From f903cc8970693eda456a61a0457cb65c5940c969 Mon Sep 17 00:00:00 2001 From: coolsnowwolf Date: Sat, 2 Mar 2024 23:15:24 +0800 Subject: [PATCH] target: generic: fix xt_FLOWOFFLOAD patches Fixes: #11939, #11943 --- ...-netfilter-add-xt_FLOWOFFLOAD-target.patch | 8 +++---- ...-netfilter-add-xt_FLOWOFFLOAD-target.patch | 9 ++++--- ...les-fix-bidirectional-offload-regres.patch | 24 +++++++++++++++++++ 3 files changed, 31 insertions(+), 10 deletions(-) create mode 100644 target/linux/generic/pending-6.1/704-netfilter-nf_tables-fix-bidirectional-offload-regres.patch diff --git a/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index 757711140..12974c2dd 100644 --- a/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,698 @@ +@@ -0,0 +1,696 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -622,8 +622,7 @@ Signed-off-by: Felix Fietkau + if (!flow) + goto err_flow_alloc; + -+ if (flow_offload_route_init(flow, &route) < 0) -+ goto err_flow_add; ++ flow_offload_route_init(flow, &route); + + if (tcph) { + ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; @@ -642,13 +641,12 @@ Signed-off-by: Felix Fietkau + xt_flowoffload_check_device(table, devs[0]); + xt_flowoffload_check_device(table, devs[1]); + -+ dst_release(route.tuple[!dir].dst); -+ + return XT_CONTINUE; + +err_flow_add: + flow_offload_free(flow); +err_flow_alloc: ++ dst_release(route.tuple[dir].dst); + dst_release(route.tuple[!dir].dst); +err_flow_route: + clear_bit(IPS_OFFLOAD_BIT, &ct->status); diff --git a/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index 081df0355..b5120c038 100644 --- a/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -59,7 +59,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,698 @@ +@@ -0,0 +1,697 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -583,8 +583,7 @@ Signed-off-by: Felix Fietkau + if (!flow) + goto err_flow_alloc; + -+ if (flow_offload_route_init(flow, &route) < 0) -+ goto err_flow_add; ++ flow_offload_route_init(flow, &route); + + if (tcph) { + ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; @@ -597,19 +596,19 @@ Signed-off-by: Felix Fietkau + if (!net) + write_pnet(&table->ft.net, xt_net(par)); + ++ __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags); + if (flow_offload_add(&table->ft, flow) < 0) + goto err_flow_add; + + xt_flowoffload_check_device(table, devs[0]); + xt_flowoffload_check_device(table, devs[1]); + -+ dst_release(route.tuple[!dir].dst); -+ + return XT_CONTINUE; + +err_flow_add: + flow_offload_free(flow); +err_flow_alloc: ++ dst_release(route.tuple[dir].dst); + dst_release(route.tuple[!dir].dst); +err_flow_route: + clear_bit(IPS_OFFLOAD_BIT, &ct->status); diff --git a/target/linux/generic/pending-6.1/704-netfilter-nf_tables-fix-bidirectional-offload-regres.patch b/target/linux/generic/pending-6.1/704-netfilter-nf_tables-fix-bidirectional-offload-regres.patch new file mode 100644 index 000000000..70724cb3a --- /dev/null +++ b/target/linux/generic/pending-6.1/704-netfilter-nf_tables-fix-bidirectional-offload-regres.patch @@ -0,0 +1,24 @@ +From: Felix Fietkau +Date: Wed, 14 Feb 2024 15:24:41 +0100 +Subject: [PATCH] netfilter: nf_tables: fix bidirectional offload regression + +Commit 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules") +made unidirectional flow offload possible, while completely ignoring (and +breaking) bidirectional flow offload for nftables. +Add the missing flag that was left out as an exercise for the reader :) + +Cc: Vlad Buslov +Fixes: 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules") +Signed-off-by: Felix Fietkau +--- + +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -357,6 +357,7 @@ static void nft_flow_offload_eval(const + ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; + } + ++ __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags); + ret = flow_offload_add(flowtable, flow); + if (ret < 0) + goto err_flow_add;