From patchwork Fri Feb 28 20:15:19 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 13997077
From: Eric Woudstra
To: Michal Ostrowski, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v8 net-next 01/15] net: pppoe: avoid zero-length arrays in struct pppoe_hdr
Date: Fri, 28 Feb 2025 21:15:19 +0100
Message-ID: <20250228201533.23836-2-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com>
References: <20250228201533.23836-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org

Jakub Kicinski suggested following patch:

W=1 C=1 GCC build gives us:

net/bridge/netfilter/nf_conntrack_bridge.c: note: in included file (through ../include/linux/if_pppox.h, ../include/uapi/linux/netfilter_bridge.h, ../include/linux/netfilter_bridge.h): include/uapi/linux/if_pppox.h: 153:29: warning: array of flexible structures

It doesn't like that hdr has a zero-length array which overlaps proto.
The kernel code doesn't currently need those arrays.

PPPoE connection is functional after applying this patch.

Signed-off-by: Eric Woudstra
---
 drivers/net/ppp/pppoe.c | 2 +-
 include/uapi/linux/if_pppox.h | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c index 2ea4f4890d23..cb86b78de429 100644 --- a/drivers/net/ppp/pppoe.c 
+++ b/drivers/net/ppp/pppoe.c @@ -881,7 +881,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m, skb->protocol = cpu_to_be16(ETH_P_PPP_SES); ph = skb_put(skb, total_len + sizeof(struct pppoe_hdr)); - start = (char *)&ph->tag[0]; + start = (char *)ph + sizeof(*ph); error = memcpy_from_msg(start, m, total_len); if (error < 0) { diff --git a/include/uapi/linux/if_pppox.h b/include/uapi/linux/if_pppox.h index 9abd80dcc46f..29b804aa7474 100644 --- a/include/uapi/linux/if_pppox.h +++ b/include/uapi/linux/if_pppox.h @@ -122,7 +122,9 @@ struct sockaddr_pppol2tpv3in6 { struct pppoe_tag { __be16 tag_type; __be16 tag_len; +#ifndef __KERNEL__ char tag_data[]; +#endif } __attribute__ ((packed)); /* Tag identifiers */ 
@@ -150,7 +152,9 @@ struct pppoe_hdr { __u8 code; __be16 sid; __be16 length; +#ifndef __KERNEL__ struct pppoe_tag tag[]; +#endif } __packed; /* Length of entire PPPoE + PPP header */
From patchwork Fri Feb 28 20:15:20 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 13997078
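Review bot: in pppoe_sendmsg() (patch 01/15, drivers/net/ppp/pppoe.c), the new start = (char *)ph + sizeof(*ph); spells the header size differently from the skb_put(skb, total_len + sizeof(struct pppoe_hdr)) one line above it. Both evaluate to the same value, but using a single spelling for the two (or (char *)(ph + 1)) makes it obvious at a glance that the total_len bytes copied by memcpy_from_msg() start exactly where the reserved header ends and stay inside the area skb_put() returned.

Review bot: in the include/uapi/linux/if_pppox.h hunks (patch 01/15), the #ifndef __KERNEL__ guards around tag_data[] and tag[] carry no comment, so a later reader of this UAPI header cannot tell why the kernel and userspace views of struct pppoe_tag and struct pppoe_hdr differ. Suggest a short comment at each guard saying the flexible members are kept only for userspace source compatibility and that in-kernel code must locate the payload as the header pointer plus sizeof(struct pppoe_hdr). The pppoe.c hunk shows there was at least one in-kernel user of ph->tag[0]; please state in the commit message that the tree was checked for other users of ->tag and ->tag_data, since any that remain no longer build.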
From: Eric Woudstra
Subject: [PATCH v8 net-next 02/15] netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit direct
Date: Fri, 28 Feb 2025 21:15:20 +0100
Message-ID: <20250228201533.23836-3-ericwouds@gmail.com>
In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com>
References: <20250228201533.23836-1-ericwouds@gmail.com>

Loosely based on wenxu's patches:

"nf_flow_table_offload: offload the vlan/PPPoE encap in the flowtable".

Fixed double vlan and pppoe packets, almost entirely rewriting the patch.

After this patch, it is possible to transmit packets in the fastpath with outgoing encaps, without using vlan- and/or pppoe-devices.

This makes it possible to use more different kinds of network setups. For example, when bridge tagging is used to egress vlan tagged packets using the forward fastpath. Another example is passing 802.1q tagged packets through a bridge using the bridge fastpath.

This also makes the software fastpath process more similar to the hardware offloaded fastpath process, where encaps are also pushed.

After applying this patch, always info->outdev = info->hw_outdev, so the netfilter code can be further cleaned up by removing:
 * hw_outdev from struct nft_forward_info
 * out.hw_ifindex from struct nf_flow_route
 * out.hw_ifidx from struct flow_offload_tuple

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 net/netfilter/nf_flow_table_ip.c | 96 +++++++++++++++++++++++++++++++-
 net/netfilter/nft_flow_offload.c | 6 +-
 2 files changed, 96 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 8cd4cf7ae211..d0c3c459c4d2 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c 
@@ -306,6 +306,92 @@ static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, return false; } +static int nf_flow_vlan_inner_push(struct sk_buff *skb, __be16 proto, u16 id) +{ + struct vlan_hdr *vhdr; + + if (skb_cow_head(skb, VLAN_HLEN)) + return -1; + + __skb_push(skb, VLAN_HLEN); + skb_reset_network_header(skb); + + vhdr = (struct vlan_hdr *)(skb->data); + vhdr->h_vlan_TCI = htons(id); + vhdr->h_vlan_encapsulated_proto = skb->protocol; + skb->protocol = proto; + + return 0; +} + +static int nf_flow_ppoe_push(struct sk_buff *skb, u16 id) +{ + struct ppp_hdr { + struct pppoe_hdr hdr; + __be16 proto; + } *ph; + int data_len = skb->len + 2; + __be16 proto; + + if (skb_cow_head(skb, PPPOE_SES_HLEN)) + return -1; + + if (skb->protocol == htons(ETH_P_IP)) + proto = htons(PPP_IP); + else if (skb->protocol == htons(ETH_P_IPV6)) + proto = htons(PPP_IPV6); + else + return -1; + + __skb_push(skb, PPPOE_SES_HLEN); + skb_reset_network_header(skb); + + ph = (struct ppp_hdr *)(skb->data); + ph->hdr.ver = 1; + ph->hdr.type = 1; + ph->hdr.code = 0; + ph->hdr.sid = htons(id); + ph->hdr.length = htons(data_len); + ph->proto = proto; + skb->protocol = htons(ETH_P_PPP_SES); + + return 0; +} + +static int nf_flow_encap_push(struct sk_buff *skb, + struct flow_offload_tuple_rhash *tuplehash, + unsigned short *type) +{ + int i = 0, ret = 0; + + if (!tuplehash->tuple.encap_num) + return 0; + + if (tuplehash->tuple.encap[i].proto == htons(ETH_P_8021Q) || + tuplehash->tuple.encap[i].proto == htons(ETH_P_8021AD)) { + __vlan_hwaccel_put_tag(skb, tuplehash->tuple.encap[i].proto, + tuplehash->tuple.encap[i].id); + i++; + if (i >= tuplehash->tuple.encap_num) + return 0; + } + + switch (tuplehash->tuple.encap[i].proto) { + case htons(ETH_P_8021Q): + *type = ETH_P_8021Q; + ret = nf_flow_vlan_inner_push(skb, + tuplehash->tuple.encap[i].proto, + tuplehash->tuple.encap[i].id); + break; + case htons(ETH_P_PPP_SES): + *type = ETH_P_PPP_SES; + ret = nf_flow_ppoe_push(skb, + 
tuplehash->tuple.encap[i].id); + break; + } + return ret; +} + static void nf_flow_encap_pop(struct sk_buff *skb, struct flow_offload_tuple_rhash *tuplehash) { @@ -335,6 +421,7 @@ static void nf_flow_encap_pop(struct sk_buff *skb, static unsigned int nf_flow_queue_xmit(struct net *net, struct sk_buff *skb, const struct flow_offload_tuple_rhash *tuplehash, + struct flow_offload_tuple_rhash *other_tuplehash, unsigned short type) { struct net_device *outdev; @@ -343,6 +430,9 @@ static unsigned int nf_flow_queue_xmit(struct net *net, struct sk_buff *skb, if (!outdev) return NF_DROP; + if (nf_flow_encap_push(skb, other_tuplehash, &type) < 0) + return NF_DROP; + skb->dev = outdev; dev_hard_header(skb, skb->dev, type, tuplehash->tuple.out.h_dest, tuplehash->tuple.out.h_source, skb->len); @@ -462,7 +552,8 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, ret = NF_STOLEN; break; case FLOW_OFFLOAD_XMIT_DIRECT: - ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IP); + ret = nf_flow_queue_xmit(state->net, skb, tuplehash, + &flow->tuplehash[!dir], ETH_P_IP); if (ret == NF_DROP) flow_offload_teardown(flow); break; @@ -757,7 +848,8 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, ret = NF_STOLEN; break; case FLOW_OFFLOAD_XMIT_DIRECT: - ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IPV6); + ret = nf_flow_queue_xmit(state->net, skb, tuplehash, + &flow->tuplehash[!dir], ETH_P_IPV6); if (ret == NF_DROP) flow_offload_teardown(flow); break; diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 46a6d280b09c..b4baee519e18 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -124,13 +124,12 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, info->indev = NULL; break; } - if (!info->outdev) - info->outdev = path->dev; info->encap[info->num_encaps].id = path->encap.id; info->encap[info->num_encaps].proto = path->encap.proto; info->num_encaps++; if (path->type == DEV_PATH_PPPOE) memcpy(info->h_dest, path->encap.h_dest, ETH_ALEN); + info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; break; case DEV_PATH_BRIDGE: if (is_zero_ether_addr(info->h_source)) 
@@ -158,8 +157,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, break; } } - if (!info->outdev) - info->outdev = info->indev; + info->outdev = info->indev; info->hw_outdev = info->indev;
From patchwork Fri Feb 28 20:15:21 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 13997079
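Review bot: the switch at the end of nf_flow_encap_push() (patch 02/15, net/netfilter/nf_flow_table_ip.c) has no default case, so an inner encap whose proto is neither ETH_P_8021Q nor ETH_P_PPP_SES (ETH_P_8021AD in the second slot, for instance) leaves ret at 0 and the packet goes out without that header. The function also pushes at most two entries, one hwaccel tag plus one inner header, and never compares that against encap_num. Suggest default: return -1; and an explicit rejection of any entries left over, so an unsupported stack takes the NF_DROP path in nf_flow_queue_xmit() instead of being transmitted mis-encapsulated. In the same hunk, nf_flow_ppoe_push() is spelled ppoe where everything else says pppoe, the bare 2 in data_len = skb->len + 2 would read better as sizeof(ph->proto), and htons(data_len) silently truncates an int to the 16-bit PPPoE length field; a check that data_len fits before the header is written would make that failure explicit.

Review bot: in the nft_dev_path_info() hunks (patch 02/15, net/netfilter/nft_flow_offload.c), every path that fills info->encap[] now gets info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT and info->outdev is unconditionally info->indev, so fastpath packets are handed straight to the lower device and no longer pass through the vlan or pppoe netdevice on transmit. The commit message presents this as a feature, but it does not say what happens to egress policy attached to the virtual device (qdisc, tc filters, counters), which by these lines stops seeing offloaded flows. Suggest documenting that consequence in the commit message and, if it is intended for setups without hardware offload as well, saying so explicitly, since the existing xmit_type assignment further down is still conditional on nf_flowtable_hw_offload().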
From: Eric Woudstra
Subject: [PATCH v8 net-next 03/15] netfilter: flow: remove hw_outdev, out.hw_ifindex and out.hw_ifidx
Date: Fri, 28 Feb 2025 21:15:21 +0100
Message-ID: <20250228201533.23836-4-ericwouds@gmail.com>
In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com>
References: <20250228201533.23836-1-ericwouds@gmail.com>

Now always info->outdev == info->hw_outdev, so the netfilter code can be further cleaned up by removing:
 * hw_outdev from struct nft_forward_info
 * out.hw_ifindex from struct nf_flow_route
 * out.hw_ifidx from struct flow_offload_tuple

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
---
 include/net/netfilter/nf_flow_table.h | 2 --
 net/netfilter/nf_flow_table_core.c | 1 -
 net/netfilter/nf_flow_table_offload.c | 2 +-
 net/netfilter/nft_flow_offload.c | 4 ----
 4 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index d711642e78b5..4ab32fb61865 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h 
@@ -145,7 +145,6 @@ struct flow_offload_tuple { }; struct { u32 ifidx; - u32 hw_ifidx; u8 h_source[ETH_ALEN]; u8 h_dest[ETH_ALEN]; } out; @@ -211,7 +210,6 @@ struct nf_flow_route { } in; struct { u32 ifindex; - u32 hw_ifindex; u8 h_source[ETH_ALEN]; u8 h_dest[ETH_ALEN]; } out; diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 9d8361526f82..1e5d3735c028 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -127,7 +127,6 @@ static int flow_offload_fill_route(struct flow_offload *flow, memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source, ETH_ALEN); flow_tuple->out.ifidx = route->tuple[dir].out.ifindex; - flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex; dst_release(dst); break; case FLOW_OFFLOAD_XMIT_XFRM: diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index e06bc36f49fe..d8f7bfd60ac6 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -555,7 +555,7 @@ static void flow_offload_redirect(struct net *net, switch (this_tuple->xmit_type) { case FLOW_OFFLOAD_XMIT_DIRECT: this_tuple = &flow->tuplehash[dir].tuple; - ifindex = this_tuple->out.hw_ifidx; + ifindex = this_tuple->out.ifidx; break; case FLOW_OFFLOAD_XMIT_NEIGH: other_tuple = &flow->tuplehash[!dir].tuple; diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index b4baee519e18..5ef2f4ba7ab8 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -80,7 +80,6 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route, struct nft_forward_info { const struct net_device *indev; const struct net_device *outdev; - const struct net_device *hw_outdev; struct id { __u16 id; __be16 proto; 
@@ -159,8 +158,6 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, } info->outdev = info->indev; - info->hw_outdev = info->indev; - if (nf_flowtable_hw_offload(flowtable) && nft_is_valid_ether_device(info->indev)) info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; 
@@ -212,7 +209,6 @@ static void nft_dev_forward_path(struct nf_flow_route *route, memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN); memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN); route->tuple[dir].out.ifindex = info.outdev->ifindex; - route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex; route->tuple[dir].xmit_type = info.xmit_type; } }
From patchwork Fri Feb 28 20:15:22 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 13997080
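Review bot: in flow_offload_redirect() (patch 03/15, net/netfilter/nf_flow_table_offload.c), ifindex = this_tuple->out.ifidx now feeds the hardware redirect with the field that used to hold the software output device, and that is equivalent to the removed hw_ifidx only because patch 02/15 assigns info->outdev = info->indev unconditionally. The commit message states the invariant but not where it comes from. Suggest naming the patch that establishes it in the commit message, or a one-line comment at this assignment, so that a backport or bisect which takes this cleanup without 02/15 is recognisably wrong instead of silently redirecting to a different ifindex.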
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 04/15] netfilter: bridge: Add conntrack double vlan and pppoe Date: Fri, 28 Feb 2025 21:15:22 +0100 Message-ID: <20250228201533.23836-5-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This adds the capability to conntrack 802.1ad, QinQ, PPPoE and PPPoE-in-Q packets that are passing a bridge. Signed-off-by: Eric Woudstra --- net/bridge/netfilter/nf_conntrack_bridge.c | 83 ++++++++++++++++++---- 1 file changed, 71 insertions(+), 12 deletions(-) diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c index 816bb0fde718..4b4e3751fb13 100644 --- a/net/bridge/netfilter/nf_conntrack_bridge.c +++ b/net/bridge/netfilter/nf_conntrack_bridge.c 
@@ -242,53 +242,112 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb, { struct nf_hook_state bridge_state = *state; enum ip_conntrack_info ctinfo; + int ret, offset = 0; struct nf_conn *ct; - u32 len; - int ret; + __be16 outer_proto; + u32 len, data_len; ct = nf_ct_get(skb, &ctinfo); if ((ct && !nf_ct_is_template(ct)) || ctinfo == IP_CT_UNTRACKED) return NF_ACCEPT; + switch (skb->protocol) { + case htons(ETH_P_PPP_SES): { + struct ppp_hdr { + struct pppoe_hdr hdr; + __be16 proto; + } *ph; + + offset = PPPOE_SES_HLEN; + if (!pskb_may_pull(skb, offset)) + return NF_ACCEPT; + outer_proto = skb->protocol; + ph = (struct ppp_hdr *)(skb->data); + switch (ph->proto) { + case htons(PPP_IP): + skb->protocol = htons(ETH_P_IP); + break; + case htons(PPP_IPV6): + skb->protocol = htons(ETH_P_IPV6); + break; + default: + nf_ct_set(skb, NULL, IP_CT_UNTRACKED); + return NF_ACCEPT; + } + data_len = ntohs(ph->hdr.length) - 2; + skb_pull_rcsum(skb, offset); + skb_reset_network_header(skb); + break; + } + case htons(ETH_P_8021Q): { + struct vlan_hdr *vhdr; + + offset = VLAN_HLEN; + if (!pskb_may_pull(skb, offset)) + return NF_ACCEPT; + outer_proto = skb->protocol; + vhdr = (struct vlan_hdr *)(skb->data); + skb->protocol = vhdr->h_vlan_encapsulated_proto; + data_len = U32_MAX; + skb_pull_rcsum(skb, offset); + skb_reset_network_header(skb); + break; + } + default: + data_len = U32_MAX; + break; + } + + ret = NF_ACCEPT; switch (skb->protocol) { case htons(ETH_P_IP): if (!pskb_may_pull(skb, sizeof(struct iphdr))) - return NF_ACCEPT; + goto do_not_track; len = skb_ip_totlen(skb); + if (data_len < len) + len = data_len; if (pskb_trim_rcsum(skb, len)) - return NF_ACCEPT; + goto do_not_track; if (nf_ct_br_ip_check(skb)) - return NF_ACCEPT; + goto do_not_track; bridge_state.pf = NFPROTO_IPV4; ret = nf_ct_br_defrag4(skb, &bridge_state); break; case htons(ETH_P_IPV6): if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) - return NF_ACCEPT; + goto do_not_track; len = 
sizeof(struct ipv6hdr) + ntohs(ipv6_hdr(skb)->payload_len); + if (data_len < len) + len = data_len; if (pskb_trim_rcsum(skb, len)) - return NF_ACCEPT; + goto do_not_track; if (nf_ct_br_ipv6_check(skb)) - return NF_ACCEPT; + goto do_not_track; bridge_state.pf = NFPROTO_IPV6; ret = nf_ct_br_defrag6(skb, &bridge_state); break; default: nf_ct_set(skb, NULL, IP_CT_UNTRACKED); - return NF_ACCEPT; + goto do_not_track; } - if (ret != NF_ACCEPT) - return ret; + if (ret == NF_ACCEPT) + ret = nf_conntrack_in(skb, &bridge_state); - return nf_conntrack_in(skb, &bridge_state); +do_not_track: + if (offset) { + skb_push_rcsum(skb, offset); + skb_reset_network_header(skb); + skb->protocol = outer_proto; + } + return ret; } static unsigned int nf_ct_bridge_in(void *priv, struct sk_buff *skb, From patchwork Fri Feb 28 20:15:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13997081 Received: from mail-ej1-f47.google.com (mail-ej1-f47.google.com [209.85.218.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C9ABC276048; Fri, 28 Feb 2025 20:16:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773786; cv=none; b=MWLtA07tLKfBGhZXW7+jdr1aHJcGiou1Ibr/LTL67QkCy8xCUpHPanb6R/AA6etMl4c5r+Z3qLuPrI6feYxqqMFCTnJjsvikMbgEmv+I3BP7+GIgEFmioRL98Q8rxJ+fnXU1DdzbwbwW5cji3+Hqu3p/YECODUyugLTS+ZPtAN4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773786; c=relaxed/simple; bh=WOvVk2IW6QUSaxpGvpwW6W6ywpdv9Y60/i896yobQ+k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; 
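Review bot: In nf_ct_bridge_pre() (net/bridge/netfilter/nf_conntrack_bridge.c), every verdict now falls through to the do_not_track block, which calls skb_push_rcsum() and rewrites skb->protocol, where the old code left early with `if (ret != NF_ACCEPT) return ret;`. If nf_ct_br_defrag4(), nf_ct_br_defrag6() or nf_conntrack_in() can return a verdict under which the caller no longer owns the skb, the restore touches a buffer that may already be queued or freed, so restore the outer header only for verdicts that leave the skb with the caller. Separately, `data_len = ntohs(ph->hdr.length) - 2;` wraps to a very large u32 when the PPPoE length field is below 2, which silently disables the `if (data_len < len)` clamp; reject such frames before the subtraction.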
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 05/15] netfilter: nft_chain_filter: Add bridge double vlan and pppoe Date: Fri, 28 Feb 2025 21:15:23 +0100 Message-ID: <20250228201533.23836-6-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This adds the capability to evaluate 802.1ad, QinQ, PPPoE and PPPoE-in-Q packets in the bridge filter chain. Reviewed-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- net/netfilter/nft_chain_filter.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 19a553550c76..7c7080c1a67d 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -232,11 +232,27 @@ nft_do_chain_bridge(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { + struct ethhdr *ethh = eth_hdr(skb); struct nft_pktinfo pkt; + int thoff; nft_set_pktinfo(&pkt, skb, state); - switch (eth_hdr(skb)->h_proto) { + switch (ethh->h_proto) { + case htons(ETH_P_PPP_SES): + thoff = PPPOE_SES_HLEN; + ethh += thoff; + break; + case htons(ETH_P_8021Q): + thoff = VLAN_HLEN; + ethh += thoff; + break; + default: + thoff = 0; + break; + } + + switch (ethh->h_proto) { case htons(ETH_P_IP): nft_set_pktinfo_ipv4_validate(&pkt); break; 
@@ -248,6 +264,8 @@ nft_do_chain_bridge(void *priv, break; } + pkt.thoff += thoff; + return nft_do_chain(&pkt, priv); } From patchwork Fri Feb 28 20:15:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13997082 Received: from mail-ej1-f50.google.com (mail-ej1-f50.google.com [209.85.218.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2775E277026; Fri, 28 Feb 2025 20:16:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773788; cv=none; b=qXpHTRMSxKc3oGXqiRI/NapjXmblRwrx3RMVq+w8V/AF9n1/ZMyPNyy4vK7a6ojJ0sEngOFPQDH7ZwFlRKHgpdUxqqDVihGKKIAe0s6dE2vUGzNhnMHMHBmTUZkqt7+j1z0zq78XSb1/3WlaacDA6h7qGi8uR0gOJOCrDvmDJCI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773788; c=relaxed/simple; bh=sq5lC5Lgg2lgUcbphMYliAhopUKVFEXA0PcFARtTXys=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GcOQw4UhrFMPYGvqn34YUimzMTIcvO7LawHzOimEqqgHNjuODZRHSB1H/jl/8KaEPLBIz9cg+CCra1hrolTE3fh1bBEifgOKtn44mk7TUdkD2QJES68TXqlIF3O31yl+nh+8ZB0C0kd6Zb/c3sOcDxvMLErlG4kq5aqnz1unwww= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=IRtzfacz; arc=none smtp.client-ip=209.85.218.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IRtzfacz" Received: by mail-ej1-f50.google.com with 
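Review bot: In nft_do_chain_bridge() (net/netfilter/nft_chain_filter.c), `ethh += thoff;` is arithmetic on a struct ethhdr pointer, so it advances by thoff * sizeof(struct ethhdr) bytes rather than the PPPOE_SES_HLEN or VLAN_HLEN bytes intended, and the second `switch (ethh->h_proto)` reads far past the encapsulation header. Compute the inner protocol location from a byte pointer, and confirm it lies within the linear data before dereferencing it, since nothing in this hunk performs a pskb_may_pull() style check. Also, for ETH_P_PPP_SES the field after the PPPoE header carries a PPP protocol number: patch 04 maps PPP_IP and PPP_IPV6 to ETH_P_IP and ETH_P_IPV6 explicitly, while here the value is compared directly against the ETH_P_* cases.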
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 06/15] bridge: Add filling forward path from port to port Date: Fri, 28 Feb 2025 21:15:24 +0100 Message-ID: <20250228201533.23836-7-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 If a port is passed as argument instead of the master, then: At br_fill_forward_path(): find the master and use it to fill the forward path. At br_vlan_fill_forward_path_pvid(): lookup vlan group from port instead. Changed call to br_vlan_group() into br_vlan_group_rcu() while at it. Acked-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- net/bridge/br_device.c | 19 ++++++++++++++----- net/bridge/br_private.h | 2 ++ net/bridge/br_vlan.c | 6 +++++- 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 0ab4613aa07a..c7646afc8b96 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c 
@@ -383,16 +383,25 @@ static int br_del_slave(struct net_device *dev, struct net_device *slave_dev) static int br_fill_forward_path(struct net_device_path_ctx *ctx, struct net_device_path *path) { + struct net_bridge_port *src, *dst; struct net_bridge_fdb_entry *f; - struct net_bridge_port *dst; struct net_bridge *br; - if (netif_is_bridge_port(ctx->dev)) - return -1; + if (netif_is_bridge_port(ctx->dev)) { + struct net_device *br_dev; + + br_dev = netdev_master_upper_dev_get_rcu((struct net_device *)ctx->dev); + if (!br_dev) + return -1; - br = netdev_priv(ctx->dev); + src = br_port_get_rcu(ctx->dev); + br = netdev_priv(br_dev); + } else { + src = NULL; + br = netdev_priv(ctx->dev); + } - br_vlan_fill_forward_path_pvid(br, ctx, path); + br_vlan_fill_forward_path_pvid(br, src, ctx, path); f = br_fdb_find_rcu(br, ctx->daddr, path->bridge.vlan_id); if (!f) diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index 1054b8a88edc..a0b950390a16 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -1584,6 +1584,7 @@ bool br_vlan_can_enter_range(const struct net_bridge_vlan *v_curr, const struct net_bridge_vlan *range_end); void br_vlan_fill_forward_path_pvid(struct net_bridge *br, + struct net_bridge_port *p, struct net_device_path_ctx *ctx, struct net_device_path *path); int br_vlan_fill_forward_path_mode(struct net_bridge *br, @@ -1753,6 +1754,7 @@ static inline int nbp_get_num_vlan_infos(struct net_bridge_port *p, } static inline void br_vlan_fill_forward_path_pvid(struct net_bridge *br, + struct net_bridge_port *p, struct net_device_path_ctx *ctx, struct net_device_path *path) { diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index d9a69ec9affe..a18c7da12ebd 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c 
@@ -1441,6 +1441,7 @@ int br_vlan_get_pvid_rcu(const struct net_device *dev, u16 *p_pvid) EXPORT_SYMBOL_GPL(br_vlan_get_pvid_rcu); void br_vlan_fill_forward_path_pvid(struct net_bridge *br, + struct net_bridge_port *p, struct net_device_path_ctx *ctx, struct net_device_path *path) { 
@@ -1453,7 +1454,10 @@ void br_vlan_fill_forward_path_pvid(struct net_bridge *br, if (!br_opt_get(br, BROPT_VLAN_ENABLED)) return; - vg = br_vlan_group(br); + if (p) + vg = nbp_vlan_group_rcu(p); + else + vg = br_vlan_group_rcu(br); if (idx >= 0 && ctx->vlan[idx].proto == br->vlan_proto) { From patchwork Fri Feb 28 20:15:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13997083 Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A56227C14D; Fri, 28 Feb 2025 20:16:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773790; cv=none; b=W7T6WrbncbOR4W1mxqCkGl3xvqo3I/6ppzClFpeFnXCRdSLjkXH+kk1s1fnmIw360sHRpUYXloVB8e8W+4q+StIXJxMbZzo8CIlmH4bJBrvd8Q8oQrTXUIKN7AZYI2k8VKBXvtzNXec67E1NRu9oTK0DHQxNEf2ljsgkKficmhQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773790; c=relaxed/simple; bh=/pRWkqhj7p134n2hqX1gCn1werSIKKUl61ZTrfk84RM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=EmPh6XKTKEdX5HhX0bgw96GJwtdp3UqwLSBbGnj/QFGG5bDBeGE2s2U2T7o4Q1qhMHf35lUT3IVm92Vw7JAYJW0lHZtbLZ0CL3h+JOnLHRWDyFJi6lGAThaG2Lrhn5YsniECpVbo8xTpSaMqEmsHflop15ANFGprZyf6YqJAC3w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=hhSXnLJ8; arc=none smtp.client-ip=209.85.218.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com 
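Review bot: In br_fill_forward_path() (net/bridge/br_device.c), the result of `src = br_port_get_rcu(ctx->dev);` is passed on unchecked. br_vlan_fill_forward_path_pvid() treats a NULL p as "use the bridge's own VLAN group" (`vg = br_vlan_group_rcu(br);`), so a port lookup that returns NULL would quietly select the master's group instead of failing; return -1 when src is NULL in the bridge-port branch. The new p parameter would also benefit from a short comment in br_private.h saying that NULL means the bridge master, and the `(struct net_device *)ctx->dev` cast drops const without explanation.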
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 07/15] net: core: dev: Add dev_fill_bridge_path() Date: Fri, 28 Feb 2025 21:15:25 +0100 Message-ID: <20250228201533.23836-8-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 New function dev_fill_bridge_path(), similar to dev_fill_forward_path(). It handles starting from a bridge port instead of the bridge master. The structures ctx and nft_forward_info need to be already filled in with the (vlan) encaps. Reviewed-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- include/linux/netdevice.h | 2 ++ net/core/dev.c | 66 +++++++++++++++++++++++++++++++-------- 2 files changed, 55 insertions(+), 13 deletions(-) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 26a0c4e4d963..2ee53478d9f0 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h 
@@ -3318,6 +3318,8 @@ void dev_remove_offload(struct packet_offload *po); int dev_get_iflink(const struct net_device *dev); int dev_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb); +int dev_fill_bridge_path(struct net_device_path_ctx *ctx, + struct net_device_path_stack *stack); int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr, struct net_device_path_stack *stack); struct net_device *__dev_get_by_flags(struct net *net, unsigned short flags, diff --git a/net/core/dev.c b/net/core/dev.c index d6d68a2d2355..467f98f6ba51 100644 --- a/net/core/dev.c +++ b/net/core/dev.c 
@@ -714,44 +714,84 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack) return &stack->path[k]; } -int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr, - struct net_device_path_stack *stack) +static int dev_fill_forward_path_common(struct net_device_path_ctx *ctx, + struct net_device_path_stack *stack) { const struct net_device *last_dev; - struct net_device_path_ctx ctx = { - .dev = dev, - }; struct net_device_path *path; int ret = 0; - memcpy(ctx.daddr, daddr, sizeof(ctx.daddr)); - stack->num_paths = 0; - while (ctx.dev && ctx.dev->netdev_ops->ndo_fill_forward_path) { - last_dev = ctx.dev; + while (ctx->dev && ctx->dev->netdev_ops->ndo_fill_forward_path) { + last_dev = ctx->dev; path = dev_fwd_path(stack); if (!path) return -1; memset(path, 0, sizeof(struct net_device_path)); - ret = ctx.dev->netdev_ops->ndo_fill_forward_path(&ctx, path); + ret = ctx->dev->netdev_ops->ndo_fill_forward_path(ctx, path); if (ret < 0) return -1; - if (WARN_ON_ONCE(last_dev == ctx.dev)) + if (WARN_ON_ONCE(last_dev == ctx->dev)) return -1; } - if (!ctx.dev) + if (!ctx->dev) return ret; path = dev_fwd_path(stack); if (!path) return -1; path->type = DEV_PATH_ETHERNET; - path->dev = ctx.dev; + path->dev = ctx->dev; return ret; } + +int dev_fill_bridge_path(struct net_device_path_ctx *ctx, + struct net_device_path_stack *stack) +{ + const struct net_device *last_dev, *br_dev; + struct net_device_path *path; + + stack->num_paths = 0; + + if (!ctx->dev || !netif_is_bridge_port(ctx->dev)) + return -1; + + br_dev = netdev_master_upper_dev_get_rcu((struct net_device *)ctx->dev); + if (!br_dev || !br_dev->netdev_ops->ndo_fill_forward_path) + return -1; + + last_dev = ctx->dev; + path = dev_fwd_path(stack); + if (!path) + return -1; + + memset(path, 0, sizeof(struct net_device_path)); + if (br_dev->netdev_ops->ndo_fill_forward_path(ctx, path) < 0) + return -1; + + if (!ctx->dev || WARN_ON_ONCE(last_dev == ctx->dev)) + return -1; + + return 
dev_fill_forward_path_common(ctx, stack); +} +EXPORT_SYMBOL_GPL(dev_fill_bridge_path); + +int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr, + struct net_device_path_stack *stack) +{ + struct net_device_path_ctx ctx = { + .dev = dev, + }; + + memcpy(ctx.daddr, daddr, sizeof(ctx.daddr)); + + stack->num_paths = 0; + + return dev_fill_forward_path_common(&ctx, stack); +} EXPORT_SYMBOL_GPL(dev_fill_forward_path); /* must be called under rcu_read_lock(), as we dont take a reference */ From patchwork Fri Feb 28 20:15:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13997084 Received: from mail-ej1-f50.google.com (mail-ej1-f50.google.com [209.85.218.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA9E327CCE8; Fri, 28 Feb 2025 20:16:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773791; cv=none; b=SBjnZ+jlzMt1BEduzLeaE9CujnqN9fLU9OWaMY9s9DPR/QtI4Rq7VMZwm5m2iA0u3MOqdEP2GBsDoeDJfH39jhFPfGe3iFiE36lWsf3a57j4ioduF7Qsy2JXaaTCvIKtNG5sD5C7nMauxYzW5aDsr4An40cg8cQZKBCqV1OYPrw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740773791; c=relaxed/simple; bh=p1IsKiAxwq12F2MM7ABxyO6mLj6RlYFe8Yg33MCLfXU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YWKU+tDdR90IeBmuQExg4WVzZMc/pQS/Ijhe33AMXZ0JYbWgp4PxEpDgSus1CmeTB3NMPV7eLdVADqkXYEinlkpBZC4UQBIEgB1eb38LaqhU0/TnmNhYzbuEVg4SG6PlPAJUgBtMR/gCQu+ARryq1iFj6LYGaszIZ/VVqMg6aO8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UaMCtwWl; arc=none 
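Review bot: dev_fill_bridge_path() in net/core/dev.c carries no comment stating its preconditions, although the commit message says ctx must arrive with the (vlan) encaps already filled in and the function calls netdev_master_upper_dev_get_rcu(). Add a kernel-doc block above it listing what the caller must set in ctx and that it must run under rcu_read_lock(), in the same way the function following dev_fill_forward_path() is annotated. dev_fill_forward_path_common() also no longer resets stack->num_paths itself, so a one-line comment that callers must do so would prevent a future caller from appending to a stale stack.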
smtp.client-ip=209.85.218.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UaMCtwWl" Received: by mail-ej1-f50.google.com with SMTP id a640c23a62f3a-abb90f68f8cso484996166b.3; Fri, 28 Feb 2025 12:16:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1740773788; x=1741378588; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=MAJ1+kbz8lZ4YwPg+OV3VOfAm0Jd01XhEIX1QeYwh3U=; b=UaMCtwWlH77wG9yFpX0M1Bzyq9KiRmdE4/vE+9QyltAyLSXbE/++CsYkHfHVmL+p02 i7gcXFudGDu4piCQsfBpgNa8azuPe4jeWOyAk3JoQKKdLlYRz57vie554kTO131A7yz3 gnN+QXzhFhadgHKwH676GEyvHqM8T0+0pnh2RVyAFnB/TCcKvBpuZu3ngOjB3qm/F8/W 2x+g5S9t6SmISat7D1tAHMfbunsIZNRsxLuSB3YS7wy4FYgeIYeqYvPpiqwqMe21Ec6x E80Vrujk8ocFpRpeZEWT8TxhDLQzPDgYI6TPe+0n780R4fh255WdD2r4lYEUnhpJ7Fr3 Rl4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740773788; x=1741378588; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MAJ1+kbz8lZ4YwPg+OV3VOfAm0Jd01XhEIX1QeYwh3U=; b=FNayl0y/n5DgmRNMwi2UlFsOjHTrcJ5yJNP10cADO7CqJ0ZSRvoULe+9g3NAfhdqXy 3k5RaZKHSBWv9dRE4bh/HZm7/xZbQEX/32I6WlmkbpAkn1fN59VEDKFVt+TQycx7lYtn s7Db4+8Nlu74vihYZZnRRVsbQ7KGtVN2MHaHf/w9CVuAcAB55iWG3u//xV7ZxC2hhWob m63m1yIrQclDaHhf2M0XNIEyJKJWfBgE7GJdX3Qf4i4QIgpEQPvb3n6lXKg98P3k3i3S bPP828555BrZ4C17a2AeuYBtUuSwjWuM3MlDcMxvIaILPuV2FKJBfS312jW5r9BvVO8z IFOA== X-Forwarded-Encrypted: i=1; AJvYcCUJqlvBSgKuIlUO5AfAV1uYCsOxubZKzKulmEUoCFLTfitgk4g66UTQli8f2gr4vKPxCKw2tiJNE3JgEnEZz7Z5@vger.kernel.org, 
AJvYcCVOQCUSxiouyYJFwjjzJCRH33WdELrORV9I3OtQ6tWILP5atH0eamg+xM2CXwKjemSW+4tx+5C2lJ0Cf+giD+c=@vger.kernel.org, AJvYcCWWEiCjhtZYiDuLLit/nbU1BK9nyhln2g7EBt63tG3JeTF0GywUbXcIJGMSFBgYoDjft6PGtyLJT7nswbWX@vger.kernel.org X-Gm-Message-State: AOJu0YxG0i3nAbC9xdGhXyIoMzA3DZx0AjLF+nV0JdTusWPMt/gJA7j6 m171KNUTPFTneTdB9GSUw8AnX2rh8hTXwpjR64r7ivmpumj7KPvK X-Gm-Gg: ASbGnct/TjRtJaaJFVIyAyFcJpRcsx0NKR6rdTLIz/W5DVSTcRfYNxO8BVWZVddPcTF 8x+li5sBPaGEom6NuWpSfcFaLyP3XLEv6ofvwj7Lf5io7NhA59Xh54bdOlAO0EGg7d0bjeVqbo3 XthPKROF6zGkGV+BGluCb93+2uzb0cxpuKMC3K61OW3qPs8A6KWozaeo0dfx1MTcp2TT4oi08xi aIg/LT3tFX8FgVg3HXtlTaKBPd0wjIP8UaKSYm0dkaoefxAyu3W4HNqlIDM931bKDSpLunlp7x3 zUdxaINRiBXgCJX2jqAP87xUjptb203HZbUF4Ok42jKM7jfFPfmKERt4dfjniASVVrfX8muj0dJ 2+DmpKqLWrF4nfsKHrf+kXmrVcpDPGH1HjWvxWGBqRAM= X-Google-Smtp-Source: AGHT+IF4o1r+k6+nG0zNGywKeKcizMy8Myj40MpWCdBkkMqspA1rSJwU0RPTkMPYXpO+ucJWx86obg== X-Received: by 2002:a17:907:3e0e:b0:abb:b12b:e103 with SMTP id a640c23a62f3a-abf26218d27mr558296766b.34.1740773787937; Fri, 28 Feb 2025 12:16:27 -0800 (PST) Received: from corebook.localdomain (2001-1c00-020d-1300-1b1c-4449-176a-89ea.cable.dynamic.v6.ziggo.nl. [2001:1c00:20d:1300:1b1c:4449:176a:89ea]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-abf0c755c66sm340812666b.136.2025.02.28.12.16.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 28 Feb 2025 12:16:27 -0800 (PST) 
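Review bot: dev_fill_bridge_path() calls netdev_master_upper_dev_get_rcu() without documenting or asserting that the caller holds rcu_read_lock(), and it casts the const off ctx->dev to make that call. The context line right after the hunk carries exactly this kind of comment ("must be called under rcu_read_lock()") for the following function, so the new export should get a matching comment or an RCU lockdep assertion. Unlike dev_fill_forward_path(), which builds ctx itself and copies daddr into it, this function takes a caller-built ctx; a kernel-doc block should state which fields (dev, daddr) the caller must initialise and that ctx->dev has to be a bridge port. Every failure is reported as -1, including the netif_is_bridge_port() rejection, so callers cannot tell "not a bridge port" from a driver error; consider distinct error codes.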
From: Eric Woudstra
To: Michal Ostrowski, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v8 net-next 08/15] netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge()
Date: Fri, 28 Feb 2025 21:15:26 +0100
Message-ID: <20250228201533.23836-9-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com>
References: <20250228201533.23836-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

Add nf_flow_rule_bridge(). It only calls the common rule and adds the redirect.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
--- include/net/netfilter/nf_flow_table.h | 3 +++ net/netfilter/nf_flow_table_offload.c | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 4ab32fb61865..a7f5d6166088 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h
@@ -340,6 +340,9 @@ void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, struct net_device *dev, enum flow_block_command cmd); +int nf_flow_rule_bridge(struct net *net, struct flow_offload *flow, + enum flow_offload_tuple_dir dir, + struct nf_flow_rule *flow_rule); int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index d8f7bfd60ac6..3cc30ebfa6ff 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c 
@@ -679,6 +679,19 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow, return 0; } +int nf_flow_rule_bridge(struct net *net, struct flow_offload *flow, + enum flow_offload_tuple_dir dir, + struct nf_flow_rule *flow_rule) +{ + if (nf_flow_rule_route_common(net, flow, dir, flow_rule) < 0) + return -1; + + flow_offload_redirect(net, flow, dir, flow_rule); + + return 0; +} +EXPORT_SYMBOL_GPL(nf_flow_rule_bridge); + int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule)
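Review bot: nf_flow_rule_bridge() folds whatever negative value nf_flow_rule_route_common() returns into a bare -1, so the reason the rule could not be built is lost before it reaches the caller; returning the callee's value would keep it. The function is exported with EXPORT_SYMBOL_GPL but has no comment. Since the bridge action reuses a helper whose name says "route", a short comment stating that the bridge path deliberately applies only the common match/actions plus the redirect (as the commit message says) would save the next reader from checking what the IPv4/IPv6 variants do on top of it.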
From: Eric Woudstra
To: Michal Ostrowski, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v8 net-next 09/15] netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
Date: Fri, 28 Feb 2025 21:15:27 +0100
Message-ID: <20250228201533.23836-10-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com>
References: <20250228201533.23836-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

This will allow a flowtable to be added to the nft bridge family.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
--- net/netfilter/nf_flow_table_inet.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c index b0f199171932..80b238196f29 100644 --- a/net/netfilter/nf_flow_table_inet.c +++ b/net/netfilter/nf_flow_table_inet.c
@@ -65,6 +65,16 @@ static int nf_flow_rule_route_inet(struct net *net, return err; } +static struct nf_flowtable_type flowtable_bridge = { + .family = NFPROTO_BRIDGE, + .init = nf_flow_table_init, + .setup = nf_flow_table_offload_setup, + .action = nf_flow_rule_bridge, + .free = nf_flow_table_free, + .hook = nf_flow_offload_inet_hook, + .owner = THIS_MODULE, +}; + static struct nf_flowtable_type flowtable_inet = { .family = NFPROTO_INET, .init = nf_flow_table_init, @@ -97,6 +107,7 @@ static struct nf_flowtable_type flowtable_ipv6 = { static int __init nf_flow_inet_module_init(void) { + nft_register_flowtable_type(&flowtable_bridge); nft_register_flowtable_type(&flowtable_ipv4); nft_register_flowtable_type(&flowtable_ipv6); nft_register_flowtable_type(&flowtable_inet); @@ -109,6 +120,7 @@ static void __exit nf_flow_inet_module_exit(void) nft_unregister_flowtable_type(&flowtable_inet); nft_unregister_flowtable_type(&flowtable_ipv6); nft_unregister_flowtable_type(&flowtable_ipv4); + nft_unregister_flowtable_type(&flowtable_bridge); } module_init(nf_flow_inet_module_init); 
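Review bot: flowtable_bridge sets .hook = nf_flow_offload_inet_hook, and neither the hunk nor the commit message explains why the inet hook is the correct entry point for frames seen by an NFPROTO_BRIDGE flowtable. Please add a comment on the struct (or a sentence in the commit message) stating what that hook does with traffic it receives in the bridge family and what happens to frames it does not recognise, since this is the function every bridged packet on the flowtable will pass through. The register/unregister ordering in the init and exit hunks is mirrored correctly.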
@@ -118,5 +130,6 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Pablo Neira Ayuso "); MODULE_ALIAS_NF_FLOWTABLE(AF_INET); MODULE_ALIAS_NF_FLOWTABLE(AF_INET6); +MODULE_ALIAS_NF_FLOWTABLE(AF_BRIDGE); MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */ MODULE_DESCRIPTION("Netfilter flow table mixed IPv4/IPv6 module");
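Review bot: MODULE_DESCRIPTION in the trailing context still reads "Netfilter flow table mixed IPv4/IPv6 module", although with the added MODULE_ALIAS_NF_FLOWTABLE(AF_BRIDGE) the module is now auto-loaded for, and registers, a bridge flowtable type as well. Update the description in this patch so modinfo output matches what the module actually provides.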
From: Eric Woudstra
To: Michal Ostrowski, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v8 net-next 10/15] netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
Date: Fri, 28 Feb 2025 21:15:28 +0100
Message-ID: <20250228201533.23836-11-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com>
References: <20250228201533.23836-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

Need to add NFPROTO_BRIDGE to nft_flow_offload_validate() to support the bridge-fastpath.

Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Eric Woudstra
--- net/netfilter/nft_flow_offload.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 5ef2f4ba7ab8..323c531c7046 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c
@@ -421,7 +421,8 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx, if (ctx->family != NFPROTO_IPV4 && ctx->family != NFPROTO_IPV6 && - ctx->family != NFPROTO_INET) + ctx->family != NFPROTO_INET && + ctx->family != NFPROTO_BRIDGE) return -EOPNOTSUPP; return nft_chain_validate_hooks(ctx->chain, hook_mask);
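Review bot: the family test now lets NFPROTO_BRIDGE through, but the following line still validates the chain against the same hook_mask that is used for IPv4, IPv6 and inet. hook_mask is set outside this hunk, so please confirm, and state in the commit message, that the permitted hook set is the intended one for bridge-family chains; this validate callback is the only gate that keeps the flow offload expression out of hooks it was not written for. With four families the chained != comparisons would also read better as a switch on ctx->family with a default returning -EOPNOTSUPP.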
From: Eric Woudstra
To: Michal Ostrowski, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno, Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki, Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v8 net-next 11/15] netfilter: nft_flow_offload: Add DEV_PATH_MTK_WDMA to nft_dev_path_info()
Date: Fri, 28 Feb 2025 21:15:29 +0100
Message-ID: <20250228201533.23836-12-ericwouds@gmail.com>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com>
References: <20250228201533.23836-1-ericwouds@gmail.com>
Precedence: bulk
X-Mailing-List: linux-hardening@vger.kernel.org
MIME-Version: 1.0

In case of using mediatek wireless, in nft_dev_fill_forward_path(), the forward path is filled, ending with mediatek wlan1. Because DEV_PATH_MTK_WDMA is unknown inside nft_dev_path_info() it returns with info.indev = NULL. Then nft_dev_forward_path() returns without setting the direct transmit parameters. This results in a neighbor transmit, and direct transmit not possible. But we want to use it for flow between bridged interfaces. So this patch adds DEV_PATH_MTK_WDMA to nft_dev_path_info() and makes direct transmission possible.

Signed-off-by: Eric Woudstra
--- net/netfilter/nft_flow_offload.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 323c531c7046..b9e6d9e6df66 100644
--- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -105,6 +105,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, switch (path->type) { case DEV_PATH_ETHERNET: case DEV_PATH_DSA: + case DEV_PATH_MTK_WDMA: case DEV_PATH_VLAN: case DEV_PATH_PPPOE: info->indev = path->dev; 
@@ -117,6 +118,10 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, i = stack->num_paths; break; } + if (path->type == DEV_PATH_MTK_WDMA) { + i = stack->num_paths; + break; + } /* DEV_PATH_VLAN and DEV_PATH_PPPOE */ if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 12/15] netfilter: nft_flow_offload: No ingress_vlan forward info for dsa user port Date: Fri, 28 Feb 2025 21:15:30 +0100 Message-ID: <20250228201533.23836-13-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The bitfield info->ingress_vlans and corresponding vlan encap are used for a switchdev user port. However, they should not be set for a dsa user port. Reviewed-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- net/netfilter/nft_flow_offload.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index b9e6d9e6df66..c95fad495460 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -116,6 +116,11 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, break; if (path->type == DEV_PATH_DSA) { i = stack->num_paths; + if (!info->num_encaps || + !(info->ingress_vlans & BIT(info->num_encaps - 1))) + break; + info->num_encaps--; + info->ingress_vlans &= ~BIT(info->num_encaps - 1); break; } if (path->type == DEV_PATH_MTK_WDMA) {
From patchwork Fri Feb 28 20:15:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13997089
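Review bot: In the DEV_PATH_DSA branch of patch 12/15, the bit that gets cleared is not the bit that was tested. The guard checks BIT(info->num_encaps - 1), but info->num_encaps-- runs before "info->ingress_vlans &= ~BIT(info->num_encaps - 1)", so the mask is computed from the already-decremented count and hits the next-lower encap instead of the one just popped. When num_encaps was 1 on entry the expression becomes BIT(-1), a negative shift count, which is undefined behaviour. Clear the bit before the decrement, or use ~BIT(info->num_encaps) after it, so the ingress_vlans bit that goes away belongs to the encap that was removed.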
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 13/15] bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign Date: Fri, 28 Feb 2025 21:15:31 +0100 Message-ID: <20250228201533.23836-14-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In network setup as below: fastpath bypass .----------------------------------------. / \ | IP - forwarding | | / \ v | / wan ... | / | | | | | brlan.1 | | | +-------------------------------+ | | vlan 1 | | | | | | brlan (vlan-filtering) | | | +---------------+ | | | DSA-SWITCH | | | vlan 1 | | | | to | | | | untagged 1 vlan 1 | | +---------------+---------------+ . / \ ----->wlan1 lan0 . . . ^ ^ vlan 1 tagged packets untagged packets br_vlan_fill_forward_path_mode() sets DEV_PATH_BR_VLAN_UNTAG_HW when filling in from brlan.1 towards wlan1. But it should be set to DEV_PATH_BR_VLAN_UNTAG in this case. Using BR_VLFLAG_ADDED_BY_SWITCHDEV is not correct. The dsa switchdev adds it as a foreign port. The same problem for all foreignly added dsa vlans on the bridge. First add the vlan, trying only native devices. 
If this fails, we know this may be a vlan from a foreign device. Use BR_VLFLAG_TAGGING_BY_SWITCHDEV to make sure DEV_PATH_BR_VLAN_UNTAG_HW is set only when there is no foreign device involved. Acked-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- include/net/switchdev.h | 1 + net/bridge/br_private.h | 10 ++++++++++ net/bridge/br_switchdev.c | 15 +++++++++++++++ net/bridge/br_vlan.c | 7 ++++++- net/switchdev/switchdev.c | 2 +- 5 files changed, 33 insertions(+), 2 deletions(-) diff --git a/include/net/switchdev.h b/include/net/switchdev.h index 8346b0d29542..ee500706496b 100644 --- a/include/net/switchdev.h +++ b/include/net/switchdev.h @@ -15,6 +15,7 @@ #define SWITCHDEV_F_NO_RECURSE BIT(0) #define SWITCHDEV_F_SKIP_EOPNOTSUPP BIT(1) #define SWITCHDEV_F_DEFER BIT(2) +#define SWITCHDEV_F_NO_FOREIGN BIT(3) enum switchdev_attr_id { SWITCHDEV_ATTR_ID_UNDEFINED, diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index a0b950390a16..b950db453d8d 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -180,6 +180,7 @@ enum { BR_VLFLAG_MCAST_ENABLED = BIT(2), BR_VLFLAG_GLOBAL_MCAST_ENABLED = BIT(3), BR_VLFLAG_NEIGH_SUPPRESS_ENABLED = BIT(4), + BR_VLFLAG_TAGGING_BY_SWITCHDEV = BIT(5), }; /** @@ -2184,6 +2185,8 @@ void br_switchdev_mdb_notify(struct net_device *dev, int type); int br_switchdev_port_vlan_add(struct net_device *dev, u16 vid, u16 flags, bool changed, struct netlink_ext_ack *extack); +int br_switchdev_port_vlan_no_foreign_add(struct net_device *dev, u16 vid, u16 flags, + bool changed, struct netlink_ext_ack *extack); int br_switchdev_port_vlan_del(struct net_device *dev, u16 vid); void br_switchdev_init(struct net_bridge *br); 
@@ -2267,6 +2270,13 @@ static inline int br_switchdev_port_vlan_add(struct net_device *dev, u16 vid, return -EOPNOTSUPP; } +static inline int br_switchdev_port_vlan_no_foreign_add(struct net_device *dev, u16 vid, + u16 flags, bool changed, + struct netlink_ext_ack *extack) +{ + return -EOPNOTSUPP; +} + static inline int br_switchdev_port_vlan_del(struct net_device *dev, u16 vid) { return -EOPNOTSUPP; diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c index 7b41ee8740cb..efa7a055b8f9 100644 --- a/net/bridge/br_switchdev.c +++ b/net/bridge/br_switchdev.c @@ -187,6 +187,21 @@ int br_switchdev_port_vlan_add(struct net_device *dev, u16 vid, u16 flags, return switchdev_port_obj_add(dev, &v.obj, extack); } +int br_switchdev_port_vlan_no_foreign_add(struct net_device *dev, u16 vid, u16 flags, + bool changed, struct netlink_ext_ack *extack) +{ + struct switchdev_obj_port_vlan v = { + .obj.orig_dev = dev, + .obj.id = SWITCHDEV_OBJ_ID_PORT_VLAN, + .obj.flags = SWITCHDEV_F_NO_FOREIGN, + .flags = flags, + .vid = vid, + .changed = changed, + }; + + return switchdev_port_obj_add(dev, &v.obj, extack); +} + int br_switchdev_port_vlan_del(struct net_device *dev, u16 vid) { struct switchdev_obj_port_vlan v = { diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index a18c7da12ebd..aea94d401a30 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -109,6 +109,11 @@ static int __vlan_vid_add(struct net_device *dev, struct net_bridge *br, /* Try switchdev op first. In case it is not supported, fallback to * 8021q add. */ + err = br_switchdev_port_vlan_no_foreign_add(dev, v->vid, flags, false, extack); + if (err != -EOPNOTSUPP) { + v->priv_flags |= BR_VLFLAG_ADDED_BY_SWITCHDEV | BR_VLFLAG_TAGGING_BY_SWITCHDEV; + return err; + } err = br_switchdev_port_vlan_add(dev, v->vid, flags, false, extack); if (err == -EOPNOTSUPP) return vlan_vid_add(dev, br->vlan_proto, v->vid); 
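Review bot: In the __vlan_vid_add() hunk, the new block sets BR_VLFLAG_ADDED_BY_SWITCHDEV | BR_VLFLAG_TAGGING_BY_SWITCHDEV for every return value other than -EOPNOTSUPP, so a genuine failure of br_switchdev_port_vlan_no_foreign_add() still marks the vlan as hardware-tagged before the error is returned. Unless the caller always discards v on error, set the flags only when err == 0 and return the error untouched otherwise. The existing "Try switchdev op first" comment also needs an update, since the function now makes a no-foreign attempt, then the regular switchdev attempt, and only then falls back to 8021q.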
@@ -1491,7 +1496,7 @@ int br_vlan_fill_forward_path_mode(struct net_bridge *br, if (path->bridge.vlan_mode == DEV_PATH_BR_VLAN_TAG) path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; - else if (v->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV) + else if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG_HW; else path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG; diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c index 6488ead9e464..c48f66643e99 100644 --- a/net/switchdev/switchdev.c +++ b/net/switchdev/switchdev.c 
@@ -749,7 +749,7 @@ static int __switchdev_handle_port_obj_add(struct net_device *dev, /* Event is neither on a bridge nor a LAG. Check whether it is on an * interface that is in a bridge with us. */ - if (!foreign_dev_check_cb) + if (!foreign_dev_check_cb || port_obj_info->obj->flags & SWITCHDEV_F_NO_FOREIGN) return err; br = netdev_master_upper_dev_get(dev);
From patchwork Fri Feb 28 20:15:32 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13997090
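Review bot: In the __switchdev_handle_port_obj_add() hunk of patch 13/15, the new condition mixes || with an unparenthesised bitwise &. Precedence gives the intended result, but write it as (port_obj_info->obj->flags & SWITCHDEV_F_NO_FOREIGN) so the flag test reads unambiguously. The diffstat shows this one line as the only change in net/switchdev/switchdev.c, so the flag is honoured on the add path only; if deletion is meant to keep walking foreign devices, say so in the commit message, and add a comment at the SWITCHDEV_F_NO_FOREIGN define describing what the flag suppresses.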
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 14/15] bridge: Introduce DEV_PATH_BR_VLAN_KEEP_HW for bridge-fastpath Date: Fri, 28 Feb 2025 21:15:32 +0100 Message-ID: <20250228201533.23836-15-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This patch introduces DEV_PATH_BR_VLAN_KEEP_HW. It is needed in the bridge fastpath for switchdevs supporting SWITCHDEV_OBJ_ID_PORT_VLAN. It is similar to DEV_PATH_BR_VLAN_TAG, with the corresponding bit in ingress_vlans set. In the forward fastpath it is not needed. Acked-by: Nikolay Aleksandrov Signed-off-by: Eric Woudstra --- include/linux/netdevice.h | 1 + net/bridge/br_device.c | 4 ++++ net/bridge/br_vlan.c | 18 +++++++++++------- net/netfilter/nft_flow_offload.c | 3 +++ 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 2ee53478d9f0..17d82e4632dd 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h 
@@ -887,6 +887,7 @@ struct net_device_path { DEV_PATH_BR_VLAN_TAG, DEV_PATH_BR_VLAN_UNTAG, DEV_PATH_BR_VLAN_UNTAG_HW, + DEV_PATH_BR_VLAN_KEEP_HW, } vlan_mode; u16 vlan_id; __be16 vlan_proto; diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index c7646afc8b96..112fd8556217 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -430,6 +430,10 @@ static int br_fill_forward_path(struct net_device_path_ctx *ctx, case DEV_PATH_BR_VLAN_UNTAG: ctx->num_vlans--; break; + case DEV_PATH_BR_VLAN_KEEP_HW: + if (!src) + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; + break; case DEV_PATH_BR_VLAN_KEEP: break; } diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index aea94d401a30..114d47d5f90f 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -1494,13 +1494,17 @@ int br_vlan_fill_forward_path_mode(struct net_bridge *br, if (!(v->flags & BRIDGE_VLAN_INFO_UNTAGGED)) return 0; - if (path->bridge.vlan_mode == DEV_PATH_BR_VLAN_TAG) - path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; - else if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) - path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG_HW; - else - path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG; - + if (path->bridge.vlan_mode == DEV_PATH_BR_VLAN_TAG) { + if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP_HW; + else + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_KEEP; + } else { + if (v->priv_flags & BR_VLFLAG_TAGGING_BY_SWITCHDEV) + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG_HW; + else + path->bridge.vlan_mode = DEV_PATH_BR_VLAN_UNTAG; + } return 0; } diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index c95fad495460..c0c310c569cd 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
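Review bot: In the br_fill_forward_path() hunk of net/bridge/br_device.c, the new DEV_PATH_BR_VLAN_KEEP_HW case downgrades the mode to DEV_PATH_BR_VLAN_KEEP when src is NULL, and nothing in the code says why. The commit message states that the mode is not needed in the forward fastpath; if a NULL src is what identifies that path, put a one-line comment above the "if (!src)" test so the reader does not need the changelog to follow it. The new enum value in include/linux/netdevice.h is undocumented as well, and a short note on how it differs from DEV_PATH_BR_VLAN_KEEP and DEV_PATH_BR_VLAN_UNTAG_HW would help driver authors.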
@@ -148,6 +148,9 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, case DEV_PATH_BR_VLAN_UNTAG_HW: info->ingress_vlans |= BIT(info->num_encaps - 1); break; + case DEV_PATH_BR_VLAN_KEEP_HW: + info->ingress_vlans |= BIT(info->num_encaps); + fallthrough; case DEV_PATH_BR_VLAN_TAG: info->encap[info->num_encaps].id = path->bridge.vlan_id; info->encap[info->num_encaps].proto = path->bridge.vlan_proto;
From patchwork Fri Feb 28 20:15:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13997091
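Review bot: In the nft_dev_path_info() hunk of patch 14/15, the new DEV_PATH_BR_VLAN_KEEP_HW case sets BIT(info->num_encaps) and falls through to code that writes info->encap[info->num_encaps], and nothing in the visible context compares num_encaps with NF_FLOW_TABLE_ENCAP_MAX on this path. The VLAN/PPPoE branch of the same function does carry that comparison, as the context of the 11/15 hunk shows. Add the bound check ahead of the case body, or point to where the limit is already enforced for bridge entries. A short comment on why this case uses BIT(num_encaps) while DEV_PATH_BR_VLAN_UNTAG_HW uses BIT(num_encaps - 1) would also save the next reader from suspecting an off-by-one.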
From: Eric Woudstra To: Michal Ostrowski , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Kuniyuki Iwashima , Sebastian Andrzej Siewior , Ahmed Zaki , Alexander Lobakin , Vladimir Oltean , "Frank Wunderlich" , Daniel Golle Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org, Kees Cook , "Gustavo A. R. Silva" , Eric Woudstra Subject: [PATCH v8 net-next 15/15] netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval() Date: Fri, 28 Feb 2025 21:15:33 +0100 Message-ID: <20250228201533.23836-16-ericwouds@gmail.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20250228201533.23836-1-ericwouds@gmail.com> References: <20250228201533.23836-1-ericwouds@gmail.com> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Edit nft_flow_offload_eval() to make it possible to handle a flowtable of the nft bridge family. Use nft_flow_offload_bridge_init() to fill the flow tuples. It uses nft_dev_fill_bridge_path() in each direction. Signed-off-by: Eric Woudstra --- net/netfilter/nft_flow_offload.c | 142 +++++++++++++++++++++++++++++-- 1 file changed, 137 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index c0c310c569cd..03a0b5f7e8d2 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -193,6 +193,128 @@ static bool nft_flowtable_find_dev(const struct net_device *dev, return found; } +static int nft_dev_fill_bridge_path(struct flow_offload *flow, + struct nft_flowtable *ft, + enum ip_conntrack_dir dir, + const struct net_device *src_dev, + const struct net_device *dst_dev, + unsigned char *src_ha, + unsigned char *dst_ha) +{ + struct flow_offload_tuple_rhash *th = flow->tuplehash; + struct net_device_path_ctx ctx = {}; + struct net_device_path_stack stack; + struct nft_forward_info info = {}; + int i, j = 0; + + for (i = th[dir].tuple.encap_num - 1; i >= 0 ; i--) { + if (info.num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) + return -1; + + if (th[dir].tuple.in_vlan_ingress & BIT(i)) + continue; + + info.encap[info.num_encaps].id = th[dir].tuple.encap[i].id; + info.encap[info.num_encaps].proto = th[dir].tuple.encap[i].proto; + info.num_encaps++; + + if (th[dir].tuple.encap[i].proto == htons(ETH_P_PPP_SES)) + continue; + + if (ctx.num_vlans >= NET_DEVICE_PATH_VLAN_MAX) + return -1; + ctx.vlan[ctx.num_vlans].id = th[dir].tuple.encap[i].id; + ctx.vlan[ctx.num_vlans].proto = th[dir].tuple.encap[i].proto; + ctx.num_vlans++; + } + ctx.dev = src_dev; + ether_addr_copy(ctx.daddr, dst_ha); + + if (dev_fill_bridge_path(&ctx, &stack) < 0) + return -1; + + nft_dev_path_info(&stack, &info, dst_ha, &ft->data); + + if (!info.indev || info.indev != dst_dev) + return -1; + + th[!dir].tuple.iifidx = info.indev->ifindex; + for (i = info.num_encaps - 1; i >= 0; i--) { + th[!dir].tuple.encap[j].id = info.encap[i].id; + th[!dir].tuple.encap[j].proto = info.encap[i].proto; + if (info.ingress_vlans & BIT(i)) + th[!dir].tuple.in_vlan_ingress |= BIT(j); + j++; + } + th[!dir].tuple.encap_num = info.num_encaps; + + th[dir].tuple.mtu = dst_dev->mtu; + ether_addr_copy(th[dir].tuple.out.h_source, src_ha); + ether_addr_copy(th[dir].tuple.out.h_dest, dst_ha); + th[dir].tuple.out.ifidx = info.outdev->ifindex; + th[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; + + return 0; +} + 
+static int nft_flow_offload_bridge_init(struct flow_offload *flow, + const struct nft_pktinfo *pkt, + enum ip_conntrack_dir dir, + struct nft_flowtable *ft) +{ + const struct net_device *in_dev, *out_dev; + struct ethhdr *eth = eth_hdr(pkt->skb); + struct flow_offload_tuple *tuple; + struct pppoe_hdr *phdr; + struct vlan_hdr *vhdr; + int err, i = 0; + + in_dev = nft_in(pkt); + if (!in_dev || !nft_flowtable_find_dev(in_dev, ft)) + return -1; + + out_dev = nft_out(pkt); + if (!out_dev || !nft_flowtable_find_dev(out_dev, ft)) + return -1; + + tuple = &flow->tuplehash[!dir].tuple; + + if (skb_vlan_tag_present(pkt->skb)) { + tuple->encap[i].id = skb_vlan_tag_get(pkt->skb); + tuple->encap[i].proto = pkt->skb->vlan_proto; + i++; + } + switch (pkt->skb->protocol) { + case htons(ETH_P_8021Q): + vhdr = (struct vlan_hdr *)skb_network_header(pkt->skb); + tuple->encap[i].id = ntohs(vhdr->h_vlan_TCI); + tuple->encap[i].proto = pkt->skb->protocol; + i++; + break; + case htons(ETH_P_PPP_SES): + phdr = (struct pppoe_hdr *)skb_network_header(pkt->skb); + tuple->encap[i].id = ntohs(phdr->sid); + tuple->encap[i].proto = pkt->skb->protocol; + i++; + break; + } + tuple->encap_num = i; + + err = nft_dev_fill_bridge_path(flow, ft, !dir, out_dev, in_dev, + eth->h_dest, eth->h_source); + if (err < 0) + return err; + + memset(tuple->encap, 0, sizeof(tuple->encap)); + + err = nft_dev_fill_bridge_path(flow, ft, dir, in_dev, out_dev, + eth->h_source, eth->h_dest); + if (err < 0) + return err; + + return 0; +} + static void nft_dev_forward_path(struct nf_flow_route *route, const struct nf_conn *ct, enum ip_conntrack_dir dir, @@ -311,6 +433,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, { struct nft_flow_offload *priv = nft_expr_priv(expr); struct nf_flowtable *flowtable = &priv->flowtable->data; + bool routing = flowtable->type->family != NFPROTO_BRIDGE; struct tcphdr _tcph, *tcph = NULL; struct nf_flow_route route = {}; enum ip_conntrack_info ctinfo; 
@@ -364,14 +487,21 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, goto out; dir = CTINFO2DIR(ctinfo); - if (nft_flow_route(pkt, ct, &route, dir, priv->flowtable) < 0) - goto err_flow_route; + if (routing) { + if (nft_flow_route(pkt, ct, &route, dir, priv->flowtable) < 0) + goto err_flow_route; + } flow = flow_offload_alloc(ct); if (!flow) goto err_flow_alloc; - flow_offload_route_init(flow, &route); + if (routing) + flow_offload_route_init(flow, &route); + else + if (nft_flow_offload_bridge_init(flow, pkt, dir, priv->flowtable) < 0) + goto err_flow_add; + if (tcph) flow_offload_ct_tcp(ct); @@ -419,8 +549,10 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, err_flow_add: flow_offload_free(flow); err_flow_alloc: - dst_release(route.tuple[dir].dst); - dst_release(route.tuple[!dir].dst); + if (routing) { + dst_release(route.tuple[dir].dst); + dst_release(route.tuple[!dir].dst); + } err_flow_route: clear_bit(IPS_OFFLOAD_BIT, &ct->status); out:
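Review bot: in nft_flow_offload_bridge_init() (hunk @@ -193,6 +193,128 @@), the ETH_P_8021Q and ETH_P_PPP_SES cases cast skb_network_header(pkt->skb) to struct vlan_hdr and struct pppoe_hdr and read vhdr->h_vlan_TCI and phdr->sid with no visible check that those bytes are present in the skb's linear data. Unless a caller outside this patch already guarantees that, add a length check before the dereference (for example skb_header_pointer(), or pskb_may_pull() with eth re-read afterwards) and return an error on a short frame. The same function can write tuple->encap[i] twice, once for the hardware-accelerated tag and once for the in-packet header, without comparing i against NF_FLOW_TABLE_ENCAP_MAX, whereas the loop in nft_dev_fill_bridge_path() does check info.num_encaps against it; an explicit bound check here, or a comment stating why two entries always fit, would keep this safe if the limit or the parsing ever changes. The memset() of tuple->encap between the two nft_dev_fill_bridge_path() calls also deserves a one-line comment, since it is not obvious that the second call repopulates that array.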
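Review bot: in nft_flow_offload_eval() (hunk @@ -364,14 +487,21 @@), the new "else" is followed by an unbraced "if" on its own line, which reads like a dangling else and does not follow kernel coding style. Please write it as "else if (nft_flow_offload_bridge_init(flow, pkt, dir, priv->flowtable) < 0)" with the goto on the next line, or brace both branches. In the same hunk, the braces around the single-statement body of "if (routing)" wrapping nft_flow_route() could be avoided by combining the conditions into "if (routing && nft_flow_route(...) < 0)".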
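Review bot: in the error path (hunk @@ -419,8 +549,10 @@), the "if (routing)" guard around the two dst_release() calls looks unnecessary. route is declared as "struct nf_flow_route route = {};" and dst_release() accepts a NULL dst, so for a bridge flowtable, where nft_flow_route() is never called, both calls are already no-ops. Dropping the guard keeps the unwind path identical for both families; if it is kept for readability, a short comment saying that no dst references are taken for bridge flows would explain why.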