[RFC PATCH] kernel: fix flow offload with IPv6 policy-based routing
DENG Qingfang
dqfext at gmail.com
Mon May 31 12:57:32 PDT 2021
Sync iptables FLOWOFFLOAD target with upstream nft_flow_offload.c, which
fixes the issue.
Fixes: FS#3649
Signed-off-by: DENG Qingfang <dqfext at gmail.com>
---
Note: I am by no means an expert on Netfilter subsystem. I just kind of
copied and pasted upstream nft_flow_offload.c here, which seemed to work.
A fix for kernel 5.10 is also required.
.../650-netfilter-add-xt_OFFLOAD-target.patch | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
index d584cb5c6c..567ebe4528 100644
--- a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
--- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,427 @@
+@@ -0,0 +1,422 @@
+/*
+ * Copyright (C) 2018 Felix Fietkau <nbd at nbd.name>
+ *
@@ -315,7 +315,6 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
+ fl.u.ip4.flowi4_oif = ifindex;
+ break;
+ case NFPROTO_IPV6:
-+ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ fl.u.ip6.flowi6_oif = ifindex;
+ break;
@@ -333,13 +332,13 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
+{
+ struct dst_entry *this_dst, *other_dst;
+
-+ this_dst = xt_flowoffload_dst(ct, !dir, par, xt_out(par)->ifindex);
++ this_dst = skb_dst(skb);
+ other_dst = xt_flowoffload_dst(ct, dir, par, xt_in(par)->ifindex);
+
+ route->tuple[dir].dst = this_dst;
+ route->tuple[!dir].dst = other_dst;
+
-+ if (!this_dst || !other_dst)
++ if (!other_dst)
+ return -ENOENT;
+
+ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
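Review bot: `this_dst` now comes from `skb_dst(skb)` but its NULL check is dropped, so the `dst_xfrm(this_dst)` call right after the `if (!other_dst)` test can dereference a NULL pointer (on kernels built with XFRM support) when the packet has no route attached. The next hunk (`@@ -390,9 +389,6`) also removes the `!xt_in(par) || !xt_out(par)` guard, while this function still evaluates `xt_in(par)->ifindex` unconditionally. Upstream nft_flow_offload validates that it is only used from the forward hook; unless the xt target registration (not visible here) sets a comparable `.hooks` restriction, a misplaced FLOWOFFLOAD rule in another chain would presumably oops the kernel. I would keep `if (!this_dst || !other_dst)` here and retain at least `if (!xt_in(par)) return XT_CONTINUE;` in the target function. The function's signature and the rest of its body lie outside the hunk.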
@@ -390,9 +389,6 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
+ if (!nf_ct_is_confirmed(ct))
+ return XT_CONTINUE;
+
-+ if (!xt_in(par) || !xt_out(par))
-+ return XT_CONTINUE;
-+
+ if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
+ return XT_CONTINUE;
+
@@ -401,7 +397,6 @@ Signed-off-by: Felix Fietkau <nbd at nbd.name>
+ if (xt_flowoffload_route(skb, ct, par, &route, dir) == 0)
+ flow = flow_offload_alloc(ct, &route);
+
-+ dst_release(route.tuple[dir].dst);
+ dst_release(route.tuple[!dir].dst);
+
+ if (!flow)
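Review bot: The remaining `dst_release(route.tuple[!dir].dst)` now looks unbalanced, and nothing in the code explains why only one side is released. A comment above it would help, e.g. `/* tuple[dir].dst is the skb's own dst (borrowed, no reference taken); only the looked-up reverse route is owned here */`. This relies on flow_offload_alloc() taking its own references on both entries, which is not visible in this hunk and is worth confirming for the 5.4 tree. The enclosing function starts and ends outside the hunk.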
--
2.25.1