
Commit a0d98b6

committed
netfilter: flowtable: use tuple address to calculate next hop
This simplifies IPIP tunnel support coming in follow-up patches. No functional changes are intended. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 030feea commit a0d98b6

1 file changed

Lines changed: 12 additions & 4 deletions


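--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -480,6 +480,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 {
 struct flow_offload_tuple_rhash *tuplehash;
 struct nf_flowtable *flow_table = priv;
+struct flow_offload_tuple *other_tuple;
 enum flow_offload_tuple_dir dir;
 struct nf_flowtable_ctx ctx = {
 .in = state->in,
@@ -488,6 +489,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 struct flow_offload *flow;
 struct neighbour *neigh;
 struct rtable *rt;
+__be32 ip_daddr;
 int ret;
 
 tuplehash = nf_flow_offload_lookup(&ctx, flow_table, skb);
@@ -510,8 +512,10 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 
 dir = tuplehash->tuple.dir;
 flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
+other_tuple = &flow->tuplehash[!dir].tuple;
+ip_daddr = other_tuple->src_v4.s_addr;
 
-if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
+if (nf_flow_encap_push(skb, other_tuple) < 0)
 return NF_DROP;
 
 switch (tuplehash->tuple.xmit_type) {
@@ -522,7 +526,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 flow_offload_teardown(flow);
 return NF_DROP;
 }
-neigh = ip_neigh_gw4(rt->dst.dev, rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr));
+neigh = ip_neigh_gw4(rt->dst.dev, rt_nexthop(rt, ip_daddr));
 if (IS_ERR(neigh)) {
 flow_offload_teardown(flow);
 return NF_DROP;
@@ -787,11 +791,13 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 {
 struct flow_offload_tuple_rhash *tuplehash;
 struct nf_flowtable *flow_table = priv;
+struct flow_offload_tuple *other_tuple;
 enum flow_offload_tuple_dir dir;
 struct nf_flowtable_ctx ctx = {
 .in = state->in,
 };
 struct nf_flow_xmit xmit = {};
+struct in6_addr *ip6_daddr;
 struct flow_offload *flow;
 struct neighbour *neigh;
 struct rt6_info *rt;
@@ -817,8 +823,10 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 
 dir = tuplehash->tuple.dir;
 flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
+other_tuple = &flow->tuplehash[!dir].tuple;
+ip6_daddr = &other_tuple->src_v6;
 
-if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
+if (nf_flow_encap_push(skb, other_tuple) < 0)
 return NF_DROP;
 
 switch (tuplehash->tuple.xmit_type) {
@@ -829,7 +837,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 flow_offload_teardown(flow);
 return NF_DROP;
 }
-neigh = ip_neigh_gw6(rt->dst.dev, rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6));
+neigh = ip_neigh_gw6(rt->dst.dev, rt6_nexthop(rt, ip6_daddr));
 if (IS_ERR(neigh)) {
 flow_offload_teardown(flow);
 return NF_DROP;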
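Review bot: The new locals `ip_daddr` and `ip6_daddr` are named as destinations but are filled from `other_tuple->src_v4.s_addr` and `&other_tuple->src_v6`, and nothing at either assignment explains why the opposite direction's source is the address used for the neighbour lookup. A short comment on each assignment, such as `/* source of the opposite direction is where this direction forwards to */`, would keep the next-hop selection auditable once the follow-up tunnel patches start overriding these values. In the IPv6 hook the variable is a pointer into the flow entry rather than a copy (the IPv4 hook copies the `__be32` by value), and the visible lines only read through it, so `const struct in6_addr *ip6_daddr;` would state that intent. Both function bodies start and end outside the hunks shown, so later uses of these locals could not be checked here.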
