From patchwork Mon Oct 8 17:59:48 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 980706
X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH nf] netfilter: nf_flow_table: do not remove offload when other netns's interface is down
Date: Tue, 9 Oct 2018 02:59:48 +0900
Message-Id: <20181008175949.28348-1-ap420073@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org

When an interface is down, the offload cleanup function (nf_flow_table_do_cleanup) is called, and it checks whether the interface index of the offload and the index of the link-down interface are the same. But checking only the interface index is not enough, because the flowtable is not a pernet list. So if another netns's interface that has the same index as the offload is down, that offload will be removed.

This patch adds netns checking code to the offload cleanup routine. It also removes the unnecessary parameter of nf_flow_table_cleanup().

Fixes: 59c466dd68e7 ("netfilter: nf_flow_table: add a new flow state for tearing down offloading")
Signed-off-by: Taehee Yoo

--- include/net/netfilter/nf_flow_table.h | 2 +- net/netfilter/nf_flow_table_core.c | 10 +++++++--- net/netfilter/nft_flow_offload.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 0e355f4a3d76..77e2761d4f2f 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -99,7 +99,7 @@ int nf_flow_table_iterate(struct nf_flowtable *flow_table, void (*iter)(struct flow_offload *flow, void *data), void *data); -void nf_flow_table_cleanup(struct net *net, struct net_device *dev); +void nf_flow_table_cleanup(struct net_device *dev); int nf_flow_table_init(struct nf_flowtable *flow_table); void nf_flow_table_free(struct nf_flowtable *flow_table); diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index d8125616edc7..88aae0ae499c 100644 
--- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -478,14 +478,18 @@ EXPORT_SYMBOL_GPL(nf_flow_table_init); static void nf_flow_table_do_cleanup(struct flow_offload *flow, void *data) { struct net_device *dev = data; + struct flow_offload_entry *e; + + e = container_of(flow, struct flow_offload_entry, flow); if (!dev) { flow_offload_teardown(flow); return; } - if (flow->tuplehash[0].tuple.iifidx == dev->ifindex || - flow->tuplehash[1].tuple.iifidx == dev->ifindex) + if (net_eq(nf_ct_net(e->ct), dev_net(dev)) && + (flow->tuplehash[0].tuple.iifidx == dev->ifindex || + flow->tuplehash[1].tuple.iifidx == dev->ifindex)) flow_offload_dead(flow); } @@ -496,7 +500,7 @@ static void nf_flow_table_iterate_cleanup(struct nf_flowtable *flowtable, flush_delayed_work(&flowtable->gc_work); } -void nf_flow_table_cleanup(struct net *net, struct net_device *dev) +void nf_flow_table_cleanup(struct net_device *dev) { struct nf_flowtable *flowtable; diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index d6bab8c3cbb0..e82d9a966c45 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -201,7 +201,7 @@ static int flow_offload_netdev_event(struct notifier_block *this, if (event != NETDEV_DOWN) return NOTIFY_DONE; - nf_flow_table_cleanup(dev_net(dev), dev); + nf_flow_table_cleanup(dev); return NOTIFY_DONE; }
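Review bot: The new net_eq(nf_ct_net(e->ct), dev_net(dev)) test in nf_flow_table_do_cleanup() carries no comment saying why an ifindex match alone is not sufficient, and the reason (ifindex values are only meaningful within one netns, while the cleanup walks flows from every netns) is easy to lose in a later refactor. A one-line comment above the condition would document that. Also, `e` is assigned with container_of() before the `if (!dev)` early return but is only used in the netns comparison, so the declaration and assignment could move below that return, or the nf_ct_net() lookup could be folded into the condition. Note that the `!dev` branch is unchanged and still calls flow_offload_teardown() on every flow without a netns check; if that is intended, the comment could say so.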
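Review bot: Dropping the `struct net *net` argument from nf_flow_table_cleanup() (the @@ -496 hunk, with the matching prototype change in nf_flow_table.h and the call-site change in flow_offload_netdev_event()) is an API cleanup bundled into a patch that carries a Fixes: tag. The functional fix is confined to nf_flow_table_do_cleanup(); consider splitting the signature change into a separate follow-up patch so the fix stays minimal and applies to older trees without touching the header and the caller.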