diff mbox series

[net] netfilter: nf_tables: fix bidirectional offload regression

Message ID 20240214144235.70341-1-nbd@nbd.name (mailing list archive)
State Accepted
Commit 84443741faab9045d53f022a9ac6a6633067a481
Delegated to: Netdev Maintainers
Headers show
Series [net] netfilter: nf_tables: fix bidirectional offload regression | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 976 this patch: 976
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 10 of 10 maintainers
netdev/build_clang success Errors and warnings before: 993 this patch: 993
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 993 this patch: 993
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-02-15--00-00 (tests: 1443)

Commit Message

Felix Fietkau Feb. 14, 2024, 2:42 p.m. UTC 
Commit 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
made unidirectional flow offload possible, while completely ignoring (and
breaking) bidirectional flow offload for nftables.
Add the missing flag that was left out as an exercise for the reader :)

Cc: Vlad Buslov <vladbu@nvidia.com>
Fixes: 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
Reported-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/netfilter/nft_flow_offload.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Pablo Neira Ayuso Feb. 14, 2024, 3:40 p.m. UTC | #1 
On Wed, Feb 14, 2024 at 03:42:35PM +0100, Felix Fietkau wrote:
> Commit 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
> made unidirectional flow offload possible, while completely ignoring (and
> breaking) bidirectional flow offload for nftables.
> Add the missing flag that was left out as an exercise for the reader :)

Thanks for fixing up this, patch is fine.

> Cc: Vlad Buslov <vladbu@nvidia.com>
> Fixes: 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
> Reported-by: Daniel Golle <daniel@makrotopia.org>
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
>  net/netfilter/nft_flow_offload.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
> index 397351fa4d5f..ab9576098701 100644
> --- a/net/netfilter/nft_flow_offload.c
> +++ b/net/netfilter/nft_flow_offload.c
> @@ -361,6 +361,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
>  		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
>  	}
>  
> +	__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
>  	ret = flow_offload_add(flowtable, flow);
>  	if (ret < 0)
>  		goto err_flow_add;
> -- 
> 2.43.0
> 
>
patchwork-bot+netdevbpf@kernel.org Feb. 15, 2024, noon UTC | #2 
Hello:

This patch was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Wed, 14 Feb 2024 15:42:35 +0100 you wrote:
> Commit 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
> made unidirectional flow offload possible, while completely ignoring (and
> breaking) bidirectional flow offload for nftables.
> Add the missing flag that was left out as an exercise for the reader :)
> 
> Cc: Vlad Buslov <vladbu@nvidia.com>
> Fixes: 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
> Reported-by: Daniel Golle <daniel@makrotopia.org>
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> 
> [...]

Here is the summary with links:
  - [net] netfilter: nf_tables: fix bidirectional offload regression
    https://git.kernel.org/netdev/net/c/84443741faab

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 397351fa4d5f..ab9576098701 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -361,6 +361,7 @@  static void nft_flow_offload_eval(const struct nft_expr *expr,
 		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 	}
 
+	__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
 	ret = flow_offload_add(flowtable, flow);
 	if (ret < 0)
 		goto err_flow_add;