netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: wenxu <wenxu@ucloud.cn>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf v2 1/3] netfilter: nf_flow_table_offload: fix dst_neigh lookup
Date: Fri, 20 Dec 2019 22:15:10 +0800	[thread overview]
Message-ID: <c8ab1f26-048f-55c0-da4a-111988b4ffcd@ucloud.cn> (raw)
In-Reply-To: <20191220103131.3lddvvq74yk4z3ay@salvia>


在 2019/12/20 18:31, Pablo Neira Ayuso 写道:
> On Fri, Dec 20, 2019 at 05:19:12PM +0800, wenxu wrote:
>> On 12/20/2019 5:13 PM, Pablo Neira Ayuso wrote:
>>> On Fri, Dec 20, 2019 at 11:53:38AM +0800, wenxu wrote:
>>>> Maybe the patch your suggestion is not correct?
>>>>
>>>> On 12/20/2019 6:18 AM, Pablo Neira Ayuso wrote:
>>>>> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
>>>>> index 506aaaf8151d..8680fc56cd7c 100644
>>>>> --- a/net/netfilter/nf_flow_table_offload.c
>>>>> +++ b/net/netfilter/nf_flow_table_offload.c
>>>>> @@ -156,14 +156,14 @@ static int flow_offload_eth_dst(struct net *net,
>>>>>  				enum flow_offload_tuple_dir dir,
>>>>>  				struct nf_flow_rule *flow_rule)
>>>>>  {
>>>>> -	const struct flow_offload_tuple *tuple = &flow->tuplehash[dir].tuple;
>>>>> +	const struct flow_offload_tuple *tuple = &flow->tuplehash[!dir].tuple;
>>>>>  	struct flow_action_entry *entry0 = flow_action_entry_next(flow_rule);
>>>>>  	struct flow_action_entry *entry1 = flow_action_entry_next(flow_rule);
>>>>>  	struct neighbour *n;
>>>>>  	u32 mask, val;
>>>>>  	u16 val16;
>>>>>  
>>>>> -	n = dst_neigh_lookup(tuple->dst_cache, &tuple->dst_v4);
>>>>> +	n = dst_neigh_lookup(tuple->dst_cache, &tuple->src_v4);
>>>>                 The dst_cache should be flow->tuplehash[dir].tuple.dst_cache  but not peer dir's;
>>> Hm, I think this is like your patch, but without the two extra new lines
>>> and new variable definitions.
>> There is a little bit different. The dst_cache should get from  flow->tuplehash[dir].tuple.dst_cache
>>
>> but not flow->tuplehash[!dir].tuple.dst_cache
>                 SNAT       mangling     ether dst
> original        A -> B      C -> B      [!dir].src
> reply           B -> C      B -> A      [!dir].src
>
>                 DNAT       mangling
> original        A -> C      A -> B      [!dir].src
> reply           B -> A      C -> A      [!dir].src
>
>                 SNAT+DNAT  mangling
> original        A -> C2     C1 -> B     [!dir].src
> reply           B -> C1     C2 -> A     [!dir].src

yes, The daddr should always set as [!dir].src  .

The problem I point out is the first parameters of dst_neigh_lookup, the

dst_entry used to find the gateway or daddr neighbor through dst_entry->dev.

This dst_entry should alway set as [dir].dst_entry.


For example :

                DNAT       mangling
original        A -> C      A -> B      [!dir].src
reply           B -> A      C -> A      [!dir].src


for the original dir: device receive from D1 and forward to D2,
So the mangle addr B([!dir].src) should do neigh lookup on D2([dir].dst_entry->dev)

BR
wenxu


>

  reply	other threads:[~2019-12-20 14:15 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-17  8:52 [PATCH nf v2 0/3] netfilter: nf_flow_table_offload: something fixes wenxu
2019-12-17  8:52 ` [PATCH nf v2 1/3] netfilter: nf_flow_table_offload: fix dst_neigh lookup wenxu
2019-12-19 22:18   ` Pablo Neira Ayuso
2019-12-20  1:18     ` Pablo Neira Ayuso
2019-12-20  3:53     ` wenxu
2019-12-20  9:13       ` Pablo Neira Ayuso
2019-12-20  9:19         ` wenxu
2019-12-20 10:31           ` Pablo Neira Ayuso
2019-12-20 14:15             ` wenxu [this message]
2019-12-17  8:52 ` [PATCH nf v2 2/3] netfilter: nf_flow_table_offload: check the status of dst_neigh wenxu
2019-12-17  8:52 ` [PATCH nf v2 3/3] netfilter: nf_flow_table_offload: fix the nat port mangle wenxu
2019-12-19 23:35   ` Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c8ab1f26-048f-55c0-da4a-111988b4ffcd@ucloud.cn \
    --to=wenxu@ucloud.cn \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).