Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4632249pxj; Wed, 12 May 2021 09:39:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwzDIW5kRiMGWrnX9bdIJ01uJ+69HIWWKfCZVqIJTjRiwO0kCzJeU3dnLgtpcZ8CNhxPMdX X-Received: by 2002:a2e:918e:: with SMTP id f14mr18439520ljg.379.1620837559561; Wed, 12 May 2021 09:39:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620837559; cv=none; d=google.com; s=arc-20160816; b=0/4WaBNwJ2mSbcMMHBahIf12LRIhR6RLX9zz8M03JKs8E5e2KRnL/flFePPXDnTo6u 3I8FC4tIvxCbsBnWbBD2wscKEH3DD3ykGGK6vYwbdr7cDCxdkgJnJD84IcumrHATgc41 M2UKr474HRkc8ojn/uDyrxM0Q+6B7NWHZ6r7ZPDHwke0ESOAW5QM7WR5DugJUXa0I1gN NWL0pdrh7/3ZijHD9FA7lYT/kfwyeZp00Jk1EeTp8hmPXuOO3fzfAiebi4IzN+bmO1OF IUYDQN40wHYPK6/pQFc4yylyvRNxmvhT5VpJzjV83yTgLKANRP6/lJ6M0ZIbXuxfBwyw u9xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=rZ6E8bis0vFgVpYTyNsqScjAUgdirs8CgqWLUt7E9Rw=; b=B5E0VT+C8M7ab7zmBa1AWNNNqEgoZhJ/HLl/orndnc0QCMvIgMw67FxV9tPSkfS4oP luxKjm/2m9Mw9SML0G+zxUfHvdSHCKjqY6Ld0wPVl2y7g8hQNK9uZvxh1LJmHng9Q2/q pcMiVIqfBKK+Zr2m/ebc3S034tuHBBIUZx864as8KGUcfAy5MCOXUBY92T/Qfd+WLKVx tYR6x2wTMfv8iBPTW2REhKSx9AVbRDuC6Kr6Uv4JIQ+yJ8ovr3xxA0aTJWwBuHfMV77Y 1vXEedHRX4AegDNEOkvid02wrAJ+P8kCLOcnaUYA6S+K3MyF6H2kZwt8tmVvlPmVuhZX 9bMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=G214uGFL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d3si330265ljj.538.2021.05.12.09.38.49; Wed, 12 May 2021 09:39:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=G214uGFL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237184AbhELQcZ (ORCPT + 99 others); Wed, 12 May 2021 12:32:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:56350 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233747AbhELPlL (ORCPT ); Wed, 12 May 2021 11:41:11 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AA10B6157F; Wed, 12 May 2021 15:21:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620832890; bh=qdPPJ/JuIsoB/i4uKbZzoghLW9byITxSWLAp6REjdTA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=G214uGFLKdzx4FqPZizKqZI4Sa1s8rYGLKBeaRepWo3S95A/W1us33nWc2UpvnklA SrTQSUQBR2VEl2Jz5Nfa7p1ShhOsMS0LECM15YKyHU24ZZtn12EqxCnc+NYR0aZm8y VAZ5sf+uMvYCYAH9Ku8BdHciBmFY6o22fXNsWPWo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 5.10 464/530] netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector Date: Wed, 12 May 2021 16:49:34 +0200 Message-Id: <20210512144835.019640540@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144819.664462530@linuxfoundation.org> References: <20210512144819.664462530@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pablo Neira Ayuso [ Upstream commit ff4d90a89d3d4d9814e0a2696509a7d495be4163 ] The flow dissector representation expects the VLAN id in host byteorder. Add the NFT_OFFLOAD_F_NETWORK2HOST flag to swap the bytes from nft_cmp. Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- include/net/netfilter/nf_tables_offload.h | 11 +++++- net/netfilter/nft_cmp.c | 41 +++++++++++++++++++++-- net/netfilter/nft_payload.c | 10 +++--- 3 files changed, 55 insertions(+), 7 deletions(-) diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index b4d080061399..434a6158852f 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -4,11 +4,16 @@ #include #include +enum nft_offload_reg_flags { + NFT_OFFLOAD_F_NETWORK2HOST = (1 << 0), +}; + struct nft_offload_reg { u32 key; u32 len; u32 base_offset; u32 offset; + u32 flags; struct nft_data data; struct nft_data mask; }; @@ -72,13 +77,17 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rul void nft_flow_rule_destroy(struct nft_flow_rule *flow); int nft_flow_rule_offload_commit(struct net *net); -#define NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ +#define NFT_OFFLOAD_MATCH_FLAGS(__key, __base, __field, __len, __reg, __flags) \ (__reg)->base_offset = \ offsetof(struct nft_flow_key, __base); \ (__reg)->offset = \ offsetof(struct nft_flow_key, __base.