netfilter: nf_tables: fix bidirectional offload regression

nbd168 · frank-w · commit 93238fb9dcd2 · 2024-02-17T10:36:57.000+01:00
Commit 8f84780 ("netfilter: flowtable: allow unidirectional rules") made unidirectional flow offload possible, while completely ignoring (and breaking) bidirectional flow offload for nftables. Add the missing flag that was left out as an exercise for the reader :) Cc: Vlad Buslov <vladbu@nvidia.com> Fixes: 8f84780 ("netfilter: flowtable: allow unidirectional rules") Reported-by: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Felix Fietkau <nbd@nbd.name>
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
@@ -361,6 +361,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 	}
 
+	__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
 	ret = flow_offload_add(flowtable, flow);
 	if (ret < 0)
 		goto err_flow_add;

Original file line number	Diff line number	Diff line change
`@@ -361,6 +361,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,`
`361`	`361`	`ct->proto.tcp.seen[1].flags \|= IP_CT_TCP_FLAG_BE_LIBERAL;`
`362`	`362`	`}`
`363`	`363`
	`364`	`+ __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);`
`364`	`365`	`ret = flow_offload_add(flowtable, flow);`
`365`	`366`	`if (ret < 0)`
`366`	`367`	`goto err_flow_add;`