GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/2216603/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2216603,
    "url": "http://patchwork.ozlabs.org/api/patches/2216603/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326223023.741604-1-pablo@netfilter.org/",
    "project": {
        "id": 26,
        "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api",
        "name": "Netfilter Development",
        "link_name": "netfilter-devel",
        "list_id": "netfilter-devel.vger.kernel.org",
        "list_email": "netfilter-devel@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260326223023.741604-1-pablo@netfilter.org>",
    "list_archive_url": null,
    "date": "2026-03-26T22:30:23",
    "name": "[nf,v2] netfilter: flowtable: strictly check for maximum number of actions",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": true,
    "hash": "28fd2e4687b1d9fa3bbbed04711bda963ab39a3b",
    "submitter": {
        "id": 1315,
        "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api",
        "name": "Pablo Neira Ayuso",
        "email": "pablo@netfilter.org"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260326223023.741604-1-pablo@netfilter.org/mbox/",
    "series": [
        {
            "id": 497663,
            "url": "http://patchwork.ozlabs.org/api/series/497663/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=497663",
            "date": "2026-03-26T22:30:23",
            "name": "[nf,v2] netfilter: flowtable: strictly check for maximum number of actions",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/497663/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2216603/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2216603/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "\n <netfilter-devel+bounces-11473-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "netfilter-devel@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=M+8edxZc;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11473-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"M+8edxZc\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124",
            "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"
        ],
        "Received": [
            "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fhdyZ1rQBz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 27 Mar 2026 09:40:22 +1100 (AEDT)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 130C5310BD12\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 22:34:23 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7C79E31E823;\n\tThu, 26 Mar 2026 22:30:37 +0000 (UTC)",
            "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4BDF321255A\n\tfor <netfilter-devel@vger.kernel.org>; Thu, 26 Mar 2026 22:30:35 +0000 (UTC)",
            "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 1033E600B5;\n\tThu, 26 Mar 2026 23:30:26 +0100 (CET)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774564237; cv=none;\n b=XWa8GREPaMHvYaXl97oGR0KKrq60vfJ+0wkG+fvrvEpZzGcAnPhWcZPNF8ODIjGVFirajRdnykIEJ+GY42GuX779wLXnozvZxTtbFLTdlpROQu9Uwb/SoPYH9RUm8L6l7vcZntdY+k/oCxm639L83lyLuUV2craegju+RyUwdKY=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774564237; c=relaxed/simple;\n\tbh=nag61m8kooVbpWfF38KEE4SpYTifwGLshwIWg8txrAo=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=rpZXqxNSmVcZaDD9JuWgcBnZMFF5Zsa5x367VGzktUCKMu3R0SFaWYJMyhHab544icDEF0w9wTscPOYpY3ml+RO/bm6i2tvtFnOSaqq0JWf5dJ2yv+FOD7guaIHmrKO9VI75KLARB5BKK674TZAdMs2o2ESolHMIkhi6uF5sUmc=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=M+8edxZc; arc=none