• wenxu's avatar
    netfilter: nft_flow_offload: fix interaction with vrf slave device · 6b08e8a0
    wenxu authored
    [ Upstream commit 10f4e765 ]
    
    In the forward chain, the iif is changed from slave device to master vrf
    device. Thus, flow offload does not find a match on the lower slave
    device.
    
    This patch uses the cached route, ie. dst->dev, to update the iif and
    oif fields in the flow entry.
    
    After this patch, the following example works fine:
    
     # ip addr add dev eth0 1.1.1.1/24
     # ip addr add dev eth1 10.0.0.1/24
     # ip link add user1 type vrf table 1
     # ip l set user1 up
     # ip l set dev eth0 master user1
     # ip l set dev eth1 master user1
    
     # nft add table firewall
     # nft add flowtable f fb1 { hook ingress priority 0 \; devices = { eth0, eth1 } \; }
     # nft add chain f ftb-all {type filter hook forward priority 0 \; policy accept \; }
     # nft add rule f ftb-all ct zone 1 ip protocol tcp flow offload @fb1
     # nft add rule f ftb-all ct zone 1 ip protocol udp flow offload @fb1Signed-off-by: 's avatarwenxu <wenxu@ucloud.cn>
    Signed-off-by: 's avatarPablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
    6b08e8a0
Name
Last commit
Last update
..
acpi Loading commit data...
asm-generic Loading commit data...
clocksource Loading commit data...
crypto Loading commit data...
drm Loading commit data...
dt-bindings Loading commit data...
keys Loading commit data...
kvm Loading commit data...
linux Loading commit data...
math-emu Loading commit data...
media Loading commit data...
memory Loading commit data...
misc Loading commit data...
net Loading commit data...
pcmcia Loading commit data...
ras Loading commit data...
rdma Loading commit data...
scsi Loading commit data...
soc Loading commit data...
sound Loading commit data...
target Loading commit data...
trace Loading commit data...
uapi Loading commit data...
video Loading commit data...
xen Loading commit data...