From 2f3b1dddeaef82ed8c69d697570ece5bd903f702 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 5 Jun 2018 10:16:49 +0200 Subject: [PATCH] kernel: backport patch to fix dst handling for offloaded connections Signed-off-by: Felix Fietkau --- ...ter-nf_flow_table-attach-dst-to-skbs.patch | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch diff --git a/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch b/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch new file mode 100644 index 00000000000..35d099097aa --- /dev/null +++ b/target/linux/generic/backport-4.14/369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch @@ -0,0 +1,49 @@ +From: "Jason A. Donenfeld" +Date: Wed, 30 May 2018 20:43:15 +0200 +Subject: [PATCH] netfilter: nf_flow_table: attach dst to skbs + +Some drivers, such as vxlan and wireguard, use the skb's dst in order to +determine things like PMTU. They therefore loose functionality when flow +offloading is enabled. So, we ensure the skb has it before xmit'ing it +in the offloading path. + +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -220,7 +220,7 @@ nf_flow_offload_ip_hook(void *priv, stru + enum flow_offload_tuple_dir dir; + struct flow_offload *flow; + struct net_device *outdev; +- const struct rtable *rt; ++ struct rtable *rt; + unsigned int thoff; + struct iphdr *iph; + __be32 nexthop; +@@ -241,7 +241,7 @@ nf_flow_offload_ip_hook(void *priv, stru + + dir = tuplehash->tuple.dir; + flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); +- rt = (const struct rtable *)flow->tuplehash[!dir].tuple.dst_cache; ++ rt = (struct rtable *)flow->tuplehash[!dir].tuple.dst_cache; + + if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) && + (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0) +@@ -264,6 +264,7 @@ nf_flow_offload_ip_hook(void *priv, stru + + skb->dev = outdev; + nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr); ++ skb_dst_set_noref(skb, &rt->dst); + neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb); + + return NF_STOLEN; +@@ -480,6 +481,7 @@ nf_flow_offload_ipv6_hook(void *priv, st + + skb->dev = outdev; + nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6); ++ skb_dst_set_noref(skb, &rt->dst); + neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb); + + return NF_STOLEN; -- 2.30.2