smtp.client-ip=217.70.190.124",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1774564227;\n\tbh=d90RBxQOVwp+ck/sjvINB27rippVMBeqnszV4wKCXEY=;\n\th=From:To:Cc:Subject:Date:From;\n\tb=M+8edxZcUepAoE4upkL9l9C01AblE8+NAxQcDZKXJkf9cPjwO1DzEYeFtARGa7QK9\n\t LjIfXWGV+OQ8gqtt/RcULMteFtvV2ZoZLjflC5Qr9KlWG/+RPc21NIdc63DQ4xPA5W\n\t Lu0nisgU1nACYQxiR+HmkzxVnOGYQdEN0xa+kFfQRoQDHgoXhA2sIYOpqCllFdATL3\n\t vauKlP0ympzPIGbX5uEqsce728O1meeFuHddLu2NtFxjlCHrjzBRiDI1jTC8eZmV0m\n\t KStmF2Kc6BOACJM8GqO0+NCuucQISlLC0RbwRLrZkzQAUWBiehNLgRkl8dKk2T7ifg\n\t t2qLylPZmuSWQ==",
        "From": "Pablo Neira Ayuso <pablo@netfilter.org>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "fw@strlen.de,\n\tfmancera@suse.de",
        "Subject": "[PATCH nf,v2] netfilter: flowtable: strictly check for maximum number\n of actions",
        "Date": "Thu, 26 Mar 2026 23:30:23 +0100",
        "Message-ID": "<20260326223023.741604-1-pablo@netfilter.org>",
        "X-Mailer": "git-send-email 2.47.3",
        "Precedence": "bulk",
        "X-Mailing-List": "netfilter-devel@vger.kernel.org",
        "List-Id": "<netfilter-devel.vger.kernel.org>",
        "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "The maximum number of flowtable hardware offload actions in IPv6 is:\n\n* ethernet mangling (4 payload actions, 2 for each ethernet address)\n* SNAT (4 payload actions)\n* DNAT (4 payload actions)\n* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)\n  for QinQ.\n* Redirect (1 action)\n\nWhich makes 17, while the maximum is 16. But act_ct supports for tunnels\nactions too. Note that payload action operates at 32-bit word level, so\nmangling an IPv6 address take 4 payload actions.\n\nUpdate flow_action_entry_next() calls to check for the maximum number of\nsupported actions.\n\nWhile at it, rise the maximum number of actions per flow from 16 to 24\nso this works fine with IPv6 setups.\n\nFixes: c29f74e0df7a (\"netfilter: nf_flow_table: hardware offload support\")\nReported-by: Hyunwoo Kim <imv4bel@gmail.com>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\nv2: fix issues reported by Fernando.\n\n net/netfilter/nf_flow_table_offload.c | 194 +++++++++++++++++---------\n 1 file changed, 128 insertions(+), 66 deletions(-)",
    "diff": "diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c\nindex 9b677e116487..83659f7eff5d 100644\n--- a/net/netfilter/nf_flow_table_offload.c\n+++ b/net/netfilter/nf_flow_table_offload.c\n@@ -14,6 +14,8 @@\n #include <net/netfilter/nf_conntrack_core.h>\n #include <net/netfilter/nf_conntrack_tuple.h>\n \n+#define NF_FLOW_RULE_ACTION_MAX\t24\n+\n static struct workqueue_struct *nf_flow_offload_add_wq;\n static struct workqueue_struct *nf_flow_offload_del_wq;\n static struct workqueue_struct *nf_flow_offload_stats_wq;\n@@ -216,7 +218,12 @@ static void flow_offload_mangle(struct flow_action_entry *entry,\n static inline struct flow_action_entry *\n flow_action_entry_next(struct nf_flow_rule *flow_rule)\n {\n-\tint i = flow_rule->rule->action.num_entries++;\n+\tint i;\n+\n+\tif (unlikely(flow_rule->rule->action.num_entries >= NF_FLOW_RULE_ACTION_MAX))\n+\t\treturn NULL;\n+\n+\ti = flow_rule->rule->action.num_entries++;\n \n \treturn &flow_rule->rule->action.entries[i];\n }\n@@ -234,6 +241,9 @@ static int flow_offload_eth_src(struct net *net,\n \tu32 mask, val;\n \tu16 val16;\n \n+\tif (!entry0 || !entry1)\n+\t\treturn -E2BIG;\n+\n \tthis_tuple = &flow->tuplehash[dir].tuple;\n \n \tswitch (this_tuple->xmit_type) {\n@@ -284,6 +294,9 @@ static int flow_offload_eth_dst(struct net *net,\n \tu8 nud_state;\n \tu16 val16;\n \n+\tif (!entry0 || !entry1)\n+\t\treturn -E2BIG;\n+\n \tthis_tuple = &flow->tuplehash[dir].tuple;\n \n \tswitch (this_tuple->xmit_type) {\n@@ -325,16 +338,19 @@ static int flow_offload_eth_dst(struct net *net,\n \treturn 0;\n }\n \n-static void flow_offload_ipv4_snat(struct net *net,\n-\t\t\t\t   const struct flow_offload *flow,\n-\t\t\t\t   enum flow_offload_tuple_dir dir,\n-\t\t\t\t   struct nf_flow_rule *flow_rule)\n+static int flow_offload_ipv4_snat(struct net *net,\n+\t\t\t\t  const struct flow_offload *flow,\n+\t\t\t\t  enum flow_offload_tuple_dir dir,\n+\t\t\t\t  struct nf_flow_rule *flow_rule)\n {\n \tstruct flow_action_entry *entry = flow_action_entry_next(flow_rule);\n \tu32 mask = ~htonl(0xffffffff);\n \t__be32 addr;\n \tu32 offset;\n \n+\tif (!entry)\n+\t\treturn -E2BIG;\n+\n \tswitch (dir) {\n \tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n \t\taddr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v4.s_addr;\n@@ -345,23 +361,27 @@ static void flow_offload_ipv4_snat(struct net *net,\n \t\toffset = offsetof(struct iphdr, daddr);\n \t\tbreak;\n \tdefault:\n-\t\treturn;\n+\t\treturn -EOPNOTSUPP;\n \t}\n \n \tflow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP4, offset,\n \t\t\t    &addr, &mask);\n+\treturn 0;\n }\n \n-static void flow_offload_ipv4_dnat(struct net *net,\n-\t\t\t\t   const struct flow_offload *flow,\n-\t\t\t\t   enum flow_offload_tuple_dir dir,\n-\t\t\t\t   struct nf_flow_rule *flow_rule)\n+static int flow_offload_ipv4_dnat(struct net *net,\n+\t\t\t\t  const struct flow_offload *flow,\n+\t\t\t\t  enum flow_offload_tuple_dir dir,\n+\t\t\t\t  struct nf_flow_rule *flow_rule)\n {\n \tstruct flow_action_entry *entry = flow_action_entry_next(flow_rule);\n \tu32 mask = ~htonl(0xffffffff);\n \t__be32 addr;\n \tu32 offset;\n \n+\tif (!entry)\n+\t\treturn -E2BIG;\n+\n \tswitch (dir) {\n \tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n \t\taddr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v4.s_addr;\n@@ -372,14 +392,15 @@ static void flow_offload_ipv4_dnat(struct net *net,\n \t\toffset = offsetof(struct iphdr, saddr);\n \t\tbreak;\n \tdefault:\n-\t\treturn;\n+\t\treturn -EOPNOTSUPP;\n \t}\n \n \tflow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP4, offset,\n \t\t\t    &addr, &mask);\n+\treturn 0;\n }\n \n-static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,\n+static int flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,\n \t\t\t\t     unsigned int offset,\n \t\t\t\t     const __be32 *addr, const __be32 *mask)\n {\n@@ -388,15 +409,20 @@ static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,\n \n \tfor (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i++) {\n \t\tentry = flow_action_entry_next(flow_rule);\n+\t\tif (!entry)\n+\t\t\treturn -E2BIG;\n+\n \t\tflow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,\n \t\t\t\t    offset + i * sizeof(u32), &addr[i], mask);\n \t}\n+\n+\treturn 0;\n }\n \n-static void flow_offload_ipv6_snat(struct net *net,\n-\t\t\t\t   const struct flow_offload *flow,\n-\t\t\t\t   enum flow_offload_tuple_dir dir,\n-\t\t\t\t   struct nf_flow_rule *flow_rule)\n+static int flow_offload_ipv6_snat(struct net *net,\n+\t\t\t\t  const struct flow_offload *flow,\n+\t\t\t\t  enum flow_offload_tuple_dir dir,\n+\t\t\t\t  struct nf_flow_rule *flow_rule)\n {\n \tu32 mask = ~htonl(0xffffffff);\n \tconst __be32 *addr;\n@@ -412,16 +438,16 @@ static void