[openwrt/openwrt] kernel: more fixes for flow offload

LEDE Commits lede-commits at lists.infradead.org
Sun Feb 25 09:32:12 PST 2018 

nbd pushed a commit to openwrt/openwrt.git, branch master:
https://git.lede-project.org/a5aee46fb7071d2de26941092ecad3ac1fae38b2

commit a5aee46fb7071d2de26941092ecad3ac1fae38b2
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Sun Feb 25 18:22:41 2018 +0100

    kernel: more fixes for flow offload
    
    - fix TCP connection state
    - fix checksum error on DNAT
    
    Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
 ...f_flow_table-add-a-new-flow-state-for-tea.patch | 29 ++++++++----
 ...f_flow_table-in-flow_offload_lookup-skip-.patch |  2 +-
 ...f_flow_table-add-support-for-sending-flow.patch | 55 ++++++++++++++++++----
 ...f_flow_table-fix-checksum-when-handling-D.patch | 19 ++++++++
 4 files changed, 84 insertions(+), 21 deletions(-)

diff --git a/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch b/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch
index 83751d8..30cebfa 100644
--- a/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch
+++ b/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch
@@ -19,21 +19,30 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
  
  struct flow_offload {
  	struct flow_offload_tuple_rhash		tuplehash[FLOW_OFFLOAD_DIR_MAX];
-@@ -108,6 +109,11 @@ static inline void flow_offload_dead(str
+@@ -103,6 +104,7 @@ void nf_flow_table_cleanup(struct net *n
+ int nf_flow_table_init(struct nf_flowtable *flow_table);
+ void nf_flow_table_free(struct nf_flowtable *flow_table);
+ 
++void flow_offload_teardown(struct flow_offload *flow);
+ static inline void flow_offload_dead(struct flow_offload *flow)
+ {
  	flow->flags |= FLOW_OFFLOAD_DYING;
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -174,6 +174,12 @@ static void flow_offload_del(struct nf_f
+ 	flow_offload_free(flow);
  }
  
-+static inline void flow_offload_teardown(struct flow_offload *flow)
++void flow_offload_teardown(struct flow_offload *flow)
 +{
 +	flow->flags |= FLOW_OFFLOAD_TEARDOWN;
 +}
++EXPORT_SYMBOL_GPL(flow_offload_teardown);
 +
- int nf_flow_snat_port(const struct flow_offload *flow,
- 		      struct sk_buff *skb, unsigned int thoff,
- 		      u8 protocol, enum flow_offload_tuple_dir dir);
---- a/net/netfilter/nf_flow_table_core.c
-+++ b/net/netfilter/nf_flow_table_core.c
-@@ -226,11 +226,6 @@ static inline bool nf_flow_has_expired(c
+ struct flow_offload_tuple_rhash *
+ flow_offload_lookup(struct nf_flowtable *flow_table,
+ 		    struct flow_offload_tuple *tuple)
+@@ -226,11 +232,6 @@ static inline bool nf_flow_has_expired(c
  	return (__s32)(flow->timeout - (u32)jiffies) <= 0;
  }
  
@@ -45,7 +54,7 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
  static int nf_flow_offload_gc_step(struct nf_flowtable *flow_table)
  {
  	struct flow_offload_tuple_rhash *tuplehash;
-@@ -258,7 +253,8 @@ static int nf_flow_offload_gc_step(struc
+@@ -258,7 +259,8 @@ static int nf_flow_offload_gc_step(struc
  		flow = container_of(tuplehash, struct flow_offload, tuplehash[0]);
  
  		if (nf_flow_has_expired(flow) ||
@@ -55,7 +64,7 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
  			flow_offload_del(flow_table, flow);
  	}
  out:
-@@ -419,10 +415,14 @@ static void nf_flow_table_do_cleanup(str
+@@ -419,10 +421,14 @@ static void nf_flow_table_do_cleanup(str
  {
  	struct net_device *dev = data;
  
diff --git a/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch b/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch
index e6d7dd8..d14ac97 100644
--- a/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch
+++ b/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch
@@ -10,7 +10,7 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
 
 --- a/net/netfilter/nf_flow_table_core.c
 +++ b/net/netfilter/nf_flow_table_core.c
-@@ -178,8 +178,21 @@ struct flow_offload_tuple_rhash *
+@@ -184,8 +184,21 @@ struct flow_offload_tuple_rhash *
  flow_offload_lookup(struct nf_flowtable *flow_table,
  		    struct flow_offload_tuple *tuple)
  {
diff --git a/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch b/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch
index b4d80a9..905880f 100644
--- a/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch
+++ b/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch
@@ -13,10 +13,17 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
 
