git.ipfire.org Git - thirdparty/kernel/stable.git/commit
netfilter: nftables_offload: set address type in control dissector
author Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 25 Nov 2020 22:50:07 +0000 (23:50 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Dec 2020 12:22:13 +0000 (13:22 +0100)
commit 10208757f7bac16b55b0eaf3b6908482eefc87cb
tree 46c8c42600faf158f226ddc4325a0e4d4af80bb3
parent 182099ac9e83d7218ca373d72e263f62d2a51b76

commit 3c78e9e0d33a27ab8050e4492c03c6a1f8d0ed6b upstream.

This patch adds nft_flow_rule_set_addr_type() to set the address type
from the nft_payload expression accordingly.

If the address type is not set in the control dissector then a rule that
matches either on source or destination IP address does not work.

After this patch, nft hardware offload generates the flow dissector
configuration as tc-flower does to match on an IP address.

This patch has also been tested functionally to make sure packets are
filtered out by the NIC.

This is also getting the code aligned with the existing netfilter flow
offload infrastructure which is also setting the control dissector.

Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
include/net/netfilter/nf_tables_offload.h
net/netfilter/nf_tables_offload.c
net/netfilter/nft_payload.c