From patchwork Sun Feb 25 17:18:47 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 877562 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nbd.name Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=nbd.name header.i=@nbd.name header.b="suT09Dji"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zqBWr0tLtz9s2g for ; Mon, 26 Feb 2018 04:19:04 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751831AbeBYRTA (ORCPT ); Sun, 25 Feb 2018 12:19:00 -0500 Received: from nbd.name ([46.4.11.11]:37216 "EHLO nbd.name" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751710AbeBYRS6 (ORCPT ); Sun, 25 Feb 2018 12:18:58 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ymorMM0sa2dQlzbsSo560j4UiMbI/e0DnRZh8RQx6p8=; b=suT09Dji8xBEHz+DeMAdzMkP2p XxT/ayETAcv2XojX2qm382U+AI6j84MQVw3d/5kI0n84Hkrpz9vVb6P19s1Uh6nMf7ny4rUb6R7MM XFQslgbH1+rAKba0Hm9Af+YHrotl6/jv4ZBoBMof990DMe4udy7MPOz253rqYOqmyaoc=; Received: by maeck.local (Postfix, from userid 501) id 
CFC031569C09; Sun, 25 Feb 2018 18:18:52 +0100 (CET) From: Felix Fietkau To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, nbd@nbd.name Subject: [PATCH v2 1/6] netfilter: nf_flow_table: make flow_offload_dead inline Date: Sun, 25 Feb 2018 18:18:47 +0100 Message-Id: <20180225171852.34446-2-nbd@nbd.name> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20180225171852.34446-1-nbd@nbd.name> References: <20180225171852.34446-1-nbd@nbd.name> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org It is too trivial to keep as a separate exported function Signed-off-by: Felix Fietkau --- include/net/netfilter/nf_flow_table.h | 5 ++++- net/netfilter/nf_flow_table_core.c | 6 ------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index ab408adba688..5aa49524ebef 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -103,7 +103,10 @@ void nf_flow_table_cleanup(struct net *net, struct net_device *dev); int nf_flow_table_init(struct nf_flowtable *flow_table); void nf_flow_table_free(struct nf_flowtable *flow_table); -void flow_offload_dead(struct flow_offload *flow); +static inline void flow_offload_dead(struct flow_offload *flow) +{ + flow->flags |= FLOW_OFFLOAD_DYING; +} int nf_flow_snat_port(const struct flow_offload *flow, struct sk_buff *skb, unsigned int thoff, diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index e761359b56a9..0d38f20fd226 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -113,12 +113,6 @@ void flow_offload_free(struct flow_offload *flow) } EXPORT_SYMBOL_GPL(flow_offload_free); -void flow_offload_dead(struct flow_offload *flow) -{ - flow->flags |= FLOW_OFFLOAD_DYING; -} -EXPORT_SYMBOL_GPL(flow_offload_dead); - static u32 flow_offload_hash(const void *data, u32 len, u32 seed) { const struct flow_offload_tuple *tuple = data; From patchwork Sun Feb 25 17:18:48 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 877563 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nbd.name Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=nbd.name header.i=@nbd.name header.b="CBBj/FMt"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zqBWr6LCKz9s2h for ; Mon, 26 Feb 2018 04:19:04 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751670AbeBYRS5 (ORCPT ); Sun, 25 Feb 2018 12:18:57 -0500 Received: from nbd.name ([46.4.11.11]:37204 "EHLO nbd.name" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751686AbeBYRS4 (ORCPT ); Sun, 25 Feb 2018 12:18:56 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: 
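Review bot: on 1/6, the new static inline in nf_flow_table.h carries no comment, and now that the body `flow->flags |= FLOW_OFFLOAD_DYING;` is visible to every caller the header is the only place a reader can learn what the flag means; a one-line comment above the inline saying that the flag marks the entry for removal by the GC step (and that the conntrack goes with it) would make the header self-describing. The removal hunk in nf_flow_table_core.c, including the dropped EXPORT_SYMBOL_GPL, is consistent with the inline.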
Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=oxw2XHaN0qfv2ugasHpQt3mv3KJ2azNngXjZ/z3vu74=; b=CBBj/FMtFHwjoEzI+U6ZqWYUGw NhEb1pBL9m4rxb4qfolpkCHsQeoFf0YZrkkYzKALPqzPu5mqPaWglXZH6TU2PWiiVdOOkChzdGDbP X1pgTn+yjfmhfPQiZTPGSJpXBmxly639oyIr5lcpzKiVzIlZ0zcAZqhqkG2OhrcK8xH0=; Received: by maeck.local (Postfix, from userid 501) id CF39A1569C07; Sun, 25 Feb 2018 18:18:52 +0100 (CET) From: Felix Fietkau To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, nbd@nbd.name Subject: [PATCH v2 2/6] netfilter: nf_flow_table: add a new flow state for tearing down offloading Date: Sun, 25 Feb 2018 18:18:48 +0100 Message-Id: <20180225171852.34446-3-nbd@nbd.name> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20180225171852.34446-1-nbd@nbd.name> References: <20180225171852.34446-1-nbd@nbd.name> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Will be used to tear down the offload entry while keeping the conntrack entry alive. Signed-off-by: Felix Fietkau --- include/net/netfilter/nf_flow_table.h | 2 ++ net/netfilter/nf_flow_table_core.c | 22 ++++++++++++++-------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 5aa49524ebef..ba9fa4592f2b 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -68,6 +68,7 @@ struct flow_offload_tuple_rhash { #define FLOW_OFFLOAD_SNAT 0x1 #define FLOW_OFFLOAD_DNAT 0x2 #define FLOW_OFFLOAD_DYING 0x4 +#define FLOW_OFFLOAD_TEARDOWN 0x8 struct flow_offload { struct flow_offload_tuple_rhash tuplehash[FLOW_OFFLOAD_DIR_MAX]; 
@@ -103,6 +104,7 @@ void nf_flow_table_cleanup(struct net *net, struct net_device *dev); int nf_flow_table_init(struct nf_flowtable *flow_table); void nf_flow_table_free(struct nf_flowtable *flow_table); +void flow_offload_teardown(struct flow_offload *flow); static inline void flow_offload_dead(struct flow_offload *flow) { flow->flags |= FLOW_OFFLOAD_DYING; diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 0d38f20fd226..5a81e4f771e9 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -174,6 +174,12 @@ static void flow_offload_del(struct nf_flowtable *flow_table, flow_offload_free(flow); } +void flow_offload_teardown(struct flow_offload *flow) +{ + flow->flags |= FLOW_OFFLOAD_TEARDOWN; +} +EXPORT_SYMBOL_GPL(flow_offload_teardown); + struct flow_offload_tuple_rhash * flow_offload_lookup(struct nf_flowtable *flow_table, struct flow_offload_tuple *tuple) @@ -226,11 +232,6 @@ static inline bool nf_flow_has_expired(const struct flow_offload *flow) return (__s32)(flow->timeout - (u32)jiffies) <= 0; } -static inline bool nf_flow_is_dying(const struct flow_offload *flow) -{ - return flow->flags & FLOW_OFFLOAD_DYING; -} - static int nf_flow_offload_gc_step(struct nf_flowtable *flow_table) { struct flow_offload_tuple_rhash *tuplehash; @@ -258,7 +259,8 @@ static int nf_flow_offload_gc_step(struct nf_flowtable *flow_table) flow = container_of(tuplehash, struct flow_offload, tuplehash[0]); if (nf_flow_has_expired(flow) || - nf_flow_is_dying(flow)) + (flow->flags & (FLOW_OFFLOAD_DYING | + FLOW_OFFLOAD_TEARDOWN))) flow_offload_del(flow_table, flow); } out: 
@@ -419,10 +421,14 @@ static void nf_flow_table_do_cleanup(struct flow_offload *flow, void *data) { struct net_device *dev = data; - if (dev && flow->tuplehash[0].tuple.iifidx != dev->ifindex) + if (!dev) { + flow_offload_teardown(flow); return; + } - flow_offload_dead(flow); + if (flow->tuplehash[0].tuple.iifidx == dev->ifindex || + flow->tuplehash[1].tuple.iifidx == dev->ifindex) + flow_offload_dead(flow); } static void nf_flow_table_iterate_cleanup(struct nf_flowtable *flowtable, From patchwork Sun Feb 25 17:18:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 877559 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nbd.name Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=nbd.name header.i=@nbd.name header.b="Th5HjZ9f"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zqBWn5bmwz9s2h for ; Mon, 26 Feb 2018 04:19:01 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751768AbeBYRS5 (ORCPT ); Sun, 25 Feb 2018 12:18:57 -0500 Received: from nbd.name ([46.4.11.11]:37200 "EHLO nbd.name" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751670AbeBYRSz (ORCPT ); Sun, 25 Feb 2018 12:18:55 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: 
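Review bot: on 2/6, the nf_flow_table_do_cleanup hunk changes two behaviours that the commit message does not mention: with dev == NULL every flow is now only marked FLOW_OFFLOAD_TEARDOWN instead of FLOW_OFFLOAD_DYING, and with a dev the reply direction `flow->tuplehash[1].tuple.iifidx` is now compared as well, so flows whose reply side enters on the device are also killed. Both look intentional, but the log should say so. Note also that at this point in the series flow_offload_free() still calls nf_ct_delete() unconditionally, so the "keeping the conntrack entry alive" in the log only becomes true in 4/6; either say so or move the conditional delete into this patch so the tree is consistent at each step.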
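Review bot: on 2/6, flow_offload_teardown() sets its flag with a plain `flow->flags |= FLOW_OFFLOAD_TEARDOWN;` and the inline flow_offload_dead() does the same with FLOW_OFFLOAD_DYING; if the two can run on different CPUs for the same flow (later in the series teardown is called from the packet path, while dead is called from the device cleanup walk), the two read-modify-writes on the same word can lose one of the bits. Worth either documenting the serialisation that rules that out or making flags an unsigned long and using set_bit()/test_bit().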
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Jo93HBbovKeePCPRKQAhfAv4HdshjYO8eH9ILIaFoPY=; b=Th5HjZ9fhSVP2u0z8nPi800r7n FpJ6jGwGp1fT7zRPGQHftZ11r5vrRehKUyvFr8MN/R7hnz+pKNBMBK8MB2fWSWExNaGgHwiC8gdwm PcfaCF8o8MVbzYmfh+qTwRbwyJXI1uv/CxRNYkOZCM2ENX+O8nI2XCArg+iAePEu4W1g=; Received: by maeck.local (Postfix, from userid 501) id CA2921569C03; Sun, 25 Feb 2018 18:18:52 +0100 (CET) From: Felix Fietkau To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, nbd@nbd.name Subject: [PATCH v2 3/6] netfilter: nf_flow_table: in flow_offload_lookup, skip entries being deleted Date: Sun, 25 Feb 2018 18:18:49 +0100 Message-Id: <20180225171852.34446-4-nbd@nbd.name> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20180225171852.34446-1-nbd@nbd.name> References: <20180225171852.34446-1-nbd@nbd.name> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Preparation for sending flows back to the slow path Signed-off-by: Felix Fietkau --- net/netfilter/nf_flow_table_core.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 5a81e4f771e9..ff5e17a15963 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -184,8 +184,21 @@ struct flow_offload_tuple_rhash * flow_offload_lookup(struct nf_flowtable *flow_table, struct flow_offload_tuple *tuple) { - return rhashtable_lookup_fast(&flow_table->rhashtable, tuple, - nf_flow_offload_rhash_params); + struct flow_offload_tuple_rhash *tuplehash; + struct flow_offload *flow; + int dir; + + tuplehash = rhashtable_lookup_fast(&flow_table->rhashtable, tuple, + nf_flow_offload_rhash_params); + if (!tuplehash) + return NULL; + + dir = tuplehash->tuple.dir; + flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); + if (flow->flags & (FLOW_OFFLOAD_DYING | FLOW_OFFLOAD_TEARDOWN)) + return NULL; + + return tuplehash; } EXPORT_SYMBOL_GPL(flow_offload_lookup); From patchwork Sun Feb 25 17:18:50 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 877561 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nbd.name Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=nbd.name header.i=@nbd.name header.b="ZavFDMba"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zqBWq30zdz9s2h for ; Mon, 26 Feb 2018 04:19:03 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751829AbeBYRS7 (ORCPT ); Sun, 25 Feb 2018 12:18:59 -0500 Received: from nbd.name ([46.4.11.11]:37220 "EHLO nbd.name" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751821AbeBYRS6 (ORCPT ); Sun, 25 Feb 2018 12:18:58 
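Review bot: on 3/6, flow_offload_lookup() reads `flow->flags` with no lock and no READ_ONCE(), while the flags are written from the cleanup walk and from flow_offload_teardown(); the race is benign (a stale read only means one more packet takes the fast path before the GC removes the entry), so a READ_ONCE() plus a comment stating that would document the intent and keep the compiler from merging the load. The container_of() on `tuplehash[dir]` with a runtime dir is fine.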
-0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=IitfT/ItUtCNKK0CYStSDyh55s+J46Q6gAG4YNeLvPE=; b=ZavFDMbapofi4wffDHXMgHXiNz 8kt+i4FR1hezUgzLPjrSg1mjAhSrctQ58mZ6zMiS9s2pvl8iZodbBG1Ko6Iw/ihd2piHnkCqhEO48 yuMBLwKY70hVjTEoTRUW8jmoMhpiH7tzXHT76CEnkfDf3w94bY/AXc16riEXCZbG+gU0=; Received: by maeck.local (Postfix, from userid 501) id CEA9B1569C05; Sun, 25 Feb 2018 18:18:52 +0100 (CET) From: Felix Fietkau To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, nbd@nbd.name Subject: [PATCH v2 4/6] netfilter: nf_flow_table: add support for sending flows back to the slow path Date: Sun, 25 Feb 2018 18:18:50 +0100 Message-Id: <20180225171852.34446-5-nbd@nbd.name> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20180225171852.34446-1-nbd@nbd.name> References: <20180225171852.34446-1-nbd@nbd.name> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Reset the timeout. For TCP, also set the state to indicate to use the next incoming packets to reset window tracking. This allows the slow path to take over again once the offload state has been torn down Signed-off-by: Felix Fietkau --- net/netfilter/nf_flow_table_core.c | 50 +++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index ff5e17a15963..0699981a8511 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -100,6 +100,43 @@ flow_offload_alloc(struct nf_conn *ct, struct nf_flow_route *route) } EXPORT_SYMBOL_GPL(flow_offload_alloc); +static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp) +{ + tcp->state = TCP_CONNTRACK_ESTABLISHED; + tcp->seen[0].td_maxwin = 0; + tcp->seen[1].td_maxwin = 0; +} + +static void flow_offload_fixup_ct_state(struct nf_conn *ct) +{ + const struct nf_conntrack_l4proto *l4proto; + struct net *net = nf_ct_net(ct); + unsigned int *timeouts; + unsigned int timeout; + int l4num; + + l4num = nf_ct_protonum(ct); + if (l4num == IPPROTO_TCP) + flow_offload_fixup_tcp(&ct->proto.tcp); + + l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), l4num); + if (!l4proto) + return; + + timeouts = l4proto->get_timeouts(net); + if (!timeouts) + return; + + if (l4num == IPPROTO_TCP) + timeout = timeouts[TCP_CONNTRACK_ESTABLISHED]; + else if (l4num == IPPROTO_UDP) + timeout = timeouts[UDP_CT_REPLIED]; + else + return; + + ct->timeout = nfct_time_stamp + timeout; +} + void flow_offload_free(struct flow_offload *flow) { struct flow_offload_entry *e; @@ -107,7 +144,8 @@ void flow_offload_free(struct flow_offload *flow) dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_cache); dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_cache); e = container_of(flow, struct flow_offload_entry, flow); - nf_ct_delete(e->ct, 0, 0); + if (flow->flags & FLOW_OFFLOAD_DYING) + nf_ct_delete(e->ct, 0, 0); nf_ct_put(e->ct); kfree_rcu(e, rcu_head); } @@ -164,6 +202,8 @@ EXPORT_SYMBOL_GPL(flow_offload_add); static void flow_offload_del(struct nf_flowtable *flow_table, struct flow_offload *flow) { + struct flow_offload_entry *e; + rhashtable_remove_fast(&flow_table->rhashtable, &flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node, nf_flow_offload_rhash_params); 
@@ -171,12 +211,20 @@ static void flow_offload_del(struct nf_flowtable *flow_table, &flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node, nf_flow_offload_rhash_params); + e = container_of(flow, struct flow_offload_entry, flow); + clear_bit(IPS_OFFLOAD_BIT, &e->ct->status); + flow_offload_free(flow); } void flow_offload_teardown(struct flow_offload *flow) { + struct flow_offload_entry *e; + flow->flags |= FLOW_OFFLOAD_TEARDOWN; + + e = container_of(flow, struct flow_offload_entry, flow); + flow_offload_fixup_ct_state(e->ct); } EXPORT_SYMBOL_GPL(flow_offload_teardown); From patchwork Sun Feb 25 17:18:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 877560 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nbd.name Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=nbd.name header.i=@nbd.name header.b="SEqVGC4N"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zqBWp4vxqz9s2g for ; Mon, 26 Feb 2018 04:19:02 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751726AbeBYRS6 (ORCPT ); Sun, 25 Feb 2018 12:18:58 -0500 Received: from nbd.name ([46.4.11.11]:37208 "EHLO nbd.name" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751689AbeBYRS5 (ORCPT ); Sun, 25 Feb 2018 12:18:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; 
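Review bot: on 4/6, flow_offload_fixup_tcp() writes `tcp->state`, `tcp->seen[0].td_maxwin` and `tcp->seen[1].td_maxwin`, and flow_offload_fixup_ct_state() writes `ct->timeout`, without taking ct->lock; the conntrack TCP tracker updates those same fields under ct->lock, and because flow_offload_teardown() sets FLOW_OFFLOAD_TEARDOWN before calling the fixup, a packet on another CPU that already misses the flow lookup can be in the slow path while the fixup runs. Either take spin_lock_bh(&ct->lock) around the fixup or explain in a comment why the race is acceptable. Also, the `else return;` for protocols other than TCP and UDP leaves the old timeout in place; a comment that only those two protocols are ever offloaded would make that explicit.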
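Review bot: on 4/6, the `if (flow->flags & FLOW_OFFLOAD_DYING)` guard in flow_offload_free() is now the only place where DYING and TEARDOWN differ in effect (delete the conntrack vs. hand it back to the slow path), and a flow can carry both bits; a short comment at the guard stating that DYING wins would save the next reader a trip through the series. The clear_bit(IPS_OFFLOAD_BIT) added to flow_offload_del() is correctly placed before flow_offload_free() drops the ct reference.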
h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ummT9suJCaqzfdjUAHB9sDESGtd/w50rKvhVcQXcdgU=; b=SEqVGC4Nh9bPFjj8JYzbvpjhkO 8MHzZoLASLdWGBqtBYNaltJ43xJvnsO7Zg8jwpc/JNP0sdpQIiDEkr0PrTc6KDluCs5V3iAvMF00F wgTetQw3sal53jUXRs4lbisXB/bVrCS0laeV3lIWIPTHisL5fmLHCF/dhBIrobljELM8=; Received: by maeck.local (Postfix, from userid 501) id CE5F31569C04; Sun, 25 Feb 2018 18:18:52 +0100 (CET) From: Felix Fietkau To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, nbd@nbd.name Subject: [PATCH v2 5/6] netfilter: nf_flow_table: tear down TCP flows if RST or FIN was seen Date: Sun, 25 Feb 2018 18:18:51 +0100 Message-Id: <20180225171852.34446-6-nbd@nbd.name> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20180225171852.34446-1-nbd@nbd.name> References: <20180225171852.34446-1-nbd@nbd.name> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Allow the slow path to handle the shutdown of the connection with proper timeouts Signed-off-by: Felix Fietkau --- net/netfilter/nf_flow_table_ip.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index fc6f00c42d48..df58ed8be330 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c 
@@ -15,6 +15,23 @@ #include #include +static int nf_flow_tcp_state_check(struct flow_offload *flow, + struct sk_buff *skb, unsigned int thoff) +{ + struct tcphdr *tcph; + + if (!pskb_may_pull(skb, thoff + sizeof(*tcph))) + return -1; + + tcph = (void *)(skb_network_header(skb) + thoff); + if (unlikely(tcph->fin || tcph->rst)) { + flow_offload_teardown(flow); + return -1; + } + + return 0; +} + static int nf_flow_nat_ip_tcp(struct sk_buff *skb, unsigned int thoff, __be32 addr, __be32 new_addr) { @@ -118,10 +135,9 @@ static int nf_flow_dnat_ip(const struct flow_offload *flow, struct sk_buff *skb, } static int nf_flow_nat_ip(const struct flow_offload *flow, struct sk_buff *skb, - enum flow_offload_tuple_dir dir) + unsigned int thoff, enum flow_offload_tuple_dir dir) { struct iphdr *iph = ip_hdr(skb); - unsigned int thoff = iph->ihl * 4; if (flow->flags & FLOW_OFFLOAD_SNAT && (nf_flow_snat_port(flow, skb, thoff, iph->protocol, dir) < 0 || @@ -201,6 +217,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, struct flow_offload *flow; struct net_device *outdev; const struct rtable *rt; + unsigned int thoff; struct iphdr *iph; __be32 nexthop; @@ -229,8 +246,12 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, if (skb_try_make_writable(skb, sizeof(*iph))) return NF_DROP; + thoff = ip_hdr(skb)->ihl * 4; + if (nf_flow_tcp_state_check(flow, skb, thoff)) + return NF_ACCEPT; + if (flow->flags & (FLOW_OFFLOAD_SNAT | FLOW_OFFLOAD_DNAT) && - nf_flow_nat_ip(flow, skb, dir) < 0) + nf_flow_nat_ip(flow, skb, thoff, dir) < 0) return NF_DROP; flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT; 
@@ -438,6 +459,9 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu))) return NF_ACCEPT; + if (nf_flow_tcp_state_check(flow, skb, sizeof(*ip6h))) + return NF_ACCEPT; + if (skb_try_make_writable(skb, sizeof(*ip6h))) return NF_DROP; From patchwork Sun Feb 25 17:18:52 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 877564 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nbd.name Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=nbd.name header.i=@nbd.name header.b="IM0QgcTZ"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zqBWs4G7vz9s2g for ; Mon, 26 Feb 2018 04:19:05 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751832AbeBYRTC (ORCPT ); Sun, 25 Feb 2018 12:19:02 -0500 Received: from nbd.name ([46.4.11.11]:37212 "EHLO nbd.name" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751805AbeBYRS5 (ORCPT ); Sun, 25 Feb 2018 12:18:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: 
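Review bot: on 5/6, nf_flow_tcp_state_check() is called from both hooks for every offloaded flow with no check of the L4 protocol: for a UDP flow it reinterprets bytes of the UDP payload as a TCP header and calls flow_offload_teardown() whenever the bits at the fin/rst positions happen to be set, and when the datagram is too short for `pskb_may_pull(skb, thoff + sizeof(*tcph))` it returns -1 and the packet takes the slow path, so short UDP packets are never offloaded. Suggest returning 0 early unless the flow's L4 protocol is TCP (from the tuple's l4proto, or `ip_hdr(skb)->protocol` / `ip6h->nexthdr` at the call site), and a comment that a FIN or RST hands the connection back to conntrack so it can run the proper close timeouts.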
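Review bot: on 5/6, the IPv6 hook runs nf_flow_tcp_state_check() before skb_try_make_writable() while the IPv4 hook runs it after; the check only reads, so both orders work, but keeping the two hooks in the same order makes them easier to compare and keeps the thoff handling (`sizeof(*ip6h)` here, `ip_hdr(skb)->ihl * 4` there) side by side.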
List-Subscribe:List-Post:List-Owner:List-Archive; bh=mMuz1xB/BdWc37Ga9Ran/7plEoVJjGhBr8qioud65d4=; b=IM0QgcTZmwC5AYvD2cqVtpylMK Ca6ei7T7DaySQ2Ypsv3wxd3X0yhfEjHKVIscQC8z+nWBEiQyO0DBeJwCcm189feeu4kPdrRlyWwSn WcAlIQcEpuFKNdZmF27vrC4IZRmeXY/tYjWU8HuLVW1LDLMijzHpAMJu9kq83UZ8gLY4=; Received: by maeck.local (Postfix, from userid 501) id CF7EE1569C08; Sun, 25 Feb 2018 18:18:52 +0100 (CET) From: Felix Fietkau To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, nbd@nbd.name Subject: [PATCH v2 6/6] netfilter: nf_flow_table: fix checksum when handling DNAT Date: Sun, 25 Feb 2018 18:18:52 +0100 Message-Id: <20180225171852.34446-7-nbd@nbd.name> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20180225171852.34446-1-nbd@nbd.name> References: <20180225171852.34446-1-nbd@nbd.name> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Add a missing call to csum_replace4 like on SNAT Signed-off-by: Felix Fietkau --- net/netfilter/nf_flow_table_ip.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index df58ed8be330..6d9d4b0599cc 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -130,6 +130,7 @@ static int nf_flow_dnat_ip(const struct flow_offload *flow, struct sk_buff *skb, default: return -1; } + csum_replace4(&iph->check, addr, new_addr); return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr); }
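Review bot: on 6/6, this is a stand-alone bug fix (the IPv4 header checksum was left stale after DNAT rewrote the address), so it should carry a Fixes: tag pointing at the commit that introduced nf_flow_dnat_ip() and be ordered first in the series or sent separately, so that it can go to stable without the teardown rework. The call itself mirrors the SNAT side: `csum_replace4(&iph->check, addr, new_addr)` before the L4 update.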