diff --git a/include/kernel-build.mk b/include/kernel-build.mk index 66a9f64c8..cc651f29b 100644 --- a/include/kernel-build.mk +++ b/include/kernel-build.mk @@ -132,6 +132,7 @@ define BuildKernel $(LINUX_DIR)/.modules: export STAGING_PREFIX=$$(STAGING_DIR_HOST) $(LINUX_DIR)/.modules: export PKG_CONFIG_PATH=$$(STAGING_DIR_HOST)/lib/pkgconfig $(LINUX_DIR)/.modules: export PKG_CONFIG_LIBDIR=$$(STAGING_DIR_HOST)/lib/pkgconfig + $(LINUX_DIR)/.modules: export FAIL_ON_UNCONFIGURED=1 $(LINUX_DIR)/.modules: $(STAMP_CONFIGURED) $(LINUX_DIR)/.config FORCE $(Kernel/CompileModules) touch $$@ @@ -161,7 +162,6 @@ define BuildKernel $(LINUX_RECONF_CMD) > $(LINUX_DIR)/.config $(_SINGLE)$(KERNEL_MAKE) \ $(if $(findstring Darwin,$(HOST_OS)), \ - HOST_LOADLIBES="-L$(STAGING_DIR_HOST)/lib -lncurses" \ HOSTLDLIBS_mconf="-L$(STAGING_DIR_HOST)/lib -lncurses" \ filechk_conf_cfg=" :" \ ) \ diff --git a/include/kernel.mk b/include/kernel.mk index e4074a48f..01b737f13 100644 --- a/include/kernel.mk +++ b/include/kernel.mk @@ -110,8 +110,7 @@ KERNEL_MAKE_FLAGS = \ KBUILD_BUILD_HOST="$(call qstrip,$(CONFIG_KERNEL_BUILD_DOMAIN))" \ KBUILD_BUILD_TIMESTAMP="$(KBUILD_BUILD_TIMESTAMP)" \ KBUILD_BUILD_VERSION="0" \ - HOST_LOADLIBES="-L$(STAGING_DIR_HOST)/lib" \ - KBUILD_HOSTLDLIBS="-L$(STAGING_DIR_HOST)/lib" \ + KBUILD_HOSTLDFLAGS="-L$(STAGING_DIR_HOST)/lib" \ CONFIG_SHELL="$(BASH)" \ $(if $(findstring c,$(OPENWRT_VERBOSE)),V=1,V='') \ $(if $(PKG_BUILD_ID),LDFLAGS_MODULE=--build-id=0x$(PKG_BUILD_ID)) \ diff --git a/target/linux/generic/backport-5.10/610-v5.18-netfilter-flowtable-move-dst_check-to-packet-path.patch b/target/linux/generic/backport-5.10/610-v5.18-netfilter-flowtable-move-dst_check-to-packet-path.patch new file mode 100644 index 000000000..99e40b937 --- /dev/null +++ b/target/linux/generic/backport-5.10/610-v5.18-netfilter-flowtable-move-dst_check-to-packet-path.patch @@ -0,0 +1,99 @@ +From 2738d9d963bd1f06d5114c2b4fa5771a95703991 Mon Sep 17 00:00:00 2001 +From: Ritaro Takenaka +Date: Tue, 17 May 2022 12:55:30 +0200 +Subject: [PATCH] netfilter: flowtable: move dst_check to packet path + +Fixes sporadic IPv6 packet loss when flow offloading is enabled. + +IPv6 route GC and flowtable GC are not synchronized. +When dst_cache becomes stale and a packet passes through the flow before +the flowtable GC teardowns it, the packet can be dropped. +So, it is necessary to check dst every time in packet path. + +Fixes: 227e1e4d0d6c ("netfilter: nf_flowtable: skip device lookup from interface index") +Signed-off-by: Ritaro Takenaka +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/nf_flow_table_core.c | 23 +---------------------- + net/netfilter/nf_flow_table_ip.c | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+), 22 deletions(-) + +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -433,33 +433,12 @@ nf_flow_table_iterate(struct nf_flowtabl + return err; + } + +-static bool flow_offload_stale_dst(struct flow_offload_tuple *tuple) +-{ +- struct dst_entry *dst; +- +- if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_NEIGH || +- tuple->xmit_type == FLOW_OFFLOAD_XMIT_XFRM) { +- dst = tuple->dst_cache; +- if (!dst_check(dst, tuple->dst_cookie)) +- return true; +- } +- +- return false; +-} +- +-static bool nf_flow_has_stale_dst(struct flow_offload *flow) +-{ +- return flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple) || +- flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple); +-} +- + static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data) + { + struct nf_flowtable *flow_table = data; + + if (nf_flow_has_expired(flow) || +- nf_ct_is_dying(flow->ct) || +- nf_flow_has_stale_dst(flow)) ++ nf_ct_is_dying(flow->ct)) + set_bit(NF_FLOW_TEARDOWN, &flow->flags); + + if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) { +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -229,6 +229,15 @@ static bool nf_flow_exceeds_mtu(const st + return true; + } + ++static inline bool nf_flow_dst_check(struct flow_offload_tuple *tuple) ++{ ++ if (tuple->xmit_type != FLOW_OFFLOAD_XMIT_NEIGH && ++ tuple->xmit_type != FLOW_OFFLOAD_XMIT_XFRM) ++ return true; ++ ++ return dst_check(tuple->dst_cache, tuple->dst_cookie); ++} ++ + static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb, + const struct nf_hook_state *state, + struct dst_entry *dst) +@@ -364,6 +373,11 @@ nf_flow_offload_ip_hook(void *priv, stru + if (nf_flow_state_check(flow, iph->protocol, skb, thoff)) + return NF_ACCEPT; + ++ if (!nf_flow_dst_check(&tuplehash->tuple)) { ++ flow_offload_teardown(flow); ++ return NF_ACCEPT; ++ } ++ + if (skb_try_make_writable(skb, thoff + hdrsize)) + return NF_DROP; + +@@ -600,6 +614,11 @@ nf_flow_offload_ipv6_hook(void *priv, st + if (nf_flow_state_check(flow, ip6h->nexthdr, skb, thoff)) + return NF_ACCEPT; + ++ if (!nf_flow_dst_check(&tuplehash->tuple)) { ++ flow_offload_teardown(flow); ++ return NF_ACCEPT; ++ } ++ + if (skb_try_make_writable(skb, thoff + hdrsize)) + return NF_DROP; + diff --git a/target/linux/generic/hack-5.10/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-5.10/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index 0f0bf8eae..a69c9fa1a 100644 --- a/target/linux/generic/hack-5.10/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-5.10/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -782,7 +782,7 @@ Signed-off-by: Felix Fietkau } +EXPORT_SYMBOL_GPL(nf_flow_table_iterate); - static bool flow_offload_stale_dst(struct flow_offload_tuple *tuple) + static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data) { --- /dev/null +++ b/include/uapi/linux/netfilter/xt_FLOWOFFLOAD.h