Some drivers, such as vxlan and wireguard, use the skb's dst in order to determine things like PMTU. They therefore lose functionality when flow offloading is enabled. So, we ensure the skb has it before xmit'ing it in the offloading path.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
---
 net/netfilter/nf_flow_table_ip.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 82451b7..15ed913 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -220,7 +220,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, enum flow_offload_tuple_dir dir; struct flow_offload *flow; struct net_device *outdev; - const struct rtable *rt; + struct rtable *rt; unsigned int thoff; struct iphdr *iph; __be32 nexthop; @@ -241,7 +241,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
dir = tuplehash->tuple.dir; flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); - rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache; + rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) && (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0) @@ -264,6 +264,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
skb->dev = outdev; nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr); + skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);
return NF_STOLEN; @@ -480,6 +481,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
skb->dev = outdev; nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6); + skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
return NF_STOLEN;
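Review bot: In the @@ -264,6 hunk of nf_flow_offload_ip_hook(), skb_dst_set_noref(skb, &rt->dst) attaches the flow's cached route without taking a reference, so the dst stays owned by flow->tuplehash[dir].tuple.dst_cache and is only safe to use inside the RCU read-side section the hook runs in. The commit message names vxlan and wireguard as consumers; any driver that holds the skb past its xmit path has to take its own reference (skb_dst_force()) before queueing. A short comment above the call saying that the noref variant is intentional and who owns the dst would save the next reader from re-deriving that, and the same comment belongs on the identical line added to nf_flow_offload_ipv6_hook().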
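Review bot: The @@ -220,7 and @@ -241,7 hunks drop const from the rt declaration and from the cast of dst_cache, but the changelog does not say why. The only visible reason is that &rt->dst is now passed to skb_dst_set_noref(); one sentence stating that would make clear the qualifier is removed for that call and not because rt is written to elsewhere in the function. The IPv6 hook gains the same call with no matching declaration change, so it is worth confirming in the changelog that rt is already non-const there.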
On Wed, Jun 06, 2018 at 02:31:58PM +0200, Jason A. Donenfeld wrote:
Some drivers, such as vxlan and wireguard, use the skb's dst in order to determine things like PMTU. They therefore lose functionality when flow offloading is enabled. So, we ensure the skb has it before xmit'ing it in the offloading path.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Upstream patch is:
commit 2a79fd3908acd88e6cb0e620c314d7b1fee56a02
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Wed May 30 20:43:15 2018 +0200
This is backport for -stable 4.16.x.
 net/netfilter/nf_flow_table_ip.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 82451b7..15ed913 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -220,7 +220,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, enum flow_offload_tuple_dir dir; struct flow_offload *flow; struct net_device *outdev;
- const struct rtable *rt;
- struct rtable *rt; unsigned int thoff; struct iphdr *iph; __be32 nexthop;
@@ -241,7 +241,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, dir = tuplehash->tuple.dir; flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
- rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
- rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) && (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0) @@ -264,6 +264,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, skb->dev = outdev; nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);
- skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);
return NF_STOLEN; @@ -480,6 +481,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, skb->dev = outdev; nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
- skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
return NF_STOLEN;
On Wed, Jun 06, 2018 at 02:53:19PM +0200, Pablo Neira Ayuso wrote:
On Wed, Jun 06, 2018 at 02:31:58PM +0200, Jason A. Donenfeld wrote:
Some drivers, such as vxlan and wireguard, use the skb's dst in order to determine things like PMTU. They therefore lose functionality when flow offloading is enabled. So, we ensure the skb has it before xmit'ing it in the offloading path.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Upstream patch is:
commit 2a79fd3908acd88e6cb0e620c314d7b1fee56a02
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Wed May 30 20:43:15 2018 +0200
This is backport for -stable 4.16.x.
Ah, thanks for pointing this out, I would not have noticed it.
Jason, next time give me a hint below the --- line what commit this is in Linus's tree and what stable tree(s) you want to see this applied to, so I know what to do.
thanks.
greg k-h
On Wed, Jun 6, 2018 at 3:00 PM Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
Ah, thanks for pointing this out, I would not have noticed it.
Jason, next time give me a hint below the --- line what commit this is in Linus's tree and what stable tree(s) you want to see this applied to, so I know what to do.
Sorry about that. Will do.
Jason
On Wed, Jun 06, 2018 at 02:53:19PM +0200, Pablo Neira Ayuso wrote:
On Wed, Jun 06, 2018 at 02:31:58PM +0200, Jason A. Donenfeld wrote:
Some drivers, such as vxlan and wireguard, use the skb's dst in order to determine things like PMTU. They therefore lose functionality when flow offloading is enabled. So, we ensure the skb has it before xmit'ing it in the offloading path.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Upstream patch is:
commit 2a79fd3908acd88e6cb0e620c314d7b1fee56a02
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Wed May 30 20:43:15 2018 +0200
This is backport for -stable 4.16.x.
Wait, that commit id is not in Linus's tree yet. So I'm assuming it is in DaveM's tree? If so, shouldn't it also go into 4.17.y? What about 4.14.y or older kernels?
thanks,
greg k-h
On Wed, Jun 6, 2018 at 3:01 PM Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
Wait, that commit id is not in Linus's tree yet. So I'm assuming it is in DaveM's tree? If so, shouldn't it also go into 4.17.y? What about 4.14.y or older kernels?
It's in net-next and nf-next at the moment:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?i...
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git/commit/?id...
This means indeed it needs to go into 4.17.y, in addition to 4.16.y. 4.14.y doesn't have nf_flow_table_ip.c.
(I had assumed that the stabilization would go through Dave's normal network stable track, but Pablo asked me to submit it to you for whatever reason; maybe Netfilter is different?)
On Wed, Jun 06, 2018 at 03:06:37PM +0200, Jason A. Donenfeld wrote:
On Wed, Jun 6, 2018 at 3:01 PM Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
Wait, that commit id is not in Linus's tree yet. So I'm assuming it is in DaveM's tree? If so, shouldn't it also go into 4.17.y? What about 4.14.y or older kernels?
It's in net-next and nf-next at the moment:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?i...
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git/commit/?id...
This means indeed it needs to go into 4.17.y, in addition to 4.16.y. 4.14.y doesn't have nf_flow_table_ip.c.
(I had assumed that the stabilization would go through Dave's normal network stable track, but Pablo asked me to submit it to you for whatever reason; maybe Netfilter is different?)
Jason, I think it's better if you have to wait to see the patch in Linus' tree. Then, specify upstream commit, indicate that this is a backport, and what -stable kernel versions you are targeting too so we make it easier for Greg.
We've been dealing with netfilter -stable submissions ourselves, so CC netfilter-devel@vger.kernel.org and stable@vger.kernel.org.
I think that's all.
Thanks.
Hi Pablo,
Okay, no problem.
Greg - disregard this, and expect to see something more detailed in a few weeks when Linus pulls from Dave.
Jason
linux-stable-mirror@lists.linaro.org