| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/29 12:56 | flow | patch-triage |
15mArgs:null Results: {
"EnableConfigs": [
"NF_FLOW_TABLE",
"NFT_FLOW_OFFLOAD",
"BRIDGE",
"BRIDGE_VLAN_FILTERING"
],
"FocusSymbols": [
"br_fdb_has_forwarding_entry_rcu",
"br_vlan_get_offload_info_rcu",
"br_vlan_is_enabled_rcu",
"__dev_fill_forward_path",
"nft_flow_route",
"nft_flow_route_bridging",
"nft_flow_offload_is_bridging",
"nft_br_vlan_dev_fill_forward_path",
"nft_fill_vlan_passthrough_info"
],
"Reasoning": "The patch adds support for flow offload of bridged traffic. It introduces new functions to check bridge FDB entries and VLAN information for flow offload, and modifies the netfilter flow table path to handle bridged traffic. This is a functional change in the core networking and netfilter subsystems that should be fuzzed.",
"WorthFuzzing": true
} |
| 1/1 | 2026/06/29 12:56 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit 05295d62eecf28986e18aad779cf5dcf3d0596ae\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Mon Jun 29 12:56:27 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h\nindex 75673b8bffcb8a..c1cae54749c516 100644\n--- a/include/linux/if_bridge.h\n+++ b/include/linux/if_bridge.h\n@@ -148,6 +148,9 @@ int br_vlan_get_info(const struct net_device *dev, u16 vid,\n \t\t struct bridge_vlan_info *p_vinfo);\n int br_vlan_get_info_rcu(const struct net_device *dev, u16 vid,\n \t\t\t struct bridge_vlan_info *p_vinfo);\n+u16 br_vlan_get_offload_info_rcu(const struct net_device *dev,\n+\t\t\t\t const struct sk_buff *skb, __be16 *proto);\n+bool br_vlan_is_enabled_rcu(const struct net_device *dev);\n bool br_mst_enabled(const struct net_device *dev);\n int br_mst_get_info(const struct net_device *dev, u16 msti, unsigned long *vids);\n int br_mst_get_state(const struct net_device *dev, u16 msti, u8 *state);\n@@ -184,6 +187,17 @@ static inline int br_vlan_get_info_rcu(const struct net_device *dev, u16 vid,\n \treturn -EINVAL;\n }\n \n+static inline u16 br_vlan_get_offload_info_rcu(const struct net_device *dev,\n+\t\t\t\t\t\tconst struct sk_buff *skb,\n+\t\t\t\t\t\t__be16 *proto)\n+{\n+\treturn 0;\n+}\n+\n+static inline bool br_vlan_is_enabled_rcu(const struct net_device *dev)\n+{\n+\treturn false;\n+}\n static inline bool br_mst_enabled(const struct net_device *dev)\n {\n \treturn false;\n@@ -209,6 +223,8 @@ void br_fdb_clear_offload(const struct net_device *dev, u16 vid);\n bool br_port_flag_is_set(const struct net_device *dev, unsigned long flag);\n u8 br_port_get_stp_state(const struct net_device *dev);\n clock_t br_get_ageing_time(const struct net_device *br_dev);\n+bool br_fdb_has_forwarding_entry_rcu(const struct net_device *dev,\n+\t\t\t\t const struct sk_buff *skb, const u8 *addr);\n #else\n static inline struct net_device *\n br_fdb_find_port(const struct net_device *br_dev,\n@@ -237,6 +253,13 @@ static inline clock_t br_get_ageing_time(const struct net_device *br_dev)\n {\n \treturn 0;\n }\n+\n+static inline bool br_fdb_has_forwarding_entry_rcu(const struct net_device *dev,\n+\t\t\t\t\t\t const struct sk_buff *skb,\n+\t\t\t\t\t\t const u8 *addr)\n+{\n+\treturn false;\n+}\n #endif\n \n #endif\ndiff --git a/include/linux/netdevice.h b/include/linux/netdevice.h\nindex 9981d637f8b546..c1d0b897de9534 100644\n--- a/include/linux/netdevice.h\n+++ b/include/linux/netdevice.h\n@@ -3422,6 +3422,8 @@ int dev_get_iflink(const struct net_device *dev);\n int dev_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb);\n int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,\n \t\t\t struct net_device_path_stack *stack);\n+int __dev_fill_forward_path(struct net_device_path_ctx *ctx, const u8 *daddr,\n+\t\t\t struct net_device_path_stack *stack);\n struct net_device *dev_get_by_name(struct net *net, const char *name);\n struct net_device *dev_get_by_name_rcu(struct net *net, const char *name);\n struct net_device *__dev_get_by_name(struct net *net, const char *name);\ndiff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c\nindex e4570bbed85445..3161c2689f6a6f 100644\n--- a/net/bridge/br_fdb.c\n+++ b/net/bridge/br_fdb.c\n@@ -267,6 +267,38 @@ struct net_bridge_fdb_entry *br_fdb_find_rcu(struct net_bridge *br,\n \treturn fdb_find_rcu(\u0026br-\u003efdb_hash_tbl, addr, vid);\n }\n \n+/**\n+ * br_fdb_has_forwarding_entry_rcu - check if a MAC can be forwarded by the bridge\n+ * @dev: bridge port network device\n+ * @skb: packet buffer (used to determine VLAN id)\n+ * @addr: destination MAC address\n+ *\n+ * Resolves the VLAN id for @skb on @dev (skb VLAN tag when present, PVID\n+ * when VLAN filtering is enabled, 0 otherwise) then checks whether the bridge\n+ * FDB contains a forwarding entry (dst != NULL, not a local/self entry) for\n+ * @addr and that VLAN id. Single br_port_get_rcu() lookup.\n+ * Must be called under RCU read lock.\n+ */\n+bool br_fdb_has_forwarding_entry_rcu(const struct net_device *dev,\n+\t\t\t\t const struct sk_buff *skb, const u8 *addr)\n+{\n+\tstruct net_bridge_port *port = br_port_get_rcu(dev);\n+\tstruct net_bridge_fdb_entry *fdb;\n+\tu16 vid = 0;\n+\n+\tif (!port)\n+\t\treturn false;\n+\tif (br_opt_get(port-\u003ebr, BROPT_VLAN_ENABLED)) {\n+\t\tif (skb_vlan_tag_present(skb))\n+\t\t\tvid = skb_vlan_tag_get_id(skb);\n+\t\telse\n+\t\t\tbr_vlan_get_pvid_rcu(dev, \u0026vid);\n+\t}\n+\tfdb = br_fdb_find_rcu(port-\u003ebr, addr, vid);\n+\treturn fdb \u0026\u0026 fdb-\u003edst;\n+}\n+EXPORT_SYMBOL_GPL(br_fdb_has_forwarding_entry_rcu);\n+\n /* When a static FDB entry is added, the mac address from the entry is\n * added to the bridge private HW address list and all required ports\n * are then updated with the new information.\ndiff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c\nindex 5560afcaaca327..0b296362adf7c9 100644\n--- a/net/bridge/br_vlan.c\n+++ b/net/bridge/br_vlan.c\n@@ -1559,6 +1559,51 @@ int br_vlan_get_info_rcu(const struct net_device *dev, u16 vid,\n }\n EXPORT_SYMBOL_GPL(br_vlan_get_info_rcu);\n \n+/**\n+ * br_vlan_get_offload_info_rcu - get VLAN id and protocol for bridge flow offload\n+ * @dev: bridge port network device\n+ * @skb: packet buffer\n+ * @proto: output for the bridge VLAN protocol (set only when return value != 0)\n+ *\n+ * When VLAN filtering is enabled, resolves the VLAN id for flow offload (skb\n+ * VLAN tag id if present, PVID otherwise) and writes the bridge VLAN protocol\n+ * to @proto. Returns 0 when filtering is off or @dev is not a bridge port.\n+ * Single br_port_get_rcu() lookup. Must be called under RCU read lock.\n+ */\n+u16 br_vlan_get_offload_info_rcu(const struct net_device *dev,\n+\t\t\t\t const struct sk_buff *skb, __be16 *proto)\n+{\n+\tstruct net_bridge_port *port = br_port_get_rcu(dev);\n+\tu16 vid = 0;\n+\n+\tif (!port || !br_opt_get(port-\u003ebr, BROPT_VLAN_ENABLED))\n+\t\treturn 0;\n+\tif (skb_vlan_tag_present(skb))\n+\t\tvid = skb_vlan_tag_get_id(skb);\n+\telse\n+\t\tbr_vlan_get_pvid_rcu(dev, \u0026vid);\n+\tif (vid)\n+\t\t*proto = port-\u003ebr-\u003evlan_proto;\n+\treturn vid;\n+}\n+EXPORT_SYMBOL_GPL(br_vlan_get_offload_info_rcu);\n+\n+/**\n+ * br_vlan_is_enabled_rcu - check if VLAN filtering is active on a port's bridge\n+ * @dev: bridge port network device\n+ *\n+ * Returns true if VLAN filtering is enabled on the bridge @dev belongs to.\n+ * Returns false when @dev is not a bridge port or filtering is off.\n+ * Must be called under RCU read lock.