From patchwork Wed Mar 5 10:29:35 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 14002365
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 01/15] net: pppoe: avoid zero-length arrays in struct pppoe_hdr
Date: Wed, 5 Mar 2025 11:29:35 +0100
Message-ID: <20250305102949.16370-2-ericwouds@gmail.com>
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
X-Mailing-List: linux-hardening@vger.kernel.org

Jakub Kicinski suggested following patch:

W=1 C=1 GCC build gives us:

net/bridge/netfilter/nf_conntrack_bridge.c: note: in included file (through ../include/linux/if_pppox.h, ../include/uapi/linux/netfilter_bridge.h, ../include/linux/netfilter_bridge.h):
include/uapi/linux/if_pppox.h: 153:29: warning: array of flexible structures

It doesn't like that hdr has a zero-length array which overlaps proto.
The kernel code doesn't currently need those arrays.

PPPoE connection is functional after applying this patch.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 drivers/net/ppp/pppoe.c | 2 +-
 include/uapi/linux/if_pppox.h | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c index 68e631718ab0..17946af6a8cf 100644 --- a/drivers/net/ppp/pppoe.c 
+++ b/drivers/net/ppp/pppoe.c @@ -882,7 +882,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m, skb->protocol = cpu_to_be16(ETH_P_PPP_SES); ph = skb_put(skb, total_len + sizeof(struct pppoe_hdr)); - start = (char *)&ph->tag[0]; + start = (char *)ph + sizeof(*ph); error = memcpy_from_msg(start, m, total_len); if (error < 0) { diff --git a/include/uapi/linux/if_pppox.h b/include/uapi/linux/if_pppox.h index 9abd80dcc46f..29b804aa7474 100644 --- a/include/uapi/linux/if_pppox.h +++ b/include/uapi/linux/if_pppox.h @@ -122,7 +122,9 @@ struct sockaddr_pppol2tpv3in6 { struct pppoe_tag { __be16 tag_type; __be16 tag_len; +#ifndef __KERNEL__ char tag_data[]; +#endif } __attribute__ ((packed)); /* Tag identifiers */ 
@@ -150,7 +152,9 @@ struct pppoe_hdr { __u8 code; __be16 sid; __be16 length; +#ifndef __KERNEL__ struct pppoe_tag tag[]; +#endif } __packed; /* Length of entire PPPoE + PPP header */
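
Review bot: In the pppoe_sendmsg() hunk of drivers/net/ppp/pppoe.c, the new "start = (char *)ph + sizeof(*ph);" matches the old &ph->tag[0] only while struct pppoe_hdr has no trailing padding. That holds because the struct is declared __packed, but nothing at the call site says so. A one-line comment that the payload starts directly after the header would record the dependency; (char *)(ph + 1) is the more common kernel spelling of the same address.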
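
Review bot: In the struct pppoe_tag hunk of include/uapi/linux/if_pppox.h, hiding "char tag_data[];" under #ifndef __KERNEL__ makes any in-kernel use of tag_data a build error, and the visible change only converts pppoe_sendmsg(). The commit message says the kernel does not currently need the arrays; it would help to state how that was checked (for example a tree-wide search for tag_data and ->tag[) so reviewers do not have to repeat it.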
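
Review bot: In the struct pppoe_hdr hunk of include/uapi/linux/if_pppox.h, the #ifndef __KERNEL__ around "struct pppoe_tag tag[];" carries no comment, so a UAPI struct now has two definitions with no explanation in the header itself. Please add a comment that the flexible member is kept for userspace source compatibility only, and that kernel code must locate the payload with sizeof(struct pppoe_hdr); the struct size is the same in both views because a flexible array member adds no storage.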
From patchwork Wed Mar 5 10:29:36 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 14002367
From: Eric Woudstra
Subject: [PATCH v9 nf 02/15] netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit direct
Date: Wed, 5 Mar 2025 11:29:36 +0100
Message-ID: <20250305102949.16370-3-ericwouds@gmail.com>
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>

Loosely based on wenxu's patches:

"nf_flow_table_offload: offload the vlan/PPPoE encap in the flowtable".

Fixed double vlan and pppoe packets, almost entirely rewriting the patch.

After this patch, it is possible to transmit packets in the fastpath with outgoing encaps, without using vlan- and/or pppoe-devices.

This makes it possible to use more different kinds of network setups. For example, when bridge tagging is used to egress vlan tagged packets using the forward fastpath. Another example is passing 802.1q tagged packets through a bridge using the bridge fastpath.

This also makes the software fastpath process more similar to the hardware offloaded fastpath process, where encaps are also pushed.

After applying this patch, always info->outdev = info->hw_outdev, so the netfilter code can be further cleaned up by removing:
 * hw_outdev from struct nft_forward_info
 * out.hw_ifindex from struct nf_flow_route
 * out.hw_ifidx from struct flow_offload_tuple

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 net/netfilter/nf_flow_table_ip.c | 96 +++++++++++++++++++++++++++++++-
 net/netfilter/nft_flow_offload.c | 6 +-
 2 files changed, 96 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 8cd4cf7ae211..d0c3c459c4d2 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c 
@@ -306,6 +306,92 @@ static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, return false; } +static int nf_flow_vlan_inner_push(struct sk_buff *skb, __be16 proto, u16 id) +{ + struct vlan_hdr *vhdr; + + if (skb_cow_head(skb, VLAN_HLEN)) + return -1; + + __skb_push(skb, VLAN_HLEN); + skb_reset_network_header(skb); + + vhdr = (struct vlan_hdr *)(skb->data); + vhdr->h_vlan_TCI = htons(id); + vhdr->h_vlan_encapsulated_proto = skb->protocol; + skb->protocol = proto; + + return 0; +} + +static int nf_flow_ppoe_push(struct sk_buff *skb, u16 id) +{ + struct ppp_hdr { + struct pppoe_hdr hdr; + __be16 proto; + } *ph; + int data_len = skb->len + 2; + __be16 proto; + + if (skb_cow_head(skb, PPPOE_SES_HLEN)) + return -1; + + if (skb->protocol == htons(ETH_P_IP)) + proto = htons(PPP_IP); + else if (skb->protocol == htons(ETH_P_IPV6)) + proto = htons(PPP_IPV6); + else + return -1; + + __skb_push(skb, PPPOE_SES_HLEN); + skb_reset_network_header(skb); + + ph = (struct ppp_hdr *)(skb->data); + ph->hdr.ver = 1; + ph->hdr.type = 1; + ph->hdr.code = 0; + ph->hdr.sid = htons(id); + ph->hdr.length = htons(data_len); + ph->proto = proto; + skb->protocol = htons(ETH_P_PPP_SES); + + return 0; +} + +static int nf_flow_encap_push(struct sk_buff *skb, + struct flow_offload_tuple_rhash *tuplehash, + unsigned short *type) +{ + int i = 0, ret = 0; + + if (!tuplehash->tuple.encap_num) + return 0; + + if (tuplehash->tuple.encap[i].proto == htons(ETH_P_8021Q) || + tuplehash->tuple.encap[i].proto == htons(ETH_P_8021AD)) { + __vlan_hwaccel_put_tag(skb, tuplehash->tuple.encap[i].proto, + tuplehash->tuple.encap[i].id); + i++; + if (i >= tuplehash->tuple.encap_num) + return 0; + } + + switch (tuplehash->tuple.encap[i].proto) { + case htons(ETH_P_8021Q): + *type = ETH_P_8021Q; + ret = nf_flow_vlan_inner_push(skb, + tuplehash->tuple.encap[i].proto, + tuplehash->tuple.encap[i].id); + break; + case htons(ETH_P_PPP_SES): + *type = ETH_P_PPP_SES; + ret = nf_flow_ppoe_push(skb, + 
tuplehash->tuple.encap[i].id); + break; + } + return ret; +} + static void nf_flow_encap_pop(struct sk_buff *skb, struct flow_offload_tuple_rhash *tuplehash) { @@ -335,6 +421,7 @@ static void nf_flow_encap_pop(struct sk_buff *skb, static unsigned int nf_flow_queue_xmit(struct net *net, struct sk_buff *skb, const struct flow_offload_tuple_rhash *tuplehash, + struct flow_offload_tuple_rhash *other_tuplehash, unsigned short type) { struct net_device *outdev; @@ -343,6 +430,9 @@ static unsigned int nf_flow_queue_xmit(struct net *net, struct sk_buff *skb, if (!outdev) return NF_DROP; + if (nf_flow_encap_push(skb, other_tuplehash, &type) < 0) + return NF_DROP; + skb->dev = outdev; dev_hard_header(skb, skb->dev, type, tuplehash->tuple.out.h_dest, tuplehash->tuple.out.h_source, skb->len); @@ -462,7 +552,8 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, ret = NF_STOLEN; break; case FLOW_OFFLOAD_XMIT_DIRECT: - ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IP); + ret = nf_flow_queue_xmit(state->net, skb, tuplehash, + &flow->tuplehash[!dir], ETH_P_IP); if (ret == NF_DROP) flow_offload_teardown(flow); break; @@ -757,7 +848,8 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, ret = NF_STOLEN; break; case FLOW_OFFLOAD_XMIT_DIRECT: - ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IPV6); + ret = nf_flow_queue_xmit(state->net, skb, tuplehash, + &flow->tuplehash[!dir], ETH_P_IPV6); if (ret == NF_DROP) flow_offload_teardown(flow); break; diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 46a6d280b09c..b4baee519e18 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -124,13 +124,12 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, info->indev = NULL; break; } - if (!info->outdev) - info->outdev = path->dev; info->encap[info->num_encaps].id = path->encap.id; info->encap[info->num_encaps].proto = path->encap.proto; info->num_encaps++; if (path->type == DEV_PATH_PPPOE) memcpy(info->h_dest, path->encap.h_dest, ETH_ALEN); + info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; break; case DEV_PATH_BRIDGE: if (is_zero_ether_addr(info->h_source)) 
@@ -158,8 +157,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, break; } } - if (!info->outdev) - info->outdev = info->indev; + info->outdev = info->indev; info->hw_outdev = info->indev;
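
Review bot: In the @@ -306 hunk of net/netfilter/nf_flow_table_ip.c, the switch in nf_flow_encap_push() has no default case, so an inner encap whose proto is neither ETH_P_8021Q nor ETH_P_PPP_SES (for instance ETH_P_8021AD in the second slot) returns 0 with nothing pushed and the packet is sent without that header. Add "default: return -1;" or document why the case cannot occur. The function also pushes at most one inner header: when encap[0] is PPPoE, a second encap entry is silently ignored. Smaller points in the same hunk: nf_flow_ppoe_push() uses a bare "skb->len + 2" where sizeof(__be16) or a named constant for the PPP protocol field would explain the value, and the function name is spelled ppoe rather than pppoe.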
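
Review bot: In the @@ -343 hunk of nf_flow_queue_xmit(), every failure of nf_flow_encap_push() is turned into NF_DROP, and both FLOW_OFFLOAD_XMIT_DIRECT callers run flow_offload_teardown(flow) when they see NF_DROP. A transient skb_cow_head() failure in one of the push helpers therefore tears down the whole flow rather than dropping a single packet. Consider keeping the teardown for the permanent case (no outdev) and only dropping the skb when the headroom allocation fails, or explain in the commit message why teardown is wanted here.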
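
Review bot: In the @@ -124 hunk of nft_dev_path_info() in net/netfilter/nft_flow_offload.c, "info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT;" is now set for every path entry that records an encap, with no condition on the device or the flowtable, and the same hunk stops taking outdev from path->dev. The commit message describes pushing encaps but does not say that the xmit type of these flows changes. Please state that in the commit message, and say why no check is needed before selecting direct xmit.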
From patchwork Wed Mar 5 10:29:37 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 14002368
From: Eric Woudstra
Subject: [PATCH v9 nf 03/15] netfilter: flow: remove hw_outdev, out.hw_ifindex and out.hw_ifidx
Date: Wed, 5 Mar 2025 11:29:37 +0100
Message-ID: <20250305102949.16370-4-ericwouds@gmail.com>
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>

Now always info->outdev == info->hw_outdev, so the netfilter code can be further cleaned up by removing:
 * hw_outdev from struct nft_forward_info
 * out.hw_ifindex from struct nf_flow_route
 * out.hw_ifidx from struct flow_offload_tuple

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 include/net/netfilter/nf_flow_table.h | 2 --
 net/netfilter/nf_flow_table_core.c | 1 -
 net/netfilter/nf_flow_table_offload.c | 2 +-
 net/netfilter/nft_flow_offload.c | 4 ----
 4 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index d711642e78b5..4ab32fb61865 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h 
@@ -145,7 +145,6 @@ struct flow_offload_tuple { }; struct { u32 ifidx; - u32 hw_ifidx; u8 h_source[ETH_ALEN]; u8 h_dest[ETH_ALEN]; } out; @@ -211,7 +210,6 @@ struct nf_flow_route { } in; struct { u32 ifindex; - u32 hw_ifindex; u8 h_source[ETH_ALEN]; u8 h_dest[ETH_ALEN]; } out; diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 9d8361526f82..1e5d3735c028 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -127,7 +127,6 @@ static int flow_offload_fill_route(struct flow_offload *flow, memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source, ETH_ALEN); flow_tuple->out.ifidx = route->tuple[dir].out.ifindex; - flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex; dst_release(dst); break; case FLOW_OFFLOAD_XMIT_XFRM: diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index e06bc36f49fe..d8f7bfd60ac6 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -555,7 +555,7 @@ static void flow_offload_redirect(struct net *net, switch (this_tuple->xmit_type) { case FLOW_OFFLOAD_XMIT_DIRECT: this_tuple = &flow->tuplehash[dir].tuple; - ifindex = this_tuple->out.hw_ifidx; + ifindex = this_tuple->out.ifidx; break; case FLOW_OFFLOAD_XMIT_NEIGH: other_tuple = &flow->tuplehash[!dir].tuple; diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index b4baee519e18..5ef2f4ba7ab8 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -80,7 +80,6 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route, struct nft_forward_info { const struct net_device *indev; const struct net_device *outdev; - const struct net_device *hw_outdev; struct id { __u16 id; __be16 proto; 
@@ -159,8 +158,6 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, } info->outdev = info->indev; - info->hw_outdev = info->indev; - if (nf_flowtable_hw_offload(flowtable) && nft_is_valid_ether_device(info->indev)) info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; 
@@ -212,7 +209,6 @@ static void nft_dev_forward_path(struct nf_flow_route *route, memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN); memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN); route->tuple[dir].out.ifindex = info.outdev->ifindex; - route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex; route->tuple[dir].xmit_type = info.xmit_type; } }
From patchwork Wed Mar 5 10:29:38 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 14002369
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 04/15] netfilter: bridge: Add conntrack double vlan and pppoe
Date: Wed, 5 Mar 2025 11:29:38 +0100
Message-ID: <20250305102949.16370-5-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

This adds the capability to conntrack 802.1ad, QinQ, PPPoE and PPPoE-in-Q packets that are passing a bridge.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 net/bridge/netfilter/nf_conntrack_bridge.c | 83 ++++++++++++++++++----
 1 file changed, 71 insertions(+), 12 deletions(-)

diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c index 816bb0fde718..4b4e3751fb13 100644 --- a/net/bridge/netfilter/nf_conntrack_bridge.c +++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -242,53 +242,112 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb, { struct nf_hook_state bridge_state = *state; enum ip_conntrack_info ctinfo; + int ret, offset = 0; struct nf_conn *ct; - u32 len; - int ret; + __be16 outer_proto; + u32 len, data_len; ct = nf_ct_get(skb, &ctinfo); if ((ct && !nf_ct_is_template(ct)) || ctinfo == IP_CT_UNTRACKED) return NF_ACCEPT; + switch (skb->protocol) { + case htons(ETH_P_PPP_SES): { + struct ppp_hdr { + struct pppoe_hdr hdr; + __be16 proto; + } *ph; + + offset = PPPOE_SES_HLEN; + if (!pskb_may_pull(skb, offset)) + return NF_ACCEPT; + outer_proto = skb->protocol; + ph = (struct ppp_hdr *)(skb->data); + switch (ph->proto) { + case htons(PPP_IP): + skb->protocol = htons(ETH_P_IP); + break; + case htons(PPP_IPV6): + skb->protocol = htons(ETH_P_IPV6); + break; + default: + nf_ct_set(skb, NULL, IP_CT_UNTRACKED); + return NF_ACCEPT; + } + data_len = ntohs(ph->hdr.length) - 2; + skb_pull_rcsum(skb, offset); + skb_reset_network_header(skb); + break; + } + case htons(ETH_P_8021Q): { + struct vlan_hdr *vhdr; + + offset = VLAN_HLEN; + if (!pskb_may_pull(skb, offset)) + return NF_ACCEPT; + outer_proto = skb->protocol; + vhdr = (struct vlan_hdr *)(skb->data); + skb->protocol = vhdr->h_vlan_encapsulated_proto; + data_len = U32_MAX; + skb_pull_rcsum(skb, offset); + skb_reset_network_header(skb); + break; + } + default: + data_len = U32_MAX; + break; + } + + ret = NF_ACCEPT; switch (skb->protocol) { case htons(ETH_P_IP): if (!pskb_may_pull(skb, sizeof(struct iphdr))) - return NF_ACCEPT; + goto do_not_track; len = skb_ip_totlen(skb); + if (data_len < len) + len = data_len; if (pskb_trim_rcsum(skb, len)) - return NF_ACCEPT; + goto do_not_track; if (nf_ct_br_ip_check(skb)) - return NF_ACCEPT; + goto do_not_track; bridge_state.pf = NFPROTO_IPV4; ret = nf_ct_br_defrag4(skb, &bridge_state); break; case htons(ETH_P_IPV6): if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) - return NF_ACCEPT; + goto do_not_track; len = 
sizeof(struct ipv6hdr) + ntohs(ipv6_hdr(skb)->payload_len); + if (data_len < len) + len = data_len; if (pskb_trim_rcsum(skb, len)) - return NF_ACCEPT; + goto do_not_track; if (nf_ct_br_ipv6_check(skb)) - return NF_ACCEPT; + goto do_not_track; bridge_state.pf = NFPROTO_IPV6; ret = nf_ct_br_defrag6(skb, &bridge_state); break; default: nf_ct_set(skb, NULL, IP_CT_UNTRACKED); - return NF_ACCEPT; + goto do_not_track; } - if (ret != NF_ACCEPT) - return ret; + if (ret == NF_ACCEPT) + ret = nf_conntrack_in(skb, &bridge_state); - return nf_conntrack_in(skb, &bridge_state); +do_not_track: + if (offset) { + skb_push_rcsum(skb, offset); + skb_reset_network_header(skb); + skb->protocol = outer_proto; + } + return ret; } static unsigned int nf_ct_bridge_in(void *priv, struct sk_buff *skb,
From patchwork Wed Mar 5 10:29:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002370
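Review bot: In the ETH_P_PPP_SES case of nf_ct_bridge_pre() (patch 04/15), "data_len = ntohs(ph->hdr.length) - 2;" takes the on-wire PPPoE length with no lower bound, so a length field of 0 or 1 wraps the u32 to a value just below or equal to U32_MAX and the later "if (data_len < len) len = data_len;" clamp no longer limits the trim. Check that the length is at least 2 before subtracting and leave the frame untracked otherwise. Separately, the do_not_track label now runs skb_push_rcsum() for every verdict, where the removed "if (ret != NF_ACCEPT) return ret;" returned without touching the skb; please confirm that neither the defrag helpers nor nf_conntrack_in() can return a verdict under which this hook no longer owns the skb, or skip the restore in that case.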
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 05/15] netfilter: nft_chain_filter: Add bridge double vlan and pppoe
Date: Wed, 5 Mar 2025 11:29:39 +0100
Message-ID: <20250305102949.16370-6-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

This adds the capability to evaluate 802.1ad, QinQ, PPPoE and PPPoE-in-Q packets in the bridge filter chain.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 net/netfilter/nft_chain_filter.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 19a553550c76..7c7080c1a67d 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c
@@ -232,11 +232,27 @@ nft_do_chain_bridge(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { + struct ethhdr *ethh = eth_hdr(skb); struct nft_pktinfo pkt; + int thoff; nft_set_pktinfo(&pkt, skb, state); - switch (eth_hdr(skb)->h_proto) { + switch (ethh->h_proto) { + case htons(ETH_P_PPP_SES): + thoff = PPPOE_SES_HLEN; + ethh += thoff; + break; + case htons(ETH_P_8021Q): + thoff = VLAN_HLEN; + ethh += thoff; + break; + default: + thoff = 0; + break; + } + + switch (ethh->h_proto) { case htons(ETH_P_IP): nft_set_pktinfo_ipv4_validate(&pkt); break; 
@@ -248,6 +264,8 @@ nft_do_chain_bridge(void *priv, break; } + pkt.thoff += thoff; + return nft_do_chain(&pkt, priv); }
From patchwork Wed Mar 5 10:29:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002371
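Review bot: In the first switch of nft_do_chain_bridge() (patch 05/15), "ethh += thoff;" is arithmetic on a struct ethhdr pointer, so it advances by thoff * sizeof(struct ethhdr) bytes rather than thoff bytes, and the second switch then reads h_proto from well past the encapsulation header with no check that the skb holds those bytes. Derive the inner protocol from a byte offset, after making sure the bytes are present the way patch 04 does with pskb_may_pull(). Note also that for ETH_P_PPP_SES the 16-bit field following the PPPoE header is a PPP protocol number (patch 04 maps PPP_IP and PPP_IPV6 explicitly), so comparing it against htons(ETH_P_IP) in the second switch would not match even with the offset fixed.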
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 06/15] bridge: Add filling forward path from port to port
Date: Wed, 5 Mar 2025 11:29:40 +0100
Message-ID: <20250305102949.16370-7-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

If a port is passed as argument instead of the master, then:

At br_fill_forward_path(): find the master and use it to fill the forward path.

At br_vlan_fill_forward_path_pvid(): lookup vlan group from port instead.

Changed call to br_vlan_group() into br_vlan_group_rcu() while at it.

Acked-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 net/bridge/br_device.c | 19 ++++++++++++++-----
 net/bridge/br_private.h | 2 ++
 net/bridge/br_vlan.c | 6 +++++-
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 9d8c72ed01ab..02eb23e8aab8 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c
@@ -383,16 +383,25 @@ static int br_del_slave(struct net_device *dev, struct net_device *slave_dev) static int br_fill_forward_path(struct net_device_path_ctx *ctx, struct net_device_path *path) { + struct net_bridge_port *src, *dst; struct net_bridge_fdb_entry *f; - struct net_bridge_port *dst; struct net_bridge *br; - if (netif_is_bridge_port(ctx->dev)) - return -1; + if (netif_is_bridge_port(ctx->dev)) { + struct net_device *br_dev; + + br_dev = netdev_master_upper_dev_get_rcu((struct net_device *)ctx->dev); + if (!br_dev) + return -1; - br = netdev_priv(ctx->dev); + src = br_port_get_rcu(ctx->dev); + br = netdev_priv(br_dev); + } else { + src = NULL; + br = netdev_priv(ctx->dev); + } - br_vlan_fill_forward_path_pvid(br, ctx, path); + br_vlan_fill_forward_path_pvid(br, src, ctx, path); f = br_fdb_find_rcu(br, ctx->daddr, path->bridge.vlan_id); if (!f) diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index 1054b8a88edc..a0b950390a16 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -1584,6 +1584,7 @@ bool br_vlan_can_enter_range(const struct net_bridge_vlan *v_curr, const struct net_bridge_vlan *range_end); void br_vlan_fill_forward_path_pvid(struct net_bridge *br, + struct net_bridge_port *p, struct net_device_path_ctx *ctx, struct net_device_path *path); int br_vlan_fill_forward_path_mode(struct net_bridge *br, @@ -1753,6 +1754,7 @@ static inline int nbp_get_num_vlan_infos(struct net_bridge_port *p, } static inline void br_vlan_fill_forward_path_pvid(struct net_bridge *br, + struct net_bridge_port *p, struct net_device_path_ctx *ctx, struct net_device_path *path) { diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index d9a69ec9affe..a18c7da12ebd 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c 
@@ -1441,6 +1441,7 @@ int br_vlan_get_pvid_rcu(const struct net_device *dev, u16 *p_pvid) EXPORT_SYMBOL_GPL(br_vlan_get_pvid_rcu); void br_vlan_fill_forward_path_pvid(struct net_bridge *br, + struct net_bridge_port *p, struct net_device_path_ctx *ctx, struct net_device_path *path) { 
@@ -1453,7 +1454,10 @@ void br_vlan_fill_forward_path_pvid(struct net_bridge *br, if (!br_opt_get(br, BROPT_VLAN_ENABLED)) return; - vg = br_vlan_group(br); + if (p) + vg = nbp_vlan_group_rcu(p); + else + vg = br_vlan_group_rcu(br); if (idx >= 0 && ctx->vlan[idx].proto == br->vlan_proto) {
From patchwork Wed Mar 5 10:29:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002372
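Review bot: In the br_device.c hunk of patch 06/15, the new bridge-port branch of br_fill_forward_path() assigns "src = br_port_get_rcu(ctx->dev);" and passes it on unchecked, while br_vlan_fill_forward_path_pvid() treats a NULL port as "started from the master" (if (p) ... else vg = br_vlan_group_rcu(br)). A NULL result would therefore silently select the bridge's vlan group instead of failing; return -1 when src is NULL, next to the existing !br_dev check. The (struct net_device *) cast that drops const from ctx->dev also deserves a second look.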
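Review bot: The else branch in the last br_vlan.c hunk of patch 06/15 changes the pre-existing master path from br_vlan_group(br) to br_vlan_group_rcu(br), which the commit message covers only with "while at it". That changes the locking context the accessor expects for callers that already existed, so state in the commit message why RCU is the right context here or move the change into its own patch. The new p argument of br_vlan_fill_forward_path_pvid() also needs a comment saying that NULL means the walk started at the bridge master.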
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 07/15] net: core: dev: Add dev_fill_bridge_path()
Date: Wed, 5 Mar 2025 11:29:41 +0100
Message-ID: <20250305102949.16370-8-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

New function dev_fill_bridge_path(), similar to dev_fill_forward_path(). It handles starting from a bridge port instead of the bridge master. The structures ctx and nft_forward_info need to be already filled in with the (vlan) encaps.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 include/linux/netdevice.h | 2 ++
 net/core/dev.c | 66 +++++++++++++++++++++++++++++++--------
 2 files changed, 55 insertions(+), 13 deletions(-)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 7ab86ec228b7..81cdad85d9f1 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h
@@ -3318,6 +3318,8 @@ void dev_remove_offload(struct packet_offload *po); int dev_get_iflink(const struct net_device *dev); int dev_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb); +int dev_fill_bridge_path(struct net_device_path_ctx *ctx, + struct net_device_path_stack *stack); int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr, struct net_device_path_stack *stack); struct net_device *__dev_get_by_flags(struct net *net, unsigned short flags, diff --git a/net/core/dev.c b/net/core/dev.c index 2dc705604509..d0810f052d3a 100644 --- a/net/core/dev.c +++ b/net/core/dev.c 
@@ -714,44 +714,84 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) return &stack->path[k]; } -int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr, - struct net_device_path_stack *stack) +static int dev_fill_forward_path_common(struct net_device_path_ctx *ctx, + struct net_device_path_stack *stack) { const struct net_device *last_dev; - struct net_device_path_ctx ctx = { - .dev = dev, - }; struct net_device_path *path; int ret = 0; - memcpy(ctx.daddr, daddr, sizeof(ctx.daddr)); - stack->num_paths = 0; - while (ctx.dev && ctx.dev->netdev_ops->ndo_fill_forward_path) { - last_dev = ctx.dev; + while (ctx->dev && ctx->dev->netdev_ops->ndo_fill_forward_path) { + last_dev = ctx->dev; path = dev_fwd_path(stack); if (!path) return -1; memset(path, 0, sizeof(struct net_device_path)); - ret = ctx.dev->netdev_ops->ndo_fill_forward_path(&ctx, path); + ret = ctx->dev->netdev_ops->ndo_fill_forward_path(ctx, path); if (ret < 0) return -1; - if (WARN_ON_ONCE(last_dev == ctx.dev)) + if (WARN_ON_ONCE(last_dev == ctx->dev)) return -1; } - if (!ctx.dev) + if (!ctx->dev) return ret; path = dev_fwd_path(stack); if (!path) return -1; path->type = DEV_PATH_ETHERNET; - path->dev = ctx.dev; + path->dev = ctx->dev; return ret; } + +int dev_fill_bridge_path(struct net_device_path_ctx *ctx, + struct net_device_path_stack *stack) +{ + const struct net_device *last_dev, *br_dev; + struct net_device_path *path; + + stack->num_paths = 0; + + if (!ctx->dev || !netif_is_bridge_port(ctx->dev)) + return -1; + + br_dev = netdev_master_upper_dev_get_rcu((struct net_device *)ctx->dev); + if (!br_dev || !br_dev->netdev_ops->ndo_fill_forward_path) + return -1; + + last_dev = ctx->dev; + path = dev_fwd_path(stack); + if (!path) + return -1; + + memset(path, 0, sizeof(struct net_device_path)); + if (br_dev->netdev_ops->ndo_fill_forward_path(ctx, path) < 0) + return -1; + + if (!ctx->dev || WARN_ON_ONCE(last_dev == ctx->dev)) + return -1; + + return 
dev_fill_forward_path_common(ctx, stack); +} +EXPORT_SYMBOL_GPL(dev_fill_bridge_path); + +int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr, + struct net_device_path_stack *stack) +{ + struct net_device_path_ctx ctx = { + .dev = dev, + }; + + memcpy(ctx.daddr, daddr, sizeof(ctx.daddr)); + + stack->num_paths = 0; + + return dev_fill_forward_path_common(&ctx, stack); +} EXPORT_SYMBOL_GPL(dev_fill_forward_path); /* must be called under rcu_read_lock(), as we dont take a reference */
From patchwork Wed Mar 5 10:29:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002373
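Review bot: dev_fill_bridge_path() calls netdev_master_upper_dev_get_rcu() but nothing in the hunk says the caller must hold rcu_read_lock(). The function is exported with EXPORT_SYMBOL_GPL, so add a comment or kerneldoc stating that requirement and listing which ctx fields the caller has to fill in (dev and daddr), because unlike dev_fill_forward_path() it takes a ready-made ctx and no longer does the memcpy() of daddr itself. The (struct net_device *)ctx->dev cast in the same call drops the const qualifier; a one-line comment on why that is safe here would help.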
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 08/15] netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge()
Date: Wed, 5 Mar 2025 11:29:42 +0100
Message-ID: <20250305102949.16370-9-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

Add nf_flow_rule_bridge(). It only calls the common rule and adds the redirect.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
--- include/net/netfilter/nf_flow_table.h | 3 +++ net/netfilter/nf_flow_table_offload.c | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 4ab32fb61865..a7f5d6166088 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h
@@ -340,6 +340,9 @@ void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, struct net_device *dev, enum flow_block_command cmd); +int nf_flow_rule_bridge(struct net *net, struct flow_offload *flow, + enum flow_offload_tuple_dir dir, + struct nf_flow_rule *flow_rule); int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index d8f7bfd60ac6..3cc30ebfa6ff 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c 
@@ -679,6 +679,19 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow, return 0; } +int nf_flow_rule_bridge(struct net *net, struct flow_offload *flow, + enum flow_offload_tuple_dir dir, + struct nf_flow_rule *flow_rule) +{ + if (nf_flow_rule_route_common(net, flow, dir, flow_rule) < 0) + return -1; + + flow_offload_redirect(net, flow, dir, flow_rule); + + return 0; +} +EXPORT_SYMBOL_GPL(nf_flow_rule_bridge); + int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule)
From patchwork Wed Mar 5 10:29:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002374
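Review bot: nf_flow_rule_bridge() in nf_flow_table_offload.c is exported with EXPORT_SYMBOL_GPL but carries no comment; the reason it needs only nf_flow_rule_route_common() plus flow_offload_redirect() is given in the commit message alone. A short comment above the function saying that bridged flows get the common rule and the redirect and nothing else would save readers from comparing it against nf_flow_rule_route_ipv4() to find out what was left out on purpose.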
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 09/15] netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
Date: Wed, 5 Mar 2025 11:29:43 +0100
Message-ID: <20250305102949.16370-10-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

This will allow a flowtable to be added to the nft bridge family.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
--- net/netfilter/nf_flow_table_inet.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c index b0f199171932..80b238196f29 100644 --- a/net/netfilter/nf_flow_table_inet.c +++ b/net/netfilter/nf_flow_table_inet.c
@@ -65,6 +65,16 @@ static int nf_flow_rule_route_inet(struct net *net, return err; } +static struct nf_flowtable_type flowtable_bridge = { + .family = NFPROTO_BRIDGE, + .init = nf_flow_table_init, + .setup = nf_flow_table_offload_setup, + .action = nf_flow_rule_bridge, + .free = nf_flow_table_free, + .hook = nf_flow_offload_inet_hook, + .owner = THIS_MODULE, +}; + static struct nf_flowtable_type flowtable_inet = { .family = NFPROTO_INET, .init = nf_flow_table_init, @@ -97,6 +107,7 @@ static struct nf_flowtable_type flowtable_ipv6 = { static int __init nf_flow_inet_module_init(void) { + nft_register_flowtable_type(&flowtable_bridge); nft_register_flowtable_type(&flowtable_ipv4); nft_register_flowtable_type(&flowtable_ipv6); nft_register_flowtable_type(&flowtable_inet); @@ -109,6 +120,7 @@ static void __exit nf_flow_inet_module_exit(void) nft_unregister_flowtable_type(&flowtable_inet); nft_unregister_flowtable_type(&flowtable_ipv6); nft_unregister_flowtable_type(&flowtable_ipv4); + nft_unregister_flowtable_type(&flowtable_bridge); } module_init(nf_flow_inet_module_init); 
@@ -118,5 +130,6 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Pablo Neira Ayuso "); MODULE_ALIAS_NF_FLOWTABLE(AF_INET); MODULE_ALIAS_NF_FLOWTABLE(AF_INET6); +MODULE_ALIAS_NF_FLOWTABLE(AF_BRIDGE); MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */ MODULE_DESCRIPTION("Netfilter flow table mixed IPv4/IPv6 module");
From patchwork Wed Mar 5 10:29:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002375
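Review bot: in the first hunk of nf_flow_table_inet.c, flowtable_bridge sets .hook = nf_flow_offload_inet_hook, reusing the inet entry point for NFPROTO_BRIDGE without any comment. Add a line explaining why that hook is the right one for frames seen on a bridge hook, or name the patch in this series that makes it so, since the struct initialiser alone does not show it.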
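Review bot: MODULE_DESCRIPTION in the last hunk of nf_flow_table_inet.c still reads "Netfilter flow table mixed IPv4/IPv6 module", although the module now also registers flowtable_bridge and gains MODULE_ALIAS_NF_FLOWTABLE(AF_BRIDGE). Update the description to mention the bridge family so modinfo output matches what the module provides.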
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 10/15] netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
Date: Wed, 5 Mar 2025 11:29:44 +0100
Message-ID: <20250305102949.16370-11-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

Need to add NFPROTO_BRIDGE to nft_flow_offload_validate() to support the bridge-fastpath.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
--- net/netfilter/nft_flow_offload.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 5ef2f4ba7ab8..323c531c7046 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c
@@ -421,7 +421,8 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx, if (ctx->family != NFPROTO_IPV4 && ctx->family != NFPROTO_IPV6 && - ctx->family != NFPROTO_INET) + ctx->family != NFPROTO_INET && + ctx->family != NFPROTO_BRIDGE) return -EOPNOTSUPP; return nft_chain_validate_hooks(ctx->chain, hook_mask);
From patchwork Wed Mar 5 10:29:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002376
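Review bot: the family test in nft_flow_offload_validate() now admits NFPROTO_BRIDGE, but hook_mask is passed to nft_chain_validate_hooks() unchanged, so bridge chains are checked against the same hook bits as the IPv4, IPv6 and inet families. If that relies on the bridge forward hook carrying the same number as the inet one, say so in a comment or in the commit message, because nothing in this hunk shows it. With four families the chained != tests would also read better as a switch on ctx->family.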
From: Eric Woudstra
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v9 nf 11/15] netfilter: nft_flow_offload: Add DEV_PATH_MTK_WDMA to nft_dev_path_info()
Date: Wed, 5 Mar 2025 11:29:45 +0100
Message-ID: <20250305102949.16370-12-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com>
References: <20250305102949.16370-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

In case of using mediatek wireless, in nft_dev_fill_forward_path(), the forward path is filled, ending with mediatek wlan1.

Because DEV_PATH_MTK_WDMA is unknown inside nft_dev_path_info() it returns with info.indev = NULL. Then nft_dev_forward_path() returns without setting the direct transmit parameters.

This results in a neighbor transmit, and direct transmit is not possible. But we want to use it for flow between bridged interfaces.

So this patch adds DEV_PATH_MTK_WDMA to nft_dev_path_info() and makes direct transmission possible.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
--- net/netfilter/nft_flow_offload.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 323c531c7046..b9e6d9e6df66 100644
--- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -105,6 +105,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, switch (path->type) { case DEV_PATH_ETHERNET: case DEV_PATH_DSA: + case DEV_PATH_MTK_WDMA: case DEV_PATH_VLAN: case DEV_PATH_PPPOE: info->indev = path->dev; 
@@ -117,6 +118,10 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, i = stack->num_paths; break; } + if (path->type == DEV_PATH_MTK_WDMA) { + i = stack->num_paths; + break; + } /* DEV_PATH_VLAN and DEV_PATH_PPPOE */ if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
From patchwork Wed Mar 5 10:29:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002379
From: Eric Woudstra To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v9 nf 12/15] netfilter: nft_flow_offload: No ingress_vlan forward info for dsa user port Date: Wed, 5 Mar 2025 11:29:46 +0100 Message-ID: <20250305102949.16370-13-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com> References: <20250305102949.16370-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The bitfield info->ingress_vlans and corresponding vlan encap are used for a switchdev user port. However, they should not be set for a dsa user port. Reviewed-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- net/netfilter/nft_flow_offload.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index b9e6d9e6df66..c95fad495460 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -116,6 +116,11 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, break; if (path->type == DEV_PATH_DSA) { i = stack->num_paths; + if (!info->num_encaps || + !(info->ingress_vlans & BIT(info->num_encaps - 1))) + break; + info->num_encaps--; + info->ingress_vlans &= ~BIT(info->num_encaps - 1); break; } if (path->type == DEV_PATH_MTK_WDMA) {
From patchwork Wed Mar 5 10:29:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002377
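Review bot: In the DEV_PATH_DSA branch of nft_dev_path_info() (patch 12/15), the mask in "info->ingress_vlans &= ~BIT(info->num_encaps - 1);" is computed after "info->num_encaps--;", so it clears the bit one below the one the preceding if tested, and when num_encaps was 1 it evaluates BIT(-1), a shift by a negative count. Clear the bit before decrementing, or use ~BIT(info->num_encaps) after the decrement, so that the bit tested and the bit cleared are the same one.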
From: Eric Woudstra To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v9 nf 13/15] bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign Date: Wed, 5 Mar 2025 11:29:47 +0100 Message-ID: <20250305102949.16370-14-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com> References: <20250305102949.16370-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0

In network setup as below:

             fastpath bypass
 .----------------------------------------.
/                                          \
|                        IP - forwarding    |
|                       /                \  v
|                      /                  wan ...
|                     /
|                     |
|                     |
|                   brlan.1
|                     |
|    +-------------------------------+
|    |           vlan 1              |
|    |                               |
|    |     brlan (vlan-filtering)    |
|    |               +---------------+
|    |               |  DSA-SWITCH   |
|    |    vlan 1     |               |
|    |      to       |               |
|    |   untagged    1     vlan 1    |
|    +---------------+---------------+
.         /                   \
 ----->wlan1                 lan0
       .                       .
       .                       ^
       ^                     vlan 1 tagged packets
     untagged packets

br_vlan_fill_forward_path_mode() sets DEV_PATH_BR_VLAN_UNTAG_HW when filling in from brlan.1 towards wlan1. But it should be set to DEV_PATH_BR_VLAN_UNTAG in this case. Using BR_VLFLAG_ADDED_BY_SWITCHDEV is not correct. The dsa switchdev adds it as a foreign port.

The same problem for all foreignly added dsa vlans on the bridge.

First add the vlan, trying only native devices.
If this fails, we know this may be a vlan from a foreign device. Use BR_VLFLAG_TAGGING_BY_SWITCHDEV to make sure DEV_PATH_BR_VLAN_UNTAG_HW is set only when there is no foreign device involved. Acked-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- include/net/switchdev.h | 1 + net/bridge/br_private.h | 10 ++++++++++ net/bridge/br_switchdev.c | 15 +++++++++++++++ net/bridge/br_vlan.c | 7 ++++++- net/switchdev/switchdev.c | 2 +- 5 files changed, 33 insertions(+), 2 deletions(-) diff --git a/include/net/switchdev.h b/include/net/switchdev.h index 8346b0d29542..ee500706496b 100644 --- a/include/net/switchdev.h +++ b/include/net/switchdev.h @@ -15,6 +15,7 @@ #define SWITCHDEV_F_NO_RECURSE BIT(0) #define SWITCHDEV_F_SKIP_EOPNOTSUPP BIT(1) #define SWITCHDEV_F_DEFER BIT(2) +#define SWITCHDEV_F_NO_FOREIGN BIT(3) enum switchdev_attr_id { SWITCHDEV_ATTR_ID_UNDEFINED, diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index a0b950390a16..b950db453d8d 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -180,6 +180,7 @@ enum { BR_VLFLAG_MCAST_ENABLED = BIT(2), BR_VLFLAG_GLOBAL_MCAST_ENABLED = BIT(3), BR_VLFLAG_NEIGH_SUPPRESS_ENABLED = BIT(4), + BR_VLFLAG_TAGGING_BY_SWITCHDEV = BIT(5), }; /** @@ -2184,6 +2185,8 @@ void br_switchdev_mdb_notify(struct net_device *dev, int type); int br_switchdev_port_vlan_add(struct net_device *dev, u16 vid, u16 flags, bool changed, struct netlink_ext_ack *extack); +int br_switchdev_port_vlan_no_foreign_add(struct net_device *dev, u16 vid, u16 flags, + bool changed, struct netlink_ext_ack *extack); int br_switchdev_port_vlan_del(struct net_device *dev, u16 vid); void br_switchdev_init(struct net_bridge *br);
@@ -2267,6 +2270,13 @@ static inline int br_switchdev_port_vlan_add(struct net_device *dev, u16 vid, return -EOPNOTSUPP; } +static inline int br_switchdev_port_vlan_no_foreign_add(struct net_device *dev, u16 vid, + u16 flags, bool changed, + struct netlink_ext_ack *extack) +{ + return -EOPNOTSUPP; +} + static inline int br_switchdev_port_vlan_del(struct net_device *dev, u16 vid) { return -EOPNOTSUPP; diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c index 7b41ee8740cb..efa7a055b8f9 100644 --- a/net/bridge/br_switchdev.c +++ b/net/bridge/br_switchdev.c @@ -187,6 +187,21 @@ int br_switchdev_port_vlan_add(struct net_device *dev, u16 vid, u16 flags, return switchdev_port_obj_add(dev, &v.obj, extack); } +int br_switchdev_port_vlan_no_foreign_add(struct net_device *dev, u16 vid, u16 flags, + bool changed, struct netlink_ext_ack *extack) +{ + struct switchdev_obj_port_vlan v = { + .obj.orig_dev = dev, + .obj.id = SWITCHDEV_OBJ_ID_PORT_VLAN, + .obj.flags = SWITCHDEV_F_NO_FOREIGN, + .flags = flags, + .vid = vid, + .changed = changed, + }; + + return switchdev_port_obj_add(dev, &v.obj, extack); +} + int br_switchdev_port_vlan_del(struct net_device *dev, u16 vid) { struct switchdev_obj_port_vlan v = { diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index a18c7da12ebd..aea94d401a30 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -109,6 +109,11 @@ static int __vlan_vid_add(struct net_device *dev, struct net_bridge *br, /* Try switchdev op first. In case it is not supported, fallback to * 8021q add. */ + err = br_switchdev_port_vlan_no_foreign_add(dev, v->vid, flags, false, extack); + if (err != -EOPNOTSUPP) { + v->priv_flags |= BR_VLFLAG_ADDED_BY_SWITCHDEV | BR_VLFLAG_TAGGING_BY_SWITCHDEV; + return err; + } err = br_switchdev_port_vlan_add(dev, v->vid, flags, false, extack); if (err == -EOPNOTSUPP) return vlan_vid_add(dev, br->vlan_proto, v->vid); 
@@ -1491,7 +1496,7 @@ int br_vlan_fill_forward_path_mode(struct net_bridge *br, if (path->bridge.vlan_mode == DEV_PATH_BR_VLAN_TAG) path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; - else if (v->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV) + else if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG_HW; else path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG; diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c index 6488ead9e464..c48f66643e99 100644 --- a/net/switchdev/switchdev.c +++ b/net/switchdev/switchdev.c 
@@ -749,7 +749,7 @@ static int __switchdev_handle_port_obj_add(struct net_device *dev, /* Event is neither on a bridge nor a LAG. Check whether it is on an * interface that is in a bridge with us. */ - if (!foreign_dev_check_cb) + if (!foreign_dev_check_cb || port_obj_info->obj->flags & SWITCHDEV_F_NO_FOREIGN) return err; br = netdev_master_upper_dev_get(dev);
From patchwork Wed Mar 5 10:29:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002378
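Review bot: In __vlan_vid_add() (patch 13/15, net/bridge/br_vlan.c), the new block sets BR_VLFLAG_ADDED_BY_SWITCHDEV | BR_VLFLAG_TAGGING_BY_SWITCHDEV for every result other than -EOPNOTSUPP, which includes genuine failures of br_switchdev_port_vlan_no_foreign_add(). If the flags are meant to record that the hardware accepted the vlan, set them only when err == 0; if marking a failed add is intentional, say so in a comment. The existing comment above the block ("Try switchdev op first...") should also be updated to describe the two attempts, native-only first and then with foreign devices.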
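Review bot: In __switchdev_handle_port_obj_add() (patch 13/15, net/switchdev/switchdev.c), the new condition mixes || with a bare bitwise test; write it as (port_obj_info->obj->flags & SWITCHDEV_F_NO_FOREIGN) so the precedence is explicit. SWITCHDEV_F_NO_FOREIGN is also added to include/net/switchdev.h without a comment, and going by the diffstat only this add handler honours it while br_switchdev_port_vlan_del() is left unchanged; document that the flag restricts an object add to native ports and state whether the del path is meant to ignore it.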
From: Eric Woudstra To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v9 nf 14/15] bridge: Introduce DEV_PATH_BR_VLAN_KEEP_HW for bridge-fastpath Date: Wed, 5 Mar 2025 11:29:48 +0100 Message-ID: <20250305102949.16370-15-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com> References: <20250305102949.16370-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This patch introduces DEV_PATH_BR_VLAN_KEEP_HW. It is needed in the bridge fastpath for switchdevs supporting SWITCHDEV_OBJ_ID_PORT_VLAN. It is similar to DEV_PATH_BR_VLAN_TAG, with the corresponding bit in ingress_vlans set. In the forward fastpath it is not needed. Acked-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- include/linux/netdevice.h | 1 + net/bridge/br_device.c | 4 ++++ net/bridge/br_vlan.c | 18 +++++++++++------- net/netfilter/nft_flow_offload.c | 3 +++ 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 81cdad85d9f1..1e2f519e8802 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h
@@ -887,6 +887,7 @@ struct net_device_path { DEV_PATH_BR_VLAN_TAG, DEV_PATH_BR_VLAN_UNTAG, DEV_PATH_BR_VLAN_UNTAG_HW, + DEV_PATH_BR_VLAN_KEEP_HW, } vlan_mode; u16 vlan_id; __be16 vlan_proto; diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 02eb23e8aab8..55c64a1d2758 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -430,6 +430,10 @@ static int br_fill_forward_path(struct net_device_path_ctx *ctx, case DEV_PATH_BR_VLAN_UNTAG: ctx->num_vlans--; break; + case DEV_PATH_BR_VLAN_KEEP_HW: + if (!src) + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; + break; case DEV_PATH_BR_VLAN_KEEP: break; } diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index aea94d401a30..114d47d5f90f 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -1494,13 +1494,17 @@ int br_vlan_fill_forward_path_mode(struct net_bridge *br, if (!(v->flags & BRIDGE_VLAN_INFO_UNTAGGED)) return 0; - if (path->bridge.vlan_mode == DEV_PATH_BR_VLAN_TAG) - path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; - else if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) - path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG_HW; - else - path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG; - + if (path->bridge.vlan_mode == DEV_PATH_BR_VLAN_TAG) { + if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP_HW; + else + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; + } else { + if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG_HW; + else + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG; + } return 0; } diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index c95fad495460..c0c310c569cd 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -148,6 +148,9 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, case DEV_PATH_BR_VLAN_UNTAG_HW: info->ingress_vlans |= BIT(info->num_encaps - 1); break; + case DEV_PATH_BR_VLAN_KEEP_HW: + info->ingress_vlans |= BIT(info->num_encaps); + fallthrough; case DEV_PATH_BR_VLAN_TAG: info->encap[info->num_encaps].id = path->bridge.vlan_id; info->encap[info->num_encaps].proto = path->bridge.vlan_proto;
From patchwork Wed Mar 5 10:29:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 14002380
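Review bot: In the new DEV_PATH_BR_VLAN_KEEP_HW case of nft_dev_path_info() (patch 14/15, net/netfilter/nft_flow_offload.c), BIT(info->num_encaps) is set and the code then falls through to write info->encap[info->num_encaps], but nothing visible in this hunk bounds num_encaps against NF_FLOW_TABLE_ENCAP_MAX the way the DEV_PATH_VLAN and DEV_PATH_PPPOE path does. Confirm that the DEV_PATH_BR_VLAN_TAG case is guarded before the index is used, and if it is not, add the check ahead of the new case so the ingress bit is never set for an encap slot that is not filled.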
From: Eric Woudstra To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v9 nf 15/15] netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval() Date: Wed, 5 Mar 2025 11:29:49 +0100 Message-ID: <20250305102949.16370-16-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250305102949.16370-1-ericwouds@gmail.com> References: <20250305102949.16370-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Edit nft_flow_offload_eval() to make it possible to handle a flowtable of the nft bridge family. Use nft_flow_offload_bridge_init() to fill the flow tuples. It uses nft_dev_fill_bridge_path() in each direction. Reviewed-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- net/netfilter/nft_flow_offload.c | 142 +++++++++++++++++++++++++++++-- 1 file changed, 137 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index c0c310c569cd..03a0b5f7e8d2 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -193,6 +193,128 @@ static bool nft_flowtable_find_dev(const struct net_device *dev, return found; } +static int nft_dev_fill_bridge_path(struct flow_offload *flow, + struct nft_flowtable *ft, + enum ip_conntrack_dir dir, + const struct net_device *src_dev, + const struct net_device *dst_dev, + unsigned char *src_ha, + unsigned char *dst_ha) +{ + struct flow_offload_tuple_rhash *th = flow->tuplehash; + struct net_device_path_ctx ctx = {}; + struct net_device_path_stack stack; + struct nft_forward_info info = {}; + int i, j = 0; + + for (i = th[dir].tuple.encap_num - 1; i >= 0 ; i--) { + if (info.num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) + return -1; + + if (th[dir].tuple.in_vlan_ingress & BIT(i)) + continue; + + info.encap[info.num_encaps].id = th[dir].tuple.encap[i].id; + info.encap[info.num_encaps].proto = th[dir].tuple.encap[i].proto; + info.num_encaps++; + + if (th[dir].tuple.encap[i].proto == htons(ETH_P_PPP_SES)) + continue; + + if (ctx.num_vlans >= NET_DEVICE_PATH_VLAN_MAX) + return -1; + ctx.vlan[ctx.num_vlans].id = th[dir].tuple.encap[i].id; + ctx.vlan[ctx.num_vlans].proto = th[dir].tuple.encap[i].proto; + ctx.num_vlans++; + } + ctx.dev = src_dev; + ether_addr_copy(ctx.daddr, dst_ha); + + if (dev_fill_bridge_path(&ctx, &stack) < 0) + return -1; + + nft_dev_path_info(&stack, &info, dst_ha, &ft->data); + + if (!info.indev || info.indev != dst_dev) + return -1; + + th[!dir].tuple.iifidx = info.indev->ifindex; + for (i = info.num_encaps - 1; i >= 0; i--) { + th[!dir].tuple.encap[j].id = info.encap[i].id; + th[!dir].tuple.encap[j].proto = info.encap[i].proto; + if (info.ingress_vlans & BIT(i)) + th[!dir].tuple.in_vlan_ingress |= BIT(j); + j++; + } + th[!dir].tuple.encap_num = info.num_encaps; + + th[dir].tuple.mtu = dst_dev->mtu; + ether_addr_copy(th[dir].tuple.out.h_source, src_ha); + ether_addr_copy(th[dir].tuple.out.h_dest, dst_ha); + th[dir].tuple.out.ifidx = info.outdev->ifindex; + th[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; + + return 0; +} + 
+static int nft_flow_offload_bridge_init(struct flow_offload *flow, + const struct nft_pktinfo *pkt, + enum ip_conntrack_dir dir, + struct nft_flowtable *ft) +{ + const struct net_device *in_dev, *out_dev; + struct ethhdr *eth = eth_hdr(pkt->skb); + struct flow_offload_tuple *tuple; + struct pppoe_hdr *phdr; + struct vlan_hdr *vhdr; + int err, i = 0; + + in_dev = nft_in(pkt); + if (!in_dev || !nft_flowtable_find_dev(in_dev, ft)) + return -1; + + out_dev = nft_out(pkt); + if (!out_dev || !nft_flowtable_find_dev(out_dev, ft)) + return -1; + + tuple = &flow->tuplehash[!dir].tuple; + + if (skb_vlan_tag_present(pkt->skb)) { + tuple->encap[i].id = skb_vlan_tag_get(pkt->skb); + tuple->encap[i].proto = pkt->skb->vlan_proto; + i++; + } + switch (pkt->skb->protocol) { + case htons(ETH_P_8021Q): + vhdr = (struct vlan_hdr *)skb_network_header(pkt->skb); + tuple->encap[i].id = ntohs(vhdr->h_vlan_TCI); + tuple->encap[i].proto = pkt->skb->protocol; + i++; + break; + case htons(ETH_P_PPP_SES): + phdr = (struct pppoe_hdr *)skb_network_header(pkt->skb); + tuple->encap[i].id = ntohs(phdr->sid); + tuple->encap[i].proto = pkt->skb->protocol; + i++; + break; + } + tuple->encap_num = i; + + err = nft_dev_fill_bridge_path(flow, ft, !dir, out_dev, in_dev, + eth->h_dest, eth->h_source); + if (err < 0) + return err; + + memset(tuple->encap, 0, sizeof(tuple->encap)); + + err = nft_dev_fill_bridge_path(flow, ft, dir, in_dev, out_dev, + eth->h_source, eth->h_dest); + if (err < 0) + return err; + + return 0; +} + static void nft_dev_forward_path(struct nf_flow_route *route, const struct nf_conn *ct, enum ip_conntrack_dir dir, @@ -311,6 +433,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, { struct nft_flow_offload *priv = nft_expr_priv(expr); struct nf_flowtable *flowtable = &priv->flowtable->data; + bool routing = flowtable->type->family != NFPROTO_BRIDGE; struct tcphdr _tcph, *tcph = NULL; struct nf_flow_route route = {}; enum ip_conntrack_info ctinfo; 
@@ -364,14 +487,21 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, goto out; dir = CTINFO2DIR(ctinfo); - if (nft_flow_route(pkt, ct, &route, dir, priv->flowtable) < 0) - goto err_flow_route; + if (routing) { + if (nft_flow_route(pkt, ct, &route, dir, priv->flowtable) < 0) + goto err_flow_route; + } flow = flow_offload_alloc(ct); if (!flow) goto err_flow_alloc; - flow_offload_route_init(flow, &route); + if (routing) + flow_offload_route_init(flow, &route); + else + if (nft_flow_offload_bridge_init(flow, pkt, dir, priv->flowtable) < 0) + goto err_flow_add; + if (tcph) flow_offload_ct_tcp(ct); @@ -419,8 +549,10 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, err_flow_add: flow_offload_free(flow); err_flow_alloc: - dst_release(route.tuple[dir].dst); - dst_release(route.tuple[!dir].dst); + if (routing) { + dst_release(route.tuple[dir].dst); + dst_release(route.tuple[!dir].dst); + } err_flow_route: clear_bit(IPS_OFFLOAD_BIT, &ct->status); out:
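Review bot: in nft_flow_offload_bridge_init() (hunk at -193,6 +193,128), the ETH_P_8021Q and ETH_P_PPP_SES cases cast skb_network_header(pkt->skb) to struct vlan_hdr / struct pppoe_hdr and read h_vlan_TCI and sid with no visible check that the frame is long enough for those headers to be in the linear data. This parses bridged traffic, so validate the length first (skb_header_pointer() into a local copy, or pskb_may_pull()) and return -1 when it fails. In the same hunk, nft_dev_fill_bridge_path() tests info.indev for NULL but then dereferences info.outdev->ifindex unchecked; check it as well, or add a comment saying why nft_dev_path_info() always sets it when indev matches dst_dev. The memset(tuple->encap, 0, sizeof(tuple->encap)) between the two calls also wants a one-line comment: it wipes the seed entries taken from the packet, while encap_num is left for the second call to overwrite.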
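Review bot: in the nft_flow_offload_eval() hunk at -364,14 +487,21, the new else branch holds an unbraced nested if whose only statement is a goto, which reads as a dangling else and is easy to break when a line is added later. Fold it into "else if (nft_flow_offload_bridge_init(flow, pkt, dir, priv->flowtable) < 0)" followed by "goto err_flow_add;", or brace both branches of the if (routing) statement. The first change in this hunk can likewise drop its braces by writing "if (routing && nft_flow_route(pkt, ct, &route, dir, priv->flowtable) < 0)".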
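Review bot: in the error-path hunk at -419,8 +549,10, the new if (routing) guard around the two dst_release() calls looks unnecessary from the visible lines: route is declared as "struct nf_flow_route route = {};" and is never filled in the bridge case, so both dst pointers are NULL there, and dst_release() ignores a NULL argument. Either leave the error path as it was, or keep the guard and say in the commit message that it is there for readability rather than correctness.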