Re: [PATCH net] netfilter: nf_tables: fix bidirectional offload regression

From: Pablo Neira Ayuso
Date: Wed Feb 14 2024 - 10:41:21 EST


On Wed, Feb 14, 2024 at 03:42:35PM +0100, Felix Fietkau wrote:
> Commit 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
> made unidirectional flow offload possible, while completely ignoring (and
> breaking) bidirectional flow offload for nftables.
> Add the missing flag that was left out as an exercise for the reader :)

Thanks for fixing this up, patch is fine.

> Cc: Vlad Buslov <vladbu@xxxxxxxxxx>
> Fixes: 8f84780b84d6 ("netfilter: flowtable: allow unidirectional rules")
> Reported-by: Daniel Golle <daniel@xxxxxxxxxxxxxx>
> Signed-off-by: Felix Fietkau <nbd@xxxxxxxx>
> ---
> net/netfilter/nft_flow_offload.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
> index 397351fa4d5f..ab9576098701 100644
> --- a/net/netfilter/nft_flow_offload.c
> +++ b/net/netfilter/nft_flow_offload.c
> @@ -361,6 +361,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
> ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
> }
>
> + __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
> ret = flow_offload_add(flowtable, flow);
> if (ret < 0)
> goto err_flow_add;
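
Review bot: the added `__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);` line, placed just before `flow_offload_add(flowtable, flow)`, sets the flag unconditionally and has no comment, and the commit message does not explain why every flow created in `nft_flow_offload_eval()` should be marked bidirectional. A one-line comment above it stating that reason would help the next reader. It is also worth noting there that the non-atomic `__set_bit()` depends on running before the flow is handed to `flow_offload_add()`, so the ordering should not be changed later.
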
> --
> 2.43.0
>
>