Patch "net: sched: act_mirred: Reset ct info when mirror/redirect skb" has been added to the 5.13-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 15 Aug 2021 08:54:01 -0400

This is a note to let you know that I've just added the patch titled

    net: sched: act_mirred: Reset ct info when mirror/redirect skb

to the 5.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch
and it can be found in the queue-5.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8223def4179400e69d3e85c8b268306e0a4f1a66
Author: Hangbin Liu <liuhangbin@xxxxxxxxx>
Date:   Mon Aug 9 15:04:55 2021 +0800

    net: sched: act_mirred: Reset ct info when mirror/redirect skb
    
    [ Upstream commit d09c548dbf3b31cb07bba562e0f452edfa01efe3 ]
    
    When mirror/redirect a skb to a different port, the ct info should be reset
    for reclassification. Or the pkts will match unexpected rules. For example,
    with following topology and commands:
    
        -----------
                  |
           veth0 -+-------
                  |
           veth1 -+-------
                  |
       ------------
    
     tc qdisc add dev veth0 clsact
     # The same with "action mirred egress mirror dev veth1" or "action mirred ingress redirect dev veth1"
     tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk action mirred ingress mirror dev veth1
     tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv action ct commit action goto chain 1
     tc qdisc add dev veth1 clsact
     tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop
    
     ping <remove ip via veth0> &
     tc -s filter show dev veth1 ingress
    
    With command 'tc -s filter show', we can find the pkts were dropped on
    veth1.
    
    Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
    Signed-off-by: Roi Dayan <roid@xxxxxxxxxx>
    Signed-off-by: Hangbin Liu <liuhangbin@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 7153c67f641e..2ef4cd2c848b 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -273,6 +273,9 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
 			goto out;
 	}
 
+	/* All mirred/redirected skbs should clear previous ct info */
+	nf_reset_ct(skb2);
+
 	want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
 
 	expects_nh = want_ingress || !m_mac_header_xmit;






