You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
99 lines
2.8 KiB
99 lines
2.8 KiB
From: Felix Fietkau <nbd@nbd.name>
|
|
Date: Sun, 25 Feb 2018 15:41:11 +0100
|
|
Subject: [PATCH] netfilter: nf_flow_table: add support for sending flows
|
|
back to the slow path
|
|
|
|
Reset the timeout. For TCP, also set the state to indicate to use the
|
|
next incoming packets to reset window tracking.
|
|
This allows the slow path to take over again once the offload state has
|
|
been torn down
|
|
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
---
|
|
|
|
--- a/net/netfilter/nf_flow_table_core.c
|
|
+++ b/net/netfilter/nf_flow_table_core.c
|
|
@@ -100,6 +100,43 @@ err_ct_refcnt:
|
|
}
|
|
EXPORT_SYMBOL_GPL(flow_offload_alloc);
|
|
|
|
+static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
|
|
+{
|
|
+ tcp->state = TCP_CONNTRACK_ESTABLISHED;
|
|
+ tcp->seen[0].td_maxwin = 0;
|
|
+ tcp->seen[1].td_maxwin = 0;
|
|
+}
|
|
+
|
|
+static void flow_offload_fixup_ct_state(struct nf_conn *ct)
|
|
+{
|
|
+ const struct nf_conntrack_l4proto *l4proto;
|
|
+ struct net *net = nf_ct_net(ct);
|
|
+ unsigned int *timeouts;
|
|
+ unsigned int timeout;
|
|
+ int l4num;
|
|
+
|
|
+ l4num = nf_ct_protonum(ct);
|
|
+ if (l4num == IPPROTO_TCP)
|
|
+ flow_offload_fixup_tcp(&ct->proto.tcp);
|
|
+
|
|
+ l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), l4num);
|
|
+ if (!l4proto)
|
|
+ return;
|
|
+
|
|
+ timeouts = l4proto->get_timeouts(net);
|
|
+ if (!timeouts)
|
|
+ return;
|
|
+
|
|
+ if (l4num == IPPROTO_TCP)
|
|
+ timeout = timeouts[TCP_CONNTRACK_ESTABLISHED];
|
|
+ else if (l4num == IPPROTO_UDP)
|
|
+ timeout = timeouts[UDP_CT_REPLIED];
|
|
+ else
|
|
+ return;
|
|
+
|
|
+ ct->timeout = nfct_time_stamp + timeout;
|
|
+}
|
|
+
|
|
void flow_offload_free(struct flow_offload *flow)
|
|
{
|
|
struct flow_offload_entry *e;
|
|
@@ -107,7 +144,8 @@ void flow_offload_free(struct flow_offlo
|
|
dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_cache);
|
|
dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_cache);
|
|
e = container_of(flow, struct flow_offload_entry, flow);
|
|
- nf_ct_delete(e->ct, 0, 0);
|
|
+ if (flow->flags & FLOW_OFFLOAD_DYING)
|
|
+ nf_ct_delete(e->ct, 0, 0);
|
|
nf_ct_put(e->ct);
|
|
kfree_rcu(e, rcu_head);
|
|
}
|
|
@@ -164,6 +202,8 @@ EXPORT_SYMBOL_GPL(flow_offload_add);
|
|
static void flow_offload_del(struct nf_flowtable *flow_table,
|
|
struct flow_offload *flow)
|
|
{
|
|
+ struct flow_offload_entry *e;
|
|
+
|
|
rhashtable_remove_fast(&flow_table->rhashtable,
|
|
&flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node,
|
|
nf_flow_offload_rhash_params);
|
|
@@ -171,12 +211,20 @@ static void flow_offload_del(struct nf_f
|
|
&flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node,
|
|
nf_flow_offload_rhash_params);
|
|
|
|
+ e = container_of(flow, struct flow_offload_entry, flow);
|
|
+ clear_bit(IPS_OFFLOAD_BIT, &e->ct->status);
|
|
+
|
|
flow_offload_free(flow);
|
|
}
|
|
|
|
void flow_offload_teardown(struct flow_offload *flow)
|
|
{
|
|
+ struct flow_offload_entry *e;
|
|
+
|
|
flow->flags |= FLOW_OFFLOAD_TEARDOWN;
|
|
+
|
|
+ e = container_of(flow, struct flow_offload_entry, flow);
|
|
+ flow_offload_fixup_ct_state(e->ct);
|
|
}
|
|
EXPORT_SYMBOL_GPL(flow_offload_teardown);
|
|
|
|
|