netfilter: nf_flow_table: fix offload for flows that are subject to xfrm (589b474a) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit 589b474a authored Jul 30, 2019 by

Florian Westphal Committed by Pablo Neira Ayuso Aug 05, 2019

netfilter: nf_flow_table: fix offload for flows that are subject to xfrm



This makes the previously added 'encap test' pass.
Because its possible that the xfrm dst entry becomes stale while such
a flow is offloaded, we need to call dst_check() -- the notifier that
handles this for non-tunneled traffic isn't sufficient, because SA or
or policies might have changed.

If dst becomes stale the flow offload entry will be tagged for teardown
and packets will be passed to 'classic' forwarding path.

Removing the entry right away is problematic, as this would
introduce a race condition with the gc worker.

In case flow is long-lived, it could eventually be offloaded again
once the gc worker removes the entry from the flow table.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 0ca1bbb7

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 701b8990
· Sep 10, 2019

mentioned in commit 701b8990

mentioned in commit 701b89908ba1cf65929dee667a982b325fc2d372

Toggle commit list

Please register or to comment