kernel: backport patch to fix dst handling for offloaded connections

Signed-off-by: Felix Fietkau <nbd@nbd.name>
6 years ago · 2f3b1dddea
parent 7d8681ccb9
commit 2f3b1dddea
1 changed files with 49 additions and 0 deletions
--- a/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch
+++ b/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch
@ -0,0 +1,49 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 30 May 2018 20:43:15 +0200
+Subject: [PATCH] netfilter: nf_flow_table: attach dst to skbs
+
+Some drivers, such as vxlan and wireguard, use the skb's dst in order to
+determine things like PMTU. They therefore loose functionality when flow
+offloading is enabled. So, we ensure the skb has it before xmit'ing it
+in the offloading path.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
+@@ -220,7 +220,7 @@ nf_flow_offload_ip_hook(void *priv, stru
+ 	enum flow_offload_tuple_dir dir;
+ 	struct flow_offload *flow;
+ 	struct net_device *outdev;
+-	const struct rtable *rt;
+	struct rtable *rt;
+ 	unsigned int thoff;
+ 	struct iphdr *iph;
+ 	__be32 nexthop;
+@@ -241,7 +241,7 @@ nf_flow_offload_ip_hook(void *priv, stru
+ 
+ 	dir = tuplehash->tuple.dir;
+ 	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
+-	rt = (const struct rtable *)flow->tuplehash[!dir].tuple.dst_cache;
+	rt = (struct rtable *)flow->tuplehash[!dir].tuple.dst_cache;
+ 
+ 	if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&
+ 	    (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)
+@@ -264,6 +264,7 @@ nf_flow_offload_ip_hook(void *priv, stru
+ 
+ 	skb->dev = outdev;
+ 	nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);
+	skb_dst_set_noref(skb, &rt->dst);
+ 	neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);
+ 
+ 	return NF_STOLEN;
+@@ -480,6 +481,7 @@ nf_flow_offload_ipv6_hook(void *priv, st
+ 
+ 	skb->dev = outdev;
+ 	nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
+	skb_dst_set_noref(skb, &rt->dst);
+ 	neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
+ 
+ 	return NF_STOLEN;