flow_offload_ipv6_snat(struct net *net,\n \t\toffset = offsetof(struct ipv6hdr, daddr);\n \t\tbreak;\n \tdefault:\n-\t\treturn;\n+\t\treturn -EOPNOTSUPP;\n \t}\n \n-\tflow_offload_ipv6_mangle(flow_rule, offset, addr, &mask);\n+\treturn flow_offload_ipv6_mangle(flow_rule, offset, addr, &mask);\n }\n \n-static void flow_offload_ipv6_dnat(struct net *net,\n-\t\t\t\t   const struct flow_offload *flow,\n-\t\t\t\t   enum flow_offload_tuple_dir dir,\n-\t\t\t\t   struct nf_flow_rule *flow_rule)\n+static int flow_offload_ipv6_dnat(struct net *net,\n+\t\t\t\t  const struct flow_offload *flow,\n+\t\t\t\t  enum flow_offload_tuple_dir dir,\n+\t\t\t\t  struct nf_flow_rule *flow_rule)\n {\n \tu32 mask = ~htonl(0xffffffff);\n \tconst __be32 *addr;\n@@ -437,10 +463,10 @@ static void flow_offload_ipv6_dnat(struct net *net,\n \t\toffset = offsetof(struct ipv6hdr, saddr);\n \t\tbreak;\n \tdefault:\n-\t\treturn;\n+\t\treturn -EOPNOTSUPP;\n \t}\n \n-\tflow_offload_ipv6_mangle(flow_rule, offset, addr, &mask);\n+\treturn flow_offload_ipv6_mangle(flow_rule, offset, addr, &mask);\n }\n \n static int flow_offload_l4proto(const struct flow_offload *flow)\n@@ -462,15 +488,18 @@ static int flow_offload_l4proto(const struct flow_offload *flow)\n \treturn type;\n }\n \n-static void flow_offload_port_snat(struct net *net,\n-\t\t\t\t   const struct flow_offload *flow,\n-\t\t\t\t   enum flow_offload_tuple_dir dir,\n-\t\t\t\t   struct nf_flow_rule *flow_rule)\n+static int flow_offload_port_snat(struct net *net,\n+\t\t\t\t  const struct flow_offload *flow,\n+\t\t\t\t  enum flow_offload_tuple_dir dir,\n+\t\t\t\t  struct nf_flow_rule *flow_rule)\n {\n \tstruct flow_action_entry *entry = flow_action_entry_next(flow_rule);\n \tu32 mask, port;\n \tu32 offset;\n \n+\tif (!entry)\n+\t\treturn -E2BIG;\n+\n \tswitch (dir) {\n \tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n \t\tport = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port);\n@@ -485,22 +514,26 @@ static void flow_offload_port_snat(struct net *net,\n \t\tmask = ~htonl(0xffff);\n \t\tbreak;\n \tdefault:\n-\t\treturn;\n+\t\treturn -EOPNOTSUPP;\n \t}\n \n \tflow_offload_mangle(entry, flow_offload_l4proto(flow), offset,\n \t\t\t    &port, &mask);\n+\treturn 0;\n }\n \n-static void flow_offload_port_dnat(struct net *net,\n-\t\t\t\t   const struct flow_offload *flow,\n-\t\t\t\t   enum flow_offload_tuple_dir dir,\n-\t\t\t\t   struct nf_flow_rule *flow_rule)\n+static int flow_offload_port_dnat(struct net *net,\n+\t\t\t\t  const struct flow_offload *flow,\n+\t\t\t\t  enum flow_offload_tuple_dir dir,\n+\t\t\t\t  struct nf_flow_rule *flow_rule)\n {\n \tstruct flow_action_entry *entry = flow_action_entry_next(flow_rule);\n \tu32 mask, port;\n \tu32 offset;\n \n+\tif (!entry)\n+\t\treturn -E2BIG;\n+\n \tswitch (dir) {\n \tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n \t\tport = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_port);\n@@ -515,20 +548,24 @@ static void flow_offload_port_dnat(struct net *net,\n \t\tmask = ~htonl(0xffff0000);\n \t\tbreak;\n \tdefault:\n-\t\treturn;\n+\t\treturn -EOPNOTSUPP;\n \t}\n \n \tflow_offload_mangle(entry, flow_offload_l4proto(flow), offset,\n \t\t\t    &port, &mask);\n+\treturn 0;\n }\n \n-static void flow_offload_ipv4_checksum(struct net *net,\n-\t\t\t\t       const struct flow_offload *flow,\n-\t\t\t\t       struct nf_flow_rule *flow_rule)\n+static int flow_offload_ipv4_checksum(struct net *net,\n+\t\t\t\t      const struct flow_offload *flow,\n+\t\t\t\t      struct nf_flow_rule *flow_rule)\n {\n \tu8 protonum = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.l4proto;\n \tstruct flow_action_entry *entry = flow_action_entry_next(flow_rule);\n \n+\tif (!entry)\n+\t\treturn -E2BIG;\n+\n \tentry->id = FLOW_ACTION_CSUM;\n \tentry->csum_flags = TCA_CSUM_UPDATE_FLAG_IPV4HDR;\n \n@@ -540,12 +577,14 @@ static void flow_offload_ipv4_checksum(struct net *net,\n \t\tentry->csum_flags |= TCA_CSUM_UPDATE_FLAG_UDP;\n \t\tbreak;\n \t}\n+\n+\treturn 0;\n }\n \n-static void flow_offload_redirect(struct net *net,\n-\t\t\t\t  const struct flow_offload *flow,\n-\t\t\t\t  enum flow_offload_tuple_dir dir,\n-\t\t\t\t  struct nf_flow_rule *flow_rule)\n+static int flow_offload_redirect(struct net *net,\n+\t\t\t\t const struct flow_offload *flow,\n+\t\t\t\t enum flow_offload_tuple_dir dir,\n+\t\t\t\t struct nf_flow_rule *flow_rule)\n {\n \tconst struct flow_offload_tuple *this_tuple, *other_tuple;\n \tstruct flow_action_entry *entry;\n@@ -563,21 +602,26 @@ static void flow_offload_redirect(struct net *net,\n \t\tifindex = other_tuple->iifidx;\n \t\tbreak;\n \tdefault:\n-\t\treturn;\n+\t\treturn -EOPNOTSUPP;\n \t}\n \n \tdev = dev_get_by_index(net, ifindex);\n \tif (!dev)\n-\t\treturn;\n+\t\treturn -ENODEV;\n \n \tentry = flow_action_entry_next(flow_rule);\n+\tif (!entry)\n+\t\treturn -E2BIG;\n+\n \tentry->id = FLOW_ACTION_REDIRECT;\n \tentry->dev = dev;\n+\n+\treturn 0;\n }\n \n-static void flow_offload_encap_tunnel(const struct flow_offload *flow,\n-\t\t\t\t      enum flow_offload_tuple_dir dir,\n-\t\t\t\t      struct nf_flow_rule *flow_rule)\n+static int flow_offload_encap_tunnel(const struct flow_offload *flow,\n+\t\t\t\t     enum flow_offload_tuple_dir dir,\n+\t\t\t\t     struct nf_flow_rule *flow_rule)\n {\n \tconst struct flow_offload_tuple *this_tuple;\n \tstruct flow_action_entry *entry;\n@@ -585,7 +629,7 @@ static void flow_offload_encap_tunnel(const struct flow_offload *flow,\n \n \tthis_tuple = &flow->tuplehash[dir].tuple;\n \tif (this_tuple->xmit_type == FLOW_OFFLOAD_XMIT_DIRECT)\n-\t\treturn;\n+\t\treturn 0;\n \n \tdst = this_tuple->dst_cache;\n \tif (dst && dst->lwtstate) {\n@@ -594,15 +638,19 @@ static void flow_offload_encap_tunnel(const struct flow_offload *flow,\n \t\ttun_info = lwt_tun_info(dst->lwtstate);\n \t\tif (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX)) {\n \t\t\tentry = flow_action_entry_next(flow_rule);\n+\t\t\tif (!entry)\n+\t\t\t\treturn -E2BIG;\n \t\t\tentry->id = FLOW_ACTION_TUNNEL_ENCAP;\n \t\t\tentry->tunnel = tun_info;\n \t\t}\n \t}\n+\n+\treturn 0;\n }\n \n-static void flow_offload_decap_tunnel(const struct flow_offload *flow,\n-\t\t\t\t      enum flow_offload_tuple_dir dir,\n-\t\t\t\t      struct nf_flow_rule *flow_rule)\n+static int flow_offload_decap_tunnel(const struct flow_offload *flow,\n+\t\t\t\t     enum flow_offload_tuple_dir dir,\n+\t\t\t\t     struct nf_flow_rule *flow_rule)\n {\n \tconst struct flow_offload_tuple *other_tuple;\n \tstruct flow_action_entry *entry;\n@@ -610,7 +658,7 @@ static void flow_offload_decap_tunnel(const struct flow_offload *flow,\n \n \tother_tuple = &flow->tuplehash[!dir].tuple;\n \tif (other_tuple->xmit_type == FLOW_OFFLOAD_XMIT_DIRECT)\n-\t\treturn;\n+\t\treturn 0;\n \n \tdst = other_tuple->dst_cache;\n \tif (dst && dst->lwtstate) {\n@@ -619,9 +667,13 @@ static void flow_offload_decap_tunnel(const struct flow_offload *flow,\n \t\ttun_info = lwt_tun_info(dst->lwtstate);\n \t\tif (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX)) {\n \t\t\tentry = flow_action_entry_next(flow_rule);\n+\t\t\tif (!entry)\n+\t\t\t\treturn -E2BIG;\n \t\t\tentry->id = FLOW_ACTION_TUNNEL_DECAP;\n \t\t}\n \t}\n+\n+\treturn 0;\n }\n \n static int\n@@ -633,8 +685,9 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow,\n \tconst struct flow_offload_tuple *tuple;\n \tint i;\n \n-\tflow_offload_decap_tunnel(flow, dir, flow_rule);\n-\tflow_offload_encap_tunnel(flow, dir, flow_rule);\n+\tif (flow_offload_decap_tunnel(flow, dir, flow_rule) < 0 ||\n+\t    flow_offload_encap_tunnel(flow, dir, flow_rule) < 0)\n+\t\treturn -1;\n \n \tif (flow_offload_eth_src(net, flow, dir, flow_rule) < 0 ||\n \t    flow_offload_eth_dst(net, flow, dir, flow_rule) < 0)\n@@ -650,6 +703,8 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow,\n \n \t\tif (tuple->encap[i].proto == htons(ETH_P_8021Q)) {\n \t\t\tentry = flow_action_entry_next(flow_rule);\n+\t\t\tif (!entry)\n+\t\t\t\treturn -1;\n \t\t\tentry->id = FLOW_ACTION_VLAN_POP;\n \t\t}\n \t}\n@@ -663,6 +718,8 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow,\n \t\t\tcontinue;\n \n \t\tentry = flow_action_entry_next(flow_rule);\n+\t\tif (!entry)\n+\t\t\treturn -1;\n \n \t\tswitch (other_tuple->encap[i].proto) {\n \t\tcase htons(ETH_P_PPP_SES):\n@@ -688,18 +745,22 @@ int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow,\n \t\treturn -1;\n \n \tif (test_bit(NF_FLOW_SNAT, &flow->flags)) {\n-\t\tflow_offload_ipv4_snat(net, flow, dir, flow_rule);\n-\t\tflow_offload_port_snat(net, flow, dir, flow_rule);\n+\t\tif (flow_offload_ipv4_snat(net, flow, dir, flow_rule) < 0 ||\n+\t\t    flow_offload_port_snat(net, flow, dir, flow_rule) < 0)\n+\t\t\treturn -1;\n \t}\n \tif (test_bit(NF_FLOW_DNAT, &flow->flags)) {\n-\t\tflow_offload_ipv4_dnat(net, flow, dir, flow_rule);\n-\t\tflow_offload_port_dnat(net, flow, dir, flow_rule);\n+\t\tif (flow_offload_ipv4_dnat(net, flow, dir, flow_rule) < 0 ||\n+\t\t    flow_offload_port_dnat(net, flow, dir, flow_rule) < 0)\n+\t\t\treturn -1;\n \t}\n \tif (test_bit(NF_FLOW_SNAT, &flow->flags) ||\n \t    test_bit(NF_FLOW_DNAT, &flow->flags))\n-\t\tflow_offload_ipv4_checksum(net, flow, flow_rule);\n+\t\tif (flow_offload_ipv4_checksum(net, flow, flow_rule) < 0)\n+\t\t\treturn -1;\n \n-\tflow_offload_redirect(net, flow, dir, flow_rule);\n+\tif (flow_offload_redirect(net, flow, dir, flow_rule) < 0)\n+\t\treturn -1;\n \n \treturn 0;\n }\n@@ -713,22 +774,23 @@ int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow,\n \t\treturn -1;\n \n \tif (test_bit(NF_FLOW_SNAT, &flow->flags)) {\n-\t\tflow_offload_ipv6_snat(net, flow, dir, flow_rule);\n-\t\tflow_offload_port_snat(net, flow, dir, flow_rule);\n+\t\tif (flow_offload_ipv6_snat(net, flow, dir, flow_rule) < 0 ||\n+\t\t    flow_offload_port_snat(net, flow, dir, flow_rule) < 0)\n+\t\t\treturn -1;\n \t}\n \tif (test_bit(NF_FLOW_DNAT, &flow->flags)) {\n-\t\tflow_offload_ipv6_dnat(net, flow, dir, flow_rule);\n-\t\tflow_offload_port_dnat(net, flow, dir, flow_rule);\n+\t\tif (flow_offload_ipv6_dnat(net, flow, dir, flow_rule) < 0 ||\n+\t\t    flow_offload_port_dnat(net, flow, dir, flow_rule) < 0)\n+\t\t\treturn -1;\n \t}\n \n-\tflow_offload_redirect(net, flow, dir, flow_rule);\n+\tif (flow_offload_redirect(net, flow, dir, flow_rule) < 0)\n+\t\treturn -1;\n \n \treturn 0;\n }\n EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv6);\n \n-#define NF_FLOW_RULE_ACTION_MAX\t16\n-\n static struct nf_flow_rule *\n nf_flow_offload_rule_alloc(struct net *net,\n \t\t\t   const struct flow_offload_work *offload,\n",
    "prefixes": [
        "nf",
        "v2"
    ]
}