[PATCH] nf_flowtable: ensure dst.dev is not blackhole

Ritaro Takenaka <ritarot634@xxxxxxxxx> · Mon, 25 Apr 2022 17:08:38 +0900

Fixes sporadic IPv6 packet loss when flow offloading is enabled.
IPv6 route GC calls dst_dev_put() which makes dst.dev blackhole_netdev
even if dst is cached in flow offload. If a packet passes through this
invalid flow, packet loss will occur.
This is from Commit 227e1e4d0d6c (netfilter: nf_flowtable: skip device
lookup from interface index), as outdev was cached independently before.
Packet loss is reported on OpenWrt with Linux 5.4 and later.

Signed-off-by: Ritaro Takenaka <ritarot634@xxxxxxxxx>
---
 net/netfilter/nf_flow_table_ip.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 32c0eb1b4..12f81661d 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -624,6 +624,11 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 	if (nf_flow_state_check(flow, ip6h->nexthdr, skb, thoff))
 		return NF_ACCEPT;
 
+	if (unlikely(tuplehash->tuple.dst_cache->dev == blackhole_netdev)) {
+		flow_offload_teardown(flow);
+		return NF_ACCEPT;
+	}
+
 	if (skb_try_make_writable(skb, thoff + hdrsize))
 		return NF_DROP;
 
-- 
2.25.1







