From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.toke.dk (mail.toke.dk [45.145.95.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9758C383C69 for ; Mon, 13 Apr 2026 14:40:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.145.95.4 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776091237; cv=none; b=sCKLMwdPcRdyO/ycMS+WORPIUHUDaZ4M6yNEdvtdCJMOOT9eBzzAVn2gegWQHmeg5yexWtcAWbe3ejb/f2BN4YDmYiiwufCJn1wRMSI8Bbvo8866d/nJZaAokzAJPf5SM00n/0j/YkIXor3otRzkpY5m4oYS2TibPhucdAQwQow= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776091237; c=relaxed/simple; bh=ErP/oX1jbT2LjxfaWFU2kJlf23o4t2KHnSim5IV55ec=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=JdSFvUxL9THg2GbpxDgFWMmBkTAT+198J6WuEGu/JGrZAAmwp6jtOEalmoLCEfHN0pk60TFyEoqf58fO5yxRlyKu3yW6xa2YuoAQHL47jQ34aNObUnK0zPeWHZuMlFSAJRUZMbZmprkmPAm8uvwb8LtTU4Ebh0DzQntOpHM1WH8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=toke.dk; spf=pass smtp.mailfrom=toke.dk; arc=none smtp.client-ip=45.145.95.4 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=toke.dk Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=toke.dk From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= Authentication-Results: mail.toke.dk; dkim=none To: Dudu Lu , netdev@vger.kernel.org Cc: jhs@mojatatu.com, jiri@resnulli.us, Dudu Lu Subject: Re: [PATCH v2] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys In-Reply-To: <20260413110041.44704-1-phx0fer@gmail.com> References: <20260413110041.44704-1-phx0fer@gmail.com> Date: Mon, 13 Apr 2026 16:40:31 +0200 X-Clacks-Overhead: GNU Terry Pratchett Message-ID: <87eckidiu8.fsf@toke.dk> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Dudu Lu writes: > cake_update_flowkeys() is supposed to update the flow dissector keys > with the NAT-translated addresses and ports from conntrack, so that > CAKE's per-flow fairness correctly identifies post-NAT flows as > belonging to the same connection. > > For the source port, this works correctly: > keys->ports.src =3D port; > > But for the destination port, the assignment is reversed: > port =3D keys->ports.dst; > > This means the NAT destination port is never updated in the flow keys. > As a result, when multiple connections are NATed to the same destination, > CAKE treats them as separate flows because the original (pre-NAT) > destination ports differ. This breaks CAKE's NAT-aware flow isolation > when using the "nat" mode. > > The bug was introduced in commit b0c19ed6088a ("sch_cake: Take advantage > of skb->hash where appropriate") which refactored the original direct > assignment into a compare-and-conditionally-update pattern, but wrote > the destination port update backwards. > > Fix by reversing the assignment direction to match the source port > pattern. > > Fixes: b0c19ed6088a ("sch_cake: Take advantage of skb->hash where appropr= iate") > Signed-off-by: Dudu Lu Thank you for the fix! Acked-by: Toke H=C3=B8iland-J=C3=B8rgensen