| Message ID | 20200106114753.7765-1-pablo@netfilter.org |
|---|---|
| State | Superseded |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | [nf] netfilter: flowtable: restrict flow dissector match on meta ingress device | expand |
Acked-by: wenxu <wenxu@ucloud.cn> This can avoid the wrong flow install in hardware if there are more than two forward devices in the flowtables. Because all the devices shared the same block. 在 2020/1/6 19:47, Pablo Neira Ayuso 写道: > Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface. > > Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support") > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > --- > net/netfilter/nf_flow_table_offload.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c > index 4d1e81e2880f..b879e673953f 100644 > --- a/net/netfilter/nf_flow_table_offload.c > +++ b/net/netfilter/nf_flow_table_offload.c > @@ -24,6 +24,7 @@ struct flow_offload_work { > }; > > struct nf_flow_key { > + struct flow_dissector_key_meta meta; > struct flow_dissector_key_control control; > struct flow_dissector_key_basic basic; > union { > @@ -55,6 +56,7 @@ static int nf_flow_rule_match(struct nf_flow_match *match, > struct nf_flow_key *mask = &match->mask; > struct nf_flow_key *key = &match->key; > > + NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta); > NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control); > NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic); > NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4); > @@ -62,6 +64,9 @@ static int nf_flow_rule_match(struct nf_flow_match *match, > NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp); > NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp); > > + key->meta.ingress_ifindex = tuple->iifidx; > + mask->meta.ingress_ifindex = 0xffffffff; > + > switch (tuple->l3proto) { > case AF_INET: > key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; > @@ -105,7 +110,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match, > key->tp.dst = tuple->dst_port; > mask->tp.dst = 0xffff; > > - match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) | > + match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) | > + BIT(FLOW_DISSECTOR_KEY_CONTROL) | > BIT(FLOW_DISSECTOR_KEY_BASIC) | > BIT(FLOW_DISSECTOR_KEY_PORTS); > return 0;
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 4d1e81e2880f..b879e673953f 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -24,6 +24,7 @@ struct flow_offload_work { }; struct nf_flow_key { + struct flow_dissector_key_meta meta; struct flow_dissector_key_control control; struct flow_dissector_key_basic basic; union { @@ -55,6 +56,7 @@ static int nf_flow_rule_match(struct nf_flow_match *match, struct nf_flow_key *mask = &match->mask; struct nf_flow_key *key = &match->key; + NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta); NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control); NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic); NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4); @@ -62,6 +64,9 @@ static int nf_flow_rule_match(struct nf_flow_match *match, NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp); NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp); + key->meta.ingress_ifindex = tuple->iifidx; + mask->meta.ingress_ifindex = 0xffffffff; + switch (tuple->l3proto) { case AF_INET: key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; @@ -105,7 +110,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match, key->tp.dst = tuple->dst_port; mask->tp.dst = 0xffff; - match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) | + match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) | + BIT(FLOW_DISSECTOR_KEY_CONTROL) | BIT(FLOW_DISSECTOR_KEY_BASIC) | BIT(FLOW_DISSECTOR_KEY_PORTS); return 0;
Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface. Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_flow_table_offload.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)