\n+ */\n+bool br_vlan_is_enabled_rcu(const struct net_device *dev)\n+{\n+\tstruct net_bridge_port *port = br_port_get_rcu(dev);\n+\n+\treturn port \u0026\u0026 br_opt_get(port-\u003ebr, BROPT_VLAN_ENABLED);\n+}\n+EXPORT_SYMBOL_GPL(br_vlan_is_enabled_rcu);\n+\n static int br_vlan_is_bind_vlan_dev(const struct net_device *dev)\n {\n \treturn is_vlan_dev(dev) \u0026\u0026\ndiff --git a/net/core/dev.c b/net/core/dev.c\nindex 4b3d5cfdf6e00f..62f1d0b64c76de 100644\n--- a/net/core/dev.c\n+++ b/net/core/dev.c\n@@ -750,44 +750,52 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack)\n \treturn \u0026stack-\u003epath[k];\n }\n \n-int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,\n-\t\t\t struct net_device_path_stack *stack)\n+int __dev_fill_forward_path(struct net_device_path_ctx *ctx, const u8 *daddr,\n+\t\t\t struct net_device_path_stack *stack)\n {\n \tconst struct net_device *last_dev;\n-\tstruct net_device_path_ctx ctx = {\n-\t\t.dev\t= dev,\n-\t};\n \tstruct net_device_path *path;\n \tint ret = 0;\n \n-\tmemcpy(ctx.daddr, daddr, sizeof(ctx.daddr));\n+\tmemcpy(ctx-\u003edaddr, daddr, sizeof(ctx-\u003edaddr));\n \tstack-\u003enum_paths = 0;\n-\twhile (ctx.dev \u0026\u0026 ctx.dev-\u003enetdev_ops-\u003endo_fill_forward_path) {\n-\t\tlast_dev = ctx.dev;\n+\twhile (ctx-\u003edev \u0026\u0026 ctx-\u003edev-\u003enetdev_ops-\u003endo_fill_forward_path) {\n+\t\tlast_dev = ctx-\u003edev;\n \t\tpath = dev_fwd_path(stack);\n \t\tif (!path)\n \t\t\treturn -1;\n \n \t\tmemset(path, 0, sizeof(struct net_device_path));\n-\t\tret = ctx.dev-\u003enetdev_ops-\u003endo_fill_forward_path(\u0026ctx, path);\n+\t\tret = ctx-\u003edev-\u003enetdev_ops-\u003endo_fill_forward_path(ctx, path);\n \t\tif (ret \u003c 0)\n \t\t\treturn -1;\n \n-\t\tif (WARN_ON_ONCE(last_dev == ctx.dev))\n+\t\tif (WARN_ON_ONCE(last_dev == ctx-\u003edev))\n \t\t\treturn -1;\n \t}\n \n-\tif (!ctx.dev)\n+\tif (!ctx-\u003edev)\n \t\treturn ret;\n \n \tpath = dev_fwd_path(stack);\n \tif (!path)\n \t\treturn -1;\n \tpath-\u003etype = DEV_PATH_ETHERNET;\n-\tpath-\u003edev = ctx.dev;\n+\tpath-\u003edev = ctx-\u003edev;\n \n \treturn ret;\n }\n+EXPORT_SYMBOL_GPL(__dev_fill_forward_path);\n+\n+int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,\n+\t\t\t struct net_device_path_stack *stack)\n+{\n+\tstruct net_device_path_ctx ctx = {\n+\t\t.dev\t= dev,\n+\t};\n+\n+\treturn __dev_fill_forward_path(\u0026ctx, daddr, stack);\n+}\n EXPORT_SYMBOL_GPL(dev_fill_forward_path);\n \n /* must be called under rcu_read_lock(), as we dont take a reference */\ndiff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c\nindex 98c03b487f5211..d15c425c88c4aa 100644\n--- a/net/netfilter/nf_flow_table_path.c\n+++ b/net/netfilter/nf_flow_table_path.c\n@@ -15,6 +15,11 @@\n #include \u003cnet/netfilter/nf_conntrack_core.h\u003e\n #include \u003cnet/netfilter/nf_conntrack_extend.h\u003e\n #include \u003cnet/netfilter/nf_flow_table.h\u003e\n+#include \u003clinux/if_bridge.h\u003e\n+#include \u003clinux/if_ether.h\u003e\n+#include \u003clinux/if_vlan.h\u003e\n+#include \u003cnet/route.h\u003e\n+#include \u003cnet/ip6_route.h\u003e\n \n static enum flow_offload_xmit_type nft_xmit_type(struct dst_entry *dst)\n {\n@@ -42,7 +47,25 @@ static bool nft_is_valid_ether_device(const struct net_device *dev)\n \treturn true;\n }\n \n-static int nft_dev_fill_forward_path(const struct nf_flow_route *route,\n+static bool nft_flow_offload_is_bridging(struct sk_buff *skb)\n+{\n+\tbool ret;\n+\n+\tif (!netif_is_bridge_port(skb-\u003edev))\n+\t\treturn false;\n+\tif (!skb_mac_header_was_set(skb))\n+\t\treturn false;\n+\n+\trcu_read_lock();\n+\tret = br_fdb_has_forwarding_entry_rcu(skb-\u003edev, skb,\n+\t\t\t\t\t eth_hdr(skb)-\u003eh_dest);\n+\trcu_read_unlock();\n+\n+\treturn ret;\n+}\n+\n+static int nft_dev_fill_forward_path(struct net_device_path_ctx *ctx,\n+\t\t\t\t const struct nf_flow_route *route,\n \t\t\t\t const struct dst_entry *dst_cache,\n \t\t\t\t const struct nf_conn *ct,\n \t\t\t\t enum ip_conntrack_dir dir, u8 *ha,\n@@ -58,6 +81,12 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,\n \t\tgoto out;\n \t}\n \n+\t/* Bridging fastpath copies Ethernet addresses into ha; do not replace\n+\t * them via neighbour lookup on the routed destination device.\n+\t */\n+\tif (!is_zero_ether_addr(ha))\n+\t\tgoto out;\n+\n \tn = dst_neigh_lookup(dst_cache, daddr);\n \tif (!n)\n \t\treturn -1;\n@@ -72,7 +101,23 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,\n \t\treturn -1;\n \n out:\n-\treturn dev_fill_forward_path(dev, ha, stack);\n+\treturn __dev_fill_forward_path(ctx, ha, stack);\n+}\n+\n+static void nft_br_vlan_dev_fill_forward_path(const struct nft_pktinfo *pkt,\n+\t\t\t\t\t struct net_device_path_ctx *ctx)\n+{\n+\t__be16 proto = 0;\n+\tu16 vlan_id;\n+\n+\trcu_read_lock();\n+\tvlan_id = br_vlan_get_offload_info_rcu(pkt-\u003eskb-\u003edev, pkt-\u003eskb, \u0026proto);\n+\tif (vlan_id) {\n+\t\tctx-\u003enum_vlans = 1;\n+\t\tctx-\u003evlan[0].id = vlan_id;\n+\t\tctx-\u003evlan[0].proto = proto;\n+\t}\n+\trcu_read_unlock();\n }\n \n struct nft_forward_info {\n@@ -92,6 +137,29 @@ struct nft_forward_info {\n \tenum flow_offload_xmit_type xmit_type;\n };\n \n+static void nft_fill_vlan_passthrough_info(const struct nft_pktinfo *pkt,\n+\t\t\t\t\t struct nft_forward_info *info)\n+{\n+\tif (!skb_vlan_tag_present(pkt-\u003eskb))\n+\t\treturn;\n+\n+\trcu_read_lock();\n+\t/* when bridge VLAN filtering is enabled, the bridge handles the tag */\n+\tif (netif_is_bridge_port(pkt-\u003eskb-\u003edev) \u0026\u0026\n+\t !br_vlan_is_enabled_rcu(pkt-\u003eskb-\u003edev)) {\n+\t\tif (info-\u003enum_encaps \u003e= NF_FLOW_TABLE_ENCAP_MAX) {\n+\t\t\tinfo-\u003eindev = NULL;\n+\t\t} else {\n+\t\t\tinfo-\u003eencap[info-\u003enum_encaps].id =\n+\t\t\t\tskb_vlan_tag_get_id(pkt-\u003eskb);\n+\t\t\tinfo-\u003eencap[info-\u003enum_encaps].proto =\n+\t\t\t\tpkt-\u003eskb-\u003evlan_proto;\n+\t\t\tinfo-\u003enum_encaps++;\n+\t\t}\n+\t}\n+\trcu_read_unlock();\n+}\n+\n static int nft_dev_path_info(const struct net_device_path_stack *stack,\n \t\t\t struct nft_forward_info *info,\n \t\t\t unsigned char *ha, struct nf_flowtable *flowtable)\n@@ -103,13 +171,13 @@ static int nft_dev_path_info(const struct net_device_path_stack *stack,\n \n \tfor (i = 0; i \u003c stack-\u003enum_paths; i++) {\n \t\tpath = \u0026stack-\u003epath[i];\n+\t\tinfo-\u003eindev = path-\u003edev;\n \t\tswitch (path-\u003etype) {\n \t\tcase DEV_PATH_ETHERNET:\n \t\tcase DEV_PATH_DSA:\n \t\tcase DEV_PATH_VLAN:\n \t\tcase DEV_PATH_PPPOE:\n \t\tcase DEV_PATH_TUN:\n-\t\t\tinfo-\u003eindev = path-\u003edev;\n \t\t\tif (is_zero_ether_addr(info-\u003eh_source))\n \t\t\t\tmemcpy(info-\u003eh_source, path-\u003edev-\u003edev_addr, ETH_ALEN);\n \n@@ -175,6 +243,10 @@ static int nft_dev_path_info(const struct net_device_path_stack *stack,\n \t\t\t}\n \t\t\tinfo-\u003exmit_type = FLOW_OFFLOAD_XMIT_DIRECT;\n \t\t\tbreak;\n+\t\tcase DEV_PATH_MTK_WDMA:\n+\t\t\tif (is_zero_ether_addr(info-\u003eh_source))\n+\t\t\t\tmemcpy(info-\u003eh_source, path-\u003edev-\u003edev_addr, ETH_ALEN);\n+\t\t\tbreak;\n \t\tdefault:\n \t\t\treturn -1;\n \t\t}\n@@ -244,6 +316,7 @@ static int nft_flow_tunnel_update_route(const struct nft_pktinfo *pkt,\n }\n \n static int nft_dev_forward_path(const struct nft_pktinfo *pkt,\n+\t\t\t\tbool is_bridging,\n \t\t\t\tstruct nf_flow_route *route,\n \t\t\t\tconst struct nf_conn *ct,\n \t\t\t\tenum ip_conntrack_dir dir,\n@@ -251,12 +324,38 @@ static int nft_dev_forward_path(const struct nft_pktinfo *pkt,\n {\n \tconst struct dst_entry *dst = route-\u003etuple[dir].dst;\n \tstruct net_device_path_stack stack;\n+\tstruct net_device_path_ctx ctx = {\n+\t\t.dev\t= dst-\u003edev,\n+\t};\n \tstruct nft_forward_info info = {};\n+\tenum ip_conntrack_info pkt_ctinfo;\n+\tenum ip_conntrack_dir skb_dir;\n+\tstruct ethhdr *eth;\n \tunsigned char ha[ETH_ALEN];\n \tint i;\n \n-\tif (nft_dev_fill_forward_path(route, dst, ct, dir, ha, \u0026stack) \u003c 0 ||\n-\t