From: Qingfang Deng
To: openwrt-devel@lists.openwrt.org
Cc: Qingfang Deng
Subject: [PATCH] kernel: xt_FLOWOFFLOAD: fix reverse route lookup
Date: Mon, 25 Mar 2024 18:27:35 +0800
Message-Id: <20240325102735.392061-1-dqfext@gmail.com>
X-Patchwork-Id: 1915500

From: Qingfang Deng

Backport the following changes from nft_flow_offload.c:

3412e1641828 ("netfilter: flowtable: nft_flow_route use more data for reverse route")
97629b237a8c ("netfilter: flowtable: fix nft_flow_route source address for nat case")

Signed-off-by: Qingfang Deng
---
 .../650-netfilter-add-xt_FLOWOFFLOAD-target.patch | 13 +++++++++++--
 .../650-netfilter-add-xt_FLOWOFFLOAD-target.patch | 13 +++++++++++--
 .../650-netfilter-add-xt_FLOWOFFLOAD-target.patch | 13 +++++++++++--
 3 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index ec887539d5..7a3c7cf857 100644 --- a/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,701 @@ +@@ -0,0 +1,710 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -535,12 +535,21 @@ Signed-off-by: Felix Fietkau + switch (xt_family(par)) { + case NFPROTO_IPV4: + fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; ++ fl.u.ip4.saddr = ct->tuplehash[!dir].tuple.src.u3.ip; + fl.u.ip4.flowi4_oif = xt_in(par)->ifindex; ++ fl.u.ip4.flowi4_iif = this_dst->dev->ifindex; ++ fl.u.ip4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos); ++ fl.u.ip4.flowi4_mark = skb->mark; ++ fl.u.ip4.flowi4_flags = FLOWI_FLAG_ANYSRC; + break; + case NFPROTO_IPV6: -+ fl.u.ip6.saddr = ct->tuplehash[!dir].tuple.dst.u3.in6; + fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; ++ fl.u.ip6.saddr = ct->tuplehash[!dir].tuple.src.u3.in6; + fl.u.ip6.flowi6_oif = xt_in(par)->ifindex; ++ fl.u.ip6.flowi6_iif = this_dst->dev->ifindex; ++ fl.u.ip6.flowlabel = ip6_flowinfo(ipv6_hdr(skb)); ++ fl.u.ip6.flowi6_mark = skb->mark; ++ fl.u.ip6.flowi6_flags = FLOWI_FLAG_ANYSRC; + break; + } + diff --git a/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index 6fdfc79207..972c8f1d31 100644 --- a/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -44,7 +44,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null 
+++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,702 @@ +@@ -0,0 +1,711 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -481,12 +481,21 @@ Signed-off-by: Felix Fietkau + switch (xt_family(par)) { + case NFPROTO_IPV4: + fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; ++ fl.u.ip4.saddr = ct->tuplehash[!dir].tuple.src.u3.ip; + fl.u.ip4.flowi4_oif = xt_in(par)->ifindex; ++ fl.u.ip4.flowi4_iif = this_dst->dev->ifindex; ++ fl.u.ip4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos); ++ fl.u.ip4.flowi4_mark = skb->mark; ++ fl.u.ip4.flowi4_flags = FLOWI_FLAG_ANYSRC; + break; + case NFPROTO_IPV6: -+ fl.u.ip6.saddr = ct->tuplehash[!dir].tuple.dst.u3.in6; + fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; ++ fl.u.ip6.saddr = ct->tuplehash[!dir].tuple.src.u3.in6; + fl.u.ip6.flowi6_oif = xt_in(par)->ifindex; ++ fl.u.ip6.flowi6_iif = this_dst->dev->ifindex; ++ fl.u.ip6.flowlabel = ip6_flowinfo(ipv6_hdr(skb)); ++ fl.u.ip6.flowi6_mark = skb->mark; ++ fl.u.ip6.flowi6_flags = FLOWI_FLAG_ANYSRC; + break; + } + diff --git a/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index 9735983212..c3ebb90e58 100644 --- a/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -44,7 +44,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,702 @@ +@@ -0,0 +1,711 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -481,12 +481,21 @@ 
Signed-off-by: Felix Fietkau + switch (xt_family(par)) { + case NFPROTO_IPV4: + fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; ++ fl.u.ip4.saddr = ct->tuplehash[!dir].tuple.src.u3.ip; + fl.u.ip4.flowi4_oif = xt_in(par)->ifindex; ++ fl.u.ip4.flowi4_iif = this_dst->dev->ifindex; ++ fl.u.ip4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos); ++ fl.u.ip4.flowi4_mark = skb->mark; ++ fl.u.ip4.flowi4_flags = FLOWI_FLAG_ANYSRC; + break; + case NFPROTO_IPV6: -+ fl.u.ip6.saddr = ct->tuplehash[!dir].tuple.dst.u3.in6; + fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; ++ fl.u.ip6.saddr = ct->tuplehash[!dir].tuple.src.u3.in6; + fl.u.ip6.flowi6_oif = xt_in(par)->ifindex; ++ fl.u.ip6.flowi6_iif = this_dst->dev->ifindex; ++ fl.u.ip6.flowlabel = ip6_flowinfo(ipv6_hdr(skb)); ++ fl.u.ip6.flowi6_mark = skb->mark; ++ fl.u.ip6.flowi6_flags = FLOWI_FLAG_ANYSRC; + break; + } +
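
Review bot: In the hack-5.15 copy, the NFPROTO_IPV4 and NFPROTO_IPV6 arms now read `this_dst->dev->ifindex` for flowi4_iif and flowi6_iif, and the hunk's context shows no check that this_dst or this_dst->dev is non-NULL before the switch. Please confirm that this_dst is always set from the packet's dst at this point in xt_FLOWOFFLOAD.c, or return early when it is missing. The same lines appear in the hack-6.1 and hack-6.6 copies.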
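
Review bot: In the hack-6.1 copy, the IPv6 arm changes an existing assignment (saddr moves from `ct->tuplehash[!dir].tuple.dst.u3.in6` to `ct->tuplehash[!dir].tuple.src.u3.in6`) while the IPv4 arm gains saddr for the first time, so the two families behaved differently before this patch and the commit message does not mention it. A sentence in the commit message describing the observed failure, and which of the two upstream commits covers the saddr change, would help anyone bisecting a routing regression later.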
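
Review bot: In the hack-6.6 copy, flowi4_mark and flowi6_mark, flowi4_tos and flowlabel are all taken from the current skb, which travels in the direction opposite to the route being looked up (daddr is the current direction's source and oif is `xt_in(par)->ifindex`). With fwmark-based or TOS-based policy routing rules, the reverse lookup will now be steered by the forward packet's values. A short comment above the switch stating that this is intended and mirrors nft_flow_offload.c would make that explicit.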