Revision 9e2b7fa2df4365e99934901da4fb4af52d81e820 authored by Martin Willi on 06 November 2020, 07:30:30 UTC, committed by Jakub Kicinski on 12 November 2020, 15:47:06 UTC
VRF devices use an optimized direct path on output if a default qdisc
is involved, calling Netfilter hooks directly. This path, however, does
not consider Netfilter rules completing asynchronously, such as with
NFQUEUE. The Netfilter okfn() is called for asynchronously accepted
packets, but the VRF never passes that packet down the stack to send
it out over the slave device. Using the slower redirect path for this
seems not feasible, as we do not know beforehand if a Netfilter hook
has asynchronously completing rules.

Fix the use of asynchronously completing Netfilter rules in OUTPUT and
POSTROUTING by using a special completion function that additionally
calls dst_output() to pass the packet down the stack. Also, slightly
adjust the use of nf_reset_ct() so that it is called in the asynchronous
case, too.

Fixes: dcdd43c41e60 ("net: vrf: performance improvements for IPv4")
Fixes: a9ec54d1b0cd ("net: vrf: performance improvements for IPv6")
Signed-off-by: Martin Willi <martin@strongswan.org>
Link: https://lore.kernel.org/r/20201106073030.3974927-1-martin@strongswan.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent 52755b6
Kconfig
# SPDX-License-Identifier: GPL-2.0-only
#
# DECnet configuration
#
config DECNET
	tristate "DECnet Support"
	help
	  The DECnet networking protocol was used in many products made by
	  Digital (now Compaq).  It provides reliable stream and sequenced
	  packet communications over which run a variety of services similar
	  to those which run over TCP/IP.

	  To find some tools to use with the kernel layer support, please
	  look at Patrick Caulfield's web site:
	  <http://linux-decnet.sourceforge.net/>.

	  More detailed documentation is available in
	  <file:Documentation/networking/decnet.rst>.

	  Be sure to say Y to "/proc file system support" and "Sysctl support"
	  below when using DECnet, since you will need sysctl support to aid
	  in configuration at run time.

	  The DECnet code is also available as a module ( = code which can be
	  inserted in and removed from the running kernel whenever you want).
	  The module is called decnet.

config DECNET_ROUTER
	bool "DECnet: router support"
	depends on DECNET
	select FIB_RULES
	help
	  Add support for turning your DECnet Endnode into a level 1 or 2
	  router.  This is an experimental, but functional option.  If you
	  do say Y here, then make sure that you also say Y to "Kernel/User
	  network link driver", "Routing messages" and "Network packet
	  filtering".  The first two are required to allow configuration via
	  rtnetlink (you will need Alexey Kuznetsov's iproute2 package
	  from <ftp://ftp.tux.org/pub/net/ip-routing/>). The "Network packet
	  filtering" option will be required for the forthcoming routing daemon
	  to work.

	  See <file:Documentation/networking/decnet.rst> for more information.