nft_dev_path_info(\u0026stack, \u0026info, ha, \u0026ft-\u003edata) \u003c 0)\n+\tmemset(ha, 0, sizeof(ha));\n+\n+\tif (is_bridging) {\n+\t\tnf_ct_get(pkt-\u003eskb, \u0026pkt_ctinfo);\n+\t\teth = eth_hdr(pkt-\u003eskb);\n+\t\tskb_dir = CTINFO2DIR(pkt_ctinfo);\n+\t\tif (skb_dir != dir) {\n+\t\t\tmemcpy(ha, eth-\u003eh_source, ETH_ALEN);\n+\t\t\tmemcpy(info.h_source, eth-\u003eh_dest, ETH_ALEN);\n+\t\t} else {\n+\t\t\tmemcpy(ha, eth-\u003eh_dest, ETH_ALEN);\n+\t\t\tmemcpy(info.h_source, eth-\u003eh_source, ETH_ALEN);\n+\t\t}\n+\t\tnft_br_vlan_dev_fill_forward_path(pkt, \u0026ctx);\n+\t}\n+\n+\tif (nft_dev_fill_forward_path(\u0026ctx, route, dst, ct, dir, ha, \u0026stack) \u003c 0)\n+\t\treturn -ENOENT;\n+\n+\tnft_fill_vlan_passthrough_info(pkt, \u0026info);\n+\n+\tif (nft_dev_path_info(\u0026stack, \u0026info, ha, \u0026ft-\u003edata) \u003c 0)\n \t\treturn -ENOENT;\n \n \tif (!nft_flowtable_find_dev(info.indev, ft))\n@@ -292,9 +391,11 @@ static int nft_dev_forward_path(const struct nft_pktinfo *pkt,\n \treturn 0;\n }\n \n-int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,\n-\t\t struct nf_flow_route *route, enum ip_conntrack_dir dir,\n-\t\t struct nft_flowtable *ft)\n+static int nft_flow_route_routing(const struct nft_pktinfo *pkt,\n+\t\t\t\t const struct nf_conn *ct,\n+\t\t\t\t struct nf_flow_route *route,\n+\t\t\t\t enum ip_conntrack_dir dir,\n+\t\t\t\t struct nft_flowtable *ft)\n {\n \tstruct dst_entry *this_dst = skb_dst(pkt-\u003eskb);\n \tstruct dst_entry *other_dst = NULL;\n@@ -334,12 +435,12 @@ int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,\n \tnft_default_forward_path(route, this_dst, dir);\n \tnft_default_forward_path(route, other_dst, !dir);\n \n-\tif (route-\u003etuple[dir].xmit_type\t== FLOW_OFFLOAD_XMIT_NEIGH \u0026\u0026\n-\t nft_dev_forward_path(pkt, route, ct, dir, ft) \u003c 0)\n+\tif (route-\u003etuple[dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH \u0026\u0026\n+\t nft_dev_forward_path(pkt, false, route, ct, dir, ft) \u003c 0)\n \t\tgoto err_dst_release;\n \n \tif (route-\u003etuple[!dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH \u0026\u0026\n-\t nft_dev_forward_path(pkt, route, ct, !dir, ft) \u003c 0)\n+\t nft_dev_forward_path(pkt, false, route, ct, !dir, ft) \u003c 0)\n \t\tgoto err_dst_release;\n \n \treturn 0;\n@@ -349,4 +450,82 @@ int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,\n \tdst_release(route-\u003etuple[!dir].dst);\n \treturn -ENOENT;\n }\n+\n+static int nft_flow_route_bridging(const struct nft_pktinfo *pkt,\n+\t\t\t\t const struct nf_conn *ct,\n+\t\t\t\t struct nf_flow_route *route,\n+\t\t\t\t enum ip_conntrack_dir dir,\n+\t\t\t\t struct nft_flowtable *ft)\n+{\n+\tstruct dst_entry *dsts[IP_CT_DIR_MAX] = {};\n+\tstruct net_device *br_dev;\n+\tint i;\n+\n+\t/* Allocate minimal dsts anchored to the bridge master device to supply\n+\t * xmit_type and MTU. A full routing lookup via nf_route() is avoided\n+\t * because it fails for prefixes that are bridged but not routed.\n+\t */\n+\trcu_read_lock();\n+\tbr_dev = netdev_master_upper_dev_get_rcu(pkt-\u003eskb-\u003edev);\n+\tif (!br_dev || !netif_is_bridge_master(br_dev)) {\n+\t\trcu_read_unlock();\n+\t\treturn -ENOENT;\n+\t}\n+\n+\tfor (i = 0; i \u003c IP_CT_DIR_MAX; i++) {\n+\t\tswitch (nft_pf(pkt)) {\n+\t\tcase NFPROTO_IPV4: {\n+\t\t\tstruct rtable *rt;\n+\n+\t\t\trt = rt_dst_alloc(br_dev, 0, RTN_UNICAST, true);\n+\t\t\tif (rt)\n+\t\t\t\tdsts[i] = \u0026rt-\u003edst;\n+\t\t\tbreak;\n+\t\t}\n+\t\tcase NFPROTO_IPV6: {\n+\t\t\tstruct rt6_info *rt;\n+\n+\t\t\trt = ip6_dst_alloc(nft_net(pkt), br_dev, 0);\n+\t\t\tif (rt)\n+\t\t\t\tdsts[i] = \u0026rt-\u003edst;\n+\t\t\tbreak;\n+\t\t}\n+\t\t}\n+\t}\n+\trcu_read_unlock();\n+\n+\tif (!dsts[dir] || !dsts[!dir]) {\n+\t\tdst_release(dsts[dir]);\n+\t\tdst_release(dsts[!dir]);\n+\t\treturn -ENOENT;\n+\t}\n+\n+\tnft_default_forward_path(route, dsts[dir], dir);\n+\tnft_default_forward_path(route, dsts[!dir], !dir);\n+\t/* Drop allocation references; route-\u003etuple[*].dst holds the clones. */\n+\tdst_release(dsts[dir]);\n+\tdst_release(dsts[!dir]);\n+\n+\tif (route-\u003etuple[dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH \u0026\u0026\n+\t route-\u003etuple[!dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH) {\n+\t\tif (nft_dev_forward_path(pkt, true, route, ct, dir, ft) ||\n+\t\t nft_dev_forward_path(pkt, true, route, ct, !dir, ft)) {\n+\t\t\tdst_release(route-\u003etuple[dir].dst);\n+\t\t\tdst_release(route-\u003etuple[!dir].dst);\n+\t\t\treturn -ENOENT;\n+\t\t}\n+\t}\n+\n+\treturn 0;\n+}\n+\n+int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,\n+\t\t struct nf_flow_route *route, enum ip_conntrack_dir dir,\n+\t\t struct nft_flowtable *ft)\n+{\n+\tif (nft_flow_offload_is_bridging(pkt-\u003eskb))\n+\t\treturn nft_flow_route_bridging(pkt, ct, route, dir, ft);\n+\n+\treturn nft_flow_route_routing(pkt, ct, route, dir, ft);\n+}\n EXPORT_SYMBOL_GPL(nft_flow_route);\n"
} |
| 2/1 | 2026/06/29 12:56 | agent | patch-evaluator |
15mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"NF_FLOW_TABLE",
"NFT_FLOW_OFFLOAD",
"BRIDGE",
"BRIDGE_VLAN_FILTERING"
],
"FocusSymbols": [
"br_fdb_has_forwarding_entry_rcu",
"br_vlan_get_offload_info_rcu",
"br_vlan_is_enabled_rcu",
"__dev_fill_forward_path",
"nft_flow_route",
"nft_flow_route_bridging",
"nft_flow_offload_is_bridging",
"nft_br_vlan_dev_fill_forward_path",
"nft_fill_vlan_passthrough_info"
],
"Reasoning": "The patch adds support for flow offload of bridged traffic. It introduces new functions to check bridge FDB entries and VLAN information for flow offload, and modifies the netfilter flow table path to handle bridged traffic. This is a functional change in the core networking and netfilter subsystems that should be fuzzed.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit 05295d62eecf28986e18aad779cf5dcf3d0596ae
Author: syz-cluster <triage@syzkaller.com>
Date: Mon Jun 29 12:56:27 2026 +0000
syz-cluster: applied patch under review
diff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h
index 75673b8bffcb8a..c1cae54749c516 100644
--- a/include/linux/if_bridge.h
+++ b/include/linux/if_bridge.h
@@ -148,6 +148,9 @@ int br_vlan_get_info(const struct net_device *dev, u16 vid,
struct bridge_vlan_info *p_vinfo);
int br_vlan_get_info_rcu(const struct net_device *dev, u16 vid,
struct bridge_vlan_info *p_vinfo);
+u16 br_vlan_get_offload_info_rcu(const struct net_device *dev,
+ const struct sk_buff *skb, __be16 *proto);
+bool br_vlan_is_enabled_rcu(const struct net_device *dev);
bool br_mst_enabled(const struct net_device *dev);
int br_mst_get_info(const struct net_device *dev, u16 msti, unsigned long *vids);
int br_mst_get_state(const struct net_device *dev, u16 msti, u8 *state);
@@ -184,6 +187,17 @@ static inline int br_vlan_get_info_rcu(const struct net_device *dev, u16 vid,
return -EINVAL;
}
+static inline u16 br_vlan_get_offload_info_rcu(const struct net_device *dev,
+ const struct sk_buff *skb,
+ __be16 *proto)
+{
+ return 0;
+}
+
+static inline bool br_vlan_is_enabled_rcu(const struct net_device *dev)
+{
+ return false;
+}
static inline bool br_mst_enabled(const struct net_device *dev)
{
return false;
@@ -209,6 +223,8 @@ void br_fdb_clear_offload(const struct net_device *dev, u16 vid);
bool br_port_flag_is_set(const struct net_device *dev, unsigned long flag);
u8 br_port_get_stp_state(const struct net_device *dev);
clock_t br_get_ageing_time(const struct net_device *br_dev);
+bool br_fdb_has_forwarding_entry_rcu(const struct net_device *dev,
+ const struct sk_buff *skb, const u8 *addr);
#else
static inline struct net_device *
br_fdb_find_port(const struct net_device *br_dev,
