From: Felix Fietkau Date: Thu, 5 Apr 2018 17:22:43 +0000 (+0200) Subject: kernel: fix xtables flow offload issues X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=1c37cbbbecacbcd624f67ee7c18d76dcb478ba21;p=openwrt%2Fstaging%2Fthess.git kernel: fix xtables flow offload issues - avoid using garbage stack values as dst pointer if lookup fails - provide the source address for ipv6 dst lookup Signed-off-by: Felix Fietkau --- diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch index a322e605a2..7f78d521f8 100644 --- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch +++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch @@ -70,7 +70,7 @@ Signed-off-by: Felix Fietkau help This option adds the flow table core infrastructure. -@@ -959,6 +958,15 @@ config NETFILTER_XT_TARGET_NOTRACK +@@ -968,6 +967,15 @@ config NETFILTER_XT_TARGET_NOTRACK depends on NETFILTER_ADVANCED select NETFILTER_XT_TARGET_CT @@ -88,7 +88,7 @@ Signed-off-by: Felix Fietkau depends on NETFILTER_ADVANCED --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile -@@ -133,6 +133,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF +@@ -134,6 +134,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o @@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,364 @@ +@@ -0,0 +1,365 @@ +/* + * Copyright (C) 2018 Felix Fietkau + * @@ -295,7 +295,7 @@ Signed-off-by: Felix Fietkau +xt_flowoffload_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir, + const struct xt_action_param *par) +{ -+ struct dst_entry *dst; ++ struct dst_entry *dst = NULL; + struct flowi fl; + + memset(&fl, 0, sizeof(fl)); @@ -304,6 +304,7 @@ Signed-off-by: Felix Fietkau + fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; + break; + case NFPROTO_IPV6: ++ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6; + fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; + break; + }