 --- a/net/netfilter/nf_flow_table_core.c
 +++ b/net/netfilter/nf_flow_table_core.c
-@@ -100,6 +100,36 @@ err_ct_refcnt:
+@@ -100,6 +100,43 @@ err_ct_refcnt:
  }
  EXPORT_SYMBOL_GPL(flow_offload_alloc);
  
++static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
++{
++	tcp->state = TCP_CONNTRACK_ESTABLISHED;
++	tcp->seen[0].td_maxwin = 0;
++	tcp->seen[1].td_maxwin = 0;
++}
++
 +static void flow_offload_fixup_ct_state(struct nf_conn *ct)
 +{
 +	const struct nf_conntrack_l4proto *l4proto;
@@ -26,6 +33,9 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
 +	int l4num;
 +
 +	l4num = nf_ct_protonum(ct);
++	if (l4num == IPPROTO_TCP)
++		flow_offload_fixup_tcp(&ct->proto.tcp);
++
 +	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), l4num);
 +	if (!l4proto)
 +		return;
@@ -34,31 +44,56 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
 +	if (!timeouts)
 +		return;
 +
-+	if (l4num == IPPROTO_TCP) {
++	if (l4num == IPPROTO_TCP)
 +		timeout = timeouts[TCP_CONNTRACK_ESTABLISHED];
-+		ct->proto.tcp.state = TCP_CONNTRACK_IGNORE;
-+	} else if (l4num == IPPROTO_UDP) {
++	else if (l4num == IPPROTO_UDP)
 +		timeout = timeouts[UDP_CT_REPLIED];
-+	} else {
++	else
 +		return;
-+	}
 +
 +	ct->timeout = nfct_time_stamp + timeout;
-+	clear_bit(IPS_OFFLOAD_BIT, &ct->status);
 +}
 +
  void flow_offload_free(struct flow_offload *flow)
  {
  	struct flow_offload_entry *e;
-@@ -107,7 +137,10 @@ void flow_offload_free(struct flow_offlo
+@@ -107,7 +144,8 @@ void flow_offload_free(struct flow_offlo
  	dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_cache);
  	dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_cache);
  	e = container_of(flow, struct flow_offload_entry, flow);
 -	nf_ct_delete(e->ct, 0, 0);
 +	if (flow->flags & FLOW_OFFLOAD_DYING)
 +		nf_ct_delete(e->ct, 0, 0);
-+	else
-+		flow_offload_fixup_ct_state(e->ct);
  	nf_ct_put(e->ct);
  	kfree_rcu(e, rcu_head);
  }
+@@ -164,6 +202,8 @@ EXPORT_SYMBOL_GPL(flow_offload_add);
+ static void flow_offload_del(struct nf_flowtable *flow_table,
+ 			     struct flow_offload *flow)
+ {
++	struct flow_offload_entry *e;
++
+ 	rhashtable_remove_fast(&flow_table->rhashtable,
+ 			       &flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node,
+ 			       nf_flow_offload_rhash_params);
+@@ -171,12 +211,20 @@ static void flow_offload_del(struct nf_f
+ 			       &flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node,
+ 			       nf_flow_offload_rhash_params);
+ 
++	e = container_of(flow, struct flow_offload_entry, flow);
++	clear_bit(IPS_OFFLOAD_BIT, &e->ct->status);
++
+ 	flow_offload_free(flow);
+ }
+ 
+ void flow_offload_teardown(struct flow_offload *flow)
+ {
++	struct flow_offload_entry *e;
++
+ 	flow->flags |= FLOW_OFFLOAD_TEARDOWN;
++
++	e = container_of(flow, struct flow_offload_entry, flow);
++	flow_offload_fixup_ct_state(e->ct);
+ }
+ EXPORT_SYMBOL_GPL(flow_offload_teardown);
+ 
diff --git a/target/linux/generic/backport-4.14/365-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch b/target/linux/generic/backport-4.14/365-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch
new file mode 100644
index 0000000..372c8d5
--- /dev/null
+++ b/target/linux/generic/backport-4.14/365-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch
@@ -0,0 +1,19 @@
+From: Felix Fietkau <nbd at nbd.name>
+Date: Sun, 25 Feb 2018 17:22:55 +0100
+Subject: [PATCH] netfilter: nf_flow_table: fix checksum when handling DNAT
+
+Add a missing call to csum_replace4 like on SNAT
+
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+---
+
+--- a/net/netfilter/nf_flow_table_ip.c
++++ b/net/netfilter/nf_flow_table_ip.c
+@@ -130,6 +130,7 @@ static int nf_flow_dnat_ip(const struct
+ 	default:
+ 		return -1;
+ 	}
++	csum_replace4(&iph->check, addr, new_addr);
+ 
+ 	return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);
+ }

More information about the lede-commits mailing list