@@ -237,6 +253,13 @@ static inline clock_t br_get_ageing_time(const struct net_device *br_dev)
{
return 0;
}
+
+static inline bool br_fdb_has_forwarding_entry_rcu(const struct net_device *dev,
+ const struct sk_buff *skb,
+ const u8 *addr)
+{
+ return false;
+}
#endif
#endif
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 9981d637f8b546..c1d0b897de9534 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3422,6 +3422,8 @@ int dev_get_iflink(const struct net_device *dev);
int dev_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb);
int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,
struct net_device_path_stack *stack);
+int __dev_fill_forward_path(struct net_device_path_ctx *ctx, const u8 *daddr,
+ struct net_device_path_stack *stack);
struct net_device *dev_get_by_name(struct net *net, const char *name);
struct net_device *dev_get_by_name_rcu(struct net *net, const char *name);
struct net_device *__dev_get_by_name(struct net *net, const char *name);
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index e4570bbed85445..3161c2689f6a6f 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -267,6 +267,38 @@ struct net_bridge_fdb_entry *br_fdb_find_rcu(struct net_bridge *br,
return fdb_find_rcu(&br->fdb_hash_tbl, addr, vid);
}
+/**
+ * br_fdb_has_forwarding_entry_rcu - check if a MAC can be forwarded by the bridge
+ * @dev: bridge port network device
+ * @skb: packet buffer (used to determine VLAN id)
+ * @addr: destination MAC address
+ *
+ * Resolves the VLAN id for @skb on @dev (skb VLAN tag when present, PVID
+ * when VLAN filtering is enabled, 0 otherwise) then checks whether the bridge
+ * FDB contains a forwarding entry (dst != NULL, not a local/self entry) for
+ * @addr and that VLAN id. Single br_port_get_rcu() lookup.
+ * Must be called under RCU read lock.
+ */
+bool br_fdb_has_forwarding_entry_rcu(const struct net_device *dev,
+ const struct sk_buff *skb, const u8 *addr)
+{
+ struct net_bridge_port *port = br_port_get_rcu(dev);
+ struct net_bridge_fdb_entry *fdb;
+ u16 vid = 0;
+
+ if (!port)
+ return false;
+ if (br_opt_get(port->br, BROPT_VLAN_ENABLED)) {
+ if (skb_vlan_tag_present(skb))
+ vid = skb_vlan_tag_get_id(skb);
+ else
+ br_vlan_get_pvid_rcu(dev, &vid);
+ }
+ fdb = br_fdb_find_rcu(port->br, addr, vid);
+ return fdb && fdb->dst;
+}
+EXPORT_SYMBOL_GPL(br_fdb_has_forwarding_entry_rcu);
+
/* When a static FDB entry is added, the mac address from the entry is
* added to the bridge private HW address list and all required ports
* are then updated with the new information.
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 5560afcaaca327..0b296362adf7c9 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -1559,6 +1559,51 @@ int br_vlan_get_info_rcu(const struct net_device *dev, u16 vid,
}
EXPORT_SYMBOL_GPL(br_vlan_get_info_rcu);
+/**
+ * br_vlan_get_offload_info_rcu - get VLAN id and protocol for bridge flow offload
+ * @dev: bridge port network device
+ * @skb: packet buffer
+ * @proto: output for the bridge VLAN protocol (set only when return value != 0)
+ *
+ * When VLAN filtering is enabled, resolves the VLAN id for flow offload (skb
+ * VLAN tag id if present, PVID otherwise) and writes the bridge VLAN protocol
+ * to @proto. Returns 0 when filtering is off or @dev is not a bridge port.
+ * Single br_port_get_rcu() lookup. Must be called under RCU read lock.
+ */
+u16 br_vlan_get_offload_info_rcu(const struct net_device *dev,
+ const struct sk_buff *skb, __be16 *proto)
+{
+ struct net_bridge_port *port = br_port_get_rcu(dev);
+ u16 vid = 0;
+
+ if (!port || !br_opt_get(port->br, BROPT_VLAN_ENABLED))
+ return 0;
+ if (skb_vlan_tag_present(skb))
+ vid = skb_vlan_tag_get_id(skb);
+ else
+ br_vlan_get_pvid_rcu(dev, &vid);
+ if (vid)
+ *proto = port->br->vlan_proto;
+ return vid;
+}
+EXPORT_SYMBOL_GPL(br_vlan_get_offload_info_rcu);
+
+/**
+ * br_vlan_is_enabled_rcu - check if VLAN filtering is active on a port's bridge
+ * @dev: bridge port network device
+ *
+ * Returns true if VLAN filtering is enabled on the bridge @dev belongs to.
+ * Returns false when @dev is not a bridge port or filtering is off.
+ * Must be called under RCU read lock.
+ */
+bool br_vlan_is_enabled_rcu(const struct net_device *dev)
+{
+ struct net_bridge_port *port = br_port_get_rcu(dev);
+
+ return port && br_opt_get(port->br, BROPT_VLAN_ENABLED);
+}
+EXPORT_SYMBOL_GPL(br_vlan_is_enabled_rcu);
+
static int br_vlan_is_bind_vlan_dev(const struct net_device *dev)
{
return is_vlan_dev(dev) &&
diff --git a/net/core/dev.c b/net/core/dev.c
index 4b3d5cfdf6e00f..62f1d0b64c76de 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -750,44 +750,52 @@ static struct net_device_path *dev_fwd_path(struct net_device_path_stack *stack)
return &stack->path[k];
}
-int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,
- struct net_device_path_stack *stack)
+int __dev_fill_forward_path(struct net_device_path_ctx *ctx, const u8 *daddr,
+ struct net_device_path_stack *stack)
{
const struct net_device *last_dev;
- struct net_device_path_ctx ctx = {
- .dev = dev,
- };
struct net_device_path *path;
int ret = 0;
- memcpy(ctx.daddr, daddr, sizeof(ctx.daddr));
+ memcpy(ctx->daddr, daddr, sizeof(ctx->daddr));
stack->num_paths = 0;
- while (ctx.dev && ctx.dev->netdev_ops->ndo_fill_forward_path) {
- last_dev = ctx.dev;
+ while (ctx->dev && ctx->dev->netdev_ops->ndo_fill_forward_path) {
+ last_dev = ctx->dev;
path = dev_fwd_path(stack);
if (!path)
return -1;
memset(path, 0, sizeof(struct net_device_path));
- ret = ctx.dev->netdev_ops->ndo_fill_forward_path(&ctx, path);
+ ret = ctx->dev->netdev_ops->ndo_fill_forward_path(ctx, path);
if (ret < 0)
return -1;
- if (WARN_ON_ONCE(last_dev == ctx.dev))
+ if (WARN_ON_ONCE(last_dev == ctx->dev))
return -1;
}
- if (!ctx.dev)
+ if (!ctx->dev)
return ret;
path = dev_fwd_path(stack);
if (!path)
return -1;
path->type = DEV_PATH_ETHERNET;
- path->dev = ctx.dev;
+ path->dev = ctx->dev;
return ret;
}
+EXPORT_SYMBOL_GPL(__dev_fill_forward_path);
+
+int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,
+ struct net_device_path_stack *stack)
+{
+ struct net_device_path_ctx ctx = {
+ .dev = dev,
+ };
+
+ return __dev_fill_forward_path(&ctx, daddr, stack);
+}
EXPORT_SYMBOL_GPL(dev_fill_forward_path);
/* must be called under rcu_read_lock(), as we dont take a reference */
diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c
index 98c03b487f5211..d15c425c88c4aa 100644
--- a/net/netfilter/nf_flow_table_path.c
+++ b/net/netfilter/nf_flow_table_path.c
@@ -15,6 +15,11 @@
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_flow_table.h>
+#include <linux/if_bridge.h>
+#include <linux/if_ether.h>
+#include <linux/if_vlan.h>
+#include <net/route.h>
+#include <net/ip6_route.h>
static enum flow_offload_xmit_type nft_xmit_type(struct dst_entry *dst)
{
@@ -42,7 +47,25 @@ static bool nft_is_valid_ether_device(const struct net_device *dev)
return true;
}
-static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
+static bool nft_flow_offload_is_bridging(struct sk_buff *skb)
+{
+ bool ret;
+
+ if (!netif_is_bridge_port(skb->dev))
+ return false;
+ if (!skb_mac_header_was_set(skb))
+ return false;
+
+ rcu_read_lock();
+ ret = br_fdb_has_forwarding_entry_rcu(skb->dev, skb,
+ eth_hdr(skb)->h_dest);
+ rcu_read_unlock();
+
+ return ret;
+}
+
+static int nft_dev_fill_forward_path(struct net_device_path_ctx *ctx,
+ const struct nf_flow_route *route,
const struct dst_entry *dst_cache,
const struct nf_conn *ct,
enum ip_conntrack_dir dir, u8 *ha,
@@ -58,6 +81,12 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
goto out;
}
+ /* Bridging fastpath copies Ethernet addresses into ha; do not replace
+ * them via neighbour lookup on the routed destination device.
