -374,6 +383,9 @@ static void nf_flow_offload_gc_step(stru
  	if (!teardown)
  		nf_ct_offload_timeout(flow);
  
@@ -193,7 +193,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	if (nf_flow_has_expired(flow) || teardown)
  		flow_offload_del(flow_table, flow);
  }
-@@ -490,10 +502,43 @@ int nf_flow_dnat_port(const struct flow_
+@@ -503,10 +515,43 @@ int nf_flow_dnat_port(const struct flow_
  }
  EXPORT_SYMBOL_GPL(nf_flow_dnat_port);
  
@@ -237,7 +237,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  	INIT_DEFERRABLE_WORK(&flowtable->gc_work, nf_flow_offload_work_gc);
  
  	err = rhashtable_init(&flowtable->rhashtable,
-@@ -534,6 +579,8 @@ static void nf_flow_table_iterate_cleanu
+@@ -547,6 +592,8 @@ static void nf_flow_table_iterate_cleanu
  {
  	nf_flow_table_iterate(flowtable, nf_flow_table_do_cleanup, dev);
  	flush_delayed_work(&flowtable->gc_work);
@@ -246,7 +246,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  }
  
  void nf_flow_table_cleanup(struct net_device *dev)
-@@ -547,6 +594,26 @@ void nf_flow_table_cleanup(struct net_de
+@@ -560,6 +607,26 @@ void nf_flow_table_cleanup(struct net_de
  }
  EXPORT_SYMBOL_GPL(nf_flow_table_cleanup);
  
@@ -273,7 +273,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  void nf_flow_table_free(struct nf_flowtable *flow_table)
  {
  	mutex_lock(&flowtable_lock);
-@@ -556,9 +623,58 @@ void nf_flow_table_free(struct nf_flowta
+@@ -569,9 +636,58 @@ void nf_flow_table_free(struct nf_flowta
  	nf_flow_table_iterate(flow_table, nf_flow_table_do_cleanup, NULL);
  	nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, flow_table);
  	rhashtable_destroy(&flow_table->rhashtable);
diff --git a/target/linux/generic/pending-5.4/641-netfilter-nf_flow_table-support-hw-offload-through-v.patch b/target/linux/generic/pending-5.4/641-netfilter-nf_flow_table-support-hw-offload-through-v.patch
index b808c0257d..ae9f7f0d83 100644
--- a/target/linux/generic/pending-5.4/641-netfilter-nf_flow_table-support-hw-offload-through-v.patch
+++ b/target/linux/generic/pending-5.4/641-netfilter-nf_flow_table-support-hw-offload-through-v.patch
@@ -55,7 +55,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	int			(*ndo_get_phys_port_id)(struct net_device *dev,
 --- a/include/net/netfilter/nf_flow_table.h
 +++ b/include/net/netfilter/nf_flow_table.h
-@@ -85,6 +85,21 @@ struct flow_offload {
+@@ -88,6 +88,21 @@ struct flow_offload {
  	};
  };
  
diff --git a/target/linux/generic/pending-5.4/645-netfilter-nf_flow_table-rework-hardware-offload-time.patch b/target/linux/generic/pending-5.4/645-netfilter-nf_flow_table-rework-hardware-offload-time.patch
index 3c44c29273..f4efbcdda8 100644
--- a/target/linux/generic/pending-5.4/645-netfilter-nf_flow_table-rework-hardware-offload-time.patch
+++ b/target/linux/generic/pending-5.4/645-netfilter-nf_flow_table-rework-hardware-offload-time.patch
@@ -16,7 +16,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/include/net/netfilter/nf_flow_table.h
 +++ b/include/net/netfilter/nf_flow_table.h
-@@ -75,6 +75,7 @@ struct flow_offload_tuple_rhash {
+@@ -78,6 +78,7 @@ struct flow_offload_tuple_rhash {
  #define FLOW_OFFLOAD_DYING	0x4
  #define FLOW_OFFLOAD_TEARDOWN	0x8
  #define FLOW_OFFLOAD_HW		0x10
@@ -26,7 +26,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  	struct flow_offload_tuple_rhash		tuplehash[FLOW_OFFLOAD_DIR_MAX];
 --- a/net/netfilter/nf_flow_table_core.c
 +++ b/net/netfilter/nf_flow_table_core.c
-@@ -370,7 +370,7 @@ static void nf_flow_offload_gc_step(stru
+@@ -383,7 +383,7 @@ static void nf_flow_offload_gc_step(stru
  	if (!teardown)
  		nf_ct_offload_timeout(flow);
  
diff --git a/target/linux/generic/pending-5.4/646-netfilter-nf_flow_table-rework-private-driver-data.patch b/target/linux/generic/pending-5.4/646-netfilter-nf_flow_table-rework-private-driver-data.patch
index 159ad8a0aa..235f2a3710 100644
--- a/target/linux/generic/pending-5.4/646-netfilter-nf_flow_table-rework-private-driver-data.patch
+++ b/target/linux/generic/pending-5.4/646-netfilter-nf_flow_table-rework-private-driver-data.patch
@@ -11,7 +11,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/include/net/netfilter/nf_flow_table.h
 +++ b/include/net/netfilter/nf_flow_table.h
-@@ -80,9 +80,10 @@ struct flow_offload_tuple_rhash {
+@@ -83,9 +83,10 @@ struct flow_offload_tuple_rhash {
  struct flow_offload {
  	struct flow_offload_tuple_rhash		tuplehash[FLOW_OFFLOAD_DIR_MAX];
  	u32					flags;
diff --git a/target/linux/generic/pending-5.4/647-net-dsa-support-hardware-flow-table-offload.patch b/target/linux/generic/pending-5.4/647-net-dsa-support-hardware-flow-table-offload.patch
index 91aae5b65c..369a09caac 100644
--- a/target/linux/generic/pending-5.4/647-net-dsa-support-hardware-flow-table-offload.patch
+++ b/target/linux/generic/pending-5.4/647-net-dsa-support-hardware-flow-table-offload.patch
@@ -9,7 +9,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/include/net/netfilter/nf_flow_table.h
 +++ b/include/net/netfilter/nf_flow_table.h
-@@ -90,6 +90,7 @@ struct flow_offload {
+@@ -93,6 +93,7 @@ struct flow_offload {
  #define FLOW_OFFLOAD_PATH_ETHERNET	BIT(0)
  #define FLOW_OFFLOAD_PATH_VLAN		BIT(1)
  #define FLOW_OFFLOAD_PATH_PPPOE		BIT(2)
@@ -17,7 +17,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
  struct flow_offload_hw_path {
  	struct net_device *dev;
-@@ -100,6 +101,7 @@ struct flow_offload_hw_path {
+@@ -103,6 +104,7 @@ struct flow_offload_hw_path {
  	u16 vlan_proto;
  	u16 vlan_id;
  	u16 pppoe_sid;
-- 
cgit v1.2.3