[][openwrt][mt7988][crypto][prevent hnat bind UDP flow]

[Description]
Change HNAT binding flow.
HNAT will not bind UDP encrypted flows, since the EIP197 HW does not support
fragmentation. Binding a UDP flow to encryption could cause network
failures due to fragmentation.

[Release-log]
N/A

Change-Id: I421b20e39ccbc91b805ce2977fa662a121a0db4b
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/7962051
diff --git a/package-21.02/kernel/crypto-eip/src/xfrm-offload.c b/package-21.02/kernel/crypto-eip/src/xfrm-offload.c
index 9e101e8..1f29dd0 100644
--- a/package-21.02/kernel/crypto-eip/src/xfrm-offload.c
+++ b/package-21.02/kernel/crypto-eip/src/xfrm-offload.c
@@ -282,6 +282,16 @@
 {
 	struct mtk_xfrm_params *xfrm_params;
 
+	/*
+	 * EIP197 does not support fragmentation. As a result, we can not bind UDP
+	 * flow since it may cause network fail due to fragmentation
+	 */
+	if (ntohs(skb->protocol) != ETH_P_IP
+	    || ip_hdr(skb)->protocol != IPPROTO_TCP) {
+		skb_hnat_alg(skb) = 1;
+		return false;
+	}
+
 	xfrm_params = (struct mtk_xfrm_params *)xs->xso.offload_handle;
 	skb_hnat_cdrt(skb) = xfrm_params->cdrt->idx;
 
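Review bot: The comment on the new guard names only UDP, but the condition `ntohs(skb->protocol) != ETH_P_IP || ip_hdr(skb)->protocol != IPPROTO_TCP` refuses offload for everything except IPv4 TCP, so IPv6 and every other IPv4 protocol are excluded too; I would reword it to `/* EIP197 cannot fragment: offload only IPv4 TCP and leave every other flow unbound */`. The guard looks only at the protocol field, so an IPv4 TCP packet that is already a fragment still passes it, which sits badly with the stated reason and is worth confirming. The same test is repeated in the post-routing hunk (`mtk_hnat_nf_post_rou…`) of 999-4102-mtk-crypto-offload-support.patch; a shared helper would keep the two from drifting, and `skb->protocol != htons(ETH_P_IP)` is the usual form of the first comparison. What the caller does with `return false` is not visible here, so it is worth checking that rejected packets still go through the software xfrm path rather than bypassing the transform. The enclosing function starts and ends outside the hunk.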
diff --git a/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch b/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch
index 360be72..75880ed 100644
--- a/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch
+++ b/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch
@@ -95,7 +95,22 @@
  		return 0;
  
  	ct = nf_ct_get(skb, &ctinfo);
-@@ -3005,7 +3017,10 @@ mtk_hnat_ipv4_nf_local_out(void *priv, s
+@@ -2709,6 +2721,14 @@ static unsigned int mtk_hnat_nf_post_rou
+ 		}
+ 	}
+ 
++	/* we are not support protocols other than IPv4 TCP for crypto offload yet */
++	if (skb_hnat_is_decrypt(skb)
++	    && (ntohs(skb->protocol) != ETH_P_IP
++		|| ip_hdr(skb)->protocol != IPPROTO_TCP)) {
++		skb_hnat_alg(skb) = 1;
++		return 0;
++	}
++
+ 	if (!IS_LAN_GRP(out) && !IS_WAN(out) && !IS_EXT(out))
+ 		is_virt_dev = true;
+ 
+@@ -3016,7 +3036,10 @@ mtk_hnat_ipv4_nf_local_out(void *priv, s
  	if (iph->protocol == IPPROTO_IPV6) {
  		entry->udib1.pkt_type = IPV6_6RD;
  		hnat_set_head_frags(state, skb, 0, hnat_set_alg);
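Review bot: The comment added above the `skb_hnat_is_decrypt(skb)` check reads `we are not support protocols other than IPv4 TCP for crypto offload yet` and gives no reason for the restriction; I would write `/* crypto offload is bound only for IPv4 TCP; set skb_hnat_alg on any other decrypted packet so it is not bound */`, naming the EIP197 fragmentation limit if that is also the reason on this path. The commit description justifies the restriction by fragmentation when encrypting, so why the decrypt side needs the same filter is not evident from the hunk and deserves a sentence. The enclosing function is only partly visible here.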
diff --git a/target/linux/mediatek/patches-5.4/999-4103-mtk-tunnel-crypto-offload-support.patch b/target/linux/mediatek/patches-5.4/999-4103-mtk-tunnel-crypto-offload-support.patch
index 8bc2300..b2cc240 100644
--- a/target/linux/mediatek/patches-5.4/999-4103-mtk-tunnel-crypto-offload-support.patch
+++ b/target/linux/mediatek/patches-5.4/999-4103-mtk-tunnel-crypto-offload-support.patch
@@ -138,7 +138,7 @@
  	skb_hnat_magic_tag(skb) = HNAT_MAGIC_TAG;
  
  	if (skb_hnat_iface(skb) == FOE_MAGIC_WED0)
-@@ -3017,7 +3062,8 @@ mtk_hnat_ipv4_nf_local_out(void *priv, s
+@@ -3037,7 +3082,8 @@ mtk_hnat_ipv4_nf_local_out(void *priv, s
  		entry->udib1.pkt_type = IPV6_6RD;
  		hnat_set_head_frags(state, skb, 0, hnat_set_alg);
  	} else if (is_magic_tag_valid(skb)