+ */
+ if (!is_zero_ether_addr(ha))
+ goto out;
+
n = dst_neigh_lookup(dst_cache, daddr);
if (!n)
return -1;
@@ -72,7 +101,23 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
return -1;
out:
- return dev_fill_forward_path(dev, ha, stack);
+ return __dev_fill_forward_path(ctx, ha, stack);
+}
+
+static void nft_br_vlan_dev_fill_forward_path(const struct nft_pktinfo *pkt,
+ struct net_device_path_ctx *ctx)
+{
+ __be16 proto = 0;
+ u16 vlan_id;
+
+ rcu_read_lock();
+ vlan_id = br_vlan_get_offload_info_rcu(pkt->skb->dev, pkt->skb, &proto);
+ if (vlan_id) {
+ ctx->num_vlans = 1;
+ ctx->vlan[0].id = vlan_id;
+ ctx->vlan[0].proto = proto;
+ }
+ rcu_read_unlock();
}
struct nft_forward_info {
@@ -92,6 +137,29 @@ struct nft_forward_info {
enum flow_offload_xmit_type xmit_type;
};
+static void nft_fill_vlan_passthrough_info(const struct nft_pktinfo *pkt,
+ struct nft_forward_info *info)
+{
+ if (!skb_vlan_tag_present(pkt->skb))
+ return;
+
+ rcu_read_lock();
+ /* when bridge VLAN filtering is enabled, the bridge handles the tag */
+ if (netif_is_bridge_port(pkt->skb->dev) &&
+ !br_vlan_is_enabled_rcu(pkt->skb->dev)) {
+ if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
+ info->indev = NULL;
+ } else {
+ info->encap[info->num_encaps].id =
+ skb_vlan_tag_get_id(pkt->skb);
+ info->encap[info->num_encaps].proto =
+ pkt->skb->vlan_proto;
+ info->num_encaps++;
+ }
+ }
+ rcu_read_unlock();
+}
+
static int nft_dev_path_info(const struct net_device_path_stack *stack,
struct nft_forward_info *info,
unsigned char *ha, struct nf_flowtable *flowtable)
@@ -103,13 +171,13 @@ static int nft_dev_path_info(const struct net_device_path_stack *stack,
for (i = 0; i < stack->num_paths; i++) {
path = &stack->path[i];
+ info->indev = path->dev;
switch (path->type) {
case DEV_PATH_ETHERNET:
case DEV_PATH_DSA:
case DEV_PATH_VLAN:
case DEV_PATH_PPPOE:
case DEV_PATH_TUN:
- info->indev = path->dev;
if (is_zero_ether_addr(info->h_source))
memcpy(info->h_source, path->dev->dev_addr, ETH_ALEN);
@@ -175,6 +243,10 @@ static int nft_dev_path_info(const struct net_device_path_stack *stack,
}
info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT;
break;
+ case DEV_PATH_MTK_WDMA:
+ if (is_zero_ether_addr(info->h_source))
+ memcpy(info->h_source, path->dev->dev_addr, ETH_ALEN);
+ break;
default:
return -1;
}
@@ -244,6 +316,7 @@ static int nft_flow_tunnel_update_route(const struct nft_pktinfo *pkt,
}
static int nft_dev_forward_path(const struct nft_pktinfo *pkt,
+ bool is_bridging,
struct nf_flow_route *route,
const struct nf_conn *ct,
enum ip_conntrack_dir dir,
@@ -251,12 +324,38 @@ static int nft_dev_forward_path(const struct nft_pktinfo *pkt,
{
const struct dst_entry *dst = route->tuple[dir].dst;
struct net_device_path_stack stack;
+ struct net_device_path_ctx ctx = {
+ .dev = dst->dev,
+ };
struct nft_forward_info info = {};
+ enum ip_conntrack_info pkt_ctinfo;
+ enum ip_conntrack_dir skb_dir;
+ struct ethhdr *eth;
unsigned char ha[ETH_ALEN];
int i;
- if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) < 0 ||
- nft_dev_path_info(&stack, &info, ha, &ft->data) < 0)
+ memset(ha, 0, sizeof(ha));
+
+ if (is_bridging) {
+ nf_ct_get(pkt->skb, &pkt_ctinfo);
+ eth = eth_hdr(pkt->skb);
+ skb_dir = CTINFO2DIR(pkt_ctinfo);
+ if (skb_dir != dir) {
+ memcpy(ha, eth->h_source, ETH_ALEN);
+ memcpy(info.h_source, eth->h_dest, ETH_ALEN);
+ } else {
+ memcpy(ha, eth->h_dest, ETH_ALEN);
+ memcpy(info.h_source, eth->h_source, ETH_ALEN);
+ }
+ nft_br_vlan_dev_fill_forward_path(pkt, &ctx);
+ }
+
+ if (nft_dev_fill_forward_path(&ctx, route, dst, ct, dir, ha, &stack) < 0)
+ return -ENOENT;
+
+ nft_fill_vlan_passthrough_info(pkt, &info);
+
+ if (nft_dev_path_info(&stack, &info, ha, &ft->data) < 0)
return -ENOENT;
if (!nft_flowtable_find_dev(info.indev, ft))
@@ -292,9 +391,11 @@ static int nft_dev_forward_path(const struct nft_pktinfo *pkt,
return 0;
}
-int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
- struct nf_flow_route *route, enum ip_conntrack_dir dir,
- struct nft_flowtable *ft)
+static int nft_flow_route_routing(const struct nft_pktinfo *pkt,
+ const struct nf_conn *ct,
+ struct nf_flow_route *route,
+ enum ip_conntrack_dir dir,
+ struct nft_flowtable *ft)
{
struct dst_entry *this_dst = skb_dst(pkt->skb);
struct dst_entry *other_dst = NULL;
@@ -334,12 +435,12 @@ int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
nft_default_forward_path(route, this_dst, dir);
nft_default_forward_path(route, other_dst, !dir);
- if (route->tuple[dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH &&
- nft_dev_forward_path(pkt, route, ct, dir, ft) < 0)
+ if (route->tuple[dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH &&
+ nft_dev_forward_path(pkt, false, route, ct, dir, ft) < 0)
goto err_dst_release;
if (route->tuple[!dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH &&
- nft_dev_forward_path(pkt, route, ct, !dir, ft) < 0)
+ nft_dev_forward_path(pkt, false, route, ct, !dir, ft) < 0)
goto err_dst_release;
return 0;
@@ -349,4 +450,82 @@ int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
dst_release(route->tuple[!dir].dst);
return -ENOENT;
}
+
+static int nft_flow_route_bridging(const struct nft_pktinfo *pkt,
+ const struct nf_conn *ct,
+ struct nf_flow_route *route,
+ enum ip_conntrack_dir dir,
+ struct nft_flowtable *ft)
+{
+ struct dst_entry *dsts[IP_CT_DIR_MAX] = {};
+ struct net_device *br_dev;
+ int i;
+
+ /* Allocate minimal dsts anchored to the bridge master device to supply
+ * xmit_type and MTU. A full routing lookup via nf_route() is avoided
+ * because it fails for prefixes that are bridged but not routed.
