kernel: avoid flow offload for connections with xfrm on the dst entry (should fix...
authorFelix Fietkau <nbd@nbd.name>
Sun, 8 Apr 2018 17:19:58 +0000 (19:19 +0200)
committerFelix Fietkau <nbd@nbd.name>
Wed, 13 Jun 2018 10:54:25 +0000 (12:54 +0200)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
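--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,368 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
 + *
@@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +      if (!this_dst || !other_dst)
 +              return -ENOENT;
 +
++      if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
++              return -EINVAL;
++
 +      route->tuple[dir].dst           = this_dst;
 +      route->tuple[dir].ifindex       = xt_in(par)->ifindex;
 +      route->tuple[!dir].dst          = other_dst;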
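Review bot: The added `return -EINVAL;` exits after both dst entries have been obtained, so if `other_dst` comes from a route lookup that takes a reference (the lookup sits above the hunk and is not visible here), that reference appears to stay held on this path; the existing `-ENOENT` return has the same shape when only `this_dst` is NULL. Unless the caller is known to drop it on error, release it before returning, e.g. `if (dst_xfrm(this_dst) || dst_xfrm(other_dst)) { dst_release(other_dst); return -EINVAL; }`. Assuming the intent is to keep IPsec-transformed traffic off the offload fast path, a one-line comment above the check such as `/* flows with an xfrm dst must not be offloaded: the fast path would skip the transform */` would record why the check is there. The enclosing function starts and ends outside the hunk, so the caller's error handling should be confirmed against the full file.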