<div dir="ltr"><div>Acked-by: Zachary Tahenakos <<a href="mailto:zachary.tahenakos@canonical.com">zachary.tahenakos@canonical.com</a>></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 5, 2022 at 11:39 AM Bodong Wang <<a href="mailto:bodong@nvidia.com">bodong@nvidia.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: Paul Blakey <<a href="mailto:paulb@nvidia.com" target="_blank">paulb@nvidia.com</a>><br>
<br>
BugLink: <a href="https://bugs.launchpad.net/bugs/1967892" rel="noreferrer" target="_blank">https://bugs.launchpad.net/bugs/1967892</a><br>
<br>
After the cited commit optimized hw insertion, flow table entries are<br>
populated with ifindex information which was intended to only be used<br>
for HW offload. This tuple ifindex is hashed in the flow table key, so<br>
it must be filled for lookup to be successful. But tuple ifindex is only<br>
relevant for the netfilter flowtables (nft), so it's not filled in<br>
act_ct flow table lookup, resulting in lookup failure, and no SW<br>
offload and no offload teardown for TCP connection FIN/RST packets.<br>
<br>
To fix this, add new tc ifindex field to tuple, which will<br>
only be used for offloading, not for lookup, as it will not be<br>
part of the tuple hash.<br>
<br>
Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx")<br>
Signed-off-by: Paul Blakey <<a href="mailto:paulb@nvidia.com" target="_blank">paulb@nvidia.com</a>><br>
Signed-off-by: Pablo Neira Ayuso <<a href="mailto:pablo@netfilter.org" target="_blank">pablo@netfilter.org</a>><br>
(backported from commit db6140e5e35a48405e669353bd54042c1d4c3841)<br>
[Oz: Add missing enum ]<br>
Signed-off-by: Oz Shlomo <<a href="mailto:ozsh@nvidia.com" target="_blank">ozsh@nvidia.com</a>><br>
Signed-off-by: Bodong Wang <<a href="mailto:bodong@nvidia.com" target="_blank">bodong@nvidia.com</a>><br>
---<br>
 include/net/netfilter/nf_flow_table.h | 16 ++++++++++++++++<br>
 net/netfilter/nf_flow_table_offload.c |  6 +++++-<br>
 net/sched/act_ct.c                    | 13 +++++++++----<br>
 3 files changed, 30 insertions(+), 5 deletions(-)<br>
<br>
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h<br>
index b40772f..a0c11bc 100644<br>
--- a/include/net/netfilter/nf_flow_table.h<br>
+++ b/include/net/netfilter/nf_flow_table.h<br>
@@ -88,6 +88,14 @@ enum flow_offload_tuple_dir {<br>
        FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX<br>
 };<br>
<br>
+enum flow_offload_xmit_type {<br>
+       FLOW_OFFLOAD_XMIT_UNSPEC        = 0,<br>
+       FLOW_OFFLOAD_XMIT_NEIGH,<br>
+       FLOW_OFFLOAD_XMIT_XFRM,<br>
+       FLOW_OFFLOAD_XMIT_DIRECT,<br>
+       FLOW_OFFLOAD_XMIT_TC,<br>
+};<br>
+<br>
 struct flow_offload_tuple {<br>
        union {<br>
                struct in_addr          src_v4;<br>
@@ -111,6 +119,14 @@ struct flow_offload_tuple {<br>
        u16                             mtu;<br>
<br>
        struct dst_entry                *dst_cache;<br>
+<br>
+       /* fix conflicting upstream commit db6140e5e35a48405e669353bd54042c1d4c3841 */<br>
+       u8                              xmit_type;<br>
+       union {<br>
+               struct {<br>
+                       u32             iifidx;<br>
+               } tc;<br>
+       };<br>
 };<br>
<br>
 struct flow_offload_tuple_rhash {<br>
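Review bot: The new `xmit_type` and `tc.iifidx` members are kept out of the lookup key only by their position after `dst_cache`, and the added comment (`fix conflicting upstream commit …`) does not say so. The commit message depends on this field not being part of the tuple hash, but the hash and compare boundaries are outside this hunk; presumably they stop before `dst_cache`, which should be confirmed for the backport target. I would replace the comment with `/* Offload-only metadata, not part of the lookup key: keep below the hashed members. */` so a later reorder does not bring back the failed lookups and the missed FIN/RST teardown that the commit message describes. The struct starts outside the hunk.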
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c<br>
index b6421a8..e41b5c5 100644<br>
--- a/net/netfilter/nf_flow_table_offload.c<br>
+++ b/net/netfilter/nf_flow_table_offload.c<br>
@@ -103,7 +103,11 @@ static int nf_flow_rule_match(struct nf_flow_match *match,<br>
                nf_flow_rule_lwt_match(match, tun_info);<br>
        }<br>
<br>
-       key->meta.ingress_ifindex = tuple->iifidx;<br>
+       if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_TC)<br>
+               key->meta.ingress_ifindex = tuple->tc.iifidx;<br>
+       else<br>
+               key->meta.ingress_ifindex = tuple->iifidx;<br>
+<br>
        mask->meta.ingress_ifindex = 0xffffffff;<br>
<br>
        switch (tuple->l3proto) {<br>
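Review bot: The `else` branch in `nf_flow_rule_match` treats every tuple whose `xmit_type` is not `FLOW_OFFLOAD_XMIT_TC` as a netfilter entry, which is only right if `xmit_type` starts out as zero for entries that never pass through act_ct. Nothing in the visible hunks sets `FLOW_OFFLOAD_XMIT_UNSPEC` explicitly, so this presumably relies on the flow entry being zero-allocated; that is worth confirming in the tree this is backported to. A short comment above the test would record why the source of the ifindex differs, e.g. `/* act_ct keeps its ifindex outside the hashed key, see tuple->tc.iifidx */`. The function body continues outside the hunk.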
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c<br>
index a54ba2e..ed310be 100644<br>
--- a/net/sched/act_ct.c<br>
+++ b/net/sched/act_ct.c<br>
@@ -356,6 +356,13 @@ static void tcf_ct_flow_table_put(struct tcf_ct_params *params)<br>
        }<br>
 }<br>
<br>
+static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry,<br>
+                                struct nf_conn_act_ct_ext *act_ct_ext, u8 dir)<br>
+{<br>
+       entry->tuplehash[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_TC;<br>
+       entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir];<br>
+}<br>
+<br>
 static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,<br>
                                  struct nf_conn *ct,<br>
                                  bool tcp)<br>
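Review bot: `tcf_ct_flow_tc_ifidx` uses a single `dir` value to index both `entry->tuplehash[]` and `act_ct_ext->ifindex[]`, whereas the lines it replaces in the next hunk indexed them with `FLOW_OFFLOAD_DIR_*` and `IP_CT_DIR_*` respectively. That holds only while the two enums share values (the header context `FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX` suggests they do), and the `u8` parameter hides the assumption. I would declare the parameter as `enum flow_offload_tuple_dir dir` and add `/* FLOW_OFFLOAD_DIR_* and IP_CT_DIR_* are numerically identical */` above the two assignments. Both callers pass constants, so no range check is needed.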
@@ -380,10 +387,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft,<br>
<br>
        act_ct_ext = nf_conn_act_ct_ext_find(ct);<br>
        if (act_ct_ext) {<br>
-               entry->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.iifidx =<br>
-                       act_ct_ext->ifindex[IP_CT_DIR_ORIGINAL];<br>
-               entry->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.iifidx =<br>
-                       act_ct_ext->ifindex[IP_CT_DIR_REPLY];<br>
+               tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL);<br>
+               tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY);<br>
        }<br>
<br>
        err = flow_offload_add(&ct_ft->nf_ft, entry);<br>
-- <br>
1.8.3.1<br>
<br>
<br>
</blockquote></div></div>