+ */
+ rcu_read_lock();
+ br_dev = netdev_master_upper_dev_get_rcu(pkt->skb->dev);
+ if (!br_dev || !netif_is_bridge_master(br_dev)) {
+ rcu_read_unlock();
+ return -ENOENT;
+ }
+
+ for (i = 0; i < IP_CT_DIR_MAX; i++) {
+ switch (nft_pf(pkt)) {
+ case NFPROTO_IPV4: {
+ struct rtable *rt;
+
+ rt = rt_dst_alloc(br_dev, 0, RTN_UNICAST, true);
+ if (rt)
+ dsts[i] = &rt->dst;
+ break;
+ }
+ case NFPROTO_IPV6: {
+ struct rt6_info *rt;
+
+ rt = ip6_dst_alloc(nft_net(pkt), br_dev, 0);
+ if (rt)
+ dsts[i] = &rt->dst;
+ break;
+ }
+ }
+ }
+ rcu_read_unlock();
+
+ if (!dsts[dir] || !dsts[!dir]) {
+ dst_release(dsts[dir]);
+ dst_release(dsts[!dir]);
+ return -ENOENT;
+ }
+
+ nft_default_forward_path(route, dsts[dir], dir);
+ nft_default_forward_path(route, dsts[!dir], !dir);
+ /* Drop allocation references; route->tuple[*].dst holds the clones. */
+ dst_release(dsts[dir]);
+ dst_release(dsts[!dir]);
+
+ if (route->tuple[dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH &&
+ route->tuple[!dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH) {
+ if (nft_dev_forward_path(pkt, true, route, ct, dir, ft) ||
+ nft_dev_forward_path(pkt, true, route, ct, !dir, ft)) {
+ dst_release(route->tuple[dir].dst);
+ dst_release(route->tuple[!dir].dst);
+ return -ENOENT;
+ }
+ }
+
+ return 0;
+}
+
+int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
+ struct nf_flow_route *route, enum ip_conntrack_dir dir,
+ struct nft_flowtable *ft)
+{
+ if (nft_flow_offload_is_bridging(pkt->skb))
+ return nft_flow_route_bridging(pkt, ct, route, dir, ft);
+
+ return nft_flow_route_routing(pkt, ct, route, dir, ft);
+}
EXPORT_SYMBOL_GPL(nft_flow_route);
|
| 3/2 | 2026/06/29 12:56 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 8955 output: 23 thoughts: 245 Thoughts: **My Assessment of the Bridged Traffic Flow Offload Patch** Okay, so we have this new patch that seems to introduce flow offload support for bridged traffic, which is a pretty interesting development. It looks like the core changes are concentrated in `net/bridge/br_fdb.c`, `net/bridge/br_vlan.c`, `net/core/dev.c`, and `net/netfilter/nf_flow_table_path.c`. The introduction of these new functions like `br_fdb_has_forwarding_entry_rcu`, `br_vlan_get_offload_info_rcu`, `br_vlan_is_enabled_rcu`, and `__dev_fill_forward_path` are exactly what I would expect to see for something like this. And the modification to `nft_flow_route`, particularly the addition of `nft_flow_route_bridging`, suggests a clear integration with the Netfilter flow table framework. From a quick glance, this code looks functional and the logic is reachable, which is a good starting point. My next immediate thought is to get this into a fuzzing regime. That seems like a worthwhile test strategy. Now, let's nail down the configuration dependencies. Obviously, `CONFIG_NF_FLOW_TABLE` is going to be required, that's a no-brainer. `CONFIG_BRIDGE` is another obvious one. `CONFIG_BRIDGE_VLAN_FILTERING` is a maybe, based on the `br_vlan` files, so I'll need to confirm that one. I'll take a look at the `net/netfilter/Kconfig` or similar files for `nf_flow_table_path.c` to confirm. That should give me a pretty clear picture of the necessary environment to reproduce and validate the patch's functionality. |
| 4/2 | 2026/06/29 12:56 | tool | grepper |
0mArgs:{
"Expression": "nf_flow_table_path.o"
}Results: {
"Output": "net/netfilter/Makefile=143=nf_flow_table-objs\t\t:= nf_flow_table_core.o nf_flow_table_ip.o \\\nnet/netfilter/Makefile:144:\t\t\t\t nf_flow_table_path.o \\\nnet/netfilter/Makefile-145-\t\t\t\t nf_flow_table_offload.o nf_flow_table_xdp.o\n"
} |
| 5/2 | 2026/06/29 12:56 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 9732 output: 20 thoughts: 23 Thoughts: Here's my take on those thoughts, tailored for an expert audience: **NF_FLOW_TABLE Configuration Deep Dive** Okay, so I'm looking at `CONFIG_NF_FLOW_TABLE`. Right, that's the kernel configuration symbol that directly controls whether the `nf_flow_table` object files are included in the build. It's a pretty straightforward dependency, no real surprises there. I'm assuming that this is a critical module for any system using connection tracking or Netfilter's flow table implementation. The impact of this setting will depend on the rest of my configuration, of course - particularly how the kernel is compiled and which features I have enabled. I want to dive a little deeper, I'd say I need to understand whether this is a hard or soft dependency on other parts of the Netfilter subsystem. |
| 6/2 | 2026/06/29 12:57 | tool | grepper |
0mArgs:{
"Expression": "config NF_FLOW_TABLE"
}Results: {
"Output": "net/netfilter/Kconfig=701=endif # NF_TABLES\nnet/netfilter/Kconfig-702-\nnet/netfilter/Kconfig:703:config NF_FLOW_TABLE_INET\nnet/netfilter/Kconfig-704-\ttristate \"Netfilter flow table mixed IPv4/IPv6 module\"\n--\nnet/netfilter/Kconfig-710-\nnet/netfilter/Kconfig:711:config NF_FLOW_TABLE\nnet/netfilter/Kconfig-712-\ttristate \"Netfilter flow table module\"\n--\nnet/netfilter/Kconfig-720-\nnet/netfilter/Kconfig:721:config NF_FLOW_TABLE_PROCFS\nnet/netfilter/Kconfig-722-\tbool \"Supply flow table statistics in procfs\"\n"
} |
| 7/2 | 2026/06/29 12:57 | llm | patch-evaluator |
2mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 10165 output: 16 thoughts: 30 Thoughts: Okay, here's my take on those thoughts, tailored for an expert audience: **Examining Bridge Configuration Options** Alright, let's dive right in. My initial thought process is to quickly verify the core bridge configuration options. I need to confirm the presence and status of both `CONFIG_BRIDGE` and `CONFIG_BRIDGE_VLAN_FILTERING`. That's the baseline. I'm going to head straight to the `net/bridge/Kconfig` file. It's the logical place to find these settings and their dependencies. I'm essentially looking for the foundational definitions and any associated conditional logic within the kernel configuration system. A quick check here will give me a solid starting point for understanding how the bridge functionality is enabled and if VLAN filtering is supported at the configuration level. |
| 8/2 | 2026/06/29 13:00 | tool | grepper |
0mArgs:{
"Expression": "config BRIDGE"
}Results: {
"Output": "net/Kconfig=220=config NETFILTER_ADVANCED\n--\nnet/Kconfig-230-\nnet/Kconfig:231:config BRIDGE_NETFILTER\nnet/Kconfig-232-\ttristate \"Bridged IP/ARP packets filtering\"\n--\nnet/bridge/Kconfig-5-\nnet/bridge/Kconfig:6:config BRIDGE\nnet/bridge/Kconfig-7-\ttristate \"802.1d Ethernet Bridging\"\n--\nnet/bridge/Kconfig-35-\nnet/bridge/Kconfig:36:config BRIDGE_IGMP_SNOOPING\nnet/bridge/Kconfig-37-\tbool \"IGMP/MLD snooping\"\n--\nnet/bridge/Kconfig-49-\nnet/bridge/Kconfig:50:config BRIDGE_VLAN_FILTERING\nnet/bridge/Kconfig-51-\tbool \"VLAN filtering\"\n--\nnet/bridge/Kconfig-63-\nnet/bridge/Kconfig:64:config BRIDGE_MRP\nnet/bridge/Kconfig-65-\tbool \"MRP protocol\"\n--\nnet/bridge/Kconfig-75-\nnet/bridge/Kconfig:76:config BRIDGE_CFM\nnet/bridge/Kconfig-77-\tbool \"CFM protocol\"\n--\nnet/bridge/netfilter/Kconfig=28=config NF_CONNTRACK_BRIDGE\n--\nnet/bridge/netfilter/Kconfig-42-# old sockopt interface and eval loop\nnet/bridge/netfilter/Kconfig:43:config BRIDGE_NF_EBTABLES_LEGACY\nnet/bridge/netfilter/Kconfig-44-\ttristate \"Legacy EBTABLES support\"\n--\nnet/bridge/netfilter/Kconfig-52-\nnet/bridge/netfilter/Kconfig:53:menuconfig BRIDGE_NF_EBTABLES\nnet/bridge/netfilter/Kconfig-54-\ttristate \"Ethernet Bridge tables (ebtables) support\"\n--\nnet/bridge/netfilter/Kconfig=62=if BRIDGE_NF_EBTABLES\n--\nnet/bridge/netfilter/Kconfig-66-#\nnet/bridge/netfilter/Kconfig:67:config BRIDGE_EBT_BROUTE\nnet/bridge/netfilter/Kconfig-68-\ttristate \"ebt: broute table support\"\n--\nnet/bridge/netfilter/Kconfig-77-\nnet/bridge/netfilter/Kconfig:78:config BRIDGE_EBT_T_FILTER\nnet/bridge/netfilter/Kconfig-79-\ttristate \"ebt: filter table support\"\n--\nnet/bridge/netfilter/Kconfig-87-\nnet/bridge/netfilter/Kconfig:88:config BRIDGE_EBT_T_NAT\nnet/bridge/netfilter/Kconfig-89-\ttristate \"ebt: nat table support\"\n--\nnet/bridge/netfilter/Kconfig-99-#\nnet/bridge/netfilter/Kconfig:100:config BRIDGE_EBT_802_3\nnet/bridge/netfilter/Kconfig-101-\ttristate \"ebt: 802.3 filter support\"\n--\nnet/bridge/netfilter/Kconfig-106-\nnet/bridge/netfilter/Kconfig:107:config BRIDGE_EBT_AMONG\nnet/bridge/netfilter/Kconfig-108-\ttristate \"ebt: among filter support\"\n--\nnet/bridge/netfilter/Kconfig-115-\nnet/bridge/netfilter/Kconfig:116:config BRIDGE_EBT_ARP\nnet/bridge/netfilter/Kconfig-117-\ttristate \"ebt: ARP filter support\"\n--\nnet/bridge/netfilter/Kconfig-123-\nnet/bridge/netfilter/Kconfig:124:config