redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/include/net/netfilter
History
wenxu 10f4e76587 netfilter: nft_flow_offload: fix interaction with vrf slave device 
In the forward chain, the iif is changed from slave device to master vrf
device. Thus, flow offload does not find a match on the lower slave
device.

This patch uses the cached route, ie. dst->dev, to update the iif and
oif fields in the flow entry.

After this patch, the following example works fine:

 # ip addr add dev eth0 1.1.1.1/24
 # ip addr add dev eth1 10.0.0.1/24
 # ip link add user1 type vrf table 1
 # ip l set user1 up
 # ip l set dev eth0 master user1
 # ip l set dev eth1 master user1

 # nft add table firewall
 # nft add flowtable f fb1 { hook ingress priority 0 \; devices = { eth0, eth1 } \; }
 # nft add chain f ftb-all {type filter hook forward priority 0 \; policy accept \; }
 # nft add rule f ftb-all ct zone 1 ip protocol tcp flow offload @fb1
 # nft add rule f ftb-all ct zone 1 ip protocol udp flow offload @fb1

Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 		2019-01-11 00:55:37 +01:00
..
ipv4 netfilter: add missing error handling code for register functions 2018-11-27 00:35:19 +01:00
ipv6 netfilter: add missing error handling code for register functions 2018-11-27 00:35:19 +01:00
br_netfilter.h net: convert bridge_nf to use skb extension infrastructure 2018-12-19 11:21:37 -08:00
nf_conntrack.h netfilter: conntrack: udp: only extend timeout to stream mode after 2s 2018-12-21 00:48:38 +01:00
nf_conntrack_acct.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_core.h netfilter: conntrack: pass nf_hook_state to packet and error handlers 2018-09-20 17:54:37 +02:00
nf_conntrack_count.h netfilter: nf_conncount: speculative garbage collection on empty lists 2018-12-29 02:45:22 +01:00
nf_conntrack_ecache.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_expect.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_extend.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_helper.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_l4proto.h netfilter: conntrack: add nf_{tcp,udp,sctp,icmp,dccp,icmpv6,generic}_pernet() 2018-11-03 13:28:02 +01:00
nf_conntrack_labels.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_seqadj.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_synproxy.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_timeout.h netfilter: nf_tables: rework ct timeout set support 2018-08-29 13:04:38 +02:00
nf_conntrack_timestamp.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_tuple.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_zones.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_dup_netdev.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_flow_table.h netfilter: nft_flow_offload: fix interaction with vrf slave device 2019-01-11 00:55:37 +01:00
nf_log.h netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
nf_nat.h netfilter: nf_nat: add nat hook register functions to nf_nat 2018-05-23 09:14:05 +02:00
nf_nat_core.h netfilter: add struct nf_nat_hook and use it 2018-05-23 09:26:07 +02:00
nf_nat_helper.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_nat_l3proto.h netfilter: nat: remove nf_nat_l4proto struct 2018-12-17 23:33:31 +01:00
nf_nat_l4proto.h netfilter: nat: remove nf_nat_l4proto struct 2018-12-17 23:33:31 +01:00
nf_nat_redirect.h netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_queue.h netfilter: core: remove synchronize_net call if nfqueue is used 2018-01-08 18:01:06 +01:00
nf_socket.h netfilter: Decrease code duplication regarding transparent socket option 2018-06-03 00:02:01 +02:00
nf_tables.h netfilter: nf_tables: asynchronous release 2018-09-17 11:40:07 +02:00
nf_tables_core.h netfilter: nf_tables: add SECMARK support 2018-09-28 14:28:29 +02:00
nf_tables_ipv4.h netfilter: nf_tables_inet: don't use multihook infrastructure anymore 2018-01-08 18:01:20 +01:00
nf_tables_ipv6.h netfilter: nf_tables_inet: don't use multihook infrastructure anymore 2018-01-08 18:01:20 +01:00
nf_tproxy.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-07-20 22:28:28 -07:00
nft_fib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nft_masq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nft_redir.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nft_reject.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xt_rateest.h netfilter: make xt_rateest hash table per net 2018-03-05 23:15:44 +01:00