netfilter: flowtable: use tuple address to calculate next hop (a0d98b64) · Commits · git / linux-net

net/netfilter/nf_flow_table_ip.c

+12 −4

Original line number	Diff line number	Diff line
		@@ -480,6 +480,7 @@ nf_flow_offload_ip_hook(void priv, struct sk_buff skb,
		{
		struct flow_offload_tuple_rhash *tuplehash;
		struct nf_flowtable *flow_table = priv;
		struct flow_offload_tuple *other_tuple;
		enum flow_offload_tuple_dir dir;
		struct nf_flowtable_ctx ctx = {
		.in = state->in,
		@@ -488,6 +489,7 @@ nf_flow_offload_ip_hook(void priv, struct sk_buff skb,
		struct flow_offload *flow;
		struct neighbour *neigh;
		struct rtable *rt;
		__be32 ip_daddr;
		int ret;

		tuplehash = nf_flow_offload_lookup(&ctx, flow_table, skb);
		@@ -510,8 +512,10 @@ nf_flow_offload_ip_hook(void priv, struct sk_buff skb,

		dir = tuplehash->tuple.dir;
		flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
		other_tuple = &flow->tuplehash[!dir].tuple;
		ip_daddr = other_tuple->src_v4.s_addr;

		if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
		if (nf_flow_encap_push(skb, other_tuple) < 0)
		return NF_DROP;

		switch (tuplehash->tuple.xmit_type) {
		@@ -522,7 +526,7 @@ nf_flow_offload_ip_hook(void priv, struct sk_buff skb,
		flow_offload_teardown(flow);
		return NF_DROP;
		}
		neigh = ip_neigh_gw4(rt->dst.dev, rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr));
		neigh = ip_neigh_gw4(rt->dst.dev, rt_nexthop(rt, ip_daddr));
		if (IS_ERR(neigh)) {
		flow_offload_teardown(flow);
		return NF_DROP;
		@@ -787,11 +791,13 @@ nf_flow_offload_ipv6_hook(void priv, struct sk_buff skb,
		{
		struct flow_offload_tuple_rhash *tuplehash;
		struct nf_flowtable *flow_table = priv;
		struct flow_offload_tuple *other_tuple;
		enum flow_offload_tuple_dir dir;
		struct nf_flowtable_ctx ctx = {
		.in = state->in,
		};
		struct nf_flow_xmit xmit = {};
		struct in6_addr *ip6_daddr;
		struct flow_offload *flow;
		struct neighbour *neigh;
		struct rt6_info *rt;
		@@ -817,8 +823,10 @@ nf_flow_offload_ipv6_hook(void priv, struct sk_buff skb,

		dir = tuplehash->tuple.dir;
		flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
		other_tuple = &flow->tuplehash[!dir].tuple;
		ip6_daddr = &other_tuple->src_v6;

		if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
		if (nf_flow_encap_push(skb, other_tuple) < 0)
		return NF_DROP;

		switch (tuplehash->tuple.xmit_type) {
		@@ -829,7 +837,7 @@ nf_flow_offload_ipv6_hook(void priv, struct sk_buff skb,
		flow_offload_teardown(flow);
		return NF_DROP;
		}
		neigh = ip_neigh_gw6(rt->dst.dev, rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6));
		neigh = ip_neigh_gw6(rt->dst.dev, rt6_nexthop(rt, ip6_daddr));
		if (IS_ERR(neigh)) {
		flow_offload_teardown(flow);
		return NF_DROP;