From: Greg Kroah-Hartman
Date: Thu, 7 Jun 2018 16:14:21 +0000 (+0200)
Subject: 4.16-stable patches
X-Git-Tag: v4.17.1~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b36876f354e269a03f7e28bca1319af2d54e7de;p=thirdparty%2Fkernel%2Fstable-queue.git
4.16-stable patches
added patches:
netfilter-nf_flow_table-attach-dst-to-skbs.patch
---
diff --git a/queue-4.16/netfilter-nf_flow_table-attach-dst-to-skbs.patch b/queue-4.16/netfilter-nf_flow_table-attach-dst-to-skbs.patch
new file mode 100644
index 00000000000..6f4723baa48
--- /dev/null
+++ b/queue-4.16/netfilter-nf_flow_table-attach-dst-to-skbs.patch
@@ -0,0 +1,62 @@
+From 2a79fd3908acd88e6cb0e620c314d7b1fee56a02 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Wed, 30 May 2018 20:43:15 +0200
+Subject: netfilter: nf_flow_table: attach dst to skbs
+
+From: Jason A. Donenfeld
+
+commit 2a79fd3908acd88e6cb0e620c314d7b1fee56a02 upstream.
+
+Some drivers, such as vxlan and wireguard, use the skb's dst in order to
+determine things like PMTU. They therefore loose functionality when flow
+offloading is enabled. So, we ensure the skb has it before xmit'ing it
+in the offloading path.
+
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/ipv4/netfilter/nf_flow_table_ipv4.c | 5 +++--
+ net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_flow_table_ipv4.c
++++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c
+@@ -213,7 +213,7 @@ nf_flow_offload_ip_hook(void *priv, stru
+ enum flow_offload_tuple_dir dir;
+ struct flow_offload *flow;
+ struct net_device *outdev;
+- const struct rtable *rt;
++ struct rtable *rt;
+ struct iphdr *iph;
+ __be32 nexthop;
+
+@@ -234,7 +234,7 @@ nf_flow_offload_ip_hook(void *priv, stru
+ dir = tuplehash->tuple.dir;
+ flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
+
+- rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
++ rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
+ if (unlikely(nf_flow_exceeds_mtu(skb, rt)))
+ return NF_ACCEPT;
+
+@@ -251,6 +251,7 @@ nf_flow_offload_ip_hook(void *priv, stru
+
+ skb->dev = outdev;
+ nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);
++ skb_dst_set_noref(skb, &rt->dst);
+ neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);
+
+ return NF_STOLEN;
+--- a/net/ipv6/netfilter/nf_flow_table_ipv6.c
++++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c
+@@ -243,6 +243,7 @@ nf_flow_offload_ipv6_hook(void *priv, st
+
+ skb->dev = outdev;
+ nexthop = rt6_nexthop(rt,
&flow->tuplehash[!dir].tuple.src_v6);
++ skb_dst_set_noref(skb, &rt->dst);
+ neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
+
+ return NF_STOLEN;
diff --git a/queue-4.16/series b/queue-4.16/series
index d10b5a3337f..24df1d7cb55 100644
--- a/queue-4.16/series
+++ b/queue-4.16/series
@@ -1,2 +1,3 @@
 mmap-introduce-sane-default-mmap-limits.patch
 mmap-relax-file-size-limit-for-regular-files.patch
+netfilter-nf_flow_table-attach-dst-to-skbs.patch
diff --git a/queue-4.17/series b/queue-4.17/series
new file mode 100644
index 00000000000..a8472f6f808
--- /dev/null
+++ b/queue-4.17/series
@@ -0,0 +1 @@
+netfilter-nf_flow_table-attach-dst-to-skbs.patch
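Review bot: Nothing documents why the non-refcounted attach is safe at the two added `skb_dst_set_noref(skb, &rt->dst);` lines (before `neigh_xmit()` in nf_flow_offload_ip_hook, and the same line in nf_flow_offload_ipv6_hook). The skb takes no reference of its own on the route, so the dst stays valid only while the flow entry's `dst_cache` reference and the surrounding RCU read-side section do; that is presumably guaranteed by the netfilter hook context, and I would say so above each call, e.g. `/* noref: dst is pinned by the flow entry; hook runs under rcu_read_lock() */`. No validity check on the cached dst is visible in these hunks before it is handed to drivers that read PMTU from it, so a route that has gone obsolete would apparently be used as-is; worth confirming whether the rest of the hook covers that. Both function bodies start and end outside the hunks shown.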