kernel: flow-offload: only offload connections that have been fully established
authorFelix Fietkau <nbd@nbd.name>
Tue, 13 Mar 2018 08:16:20 +0000 (09:16 +0100)
committerFelix Fietkau <nbd@nbd.name>
Fri, 23 Mar 2018 19:56:34 +0000 (20:56 +0100)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch

index 40f89d4..5c40961 100644 (file)
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,338 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
 + *
@@ -337,6 +337,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +
 +      switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
 +      case IPPROTO_TCP:
++              if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
++                      return XT_CONTINUE;
++              break;
 +      case IPPROTO_UDP:
 +              break;
 +      default:
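Review bot: The new TCP guard admits a conntrack the moment it reaches ESTABLISHED, without also requiring IPS_ASSURED, so a flow can be pushed to the offload path before conntrack has seen traffic in both directions and deemed the connection worth keeping; the tighter check is `if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED || !test_bit(IPS_ASSURED_BIT, &ct->status)) return XT_CONTINUE;`. The state check also does not look at the packet itself: a FIN or RST arriving on an ESTABLISHED connection still passes and would create a flow entry for a connection that is being torn down, unless the target already rejects such packets in the part of flowoffload_tg that lies outside this hunk. Note that `ct->proto.tcp.state` is read here without ct->lock, which is how it is written in the TCP conntrack helper; that is presumably an acceptable racy read of a single byte, but a short comment saying so would help the next reader. The enclosing function starts before and continues after this hunk.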