kernel: avoid flow offload for connections with xfrm on the dst entry (should fix...

author Felix Fietkau <nbd@nbd.name>

Sun, 8 Apr 2018 17:19:58 +0000 (19:19 +0200)

committer Jo-Philipp Wich <jo@mein.io>

Tue, 18 Dec 2018 08:43:59 +0000 (09:43 +0100)
author Felix Fietkau <nbd@nbd.name>
Sun, 8 Apr 2018 17:19:58 +0000 (19:19 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Tue, 18 Dec 2018 08:43:59 +0000 (09:43 +0100)
diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch

index 84ae4affe3dcaf121f789ae1e5b2dfe86afdb885..308fe0974d20e8b1dc00fd7e2b939831d22c046a 100644 (file)
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
   obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
  --- /dev/null
  +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,368 @@
  +/*
  + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
  + *
@@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  +      if (!this_dst || !other_dst)
  +              return -ENOENT;
  +
++      if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
++              return -EINVAL;
++
  +      route->tuple[dir].dst           = this_dst;
  +      route->tuple[dir].ifindex       = xt_in(par)->ifindex;
  +      route->tuple[!dir].dst          = other_dst;
diff --git a/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch b/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch

index 833d9f991680d92d8262292fde16986d580da5fd..6638a5e9498dfd9aaab63a7182292651ed4a0e78 100644 (file)
--- a/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
+++ b/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
@@ -39,7 +39,7 @@ Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
  
  --- a/net/netfilter/xt_FLOWOFFLOAD.c
  +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -337,10 +337,41 @@ static void xt_flowoffload_table_cleanup
+@@ -340,10 +340,41 @@ static void xt_flowoffload_table_cleanup
         nf_flow_table_free(table);
   }
   
@@ -81,7 +81,7 @@ Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
         INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work);
   
         ret = xt_flowoffload_table_init(&nf_flowtable);
-@@ -358,6 +389,7 @@ static void __exit xt_flowoffload_tg_exi
+@@ -361,6 +392,7 @@ static void __exit xt_flowoffload_tg_exi
   {
         xt_unregister_target(&offload_tg_reg);
         xt_flowoffload_table_cleanup(&nf_flowtable);
author	Felix Fietkau <nbd@nbd.name>
	Sun, 8 Apr 2018 17:19:58 +0000 (19:19 +0200)
committer	Jo-Philipp Wich <jo@mein.io>
	Tue, 18 Dec 2018 08:43:59 +0000 (09:43 +0100)
target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch		patch \| blob \| history
target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch		patch \| blob \| history