1 files changed, 37 insertions, 0 deletions

diff --git a/queue-5.15/netfilter-flowtable-incorrect-pppoe-tuple.patch b/queue-5.15/netfilter-flowtable-incorrect-pppoe-tuple.patch
new file mode 100644
index 0000000000..a438851adc
--- /dev/null
+++ b/queue-5.15/netfilter-flowtable-incorrect-pppoe-tuple.patch
@@ -0,0 +1,37 @@
+From 5b01f17f95e922da7d78080535f7fa9583a298ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 00:09:00 +0200
+Subject: netfilter: flowtable: incorrect pppoe tuple
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 6db5dc7b351b9569940cd1cf445e237c42cd6d27 ]
+
+pppoe traffic reaching ingress path does not match the flowtable entry
+because the pppoe header is expected to be at the network header offset.
+This bug causes a mismatch in the flow table lookup, so pppoe packets
+enter the classical forwarding path.
+
+Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_flow_table_ip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
+index 448956fb52f69..f3227f9316969 100644
+--- a/net/netfilter/nf_flow_table_ip.c
++++ b/net/netfilter/nf_flow_table_ip.c
+@@ -156,7 +156,7 @@ static void nf_flow_tuple_encap(struct sk_buff *skb,
+ 		tuple->encap[i].proto = skb->protocol;
+ 		break;
+ 	case htons(ETH_P_PPP_SES):
+-		phdr = (struct pppoe_hdr *)skb_mac_header(skb);
++		phdr = (struct pppoe_hdr *)skb_network_header(skb);
+ 		tuple->encap[i].id = ntohs(phdr->sid);
+ 		tuple->encap[i].proto = skb->protocol;
+ 		break;
+-- 
+2.43.0
+