depends on !NF_CONNTRACK || NF_CONNTRACK
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
-@@ -69,7 +69,6 @@ config NFT_FIB_IPV6
+@@ -97,7 +97,6 @@ config NFT_FIB_IPV6
multicast or blackhole.
endif # NF_TABLES_IPV6
config NF_FLOW_TABLE_IPV6
tristate "Netfilter flow table IPv6 module"
-@@ -79,6 +78,8 @@ config NF_FLOW_TABLE_IPV6
+@@ -107,6 +106,8 @@ config NF_FLOW_TABLE_IPV6
To compile it as a module, choose M here.
help
This option adds the flow table core infrastructure.
-@@ -959,6 +958,15 @@ config NETFILTER_XT_TARGET_NOTRACK
+@@ -968,6 +967,15 @@ config NETFILTER_XT_TARGET_NOTRACK
depends on NETFILTER_ADVANCED
select NETFILTER_XT_TARGET_CT
depends on NETFILTER_ADVANCED
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
-@@ -133,6 +133,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF
+@@ -134,6 +134,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
--- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,364 @@
+@@ -0,0 +1,368 @@
+/*
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
+ *
+xt_flowoffload_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir,
+ const struct xt_action_param *par)
+{
-+ struct dst_entry *dst;
++ struct dst_entry *dst = NULL;
+ struct flowi fl;
+
+ memset(&fl, 0, sizeof(fl));
+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
+ break;
+ case NFPROTO_IPV6:
++ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
+ break;
+ }
+ if (!this_dst || !other_dst)
+ return -ENOENT;
+
++ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
++ return -EINVAL;
++
+ route->tuple[dir].dst = this_dst;
+ route->tuple[dir].ifindex = xt_in(par)->ifindex;
+ route->tuple[!dir].dst = other_dst;
projects / openwrt / openwrt.git / blobdiff