| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Feb 2022 11:34:24 +0200
From: Paul Blakey <paulb@...dia.com>
To: Paul Blakey <paulb@...dia.com>, <dev@...nvswitch.org>,
<netdev@...r.kernel.org>, Jamal Hadi Salim <jhs@...atatu.com>,
<davem@...emloft.net>, Jiri Pirko <jiri@...dia.com>,
Cong Wang <xiyou.wangcong@...il.com>,
Jakub Kicinski <kuba@...nel.org>,
<netfilter-devel@...r.kernel.org>,
Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...filter.org>
CC: Oz Shlomo <ozsh@...dia.com>, Vlad Buslov <vladbu@...dia.com>,
Roi Dayan <roid@...dia.com>,
Ariel Levkovich <lariel@...dia.com>, <coreteam@...filter.org>
Subject: [PATCH net 1/1] net/sched: act_ct: Fix flow table lookup failure with no originating ifindex
After cited commit optimizted hw insertion, flow table entries are
populated with ifindex information which was intended to only be used
for HW offload. This tuple ifindex is hashed in the flow table key, so
it must be filled for lookup to be successful. But tuple ifindex is only
relevant for the netfilter flowtables (nft), so it's not filled in
act_ct flow table lookup, resulting in lookup failure, and no SW
offload and no offload teardown for TCP connection FIN/RST packets.
To fix this, allow flow tables that don't hash the ifindex.
Netfilter flow tables will keep using ifindex for a more specific
offload, while act_ct will not.
Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tupledx")
Signed-off-by: Paul Blakey <paulb@...dia.com>
---
include/net/netfilter/nf_flow_table.h | 8 ++++----
net/netfilter/nf_flow_table_core.c | 6 ++++++
net/sched/act_ct.c | 3 ++-
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index a3647fadf1cc..9b474414a936 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -64,8 +64,9 @@ struct nf_flowtable_type {
};
enum nf_flowtable_flags {
- NF_FLOWTABLE_HW_OFFLOAD = 0x1, /* NFT_FLOWTABLE_HW_OFFLOAD */
- NF_FLOWTABLE_COUNTER = 0x2, /* NFT_FLOWTABLE_COUNTER */
+ NF_FLOWTABLE_HW_OFFLOAD = 0x1, /* NFT_FLOWTABLE_HW_OFFLOAD */
+ NF_FLOWTABLE_COUNTER = 0x2, /* NFT_FLOWTABLE_COUNTER */
+ NF_FLOWTABLE_NO_IFINDEX_FILTERING = 0x4, /* Only used by act_ct */
};
struct nf_flowtable {
@@ -114,8 +115,6 @@ struct flow_offload_tuple {
__be16 dst_port;
};
- int iifidx;
-
u8 l3proto;
u8 l4proto;
struct {
@@ -126,6 +125,7 @@ struct flow_offload_tuple {
/* All members above are keys for lookups, see flow_offload_hash(). */
struct { } __hash;
+ int iifidx;
u8 dir:2,
xmit_type:2,
encap_num:2,
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index b90eca7a2f22..f0cb2c7075c0 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -254,9 +254,15 @@ static u32 flow_offload_hash_obj(const void *data, u32 len, u32 seed)
static int flow_offload_hash_cmp(struct rhashtable_compare_arg *arg,
const void *ptr)
{
+ const struct nf_flowtable *flow_table = container_of(arg->ht, struct nf_flowtable,
+ rhashtable);
const struct flow_offload_tuple *tuple = arg->key;
const struct flow_offload_tuple_rhash *x = ptr;
+ if (!(flow_table->flags & NF_FLOWTABLE_NO_IFINDEX_FILTERING) &&
+ x->tuple.iifidx != tuple->iifidx)
+ return 1;
+
if (memcmp(&x->tuple, tuple, offsetof(struct flow_offload_tuple, __hash)))
return 1;
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index f99247fc6468..22cd32ec9889 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -305,7 +305,8 @@ static int tcf_ct_flow_table_get(struct tcf_ct_params *params)
ct_ft->nf_ft.type = &flowtable_ct;
ct_ft->nf_ft.flags |= NF_FLOWTABLE_HW_OFFLOAD |
- NF_FLOWTABLE_COUNTER;
+ NF_FLOWTABLE_COUNTER |
+ NF_FLOWTABLE_NO_IFINDEX_FILTERING;
err = nf_flow_table_init(&ct_ft->nf_ft);
if (err)
goto err_init;
--
2.30.1
Powered by blists - more mailing lists