BRIDGE_EBT_IP\nnet/bridge/netfilter/Kconfig-125-\ttristate \"ebt: IP filter support\"\n--\nnet/bridge/netfilter/Kconfig-131-\nnet/bridge/netfilter/Kconfig:132:config BRIDGE_EBT_IP6\nnet/bridge/netfilter/Kconfig-133-\ttristate \"ebt: IP6 filter support\"\n--\nnet/bridge/netfilter/Kconfig-140-\nnet/bridge/netfilter/Kconfig:141:config BRIDGE_EBT_LIMIT\nnet/bridge/netfilter/Kconfig-142-\ttristate \"ebt: limit match support\"\n--\nnet/bridge/netfilter/Kconfig-150-\nnet/bridge/netfilter/Kconfig:151:config BRIDGE_EBT_MARK\nnet/bridge/netfilter/Kconfig-152-\ttristate \"ebt: mark filter support\"\n--\nnet/bridge/netfilter/Kconfig-160-\nnet/bridge/netfilter/Kconfig:161:config BRIDGE_EBT_PKTTYPE\nnet/bridge/netfilter/Kconfig-162-\ttristate \"ebt: packet type filter support\"\n--\nnet/bridge/netfilter/Kconfig-170-\nnet/bridge/netfilter/Kconfig:171:config BRIDGE_EBT_STP\nnet/bridge/netfilter/Kconfig-172-\ttristate \"ebt: STP filter support\"\n--\nnet/bridge/netfilter/Kconfig-178-\nnet/bridge/netfilter/Kconfig:179:config BRIDGE_EBT_VLAN\nnet/bridge/netfilter/Kconfig-180-\ttristate \"ebt: 802.1Q VLAN filter support\"\n--\nnet/bridge/netfilter/Kconfig-188-#\nnet/bridge/netfilter/Kconfig:189:config BRIDGE_EBT_ARPREPLY\nnet/bridge/netfilter/Kconfig-190-\ttristate \"ebt: arp reply target support\"\n--\nnet/bridge/netfilter/Kconfig-197-\nnet/bridge/netfilter/Kconfig:198:config BRIDGE_EBT_DNAT\nnet/bridge/netfilter/Kconfig-199-\ttristate \"ebt: dnat target support\"\n--\nnet/bridge/netfilter/Kconfig-205-\nnet/bridge/netfilter/Kconfig:206:config BRIDGE_EBT_MARK_T\nnet/bridge/netfilter/Kconfig-207-\ttristate \"ebt: mark target support\"\n--\nnet/bridge/netfilter/Kconfig-215-\nnet/bridge/netfilter/Kconfig:216:config BRIDGE_EBT_REDIRECT\nnet/bridge/netfilter/Kconfig-217-\ttristate \"ebt: redirect target support\"\n--\nnet/bridge/netfilter/Kconfig-223-\nnet/bridge/netfilter/Kconfig:224:config BRIDGE_EBT_SNAT\nnet/bridge/netfilter/Kconfig-225-\ttristate \"ebt: snat target support\"\n--\nnet/bridge/netfilter/Kconfig-233-#\nnet/bridge/netfilter/Kconfig:234:config BRIDGE_EBT_LOG\nnet/bridge/netfilter/Kconfig-235-\ttristate \"ebt: log support\"\n--\nnet/bridge/netfilter/Kconfig-242-\nnet/bridge/netfilter/Kconfig:243:config BRIDGE_EBT_NFLOG\nnet/bridge/netfilter/Kconfig-244-\ttristate \"ebt: nflog support\"\n"
} |
| 9/2 | 2026/06/29 13:00 | llm | patch-evaluator |
3mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 12239 output: 20 thoughts: 108 Thoughts: Okay, here's my take on those new functions, considering the context of bridging and VLANs: **New Bridge FDB and VLAN RCU Helpers** Alright, so I see these new functions popping up: `br_fdb_has_forwarding_entry_rcu`, `br_vlan_get_offload_info_rcu`, and `br_vlan_is_enabled_rcu`. They're all labeled with "rcu," which immediately tells me they're designed for safe, lockless access to bridge forwarding database (FDB) and VLAN information structures. The fact that they're in `net/bridge/br_fdb.c` and `net/bridge/br_vlan.c` respectively is pretty much expected, obviously. `br_vlan_get_offload_info_rcu` and `br_vlan_is_enabled_rcu` are in `br_vlan.c`, and so are related to VLAN filtering, which is compiled in only when `CONFIG_BRIDGE_VLAN_FILTERING` is enabled. I'm guessing that means they're likely involved in querying VLAN-related parameters, and perhaps their presence suggests enhancements to VLAN-aware bridging. Perhaps better performance accessing VLAN entries. The RCU-based access strongly implies these are likely being used from interrupt contexts, or possibly in scenarios where contention is a significant concern. They're clearly looking to avoid taking locks to provide higher concurrency. It's good to see this level of careful optimization. I'll need to dig into the surrounding code to understand the exact use cases and performance implications. |
| 10/2 | 2026/06/29 13:04 | tool | grepper |
0mArgs:{
"Expression": "br_vlan.o"
}Results: {
"Output": "net/bridge/Makefile=21=bridge-$(CONFIG_BRIDGE_IGMP_SNOOPING) += br_multicast.o br_mdb.o br_multicast_eht.o\nnet/bridge/Makefile-22-\nnet/bridge/Makefile:23:bridge-$(CONFIG_BRIDGE_VLAN_FILTERING) += br_vlan.o br_vlan_tunnel.o br_vlan_options.o br_mst.o\nnet/bridge/Makefile-24-\n--\nnet/bridge/br_private.h=1882=static inline u16 br_vlan_flags(const struct net_bridge_vlan *v, u16 pvid)\n--\nnet/bridge/br_private.h-1888-\nnet/bridge/br_private.h:1889:/* br_vlan_options.c */\nnet/bridge/br_private.h-1890-#ifdef CONFIG_BRIDGE_VLAN_FILTERING\nnet/bridge/br_private.h:1891:bool br_vlan_opts_eq_range(const struct net_bridge_vlan *v_curr,\nnet/bridge/br_private.h-1892-\t\t\t const struct net_bridge_vlan *range_end);\nnet/bridge/br_private.h:1893:bool br_vlan_opts_fill(struct sk_buff *skb, const struct net_bridge_vlan *v,\nnet/bridge/br_private.h-1894-\t\t const struct net_bridge_port *p);\nnet/bridge/br_private.h:1895:size_t br_vlan_opts_nl_size(void);\nnet/bridge/br_private.h-1896-int br_vlan_process_options(const struct net_bridge *br,\n--\nnet/bridge/br_vlan.c=1903=static bool br_vlan_fill_vids(struct sk_buff *skb, u16 vid, u16 vid_range,\n--\nnet/bridge/br_vlan.c-1931-\tif (v_opts) {\nnet/bridge/br_vlan.c:1932:\t\tif (!br_vlan_opts_fill(skb, v_opts, p))\nnet/bridge/br_vlan.c-1933-\t\t\tgoto out_err;\n--\nnet/bridge/br_vlan.c=1948=static size_t rtnl_vlan_nlmsg_size(void)\n--\nnet/bridge/br_vlan.c-1953-\t\t+ nla_total_size(sizeof(struct bridge_vlan_info)) /* BRIDGE_VLANDB_ENTRY_INFO */\nnet/bridge/br_vlan.c:1954:\t\t+ br_vlan_opts_nl_size(); /* bridge vlan options */\nnet/bridge/br_vlan.c-1955-}\n--\nnet/bridge/br_vlan.c=2029=bool br_vlan_can_enter_range(const struct net_bridge_vlan *v_curr,\n--\nnet/bridge/br_vlan.c-2033-\t range_end-\u003eflags == v_curr-\u003eflags \u0026\u0026\nnet/bridge/br_vlan.c:2034:\t br_vlan_opts_eq_range(v_curr, range_end);\nnet/bridge/br_vlan.c-2035-}\n--\nnet/bridge/br_vlan_options.c=32=static bool __vlan_tun_can_enter_range(const struct net_bridge_vlan *v_curr,\n--\nnet/bridge/br_vlan_options.c-39-/* check if the options' state of v_curr allow it to enter the range */\nnet/bridge/br_vlan_options.c:40:bool br_vlan_opts_eq_range(const struct net_bridge_vlan *v_curr,\nnet/bridge/br_vlan_options.c-41-\t\t\t const struct net_bridge_vlan *range_end)\n--\nnet/bridge/br_vlan_options.c-71-\nnet/bridge/br_vlan_options.c:72:bool br_vlan_opts_fill(struct sk_buff *skb, const struct net_bridge_vlan *v,\nnet/bridge/br_vlan_options.c-73-\t\t const struct net_bridge_port *p)\n--\nnet/bridge/br_vlan_options.c-97-\nnet/bridge/br_vlan_options.c:98:size_t br_vlan_opts_nl_size(void)\nnet/bridge/br_vlan_options.c-99-{\n"
} |
| 11/2 | 2026/06/29 13:04 | llm | patch-evaluator |
1mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 13903 output: 19 thoughts: 617 Thoughts: **Analyzing Kernel Configuration Dependencies for Network Flow Table Functionality** Okay, so I need to figure out the necessary kernel configurations to support this flow table implementation, specifically concerning bridging and VLAN filtering. It looks like `CONFIG_BRIDGE_VLAN_FILTERING` is a key requirement, obviously. And, of course, `CONFIG_NF_FLOW_TABLE` is essential. Since `NF_FLOW_TABLE` implies `NETFILTER`, I don't need to explicitly state `CONFIG_NETFILTER`, it's covered. Now, the dependency tree seems to branch: `CONFIG_BRIDGE_VLAN_FILTERING` needs `CONFIG_BRIDGE`. Got it. That seems like a solid starting point. Next, I need to check the relevant symbols within the kernel. Let's see... I've identified several key function names: `br_fdb_has_forwarding_entry_rcu`, `br_vlan_get_offload_info_rcu`, `br_vlan_is_enabled_rcu`, `__dev_fill_forward_path`, `nft_flow_route`, `nft_dev_forward_path`, `nft_flow_route_bridging`, `nft_flow_route_routing`, `nft_flow_offload_is_bridging`, `nft_br_vlan_dev_fill_forward_path`, and `nft_fill_vlan_passthrough_info`. These will give me a good picture of the code path. Alright, I need to see which of these are exported. This tells me what's available to modules and other parts of the kernel. Okay, so `nft_flow_route_bridging` is static, which is interesting. `nft_flow_route` and `__dev_fill_forward_path` are exported. And the `br_` prefixed functions are also exported. This is good to know. Let's do a quick, clean list of the relevant symbols, just to keep things organized: * `br_fdb_has_forwarding_entry_rcu` * `br_vlan_get_offload_info_rcu` * `br_vlan_is_enabled_rcu` * `__dev_fill_forward_path` * `nft_flow_route` * `nft_flow_route_bridging` * `nft_flow_offload_is_bridging` * `nft_br_vlan_dev_fill_forward_path` * `nft_fill_vlan_passthrough_info` Just a quick double-check on `nft_flow_route_bridging` to make sure I have the exact name. Yep, the definition in the diff matches what I have in my notes. I always double-check. ```c static int nft_flow_route_bridging(const struct nft_pktinfo *pkt, const struct nf_conn *ct, struct nf_flow_route *route, enum ip_conntrack_dir dir, struct nft_flowtable *ft) ``` Now, let me make sure I didn't miss anything. So I need `NF_FLOW_TABLE`, `BRIDGE`, and `BRIDGE_VLAN_FILTERING`. I should also double check if `nft_flow_route` has any other hidden dependencies. I'll need to dig a little deeper on that point. |
