
[SRU,F:linux-bluefield] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex

Message ID 1649173115-24255-1-git-send-email-bodong@nvidia.com
State New
Series [SRU,F:linux-bluefield] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex | expand

Commit Message

Bodong Wang April 5, 2022, 3:38 p.m. UTC
From: Paul Blakey <paulb@nvidia.com>

BugLink: https://bugs.launchpad.net/bugs/1967892

After the cited commit optimized hw insertion, flow table entries are
populated with ifindex information which was intended to only be used
for HW offload. This tuple ifindex is hashed in the flow table key, so
it must be filled for lookup to be successful. But tuple ifindex is only
relevant for the netfilter flowtables (nft), so it's not filled in
act_ct flow table lookup, resulting in lookup failure, and no SW
offload and no offload teardown for TCP connection FIN/RST packets.

To fix this, add new tc ifindex field to tuple, which will
only be used for offloading, not for lookup, as it will not be
part of the tuple hash.

Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
Signed-off-by: Paul Blakey <paulb@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(backported from commit db6140e5e35a48405e669353bd54042c1d4c3841)
[Oz: Add missing enum ]
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
Signed-off-by: Bodong Wang <bodong@nvidia.com>
---
 include/net/netfilter/nf_flow_table.h | 16 ++++++++++++++++
 net/netfilter/nf_flow_table_offload.c |  6 +++++-
 net/sched/act_ct.c                    | 13 +++++++++----
 3 files changed, 30 insertions(+), 5 deletions(-)

Comments

Bodong Wang April 5, 2022, 3:45 p.m. UTC | #1
On 4/5/2022 10:38 AM, Bodong Wang wrote:
> From: Paul Blakey <paulb@nvidia.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1967892
>
> After cited commit optimizted hw insertion, flow table entries are
> populated with ifindex information which was intended to only be used
> for HW offload. This tuple ifindex is hashed in the flow table key, so
> it must be filled for lookup to be successful. But tuple ifindex is only
> relevant for the netfilter flowtables (nft), so it's not filled in
> act_ct flow table lookup, resulting in lookup failure, and no SW
> offload and no offload teardown for TCP connection FIN/RST packets.
>
> To fix this, add new tc ifindex field to tuple, which will
> only be used for offloading, not for lookup, as it will not be
> part of the tuple hash.
>
> Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
> Signed-off-by: Paul Blakey <paulb@nvidia.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (backported from commit db6140e5e35a48405e669353bd54042c1d4c3841)
> [Oz: Add missing enum ]
> Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
> Signed-off-by: Bodong Wang <bodong@nvidia.com>
> ---
>   include/net/netfilter/nf_flow_table.h | 16 ++++++++++++++++
>   net/netfilter/nf_flow_table_offload.c |  6 +++++-
>   net/sched/act_ct.c                    | 13 +++++++++----
>   3 files changed, 30 insertions(+), 5 deletions(-)
>
> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
> index b40772f..a0c11bc 100644
> --- a/include/net/netfilter/nf_flow_table.h
> +++ b/include/net/netfilter/nf_flow_table.h
> @@ -88,6 +88,14 @@ enum flow_offload_tuple_dir {
>   	FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
>   };
>   
> +enum flow_offload_xmit_type {
> +	FLOW_OFFLOAD_XMIT_UNSPEC	= 0,
> +	FLOW_OFFLOAD_XMIT_NEIGH,
> +	FLOW_OFFLOAD_XMIT_XFRM,
> +	FLOW_OFFLOAD_XMIT_DIRECT,
> +	FLOW_OFFLOAD_XMIT_TC,
> +};
> +
>   struct flow_offload_tuple {
>   	union {
>   		struct in_addr		src_v4;
> @@ -111,6 +119,14 @@ struct flow_offload_tuple {
>   	u16				mtu;
>   
>   	struct dst_entry		*dst_cache;
> +
> +	/* fix conflicting upstream commit db6140e5e35a48405e669353bd54042c1d4c3841 */
> +	u8				xmit_type;
> +	union {
> +		struct {
> +			u32		iifidx;
> +		} tc;
> +	};
>   };
>   
>   struct flow_offload_tuple_rhash {
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index b6421a8..e41b5c5 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -103,7 +103,11 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>   		nf_flow_rule_lwt_match(match, tun_info);
>   	}
>   
> -	key->meta.ingress_ifindex = tuple->iifidx;
> +	if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)
> +		key->meta.ingress_ifindex = tuple->tc.iifidx;
> +	else
> +		key->meta.ingress_ifindex = tuple->iifidx;
> +
>   	mask->meta.ingress_ifindex = 0xffffffff;
>   
>   	switch (tuple->l3proto) {
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index a54ba2e..ed310be 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -356,6 +356,13 @@ static void tcf_ct_flow_table_put(struct tcf_ct_params *params)
>   	}
>   }
>   
> +static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,
> +				 struct nf_conn_act_ct_ext *act_ct_ext, u8 dir)
> +{
> +	entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;
> +	entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];
> +}
> +
>   static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>   				  struct nf_conn *ct,
>   				  bool tcp)
> @@ -380,10 +387,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>   
>   	act_ct_ext = nf_conn_act_ct_ext_find(ct);
>   	if (act_ct_ext) {
> -		entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =
> -			act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];
> -		entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =
> -			act_ct_ext->ifindex[IP_CT_DIR_REPLY];
> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL);
> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY);
>   	}
>   
>   	err = flow_offload_add(&ct_ft->nf_ft, entry);

Tim, can we apply this critical fix asap? We're closing the release but 
current SRU cycle(April) is too late for us.
Tim Gardner April 5, 2022, 6:51 p.m. UTC | #2
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Your backport note neglected to mention that you also changed the bit 
width of xmit_type from 3 to 8.

On 4/5/22 09:38, Bodong Wang wrote:
> From: Paul Blakey <paulb@nvidia.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1967892
> 
> After cited commit optimizted hw insertion, flow table entries are
> populated with ifindex information which was intended to only be used
> for HW offload. This tuple ifindex is hashed in the flow table key, so
> it must be filled for lookup to be successful. But tuple ifindex is only
> relevant for the netfilter flowtables (nft), so it's not filled in
> act_ct flow table lookup, resulting in lookup failure, and no SW
> offload and no offload teardown for TCP connection FIN/RST packets.
> 
> To fix this, add new tc ifindex field to tuple, which will
> only be used for offloading, not for lookup, as it will not be
> part of the tuple hash.
> 
> Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
> Signed-off-by: Paul Blakey <paulb@nvidia.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (backported from commit db6140e5e35a48405e669353bd54042c1d4c3841)
> [Oz: Add missing enum ]
> Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
> Signed-off-by: Bodong Wang <bodong@nvidia.com>
> ---
>   include/net/netfilter/nf_flow_table.h | 16 ++++++++++++++++
>   net/netfilter/nf_flow_table_offload.c |  6 +++++-
>   net/sched/act_ct.c                    | 13 +++++++++----
>   3 files changed, 30 insertions(+), 5 deletions(-)
> 
> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
> index b40772f..a0c11bc 100644
> --- a/include/net/netfilter/nf_flow_table.h
> +++ b/include/net/netfilter/nf_flow_table.h
> @@ -88,6 +88,14 @@ enum flow_offload_tuple_dir {
>   	FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
>   };
>   
> +enum flow_offload_xmit_type {
> +	FLOW_OFFLOAD_XMIT_UNSPEC	= 0,
> +	FLOW_OFFLOAD_XMIT_NEIGH,
> +	FLOW_OFFLOAD_XMIT_XFRM,
> +	FLOW_OFFLOAD_XMIT_DIRECT,
> +	FLOW_OFFLOAD_XMIT_TC,
> +};
> +
>   struct flow_offload_tuple {
>   	union {
>   		struct in_addr		src_v4;
> @@ -111,6 +119,14 @@ struct flow_offload_tuple {
>   	u16				mtu;
>   
>   	struct dst_entry		*dst_cache;
> +
> +	/* fix conflicting upstream commit db6140e5e35a48405e669353bd54042c1d4c3841 */
> +	u8				xmit_type;
> +	union {
> +		struct {
> +			u32		iifidx;
> +		} tc;
> +	};
>   };
>   
>   struct flow_offload_tuple_rhash {
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index b6421a8..e41b5c5 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -103,7 +103,11 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>   		nf_flow_rule_lwt_match(match, tun_info);
>   	}
>   
> -	key->meta.ingress_ifindex = tuple->iifidx;
> +	if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)
> +		key->meta.ingress_ifindex = tuple->tc.iifidx;
> +	else
> +		key->meta.ingress_ifindex = tuple->iifidx;
> +
>   	mask->meta.ingress_ifindex = 0xffffffff;
>   
>   	switch (tuple->l3proto) {
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index a54ba2e..ed310be 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -356,6 +356,13 @@ static void tcf_ct_flow_table_put(struct tcf_ct_params *params)
>   	}
>   }
>   
> +static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,
> +				 struct nf_conn_act_ct_ext *act_ct_ext, u8 dir)
> +{
> +	entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;
> +	entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];
> +}
> +
>   static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>   				  struct nf_conn *ct,
>   				  bool tcp)
> @@ -380,10 +387,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>   
>   	act_ct_ext = nf_conn_act_ct_ext_find(ct);
>   	if (act_ct_ext) {
> -		entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =
> -			act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];
> -		entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =
> -			act_ct_ext->ifindex[IP_CT_DIR_REPLY];
> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL);
> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY);
>   	}
>   
>   	err = flow_offload_add(&ct_ft->nf_ft, entry);
Bodong Wang April 5, 2022, 8:49 p.m. UTC | #3
On 4/5/2022 1:51 PM, Tim Gardner wrote:
> Acked-by: Tim Gardner <tim.gardner@canonical.com>
>
> Your backport note neglected to mention that you also changed the bit 
> width of xmit_type from 3 to 8.
>
>
Do I need to send v1 or we're ok?
Tim Gardner April 5, 2022, 11:40 p.m. UTC | #4
I'm good with it, but you really ought to be more thorough. These 
backport details could well be an important clue to someone debugging 
regressions. It's one thing to adjust for context differences, but 
actually changing code is quite another.

rtg

On 4/5/22 2:49 PM, Bodong Wang wrote:
> On 4/5/2022 1:51 PM, Tim Gardner wrote:
>> Acked-by: Tim Gardner <tim.gardner@canonical.com>
>>
>> Your backport note neglected to mention that you also changed the bit 
>> width of xmit_type from 3 to 8.
>>
>>
> Do I need to send v1 or we're ok?
> 
>
Zachary Tahenakos April 6, 2022, 4:24 p.m. UTC | #5
Acked-by: Zachary Tahenakos <zachary.tahenakos@canonical.com>

On Tue, Apr 5, 2022 at 11:39 AM Bodong Wang <bodong@nvidia.com> wrote:

> From: Paul Blakey <paulb@nvidia.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1967892
>
> After cited commit optimizted hw insertion, flow table entries are
> populated with ifindex information which was intended to only be used
> for HW offload. This tuple ifindex is hashed in the flow table key, so
> it must be filled for lookup to be successful. But tuple ifindex is only
> relevant for the netfilter flowtables (nft), so it's not filled in
> act_ct flow table lookup, resulting in lookup failure, and no SW
> offload and no offload teardown for TCP connection FIN/RST packets.
>
> To fix this, add new tc ifindex field to tuple, which will
> only be used for offloading, not for lookup, as it will not be
> part of the tuple hash.
>
> Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
> Signed-off-by: Paul Blakey <paulb@nvidia.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (backported from commit db6140e5e35a48405e669353bd54042c1d4c3841)
> [Oz: Add missing enum ]
> Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
> Signed-off-by: Bodong Wang <bodong@nvidia.com>
> ---
>  include/net/netfilter/nf_flow_table.h | 16 ++++++++++++++++
>  net/netfilter/nf_flow_table_offload.c |  6 +++++-
>  net/sched/act_ct.c                    | 13 +++++++++----
>  3 files changed, 30 insertions(+), 5 deletions(-)
>
> diff --git a/include/net/netfilter/nf_flow_table.h
> b/include/net/netfilter/nf_flow_table.h
> index b40772f..a0c11bc 100644
> --- a/include/net/netfilter/nf_flow_table.h
> +++ b/include/net/netfilter/nf_flow_table.h
> @@ -88,6 +88,14 @@ enum flow_offload_tuple_dir {
>         FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
>  };
>
> +enum flow_offload_xmit_type {
> +       FLOW_OFFLOAD_XMIT_UNSPEC        = 0,
> +       FLOW_OFFLOAD_XMIT_NEIGH,
> +       FLOW_OFFLOAD_XMIT_XFRM,
> +       FLOW_OFFLOAD_XMIT_DIRECT,
> +       FLOW_OFFLOAD_XMIT_TC,
> +};
> +
>  struct flow_offload_tuple {
>         union {
>                 struct in_addr          src_v4;
> @@ -111,6 +119,14 @@ struct flow_offload_tuple {
>         u16                             mtu;
>
>         struct dst_entry                *dst_cache;
> +
> +       /* fix conflicting upstream commit
> db6140e5e35a48405e669353bd54042c1d4c3841 */
> +       u8                              xmit_type;
> +       union {
> +               struct {
> +                       u32             iifidx;
> +               } tc;
> +       };
>  };
>
>  struct flow_offload_tuple_rhash {
> diff --git a/net/netfilter/nf_flow_table_offload.c
> b/net/netfilter/nf_flow_table_offload.c
> index b6421a8..e41b5c5 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -103,7 +103,11 @@ static int nf_flow_rule_match(struct nf_flow_match
> *match,
>                 nf_flow_rule_lwt_match(match, tun_info);
>         }
>
> -       key->meta.ingress_ifindex = tuple->iifidx;
> +       if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)
> +               key->meta.ingress_ifindex = tuple->tc.iifidx;
> +       else
> +               key->meta.ingress_ifindex = tuple->iifidx;
> +
>         mask->meta.ingress_ifindex = 0xffffffff;
>
>         switch (tuple->l3proto) {
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index a54ba2e..ed310be 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -356,6 +356,13 @@ static void tcf_ct_flow_table_put(struct
> tcf_ct_params *params)
>         }
>  }
>
> +static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,
> +                                struct nf_conn_act_ct_ext *act_ct_ext, u8
> dir)
> +{
> +       entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;
> +       entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];
> +}
> +
>  static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>                                   struct nf_conn *ct,
>                                   bool tcp)
> @@ -380,10 +387,8 @@ static void tcf_ct_flow_table_add(struct
> tcf_ct_flow_table *ct_ft,
>
>         act_ct_ext = nf_conn_act_ct_ext_find(ct);
>         if (act_ct_ext) {
> -               entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =
> -                       act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];
> -               entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =
> -                       act_ct_ext->ifindex[IP_CT_DIR_REPLY];
> +               tcf_ct_flow_tc_ifidx(entry, act_ct_ext,
> FLOW_OFFLOAD_DIR_ORIGINAL);
> +               tcf_ct_flow_tc_ifidx(entry, act_ct_ext,
> FLOW_OFFLOAD_DIR_REPLY);
>         }
>
>         err = flow_offload_add(&ct_ft->nf_ft, entry);
> --
> 1.8.3.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
Kleber Sacilotto de Souza April 6, 2022, 4:29 p.m. UTC | #6
On 05.04.22 17:38, Bodong Wang wrote:
> From: Paul Blakey <paulb@nvidia.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1967892
> 
> After cited commit optimizted hw insertion, flow table entries are
> populated with ifindex information which was intended to only be used
> for HW offload. This tuple ifindex is hashed in the flow table key, so
> it must be filled for lookup to be successful. But tuple ifindex is only
> relevant for the netfilter flowtables (nft), so it's not filled in
> act_ct flow table lookup, resulting in lookup failure, and no SW
> offload and no offload teardown for TCP connection FIN/RST packets.
> 
> To fix this, add new tc ifindex field to tuple, which will
> only be used for offloading, not for lookup, as it will not be
> part of the tuple hash.
> 
> Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
> Signed-off-by: Paul Blakey <paulb@nvidia.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (backported from commit db6140e5e35a48405e669353bd54042c1d4c3841)
> [Oz: Add missing enum ]
> Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
> Signed-off-by: Bodong Wang <bodong@nvidia.com>


Applied to focal:linux-bluefield. This patch will be included in a re-spin
for the 2022.02.21 SRU cycle.

Thanks,
Kleber


> ---
>   include/net/netfilter/nf_flow_table.h | 16 ++++++++++++++++
>   net/netfilter/nf_flow_table_offload.c |  6 +++++-
>   net/sched/act_ct.c                    | 13 +++++++++----
>   3 files changed, 30 insertions(+), 5 deletions(-)
> 
> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
> index b40772f..a0c11bc 100644
> --- a/include/net/netfilter/nf_flow_table.h
> +++ b/include/net/netfilter/nf_flow_table.h
> @@ -88,6 +88,14 @@ enum flow_offload_tuple_dir {
>   	FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
>   };
>   
> +enum flow_offload_xmit_type {
> +	FLOW_OFFLOAD_XMIT_UNSPEC	= 0,
> +	FLOW_OFFLOAD_XMIT_NEIGH,
> +	FLOW_OFFLOAD_XMIT_XFRM,
> +	FLOW_OFFLOAD_XMIT_DIRECT,
> +	FLOW_OFFLOAD_XMIT_TC,
> +};
> +
>   struct flow_offload_tuple {
>   	union {
>   		struct in_addr		src_v4;
> @@ -111,6 +119,14 @@ struct flow_offload_tuple {
>   	u16				mtu;
>   
>   	struct dst_entry		*dst_cache;
> +
> +	/* fix conflicting upstream commit db6140e5e35a48405e669353bd54042c1d4c3841 */
> +	u8				xmit_type;
> +	union {
> +		struct {
> +			u32		iifidx;
> +		} tc;
> +	};
>   };
>   
>   struct flow_offload_tuple_rhash {
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index b6421a8..e41b5c5 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -103,7 +103,11 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>   		nf_flow_rule_lwt_match(match, tun_info);
>   	}
>   
> -	key->meta.ingress_ifindex = tuple->iifidx;
> +	if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)
> +		key->meta.ingress_ifindex = tuple->tc.iifidx;
> +	else
> +		key->meta.ingress_ifindex = tuple->iifidx;
> +
>   	mask->meta.ingress_ifindex = 0xffffffff;
>   
>   	switch (tuple->l3proto) {
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index a54ba2e..ed310be 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -356,6 +356,13 @@ static void tcf_ct_flow_table_put(struct tcf_ct_params *params)
>   	}
>   }
>   
> +static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,
> +				 struct nf_conn_act_ct_ext *act_ct_ext, u8 dir)
> +{
> +	entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;
> +	entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];
> +}
> +
>   static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>   				  struct nf_conn *ct,
>   				  bool tcp)
> @@ -380,10 +387,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>   
>   	act_ct_ext = nf_conn_act_ct_ext_find(ct);
>   	if (act_ct_ext) {
> -		entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =
> -			act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];
> -		entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =
> -			act_ct_ext->ifindex[IP_CT_DIR_REPLY];
> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL);
> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY);
>   	}
>   
>   	err = flow_offload_add(&ct_ft->nf_ft, entry);
Kleber Sacilotto de Souza April 7, 2022, 8:13 a.m. UTC | #7
On 05.04.22 17:45, Bodong Wang wrote:
> On 4/5/2022 10:38 AM, Bodong Wang wrote:
>> From: Paul Blakey <paulb@nvidia.com>
>>
>> BugLink: https://bugs.launchpad.net/bugs/1967892
>>
>> After cited commit optimizted hw insertion, flow table entries are
>> populated with ifindex information which was intended to only be used
>> for HW offload. This tuple ifindex is hashed in the flow table key, so
>> it must be filled for lookup to be successful. But tuple ifindex is only
>> relevant for the netfilter flowtables (nft), so it's not filled in
>> act_ct flow table lookup, resulting in lookup failure, and no SW
>> offload and no offload teardown for TCP connection FIN/RST packets.
>>
>> To fix this, add new tc ifindex field to tuple, which will
>> only be used for offloading, not for lookup, as it will not be
>> part of the tuple hash.
>>
>> Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
>> Signed-off-by: Paul Blakey <paulb@nvidia.com>
>> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>> (backported from commit db6140e5e35a48405e669353bd54042c1d4c3841)
>> [Oz: Add missing enum ]
>> Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
>> Signed-off-by: Bodong Wang <bodong@nvidia.com>
>> ---
>>    include/net/netfilter/nf_flow_table.h | 16 ++++++++++++++++
>>    net/netfilter/nf_flow_table_offload.c |  6 +++++-
>>    net/sched/act_ct.c                    | 13 +++++++++----
>>    3 files changed, 30 insertions(+), 5 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
>> index b40772f..a0c11bc 100644
>> --- a/include/net/netfilter/nf_flow_table.h
>> +++ b/include/net/netfilter/nf_flow_table.h
>> @@ -88,6 +88,14 @@ enum flow_offload_tuple_dir {
>>    	FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
>>    };
>>    
>> +enum flow_offload_xmit_type {
>> +	FLOW_OFFLOAD_XMIT_UNSPEC	= 0,
>> +	FLOW_OFFLOAD_XMIT_NEIGH,
>> +	FLOW_OFFLOAD_XMIT_XFRM,
>> +	FLOW_OFFLOAD_XMIT_DIRECT,
>> +	FLOW_OFFLOAD_XMIT_TC,
>> +};
>> +
>>    struct flow_offload_tuple {
>>    	union {
>>    		struct in_addr		src_v4;
>> @@ -111,6 +119,14 @@ struct flow_offload_tuple {
>>    	u16				mtu;
>>    
>>    	struct dst_entry		*dst_cache;
>> +
>> +	/* fix conflicting upstream commit db6140e5e35a48405e669353bd54042c1d4c3841 */
>> +	u8				xmit_type;
>> +	union {
>> +		struct {
>> +			u32		iifidx;
>> +		} tc;
>> +	};
>>    };
>>    
>>    struct flow_offload_tuple_rhash {
>> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
>> index b6421a8..e41b5c5 100644
>> --- a/net/netfilter/nf_flow_table_offload.c
>> +++ b/net/netfilter/nf_flow_table_offload.c
>> @@ -103,7 +103,11 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>>    		nf_flow_rule_lwt_match(match, tun_info);
>>    	}
>>    
>> -	key->meta.ingress_ifindex = tuple->iifidx;
>> +	if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)
>> +		key->meta.ingress_ifindex = tuple->tc.iifidx;
>> +	else
>> +		key->meta.ingress_ifindex = tuple->iifidx;
>> +
>>    	mask->meta.ingress_ifindex = 0xffffffff;
>>    
>>    	switch (tuple->l3proto) {
>> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
>> index a54ba2e..ed310be 100644
>> --- a/net/sched/act_ct.c
>> +++ b/net/sched/act_ct.c
>> @@ -356,6 +356,13 @@ static void tcf_ct_flow_table_put(struct tcf_ct_params *params)
>>    	}
>>    }
>>    
>> +static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,
>> +				 struct nf_conn_act_ct_ext *act_ct_ext, u8 dir)
>> +{
>> +	entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;
>> +	entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];
>> +}
>> +
>>    static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>>    				  struct nf_conn *ct,
>>    				  bool tcp)
>> @@ -380,10 +387,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
>>    
>>    	act_ct_ext = nf_conn_act_ct_ext_find(ct);
>>    	if (act_ct_ext) {
>> -		entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =
>> -			act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];
>> -		entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =
>> -			act_ct_ext->ifindex[IP_CT_DIR_REPLY];
>> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL);
>> +		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY);
>>    	}
>>    
>>    	err = flow_offload_add(&ct_ft->nf_ft, entry);
> 
> Tim, can we apply this critical fix asap? We're closing the release but
> current SRU cycle(April) is too late for us.
> 
> 

Hi Bodong,

The commit that this fix claims to address (9795ded7f924 "net/sched: act_ct: Fill offloading tuple iifidx")
is applied and queued to be added to a build in the current SRU cycle (2022.03.21 with release date scheduled
for Apr-18). So if this release date is too late we will need to actually pull that commit and other prerequisites
for a re-spin in the previous SRU cycle (2022.02.21) to be released asap, but the release wouldn't likely happen
more than a week earlier than Apr-18. Is the second option what you need?

Thank you,
Kleber
Bodong Wang April 7, 2022, 4:13 p.m. UTC | #8
On 4/7/2022 3:13 AM, Kleber Souza wrote:
> On 05.04.22 17:45, Bodong Wang wrote:
>> On 4/5/2022 10:38 AM, Bodong Wang wrote:
>>>
>>
>> Tim, can we apply this critical fix asap? We're closing the release but
>> current SRU cycle(April) is too late for us.
>>
>>
>
> Hi Bodong,
>
> The commit that this fix claims to address (9795ded7f924 "net/sched: 
> act_ct: Fill offloading tuple iifidx")
> is applied and queued to be added to a build in the current SRU cycle 
> (2022.03.21 with release date scheduled
> for Apr-18). So if this release date is too late we will need to 
> actually pull that commit and other prerequisites
> for a re-spin in the previous SRU cycle (2022.02.21) to be released 
> asap, but the release wouldn't likely happen
> more than a week earlier than Apr-18. Is the second option what you need?
>
> Thank you,
> Kleber

Hi Kleber,

It works for us if we can have it inside Apr-18 release.

Thanks,

Bodong
Kleber Sacilotto de Souza April 8, 2022, 7:51 a.m. UTC | #9
On 07.04.22 18:13, Bodong Wang wrote:
> On 4/7/2022 3:13 AM, Kleber Souza wrote:
>> On 05.04.22 17:45, Bodong Wang wrote:
>>> On 4/5/2022 10:38 AM, Bodong Wang wrote:
>>>>
>>>
>>> Tim, can we apply this critical fix asap? We're closing the release but
>>> current SRU cycle(April) is too late for us.
>>>
>>>
>>
>> Hi Bodong,
>>
>> The commit that this fix claims to address (9795ded7f924 "net/sched:
>> act_ct: Fill offloading tuple iifidx")
>> is applied and queued to be added to a build in the current SRU cycle
>> (2022.03.21 with release date scheduled
>> for Apr-18). So if this release date is too late we will need to
>> actually pull that commit and other prerequisites
>> for a re-spin in the previous SRU cycle (2022.02.21) to be released
>> asap, but the release wouldn't likely happen
>> more than a week earlier than Apr-18. Is the second option what you need?
>>
>> Thank you,
>> Kleber
> 
> Hi Kleber,
> 
> It works for us if we can have it inside Apr-18 release.
> 
> Thanks,
> 
> Bodong
> 

Hi Bodong,

Thank you for the clarification.


Kleber

Patch

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index b40772f..a0c11bc 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -88,6 +88,14 @@  enum flow_offload_tuple_dir {
 	FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
 };
 
+enum flow_offload_xmit_type {
+	FLOW_OFFLOAD_XMIT_UNSPEC	= 0,
+	FLOW_OFFLOAD_XMIT_NEIGH,
+	FLOW_OFFLOAD_XMIT_XFRM,
+	FLOW_OFFLOAD_XMIT_DIRECT,
+	FLOW_OFFLOAD_XMIT_TC,
+};
+
 struct flow_offload_tuple {
 	union {
 		struct in_addr		src_v4;
@@ -111,6 +119,14 @@  struct flow_offload_tuple {
 	u16				mtu;
 
 	struct dst_entry		*dst_cache;
+
+	/* fix conflicting upstream commit db6140e5e35a48405e669353bd54042c1d4c3841 */
+	u8				xmit_type;
+	union {
+		struct {
+			u32		iifidx;
+		} tc;
+	};
 };
 
 struct flow_offload_tuple_rhash {
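Review bot: The comment added above `xmit_type` names the upstream commit but not the property the fix depends on: per the commit message, the new `tc.iifidx` must stay out of the hashed lookup key, and nothing in the struct says so. The struct definition starts outside this hunk, so where the hashed region ends is not visible here; presumably it ends before `dst_cache`. I would add `/* Offload-only, not part of the lookup key: keep after the hashed members. */` above the new fields, so a later reordering or backport does not silently pull them into the hash and reintroduce the lookup failure.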
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index b6421a8..e41b5c5 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -103,7 +103,11 @@  static int nf_flow_rule_match(struct nf_flow_match *match,
 		nf_flow_rule_lwt_match(match, tun_info);
 	}
 
-	key->meta.ingress_ifindex = tuple->iifidx;
+	if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)
+		key->meta.ingress_ifindex = tuple->tc.iifidx;
+	else
+		key->meta.ingress_ifindex = tuple->iifidx;
+
 	mask->meta.ingress_ifindex = 0xffffffff;
 
 	switch (tuple->l3proto) {
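Review bot: The new `tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC` test is only correct if every tuple not set up by act_ct carries FLOW_OFFLOAD_XMIT_UNSPEC, yet nothing visible in this patch assigns `xmit_type` outside tcf_ct_flow_tc_ifidx(). That presumably relies on the flow entry being zero-initialised at allocation, which happens outside these hunks and should be confirmed for this tree. A comment at the branch would record the assumption, e.g. `/* xmit_type stays UNSPEC (0) unless act_ct set it in tcf_ct_flow_tc_ifidx() */`. The `else` path is also taken for act_ct entries in the last act_ct.c hunk when `act_ct_ext` is NULL, in which case `tuple->iifidx` is matched under the full `0xffffffff` mask although act_ct no longer fills it. nf_flow_rule_match() continues outside the hunk.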
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index a54ba2e..ed310be 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -356,6 +356,13 @@  static void tcf_ct_flow_table_put(struct tcf_ct_params *params)
 	}
 }
 
+static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,
+				 struct nf_conn_act_ct_ext *act_ct_ext, u8 dir)
+{
+	entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;
+	entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];
+}
+
 static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
 				  struct nf_conn *ct,
 				  bool tcp)
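Review bot: In tcf_ct_flow_tc_ifidx() the single `u8 dir` indexes both `entry->tuplehash[]` and `act_ct_ext->ifindex[]`, whereas the removed code indexed the first with FLOW_OFFLOAD_DIR_* and the second with IP_CT_DIR_*. The callers pass FLOW_OFFLOAD_DIR_* values, so the helper depends on the two enums having identical values. The header context line `FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX` suggests they are tied together, but the individual enumerators are not visible on this page. A one-line comment such as `/* dir: FLOW_OFFLOAD_DIR_* and IP_CT_DIR_* share values */` would document that. `dir` is also used unchecked as an array index, so the helper should only ever be called with those two constants.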
@@ -380,10 +387,8 @@  static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
 
 	act_ct_ext = nf_conn_act_ct_ext_find(ct);
 	if (act_ct_ext) {
-		entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =
-			act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];
-		entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =
-			act_ct_ext->ifindex[IP_CT_DIR_REPLY];
+		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL);
+		tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY);
 	}
 
 	err = flow_offload_add(&ct_ft->nf_ft, entry);