projects / platform / kernel / linux-starfive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 79b9b68)
netfilter: flowtable: restrict flow dissector match on meta ingress device
authorPablo Neira Ayuso <pablo@netfilter.org>
Mon, 6 Jan 2020 11:42:55 +0000 (12:42 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 16 Jan 2020 14:51:48 +0000 (15:51 +0100)
Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_flow_table_offload.c patch | blob | history

diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 4d1e81e..b879e67 100644 (file)
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -24,6 +24,7 @@ struct flow_offload_work {
 };
 
 struct nf_flow_key {
+       struct flow_dissector_key_meta                  meta;
        struct flow_dissector_key_control               control;
        struct flow_dissector_key_basic                 basic;
        union {
@@ -55,6 +56,7 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
        struct nf_flow_key *mask = &match->mask;
        struct nf_flow_key *key = &match->key;
 
+       NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta);
        NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);
        NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);
        NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4);
@@ -62,6 +64,9 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
        NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);
        NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);
 
+       key->meta.ingress_ifindex = tuple->iifidx;
+       mask->meta.ingress_ifindex = 0xffffffff;
+
        switch (tuple->l3proto) {
        case AF_INET:
                key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
@@ -105,7 +110,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
        key->tp.dst = tuple->dst_port;
        mask->tp.dst = 0xffff;
 
-       match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) |
+       match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) |
+                                     BIT(FLOW_DISSECTOR_KEY_CONTROL) |
                                      BIT(FLOW_DISSECTOR_KEY_BASIC) |
                                      BIT(FLOW_DISSECTOR_KEY_PORTS);
        return 0;
Domain: System / Kernel;