kernel: backport flow offload pppoe fix

[openwrt/staging/blocktrron.git] / target / linux / generic / backport-6.6 / 740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch

diff --git a/target/linux/generic/backport-6.6/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch b/target/linux/generic/backport-6.6/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch
new file mode 100644 (file)
index 0000000..20ac222
--- /dev/null
+++ b/target/linux/generic/backport-6.6/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch
@@ -0,0 +1,24 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 11 Apr 2024 13:29:00 +0200
+Subject: [PATCH] netfilter: flowtable: incorrect pppoe tuple
+
+pppoe traffic reaching ingress path does not match the flowtable entry
+because the pppoe header is expected to be at the network header offset.
+This bug causes a mismatch in the flow table lookup, so pppoe packets
+enter the classical forwarding path.
+
+Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/net/netfilter/nf_flow_table_ip.c
++++ b/net/netfilter/nf_flow_table_ip.c
+@@ -157,7 +157,7 @@ static void nf_flow_tuple_encap(struct s
+               tuple->encap[i].proto = skb->protocol;
+               break;
+       case htons(ETH_P_PPP_SES):
+-              phdr = (struct pppoe_hdr *)skb_mac_header(skb);
++              phdr = (struct pppoe_hdr *)skb_network_header(skb);
+               tuple->encap[i].id = ntohs(phdr->sid);
+               tuple->encap[i].proto = skb->protocol;
+               break;