kernel: fix xtables flow offload issues
- avoid using garbage stack values as dst pointer if lookup fails - provide the source address for ipv6 dst lookup Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
Felix Fietkau
@@ -70,7 +70,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|||||||
help
|
help
|
||||||
This option adds the flow table core infrastructure.
|
This option adds the flow table core infrastructure.
|
||||||
|
|
||||||
@@ -959,6 +958,15 @@ config NETFILTER_XT_TARGET_NOTRACK
|
@@ -968,6 +967,15 @@ config NETFILTER_XT_TARGET_NOTRACK
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
select NETFILTER_XT_TARGET_CT
|
select NETFILTER_XT_TARGET_CT
|
||||||
|
|
||||||
@@ -88,7 +88,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
--- a/net/netfilter/Makefile
|
--- a/net/netfilter/Makefile
|
||||||
+++ b/net/netfilter/Makefile
|
+++ b/net/netfilter/Makefile
|
||||||
@@ -133,6 +133,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF
|
@@ -134,6 +134,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
|
||||||
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
|
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
|
||||||
@@ -0,0 +1,364 @@
|
@@ -0,0 +1,365 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
|
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
|
||||||
+ *
|
+ *
|
||||||
@@ -295,7 +295,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|||||||
+xt_flowoffload_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir,
|
+xt_flowoffload_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir,
|
||||||
+ const struct xt_action_param *par)
|
+ const struct xt_action_param *par)
|
||||||
+{
|
+{
|
||||||
+ struct dst_entry *dst;
|
+ struct dst_entry *dst = NULL;
|
||||||
+ struct flowi fl;
|
+ struct flowi fl;
|
||||||
+
|
+
|
||||||
+ memset(&fl, 0, sizeof(fl));
|
+ memset(&fl, 0, sizeof(fl));
|
||||||
@@ -304,6 +304,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|||||||
+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
|
+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
|
||||||
+ break;
|
+ break;
|
||||||
+ case NFPROTO_IPV6:
|
+ case NFPROTO_IPV6:
|
||||||
|
+ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
|
||||||
+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
|
+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
|
|||||||
Reference in New Issue
Block a user