kernel: avoid flow offload for connections with xfrm on the dst entry (should fix...

[openwrt/openwrt.git] / target / linux / generic / hack-4.14 / 650-netfilter-add-xt_OFFLOAD-target.patch

diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
index 84ae4affe3dcaf121f789ae1e5b2dfe86afdb885..308fe0974d20e8b1dc00fd7e2b939831d22c046a 100644 (file)
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,368 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
 + *
@@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +      if (!this_dst || !other_dst)
 +              return -ENOENT;
 +
++      if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
++              return -EINVAL;
++
 +      route->tuple[dir].dst           = this_dst;
 +      route->tuple[dir].ifindex       = xt_in(par)->ifindex;
 +      route->tuple[!dir].dst          = other_dst;