From a5aee46fb7071d2de26941092ecad3ac1fae38b2 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sun, 25 Feb 2018 18:22:41 +0100 Subject: [PATCH] kernel: more fixes for flow offload - fix TCP connection state - fix checksum error on DNAT Signed-off-by: Felix Fietkau --- ...w_table-add-a-new-flow-state-for-tea.patch | 29 ++++++---- ...w_table-in-flow_offload_lookup-skip-.patch | 2 +- ...w_table-add-support-for-sending-flow.patch | 55 +++++++++++++++---- ...w_table-fix-checksum-when-handling-D.patch | 19 +++++++ 4 files changed, 84 insertions(+), 21 deletions(-) create mode 100644 target/linux/generic/backport-4.14/365-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch diff --git a/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch b/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch index 83751d8cb1..30cebfac60 100644 --- a/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch +++ b/target/linux/generic/backport-4.14/361-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch @@ -19,21 +19,30 @@ Signed-off-by: Felix Fietkau struct flow_offload { struct flow_offload_tuple_rhash tuplehash[FLOW_OFFLOAD_DIR_MAX]; -@@ -108,6 +109,11 @@ static inline void flow_offload_dead(str +@@ -103,6 +104,7 @@ void nf_flow_table_cleanup(struct net *n + int nf_flow_table_init(struct nf_flowtable *flow_table); + void nf_flow_table_free(struct nf_flowtable *flow_table); + ++void flow_offload_teardown(struct flow_offload *flow); + static inline void flow_offload_dead(struct flow_offload *flow) + { flow->flags |= FLOW_OFFLOAD_DYING; +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -174,6 +174,12 @@ static void flow_offload_del(struct nf_f + flow_offload_free(flow); } -+static inline void flow_offload_teardown(struct flow_offload *flow) ++void flow_offload_teardown(struct flow_offload *flow) +{ + flow->flags |= FLOW_OFFLOAD_TEARDOWN; +} ++EXPORT_SYMBOL_GPL(flow_offload_teardown); + - int nf_flow_snat_port(const struct flow_offload *flow, - struct sk_buff *skb, unsigned int thoff, - u8 protocol, enum flow_offload_tuple_dir dir); ---- a/net/netfilter/nf_flow_table_core.c -+++ b/net/netfilter/nf_flow_table_core.c -@@ -226,11 +226,6 @@ static inline bool nf_flow_has_expired(c + struct flow_offload_tuple_rhash * + flow_offload_lookup(struct nf_flowtable *flow_table, + struct flow_offload_tuple *tuple) +@@ -226,11 +232,6 @@ static inline bool nf_flow_has_expired(c return (__s32)(flow->timeout - (u32)jiffies) <= 0; } @@ -45,7 +54,7 @@ Signed-off-by: Felix Fietkau static int nf_flow_offload_gc_step(struct nf_flowtable *flow_table) { struct flow_offload_tuple_rhash *tuplehash; -@@ -258,7 +253,8 @@ static int nf_flow_offload_gc_step(struc +@@ -258,7 +259,8 @@ static int nf_flow_offload_gc_step(struc flow = container_of(tuplehash, struct flow_offload, tuplehash[0]); if (nf_flow_has_expired(flow) || @@ -55,7 +64,7 @@ Signed-off-by: Felix Fietkau flow_offload_del(flow_table, flow); } out: -@@ -419,10 +415,14 @@ static void nf_flow_table_do_cleanup(str +@@ -419,10 +421,14 @@ static void nf_flow_table_do_cleanup(str { struct net_device *dev = data; diff --git a/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch b/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch index e6d7dd8fc8..d14ac97a59 100644 --- a/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch +++ b/target/linux/generic/backport-4.14/362-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch @@ -10,7 +10,7 @@ Signed-off-by: Felix Fietkau --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c -@@ -178,8 +178,21 @@ struct flow_offload_tuple_rhash * +@@ -184,8 +184,21 @@ struct flow_offload_tuple_rhash * flow_offload_lookup(struct nf_flowtable *flow_table, struct flow_offload_tuple *tuple) { diff --git a/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch b/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch index b4d80a911b..905880fead 100644 --- a/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch +++ b/target/linux/generic/backport-4.14/363-netfilter-nf_flow_table-add-support-for-sending-flow.patch @@ -13,10 +13,17 @@ Signed-off-by: Felix Fietkau --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c -@@ -100,6 +100,36 @@ err_ct_refcnt: +@@ -100,6 +100,43 @@ err_ct_refcnt: } EXPORT_SYMBOL_GPL(flow_offload_alloc); ++static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp) ++{ ++ tcp->state = TCP_CONNTRACK_ESTABLISHED; ++ tcp->seen[0].td_maxwin = 0; ++ tcp->seen[1].td_maxwin = 0; ++} ++ +static void flow_offload_fixup_ct_state(struct nf_conn *ct) +{ + const struct nf_conntrack_l4proto *l4proto; @@ -26,6 +33,9 @@ Signed-off-by: Felix Fietkau + int l4num; + + l4num = nf_ct_protonum(ct); ++ if (l4num == IPPROTO_TCP) ++ flow_offload_fixup_tcp(&ct->proto.tcp); ++ + l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), l4num); + if (!l4proto) + return; @@ -34,31 +44,56 @@ Signed-off-by: Felix Fietkau + if (!timeouts) + return; + -+ if (l4num == IPPROTO_TCP) { ++ if (l4num == IPPROTO_TCP) + timeout = timeouts[TCP_CONNTRACK_ESTABLISHED]; -+ ct->proto.tcp.state = TCP_CONNTRACK_IGNORE; -+ } else if (l4num == IPPROTO_UDP) { ++ else if (l4num == IPPROTO_UDP) + timeout = timeouts[UDP_CT_REPLIED]; -+ } else { ++ else + return; -+ } + + ct->timeout = nfct_time_stamp + timeout; -+ clear_bit(IPS_OFFLOAD_BIT, &ct->status); +} + void flow_offload_free(struct flow_offload *flow) { struct flow_offload_entry *e; -@@ -107,7 +137,10 @@ void flow_offload_free(struct flow_offlo +@@ -107,7 +144,8 @@ void flow_offload_free(struct flow_offlo dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_cache); dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_cache); e = container_of(flow, struct flow_offload_entry, flow); - nf_ct_delete(e->ct, 0, 0); + if (flow->flags & FLOW_OFFLOAD_DYING) + nf_ct_delete(e->ct, 0, 0); -+ else -+ flow_offload_fixup_ct_state(e->ct); nf_ct_put(e->ct); kfree_rcu(e, rcu_head); } +@@ -164,6 +202,8 @@ EXPORT_SYMBOL_GPL(flow_offload_add); + static void flow_offload_del(struct nf_flowtable *flow_table, + struct flow_offload *flow) + { ++ struct flow_offload_entry *e; ++ + rhashtable_remove_fast(&flow_table->rhashtable, + &flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node, + nf_flow_offload_rhash_params); +@@ -171,12 +211,20 @@ static void flow_offload_del(struct nf_f + &flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node, + nf_flow_offload_rhash_params); + ++ e = container_of(flow, struct flow_offload_entry, flow); ++ clear_bit(IPS_OFFLOAD_BIT, &e->ct->status); ++ + flow_offload_free(flow); + } + + void flow_offload_teardown(struct flow_offload *flow) + { ++ struct flow_offload_entry *e; ++ + flow->flags |= FLOW_OFFLOAD_TEARDOWN; ++ ++ e = container_of(flow, struct flow_offload_entry, flow); ++ flow_offload_fixup_ct_state(e->ct); + } + EXPORT_SYMBOL_GPL(flow_offload_teardown); + diff --git a/target/linux/generic/backport-4.14/365-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch b/target/linux/generic/backport-4.14/365-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch new file mode 100644 index 0000000000..372c8d59ef --- /dev/null +++ b/target/linux/generic/backport-4.14/365-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch @@ -0,0 +1,19 @@ +From: Felix Fietkau +Date: Sun, 25 Feb 2018 17:22:55 +0100 +Subject: [PATCH] netfilter: nf_flow_table: fix checksum when handling DNAT + +Add a missing call to csum_replace4 like on SNAT + +Signed-off-by: Felix Fietkau +--- + +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -130,6 +130,7 @@ static int nf_flow_dnat_ip(const struct + default: + return -1; + } ++ csum_replace4(&iph->check, addr, new_addr); + + return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr); + }