Message ID | 1547103095-8443-1-git-send-email-wenxu@ucloud.cn
---|---
State | Accepted
Delegated to | Pablo Neira
Series | [v2] nft_flow_offload: Make flow offload work with vrf slave device correct
On Thu, Jan 10, 2019 at 02:51:35PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> In the forward chain the iif is changed from the slave device to the master vrf
> device. It will lead the offload to not match on the lower slave device.
>
> This patch sets the flow table iif and oif based on the route cache dst->dev, not
> the skb->iif.
>
> This patch makes the following example work correctly:
>
> ip addr add dev eth0 1.1.1.1/24
> ip addr add dev eth1 10.0.0.1/24
> ip link add user1 type vrf table 1
> ip l set user1 up
> ip l set dev eth0 master user1
> ip l set dev eth1 master user1
>
> nft add table firewall
> nft add flowtable f fb1 { hook ingress priority 0 \; devices = { eth0, eth1 } \; }
> nft add chain f ftb-all {type filter hook forward priority 0 \; policy accept \; }
> nft add rule f ftb-all ct zone 1 ip protocol tcp flow offload @fb1
> nft add rule f ftb-all ct zone 1 ip protocol udp flow offload @fb1

v2 looks much better, thanks.

Let me revamp this patch title to:

netfilter: nft_flow_offload: fix interaction with vrf slave device

before applying. Thanks.
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 7d5cda7..3e370cb 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -84,7 +84,6 @@ struct flow_offload { struct nf_flow_route { struct { struct dst_entry *dst; - int ifindex; } tuple[FLOW_OFFLOAD_DIR_MAX]; }; diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index fa0844e..fc0741b 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -29,6 +29,7 @@ struct flow_offload_entry { struct flow_offload_tuple *ft = &flow->tuplehash[dir].tuple; struct nf_conntrack_tuple *ctt = &ct->tuplehash[dir].tuple; struct dst_entry *dst = route->tuple[dir].dst; + struct dst_entry *other_dst = route->tuple[!dir].dst; ft->dir = dir; @@ -50,8 +51,8 @@ struct flow_offload_entry { ft->src_port = ctt->src.u.tcp.port; ft->dst_port = ctt->dst.u.tcp.port; - ft->iifidx = route->tuple[dir].ifindex; - ft->oifidx = route->tuple[!dir].ifindex; + ft->iifidx = other_dst->dev->ifindex; + ft->oifidx = dst->dev->ifindex; ft->dst_cache = dst; } diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index ccdb8f5..188c6bb 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -30,9 +30,11 @@ static int nft_flow_route(const struct nft_pktinfo *pkt, switch (nft_pf(pkt)) { case NFPROTO_IPV4: fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; + fl.u.ip4.flowi4_oif = nft_in(pkt)->ifindex; break; case NFPROTO_IPV6: fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; + fl.u.ip6.flowi6_oif = nft_in(pkt)->ifindex; break; } @@ -41,9 +43,7 @@ static int nft_flow_route(const struct nft_pktinfo *pkt, return -ENOENT; route->tuple[dir].dst = this_dst; - route->tuple[dir].ifindex = nft_in(pkt)->ifindex; route->tuple[!dir].dst = other_dst; - route->tuple[!dir].ifindex = nft_out(pkt)->ifindex; return 0; }
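Review bot: removing `int ifindex` from `struct nf_flow_route` (include/net/netfilter/nf_flow_table.h hunk) changes the contract for every caller that fills a route for flow_offload_alloc(); the only caller updated in this patch is nft_flow_offload.c, so before applying, confirm with `git grep 'tuple\[.*\]\.ifindex'` that no other in-tree user of the field is left behind, otherwise the build breaks outside this series.

Review bot: in the nf_flow_table_core.c hunk, `other_dst->dev->ifindex` and `dst->dev->ifindex` dereference `dst->dev` unconditionally, which the old code never did (it copied an integer from the packet); that is only safe because both dsts come from a successful lookup in nft_flow_route, and that assumption deserves a comment at the `other_dst` declaration. It is also worth a one-line comment that the ingress index is deliberately taken from the reverse direction's route (`route->tuple[!dir].dst` is the route back to this direction's source, so its device is the real lower device that the VRF forward hook no longer exposes in `skb->iif`); without it the `iifidx = other_dst` / `oifidx = dst` pairing reads as a typo.

Review bot: in the first nft_flow_offload.c hunk, binding `flowi4_oif` / `flowi6_oif` to `nft_in(pkt)->ifindex` is what makes the reverse lookup return a dst whose `dev` is the VRF slave rather than the master, but it also pins the reverse path to the interface the packet arrived on; before this change the lookup had no oif constraint, so a flow whose return path is not the ingress device (asymmetric or policy routing) now gets a dst for a different path than the kernel would otherwise pick. A short comment next to the two assignments saying the lookup is intentionally bound to the ingress device, and a sentence in the commit message about the asymmetric-routing consequence, would spare the next reader a bisect.

Review bot: in the second nft_flow_offload.c hunk, dropping the two `ifindex` assignments leaves `nft_out(pkt)` unreferenced in nft_flow_route, and the original direction's oif now comes from `this_dst->dev` in flow_offload_fill_dir rather than from the hook's out device; if `this_dst` is the packet's own routed dst these agree, but the commit message should state that the flow entry now trusts the route's device on both sides. While touching the commit message: its example creates table `firewall` and then adds the flowtable, chain and rules to table `f`, so it does not run as written; one table name throughout would let people reproduce the fix.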