Re: netfilter: nf_flow_table: attach dst to skbs

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Wed, 6 Jun 2018 14:53:19 +0200

On Wed, Jun 06, 2018 at 02:31:58PM +0200, Jason A. Donenfeld wrote:
> Some drivers, such as vxlan and wireguard, use the skb's dst in order to
> determine things like PMTU. They therefore loose functionality when flow
> offloading is enabled. So, we ensure the skb has it before xmit'ing it
> in the offloading path.
> 
> Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Upstream patch is:

        commit 2a79fd3908acd88e6cb0e620c314d7b1fee56a02
        Author: Jason A. Donenfeld <Jason@xxxxxxxxx>
        Date:   Wed May 30 20:43:15 2018 +0200

This is backport for -stable 4.16.x.

> ---
>  net/netfilter/nf_flow_table_ip.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
> index 82451b7..15ed913 100644
> --- a/net/netfilter/nf_flow_table_ip.c
> +++ b/net/netfilter/nf_flow_table_ip.c
> @@ -220,7 +220,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
>  	enum flow_offload_tuple_dir dir;
>  	struct flow_offload *flow;
>  	struct net_device *outdev;
> -	const struct rtable *rt;
> +	struct rtable *rt;
>  	unsigned int thoff;
>  	struct iphdr *iph;
>  	__be32 nexthop;
> @@ -241,7 +241,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
>  
>  	dir = tuplehash->tuple.dir;
>  	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
> -	rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
> +	rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
>  
>  	if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&
>  	    (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)
> @@ -264,6 +264,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
>  
>  	skb->dev = outdev;
>  	nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);
> +	skb_dst_set_noref(skb, &rt->dst);
>  	neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);
>  
>  	return NF_STOLEN;
> @@ -480,6 +481,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
>  
>  	skb->dev = outdev;
>  	nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
> +	skb_dst_set_noref(skb, &rt->dst);
>  	neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
>  
>  	return NF_STOLEN;