* [PATCH net v4 1/1] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex
@ 2022-02-28 9:23 Paul Blakey
2022-03-01 21:08 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Paul Blakey @ 2022-02-28 9:23 UTC (permalink / raw)
To: Paul Blakey, dev, netdev, Jamal Hadi Salim, davem, Jiri Pirko,
Cong Wang, Jakub Kicinski, netfilter-devel, Pablo Neira Ayuso,
Jozsef Kadlecsik
Cc: Oz Shlomo, Vlad Buslov, Roi Dayan, Ariel Levkovich, coreteam
After cited commit optimizted hw insertion, flow table entries are
populated with ifindex information which was intended to only be used
for HW offload. This tuple ifindex is hashed in the flow table key, so
it must be filled for lookup to be successful. But tuple ifindex is only
relevant for the netfilter flowtables (nft), so it's not filled in
act_ct flow table lookup, resulting in lookup failure, and no SW
offload and no offload teardown for TCP connection FIN/RST packets.
To fix this, add new tc ifindex field to tuple, which will
only be used for offloading, not for lookup, as it will not be
part of the tuple hash.
Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")
Signed-off-by: Paul Blakey <paulb@nvidia.com>
---
Changelog:
v3->v4:
Accidently sent v2 as v3, Resent with correct patch as v4.
v2->v3:
As suggested by pablo, moved tc specific hardware offload related ifindex
to a tc specific field, so wont be part of hash/lookup.
v1->v2:
Replaced flag withdx being zero at lookup().
Fixed commit msg Fixes header subject
include/net/netfilter/nf_flow_table.h | 6 +++++-
net/netfilter/nf_flow_table_offload.c | 6 +++++-
net/sched/act_ct.c | 13 +++++++++----
3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index a3647fadf1cc..bd59e950f4d6 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -96,6 +96,7 @@ enum flow_offload_xmit_type {
FLOW_OFFLOAD_XMIT_NEIGH,
FLOW_OFFLOAD_XMIT_XFRM,
FLOW_OFFLOAD_XMIT_DIRECT,
+ FLOW_OFFLOAD_XMIT_TC,
};
#define NF_FLOW_TABLE_ENCAP_MAX 2
@@ -127,7 +128,7 @@ struct flow_offload_tuple {
struct { } __hash;
u8 dir:2,
- xmit_type:2,
+ xmit_type:3,
encap_num:2,
in_vlan_ingress:2;
u16 mtu;
@@ -142,6 +143,9 @@ struct flow_offload_tuple {
u8 h_source[ETH_ALEN];
u8 h_dest[ETH_ALEN];
} out;
+ struct {
+ u32 iifidx;
+ } tc;
};
};
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index b561e0a44a45..fc4265acd9c4 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -110,7 +110,11 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
nf_flow_rule_lwt_match(match, tun_info);
}
- key->meta.ingress_ifindex = tuple->iifidx;
+ if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)
+ key->meta.ingress_ifindex = tuple->tc.iifidx;
+ else
+ key->meta.ingress_ifindex = tuple->iifidx;
+
mask->meta.ingress_ifindex = 0xffffffff;
if (tuple->encap_num > 0 && !(tuple->in_vlan_ingress & BIT(0)) &&
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index f99247fc6468..0d779e48e78d 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -361,6 +361,13 @@ static void tcf_ct_flow_table_put(struct tcf_ct_params *params)
}
}
+static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,
+ struct nf_conn_act_ct_ext *act_ct_ext, u8 dir)
+{
+ entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;
+ entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];
+}
+
static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
struct nf_conn *ct,
bool tcp)
@@ -385,10 +392,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,
act_ct_ext = nf_conn_act_ct_ext_find(ct);
if (act_ct_ext) {
- entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =
- act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];
- entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =
- act_ct_ext->ifindex[IP_CT_DIR_REPLY];
+ tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL);
+ tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY);
}
err = flow_offload_add(&ct_ft->nf_ft, entry);
--
2.30.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net v4 1/1] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex
2022-02-28 9:23 [PATCH net v4 1/1] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex Paul Blakey
@ 2022-03-01 21:08 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2022-03-01 21:08 UTC (permalink / raw)
To: Paul Blakey
Cc: dev, netdev, Jamal Hadi Salim, davem, Jiri Pirko, Cong Wang,
Jakub Kicinski, netfilter-devel, Jozsef Kadlecsik, Oz Shlomo,
Vlad Buslov, Roi Dayan, Ariel Levkovich, coreteam
On Mon, Feb 28, 2022 at 11:23:49AM +0200, Paul Blakey wrote:
> After cited commit optimizted hw insertion, flow table entries are
> populated with ifindex information which was intended to only be used
> for HW offload. This tuple ifindex is hashed in the flow table key, so
> it must be filled for lookup to be successful. But tuple ifindex is only
> relevant for the netfilter flowtables (nft), so it's not filled in
> act_ct flow table lookup, resulting in lookup failure, and no SW
> offload and no offload teardown for TCP connection FIN/RST packets.
>
> To fix this, add new tc ifindex field to tuple, which will
> only be used for offloading, not for lookup, as it will not be
> part of the tuple hash.
Applied, thanks Paul.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-03-01 21:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-02-28 9:23 [PATCH net v4 1/1] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex Paul Blakey
2022-03-01 21:08 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).