kernel: port another missing upstream change to xt_FLOWOFFLOAD on 4.19
authorFelix Fietkau <nbd@nbd.name>
Wed, 25 Sep 2019 12:09:45 +0000 (14:09 +0200)
committerFelix Fietkau <nbd@nbd.name>
Wed, 25 Sep 2019 16:16:39 +0000 (18:16 +0200)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
target/linux/generic/hack-4.19/650-netfilter-add-xt_OFFLOAD-target.patch

index bc5a5eba58f197c119c96efa07ced66d8f3240bf..80bc1cdeffb8696f1a28653e02125bc8a124438c 100644 (file)
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,383 @@
+@@ -0,0 +1,387 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
 + *
@@ -344,13 +344,13 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +flowoffload_tg(struct sk_buff *skb, const struct xt_action_param *par)
 +{
 +      const struct xt_flowoffload_target_info *info = par->targinfo;
++      struct tcphdr _tcph, *tcph = NULL;
 +      enum ip_conntrack_info ctinfo;
 +      enum ip_conntrack_dir dir;
 +      struct nf_flow_route route;
 +      struct flow_offload *flow;
 +      struct nf_conn *ct;
 +      struct net *net;
-+      bool is_tcp = false;
 +
 +      if (xt_flowoffload_skip(skb, xt_family(par)))
 +              return XT_CONTINUE;
@@ -363,7 +363,11 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +      case IPPROTO_TCP:
 +              if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
 +                      return XT_CONTINUE;
-+              is_tcp = true;
++
++              tcph = skb_header_pointer(skb, par->thoff,
++                                        sizeof(_tcph), &_tcph);
++              if (unlikely(!tcph || tcph->fin || tcph->rst))
++                      return XT_CONTINUE;
 +              break;
 +      case IPPROTO_UDP:
 +              break;
@@ -393,7 +397,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +      if (!flow)
 +              goto err_flow_alloc;
 +
-+      if (is_tcp) {
++      if (tcph) {
 +              ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 +              ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 +      }
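Review bot: The new `skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph)` call in the `IPPROTO_TCP` case trusts `par->thoff` to be the TCP header offset, and nothing visible in these hunks shows that the table code always populates it for this target; for IPv6 rules without a protocol match it may be left unset, which should be confirmed. If the offset is wrong, the FIN/RST test reads unrelated bytes, so a connection in teardown could still be offloaded and conntrack would not see the close. A short comment above the check would record both the intent and the assumption, e.g. `/* never offload FIN/RST segments: conntrack must see teardown; relies on par->thoff being valid */`. In the last hunk `if (tcph)` is now only an "is TCP" flag, and since the pointer may refer to the stack copy `_tcph` a one-line comment saying it is not dereferenced there would help; the body of `flowoffload_tg` continues outside the shown hunks.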