在 2021/4/3 21:33, wenxu 写道: > 在 2021/4/3 3:54, Pablo Neira Ayuso 写道: >> On Fri, Apr 02, 2021 at 03:13:52PM +0800, wenxu@xxxxxxxxx wrote: >>> From: wenxu <wenxu@xxxxxxxxx> >>> >>> vlan_tpid of flow_dissector_key_vlan should be set as h_vlan_proto >>> but not h_vlan_encapsulated_proto. >> Probably this patch instead? > I don't think so. The vlan_tpid in flow_dissector_key_vlan should be the > > vlan proto (such as ETH_P_8021Q or ETH_P_8021AD) but not h_vlan_encapsulated_proto (for next header proto). > > But this is a problem that the vlan_h_proto is the same as offsetof(struct ethhdr, h_proto) The design of flow_dissector_key_basic->n_porto should be set as next header proto(ipv4/6) for vlan packet which is h_vlan_encapsulated_proto in the vlan header. (check from fl_set_key and skb_flow_dissect) Maybe the patch should as following? diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index cb1c8c2..84c5ecc 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c @@ -233,8 +233,8 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx, if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16))) return -EOPNOTSUPP; - NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan, - vlan_tpid, sizeof(__be16), reg); + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, + n_proto, sizeof(__be16), reg); nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK); break; case offsetof(struct vlan_ethhdr, h_vlan_TCI) + sizeof(struct vlan_hdr): @@ -249,8 +249,8 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx, if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16))) return -EOPNOTSUPP; - NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_CVLAN, vlan, - vlan_tpid, sizeof(__be16), reg); + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, + n_proto, sizeof(__be16), reg); break; default: return -EOPNOTSUPP; > > >