| 12/2 | 2026/06/29 13:05 | tool | grepper |
0mArgs:{
"Expression": "nft_flow_route"
}Results: {
"Output": "include/net/netfilter/nf_flow_table.h=246=struct nft_pktinfo;\ninclude/net/netfilter/nf_flow_table.h:247:int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,\ninclude/net/netfilter/nf_flow_table.h-248-\t\t struct nf_flow_route *route, enum ip_conntrack_dir dir,\n--\nnet/netfilter/nf_flow_table_path.c=318=static int nft_dev_forward_path(const struct nft_pktinfo *pkt,\n--\nnet/netfilter/nf_flow_table_path.c-393-\nnet/netfilter/nf_flow_table_path.c:394:static int nft_flow_route_routing(const struct nft_pktinfo *pkt,\nnet/netfilter/nf_flow_table_path.c-395-\t\t\t\t const struct nf_conn *ct,\n--\nnet/netfilter/nf_flow_table_path.c-453-\nnet/netfilter/nf_flow_table_path.c:454:static int nft_flow_route_bridging(const struct nft_pktinfo *pkt,\nnet/netfilter/nf_flow_table_path.c-455-\t\t\t\t const struct nf_conn *ct,\n--\nnet/netfilter/nf_flow_table_path.c-521-\nnet/netfilter/nf_flow_table_path.c:522:int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,\nnet/netfilter/nf_flow_table_path.c-523-\t\t struct nf_flow_route *route, enum ip_conntrack_dir dir,\n--\nnet/netfilter/nf_flow_table_path.c-526-\tif (nft_flow_offload_is_bridging(pkt-\u003eskb))\nnet/netfilter/nf_flow_table_path.c:527:\t\treturn nft_flow_route_bridging(pkt, ct, route, dir, ft);\nnet/netfilter/nf_flow_table_path.c-528-\nnet/netfilter/nf_flow_table_path.c:529:\treturn nft_flow_route_routing(pkt, ct, route, dir, ft);\nnet/netfilter/nf_flow_table_path.c-530-}\nnet/netfilter/nf_flow_table_path.c:531:EXPORT_SYMBOL_GPL(nft_flow_route);\n--\nnet/netfilter/nft_flow_offload.c=50=static void nft_flow_offload_eval(const struct nft_expr *expr,\n--\nnet/netfilter/nft_flow_offload.c-108-\tdir = CTINFO2DIR(ctinfo);\nnet/netfilter/nft_flow_offload.c:109:\tif (nft_flow_route(pkt, ct, \u0026route, dir, priv-\u003eflowtable) \u003c 0)\nnet/netfilter/nft_flow_offload.c-110-\t\tgoto err_flow_route;\n"
} |
| 13/2 | 2026/06/29 13:05 | llm | patch-evaluator |
5mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 16093 output: 22 thoughts: 35 Thoughts: Here's a summary of my immediate thought process: **Diving into the Offload Code** Okay, so `nft_flow_offload.c` is calling `nft_flow_route`. That immediately raises a flag. I need to understand the interaction and, specifically, how the offload functionality is being triggered. My next step is clear: I need to scrutinize the configuration related to `nft_flow_offload.o`. This is where the core logic will likely be defined. I'll be looking for clues about the conditions under which offload is enabled, what criteria are used for routing, and any relevant policy settings. I anticipate finding key parameters and potentially some optimizations or limitations dictated by the configuration. This could involve looking at various netfilter options and any related kconfig symbols. |
| 14/2 | 2026/06/29 13:10 | tool | grepper |
0mArgs:{
"Expression": "nft_flow_offload.o"
}Results: {
"Output": "net/netfilter/Makefile=112=obj-$(CONFIG_NFT_CT)\t\t+= nft_ct.o\nnet/netfilter/Makefile:113:obj-$(CONFIG_NFT_FLOW_OFFLOAD)\t+= nft_flow_offload.o\nnet/netfilter/Makefile-114-obj-$(CONFIG_NFT_LIMIT)\t\t+= nft_limit.o\n--\nnet/netfilter/nft_flow_offload.c=217=static struct nft_expr_type nft_flow_offload_type;\nnet/netfilter/nft_flow_offload.c:218:static const struct nft_expr_ops nft_flow_offload_ops = {\nnet/netfilter/nft_flow_offload.c-219-\t.type\t\t= \u0026nft_flow_offload_type,\n--\nnet/netfilter/nft_flow_offload.c=230=static struct nft_expr_type nft_flow_offload_type __read_mostly = {\nnet/netfilter/nft_flow_offload.c-231-\t.name\t\t= \"flow_offload\",\nnet/netfilter/nft_flow_offload.c:232:\t.ops\t\t= \u0026nft_flow_offload_ops,\nnet/netfilter/nft_flow_offload.c-233-\t.policy\t\t= nft_flow_offload_policy,\n"
} |
| 15/2 | 2026/06/29 13:10 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 16667 output: 21 thoughts: 34 Thoughts: Okay, here's my take on those thoughts, tailored for an expert audience: **Examining `CONFIG_NFT_FLOW_OFFLOAD`'s Dependencies** Alright, so the current issue is pointing towards a potential dependence on `CONFIG_NFT_FLOW_OFFLOAD`. This isn't entirely unexpected given the context, but I need to confirm this assumption. My immediate next step is to drill into the `Kconfig` files and verify the precise relationships. I need to understand if `CONFIG_NFT_FLOW_OFFLOAD` is a direct dependency, an implicit requirement, or merely an optimization that's *strongly* recommended in conjunction with the current task. I'll need to pay close attention to the conditionals, default values, and any explicit `select` statements that might be present. My goal is to determine if this setting is *strictly* necessary, or if there's some wiggle room that I need to investigate. Ultimately, the goal is to fully define the constraints of the system. |
| 16/2 | 2026/06/29 13:11 | tool | grepper |
0mArgs:{
"Expression": "config NFT_FLOW_OFFLOAD"
}Results: {
"Output": "net/netfilter/Kconfig=498=config NFT_EXTHDR_DCCP\n--\nnet/netfilter/Kconfig-503-\nnet/netfilter/Kconfig:504:config NFT_FLOW_OFFLOAD\nnet/netfilter/Kconfig-505-\tdepends on NF_CONNTRACK \u0026\u0026 NF_FLOW_TABLE\n"
} |
| 17/2 | 2026/06/29 13:11 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 17025 output: 246 thoughts: 257 Thoughts: **My Analysis of NFT Flow Offloading and Bridging Configuration** Okay, let's break this down. My understanding is that `NFT_FLOW_OFFLOAD` is the critical config that activates the flow offload functionality within nftables. Essentially, it's the on switch for this capability, and, as I understand it, it relies on calling `nft_flow_route`. Let's do a quick recap of the configs we're concerned with here: `NF_FLOW_TABLE`, `NFT_FLOW_OFFLOAD`, the `BRIDGE` options, and `BRIDGE_VLAN_FILTERING`. I know there are likely implications and dependencies, so let's see if we missed anything. Right, I'm noting that `CONFIG_NF_CONNTRACK` and `CONFIG_NETFILTER` are automatically implied by the `NFT_FLOW_OFFLOAD` setting. Good, that helps clarify the overall picture. Now, let's identify the key functions and symbols that are relevant to this process. I'm focusing on these for deeper analysis: * `br_fdb_has_forwarding_entry_rcu` * `br_vlan_get_offload_info_rcu` * `br_vlan_is_enabled_rcu` * `__dev_fill_forward_path` * `nft_flow_route` * `nft_flow_route_bridging` * `nft_flow_offload_is_bridging` * `nft_br_vlan_dev_fill_forward_path` * `nft_fill_vlan_passthrough_info` I'm ready to call `set-results` now. |
| 18/2 | 2026/06/29 13:12 | tool | set-results |
0mArgs:{
"EnableConfigs": [
"NF_FLOW_TABLE",
"NFT_FLOW_OFFLOAD",
"BRIDGE",
"BRIDGE_VLAN_FILTERING"
],
"FocusSymbols": [
"br_fdb_has_forwarding_entry_rcu",
"br_vlan_get_offload_info_rcu",
"br_vlan_is_enabled_rcu",
"__dev_fill_forward_path",
"nft_flow_route",
"nft_flow_route_bridging",
"nft_flow_offload_is_bridging",
"nft_br_vlan_dev_fill_forward_path",
"nft_fill_vlan_passthrough_info"
],
"Reasoning": "The patch adds support for flow offload of bridged traffic. It introduces new functions to check bridge FDB entries and VLAN information for flow offload, and modifies the netfilter flow table path to handle bridged traffic. This is a functional change in the core networking and netfilter subsystems that should be fuzzed.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"NF_FLOW_TABLE",
"NFT_FLOW_OFFLOAD",
"BRIDGE",
"BRIDGE_VLAN_FILTERING"
],
"FocusSymbols": [
"br_fdb_has_forwarding_entry_rcu",
"br_vlan_get_offload_info_rcu",
"br_vlan_is_enabled_rcu",
"__dev_fill_forward_path",
"nft_flow_route",
"nft_flow_route_bridging",
"nft_flow_offload_is_bridging",
"nft_br_vlan_dev_fill_forward_path",
"nft_fill_vlan_passthrough_info"
],
"Reasoning": "The patch adds support for flow offload of bridged traffic. It introduces new functions to check bridge FDB entries and VLAN information for flow offload, and modifies the netfilter flow table path to handle bridged traffic. This is a functional change in the core networking and netfilter subsystems that should be fuzzed.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|