[PATCH nf] netfilter: flowtable: restrict flow dissector match on meta ingress device

[PATCH nf] netfilter: flowtable: restrict flow dissector match on meta ingress device

[Pablo Neira Ayuso]

Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_flow_table_offload.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 4d1e81e2880f..b879e673953f 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -24,6 +24,7 @@ struct flow_offload_work {
 };
 
 struct nf_flow_key {
+	struct flow_dissector_key_meta			meta;
 	struct flow_dissector_key_control		control;
 	struct flow_dissector_key_basic			basic;
 	union {
@@ -55,6 +56,7 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
 	struct nf_flow_key *mask = &match->mask;
 	struct nf_flow_key *key = &match->key;
 
+	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4);
@@ -62,6 +64,9 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);
 
+	key->meta.ingress_ifindex = tuple->iifidx;
+	mask->meta.ingress_ifindex = 0xffffffff;
+
 	switch (tuple->l3proto) {
 	case AF_INET:
 		key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
@@ -105,7 +110,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
 	key->tp.dst = tuple->dst_port;
 	mask->tp.dst = 0xffff;
 
-	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) |
+	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) |
+				      BIT(FLOW_DISSECTOR_KEY_CONTROL) |
 				      BIT(FLOW_DISSECTOR_KEY_BASIC) |
 				      BIT(FLOW_DISSECTOR_KEY_PORTS);
 	return 0;
-- 
2.11.0

Re: [PATCH nf] netfilter: flowtable: restrict flow dissector match on meta ingress device

[wenxu]

Acked-by: wenxu <wenxu@ucloud.cn>


This can avoid the wrong flow install in hardware if there are more than two

forward devices in the flowtables. Because all the devices shared the same

block.

在 2020/1/6 19:47, Pablo Neira Ayuso 写道:
> Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface.
>
> Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>   net/netfilter/nf_flow_table_offload.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index 4d1e81e2880f..b879e673953f 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -24,6 +24,7 @@ struct flow_offload_work {
>   };
>   
>   struct nf_flow_key {
> +	struct flow_dissector_key_meta			meta;
>   	struct flow_dissector_key_control		control;
>   	struct flow_dissector_key_basic			basic;
>   	union {
> @@ -55,6 +56,7 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>   	struct nf_flow_key *mask = &match->mask;
>   	struct nf_flow_key *key = &match->key;
>   
> +	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta);
>   	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);
>   	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);
>   	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4);
> @@ -62,6 +64,9 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>   	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);
>   	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);
>   
> +	key->meta.ingress_ifindex = tuple->iifidx;
> +	mask->meta.ingress_ifindex = 0xffffffff;
> +
>   	switch (tuple->l3proto) {
>   	case AF_INET:
>   		key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
> @@ -105,7 +110,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>   	key->tp.dst = tuple->dst_port;
>   	mask->tp.dst = 0xffff;
>   
> -	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) |
> +	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) |
> +				      BIT(FLOW_DISSECTOR_KEY_CONTROL) |
>   				      BIT(FLOW_DISSECTOR_KEY_BASIC) |
>   				      BIT(FLOW_DISSECTOR_KEY_PORTS);
>   	return 0;