[net,v2,1/1] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex

Message ID 20220220093226.15042-1-paulb@nvidia.com
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Paul Blakey Feb. 20, 2022, 9:32 a.m. UTC
After cited commit optimized hw insertion, flow table entries are
populated with ifindex information which was intended to only be used
for HW offload. This tuple ifindex is hashed in the flow table key, so
it must be filled for lookup to be successful. But tuple ifindex is only
relevant for the netfilter flowtables (nft), so it's not filled in
act_ct flow table lookup, resulting in lookup failure, and no SW
offload and no offload teardown for TCP connection FIN/RST packets.

To fix this, remove ifindex from hash, and allow lookup without
the ifindex. Act ct will lookup without the ifindex filled.

Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
Signed-off-by: Paul Blakey <paulb@nvidia.com>
---
 Changelog:
    v1->v2:
        Replaced flag with iifidx being zero at lookup().
        Fixed commit msg Fixes header subject

 include/net/netfilter/nf_flow_table.h | 3 +--
 net/netfilter/nf_flow_table_core.c    | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)
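
The lookup failure and the fix described in the commit message, as an added userspace example that is not part of the patch or the thread: a simplified tuple is looked up once with `iifidx` inside the hashed key and once with it outside the key and treated as unset when zero. The struct layout, the FNV-1a hash, the `found()` helper and the sample values are assumptions for illustration, not kernel code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified userspace model: field names follow the patch, layout is illustrative. */
struct tuple {
	uint32_t src, dst;
	uint16_t sport, dport;
	uint8_t  l3proto, l4proto;
	uint8_t  pad[2];   /* explicit, so the memcmp'd key holds no hidden padding */
	int      iifidx;   /* last member: the key either includes or stops before it */
};
#define KEY_OLD sizeof(struct tuple)            /* iifidx hashed (before the patch) */
#define KEY_NEW offsetof(struct tuple, iifidx)  /* iifidx outside the key (after)   */
struct table { struct tuple e[8]; uint32_t h[8]; int n; size_t key_len; };

static uint32_t hash_key(const struct tuple *t, size_t len)
{
	const unsigned char *p = (const unsigned char *)t;
	uint32_t h = 2166136261u;                   /* FNV-1a, stand-in for the kernel hash */
	for (size_t i = 0; i < len; i++)
		h = (h ^ p[i]) * 16777619u;
	return h;
}

/* Returns 0 on match. With KEY_NEW, a zero iifidx in the lookup key matches any entry. */
static int cmp(const struct table *tb, const struct tuple *key, const struct tuple *x)
{
	if (tb->key_len == KEY_NEW && key->iifidx && key->iifidx != x->iifidx)
		return 1;
	return memcmp(x, key, tb->key_len) != 0;
}

/* Store one entry with iifidx 7 (constructed values), then look it up with lookup_iifidx. */
int found(size_t key_len, int lookup_iifidx)
{
	struct table tb = { .key_len = key_len };
	struct tuple t = { .src = 0x0a000001, .dst = 0x0a000002, .sport = 40000,
			   .dport = 443, .l3proto = 2, .l4proto = 6, .iifidx = 7 };
	tb.e[tb.n] = t;
	tb.h[tb.n++] = hash_key(&t, key_len);
	t.iifidx = lookup_iifidx;                   /* act_ct-style lookup passes 0 here */
	uint32_t h = hash_key(&t, key_len);
	for (int i = 0; i < tb.n; i++)              /* only same-hash entries are compared */
		if (tb.h[i] == h && !cmp(&tb, &t, &tb.e[i]))
			return 1;
	return 0;
}
int main(void) { return !(!found(KEY_OLD, 0) && found(KEY_NEW, 0)); }
```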

Comments

Pablo Neira Ayuso Feb. 20, 2022, 6:04 p.m. UTC | #1
Hi Paul,

On Sun, Feb 20, 2022 at 11:32:26AM +0200, Paul Blakey wrote:
> After cited commit optimized hw insertion, flow table entries are
> populated with ifindex information which was intended to only be used
> for HW offload. This tuple ifindex is hashed in the flow table key, so
> it must be filled for lookup to be successful. But tuple ifindex is only
> relevant for the netfilter flowtables (nft), so it's not filled in
> act_ct flow table lookup, resulting in lookup failure, and no SW
> offload and no offload teardown for TCP connection FIN/RST packets.
> 
> To fix this, remove ifindex from hash, and allow lookup without
> the ifindex. Act ct will lookup without the ifindex filled.

I think it is good to add FLOW_OFFLOAD_XMIT_TC (instead of relying on
FLOW_OFFLOAD_XMIT_UNSPEC), this allows for more tc specific fields in
the future.

See attached patch.

Thanks.

Paul Blakey Feb. 21, 2022, 5:02 p.m. UTC | #2
On Sun, 20 Feb 2022, Pablo Neira Ayuso wrote:

> Hi Paul,
> 
> On Sun, Feb 20, 2022 at 11:32:26AM +0200, Paul Blakey wrote:
> > After cited commit optimized hw insertion, flow table entries are
> > populated with ifindex information which was intended to only be used
> > for HW offload. This tuple ifindex is hashed in the flow table key, so
> > it must be filled for lookup to be successful. But tuple ifindex is only
> > relevant for the netfilter flowtables (nft), so it's not filled in
> > act_ct flow table lookup, resulting in lookup failure, and no SW
> > offload and no offload teardown for TCP connection FIN/RST packets.
> > 
> > To fix this, remove ifindex from hash, and allow lookup without
> > the ifindex. Act ct will lookup without the ifindex filled.
> 
> I think it is good to add FLOW_OFFLOAD_XMIT_TC (instead of relying on
> FLOW_OFFLOAD_XMIT_UNSPEC), this allows for more tc specific fields in
> the future.
> 
> See attached patch.
> 
> Thanks.
> 

This patch will fix it, but ifindex which we fill is for the input device
and not related to XMIT, exactly what tuple->iifidx means. We don't have
XMIT, so I think it was ok to use UNSPEC for now. If I use
tuple->tc.iifidx as you suggest, tuple->iifidx will remain unused.

I think once we have more fields that are really specific to TC, we
can do what you suggest, right now we can share the ifindex.

Patch

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index a3647fadf1cc..61dc5e833557 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -114,8 +114,6 @@  struct flow_offload_tuple {
 		__be16			dst_port;
 	};
 
-	int				iifidx;
-
 	u8				l3proto;
 	u8				l4proto;
 	struct {
@@ -126,6 +124,7 @@  struct flow_offload_tuple {
 	/* All members above are keys for lookups, see flow_offload_hash(). */
 	struct { }			__hash;
 
+	int				iifidx;
 	u8				dir:2,
 					xmit_type:2,
 					encap_num:2,
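Review bot: The comment directly above `__hash` says all members above it are keys for lookups, but `iifidx` now sits below `__hash` and is still consulted during lookup by the check added to flow_offload_hash_cmp(). Suggest a short comment on the moved `int iifidx;` line stating that it is excluded from the hash and compared only when the lookup key sets it to a non-zero value, so a later reader does not assume it plays no part in matching.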
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index b90eca7a2f22..01d32f08a1fd 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -257,6 +257,9 @@  static int flow_offload_hash_cmp(struct rhashtable_compare_arg *arg,
 	const struct flow_offload_tuple *tuple = arg->key;
 	const struct flow_offload_tuple_rhash *x = ptr;
 
+	if (tuple->iifidx && tuple->iifidx != x->tuple.iifidx)
+		return 1;
+
 	if (memcmp(&x->tuple, tuple, offsetof(struct flow_offload_tuple, __hash)))
 		return 1;
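Review bot: In the added `if (tuple->iifidx && tuple->iifidx != x->tuple.iifidx)` check, a zero `iifidx` in the lookup key matches an entry with any `iifidx`, and nothing in the code documents that zero is the wildcard. Because `iifidx` is no longer part of the hashed key, two entries that differ only in `iifidx` would be indistinguishable to such a lookup; please add a comment stating the wildcard rule and say in the commit message whether such entries can coexist in one table.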