Commit a7521a60 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: flowtable: restrict flow dissector match on meta ingress device 



Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface.

Fixes: c29f74e0 ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 79b9b685

net/netfilter/nf_flow_table_offload.c

+7 −1
Original line number Diff line number Diff line
@@ -24,6 +24,7 @@ struct flow_offload_work { 
};



struct nf_flow_key {

	struct flow_dissector_key_meta			meta;

	struct flow_dissector_key_control		control;

	struct flow_dissector_key_basic			basic;

	union {
@@ -55,6 +56,7 @@ static int nf_flow_rule_match(struct nf_flow_match *match, 
	struct nf_flow_key *mask = &match->mask;

	struct nf_flow_key *key = &match->key;



	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta);

	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);

	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);

	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4);
@@ -62,6 +64,9 @@ static int nf_flow_rule_match(struct nf_flow_match *match, 
	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);

	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);



	key->meta.ingress_ifindex = tuple->iifidx;

	mask->meta.ingress_ifindex = 0xffffffff;



	switch (tuple->l3proto) {

	case AF_INET:

		key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
@@ -105,7 +110,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match, 
	key->tp.dst = tuple->dst_port;

	mask->tp.dst = 0xffff;



	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) |

	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) |

				      BIT(FLOW_DISSECTOR_KEY_CONTROL) |

				      BIT(FLOW_DISSECTOR_KEY_BASIC) |

				      BIT(FLOW_DISSECTOR_KEY_PORTS);

	return 0;

CRA Git | Maintained and supported by SUSTech CRA and CCSE