__field); \ (__reg)->len = __len; \ (__reg)->key = __key; \ + (__reg)->flags = __flags; + +#define NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ + NFT_OFFLOAD_MATCH_FLAGS(__key, __base, __field, __len, __reg, 0) #define NFT_OFFLOAD_MATCH_EXACT(__key, __base, __field, __len, __reg) \ NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c index 00e563a72d3d..1d42d06f5b64 100644 --- a/net/netfilter/nft_cmp.c +++ b/net/netfilter/nft_cmp.c @@ -115,19 +115,56 @@ nla_put_failure: return -1; } +union nft_cmp_offload_data { + u16 val16; + u32 val32; + u64 val64; +}; + +static void nft_payload_n2h(union nft_cmp_offload_data *data, + const u8 *val, u32 len) +{ + switch (len) { + case 2: + data->val16 = ntohs(*((u16 *)val)); + break; + case 4: + data->val32 = ntohl(*((u32 *)val)); + break; + case 8: + data->val64 = be64_to_cpu(*((u64 *)val)); + break; + default: + WARN_ON_ONCE(1); + break; + } +} + static int __nft_cmp_offload(struct nft_offload_ctx *ctx, struct nft_flow_rule *flow, const struct nft_cmp_expr *priv) { struct nft_offload_reg *reg = &ctx->regs[priv->sreg]; + union nft_cmp_offload_data _data, _datamask; u8 *mask = (u8 *)&flow->match.mask; u8 *key = (u8 *)&flow->match.key; + u8 *data, *datamask; if (priv->op != NFT_CMP_EQ || priv->len > reg->len) return -EOPNOTSUPP; - memcpy(key + reg->offset, &priv->data, reg->len); - memcpy(mask + reg->offset, ®->mask, reg->len); + if (reg->flags & NFT_OFFLOAD_F_NETWORK2HOST) { + nft_payload_n2h(&_data, (u8 *)&priv->data, reg->len); + nft_payload_n2h(&_datamask, (u8 *)®->mask, reg->len); + data = (u8 *)&_data; + datamask = (u8 *)&_datamask; + } else { + data = (u8 *)&priv->data; + datamask = (u8 *)®->mask; + } + + memcpy(key + reg->offset, data, reg->len); + memcpy(mask + reg->offset, datamask, reg->len); flow->match.dissector.used_keys |= BIT(reg->key); flow->match.dissector.offset[reg->key] = reg->base_offset; diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index e43863a1761f..1ebee25de677 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c @@ -226,8 +226,9 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx, if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16))) return -EOPNOTSUPP; - NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan, - vlan_tci, sizeof(__be16), reg); + NFT_OFFLOAD_MATCH_FLAGS(FLOW_DISSECTOR_KEY_VLAN, vlan, + vlan_tci, sizeof(__be16), reg, + NFT_OFFLOAD_F_NETWORK2HOST); break; case offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto): if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16))) @@ -241,8 +242,9 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx, if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16))) return -EOPNOTSUPP; - NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_CVLAN, cvlan, - vlan_tci, sizeof(__be16), reg); + NFT_OFFLOAD_MATCH_FLAGS(FLOW_DISSECTOR_KEY_CVLAN, cvlan, + vlan_tci, sizeof(__be16), reg, + NFT_OFFLOAD_F_NETWORK2HOST); break; case offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto) + sizeof(struct vlan_hdr): -- 2.30.2