From patchwork Mon May 31 19:57:32 2021
X-Patchwork-Submitter: Qingfang Deng
X-Patchwork-Id: 1485773
From: DENG Qingfang
To: openwrt-devel@lists.openwrt.org
Cc: Rui Salvaterra, Stijn Tintel, Felix Fietkau
Subject: [RFC PATCH] kernel: fix flow offload with IPv6 policy-based routing
Date: Tue, 1 Jun 2021 03:57:32 +0800
Message-Id: <20210531195732.522580-1-dqfext@gmail.com>
X-Mailer: git-send-email 2.25.1

Sync iptables FLOWOFFLOAD target with upstream nft_flow_offload.c, which fixes the issue.

Fixes: FS#3649
Signed-off-by: DENG Qingfang
---
Note: I am by no means an expert on Netfilter subsystem. I just kind of copied and pasted upstream nft_flow_offload.c here, which seemed to work. A fix for kernel 5.10 is also required.

.../650-netfilter-add-xt_OFFLOAD-target.patch | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch index d584cb5c6c..567ebe4528 100644
--- a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch +++ b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch @@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,427 @@ +@@ -0,0 +1,422 @@ +/* + * Copyright (C) 2018 Felix Fietkau + * @@ -315,7 +315,6 @@ Signed-off-by: Felix Fietkau + fl.u.ip4.flowi4_oif = ifindex; + break; + case NFPROTO_IPV6: -+ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6; + fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; + fl.u.ip6.flowi6_oif = ifindex; + break; @@ -333,13 +332,13 @@ Signed-off-by: Felix Fietkau +{ + struct dst_entry *this_dst, *other_dst; + -+ this_dst = xt_flowoffload_dst(ct, !dir, par, xt_out(par)->ifindex); ++ this_dst = skb_dst(skb); + other_dst = xt_flowoffload_dst(ct, dir, par, xt_in(par)->ifindex); + + route->tuple[dir].dst = this_dst; + route->tuple[!dir].dst = other_dst; + -+ if (!this_dst || !other_dst) ++ if (!other_dst) + return -ENOENT; + + if (dst_xfrm(this_dst) || dst_xfrm(other_dst)) @@ -390,9 +389,6 @@ Signed-off-by: Felix Fietkau + if (!nf_ct_is_confirmed(ct)) + return XT_CONTINUE; + -+ if (!xt_in(par) || !xt_out(par)) -+ return XT_CONTINUE; -+ + if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status)) + return XT_CONTINUE; + @@ -401,7 +397,6 @@ Signed-off-by: Felix Fietkau + if (xt_flowoffload_route(skb, ct, par, &route, dir) == 0) + flow = flow_offload_alloc(ct, &route); + -+ dst_release(route.tuple[dir].dst); + dst_release(route.tuple[!dir].dst); + + if (!flow)
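Review bot: In the @@ -315,7 +315,6 @@ hunk, the removal of `fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;` from the NFPROTO_IPV6 case has no stated rationale; the commit message only says the code was synced with upstream nft_flow_offload.c. Please say in the commit message why leaving the source address out of the lookup key fixes the policy-based routing case in FS#3649, and confirm whether the IPv4 case (only its `flowi4_oif` line is visible in the context) needs the same treatment so the two families stay consistent.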
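Review bot: In the @@ -333,13 +332,13 @@ hunk, `this_dst` now comes from `skb_dst(skb)` and its NULL check is dropped (`if (!other_dst)`), yet the unchanged line `if (dst_xfrm(this_dst) || dst_xfrm(other_dst))` still uses it right after. Either keep `!this_dst` in the check or add a comment stating why the skb always carries a dst at the hooks where this target can run. A short comment that `route->tuple[dir].dst` is now a pointer taken from the skb, rather than the result of xt_flowoffload_dst(), would also help the next reader.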
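Review bot: In the @@ -390,9 +389,6 @@ hunk, dropping `if (!xt_in(par) || !xt_out(par))` leaves `xt_in(par)->ifindex` in xt_flowoffload_route() unguarded; that call is still there for `other_dst`. Only the `xt_out(par)` use went away with this patch, so keep at least `if (!xt_in(par)) return XT_CONTINUE;` before `test_and_set_bit()`, unless the target is restricted elsewhere to hooks that always have an input device, in which case say so in a comment.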
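Review bot: In the @@ -401,7 +397,6 @@ hunk, the release handling becomes asymmetric with no explanation in the code: `dst_release(route.tuple[!dir].dst)` stays while the release for `route.tuple[dir].dst` is gone. That matches `this_dst` now being taken from `skb_dst(skb)`, but it is only correct if flow_offload_alloc() takes its own references on both entries, which is not visible here; a one-line comment above the remaining dst_release() would guard against a later double release or leak. The note under the commit message also says a fix for kernel 5.10 is required while this patch only touches hack-5.4, so the 5.10 counterpart should come in the same series.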