kernel: fix ipsec related regression in the netfilter rtcache patch

[openwrt/svn-archive/archive.git] / target / linux / generic / patches-3.14 / 090-backport_netfilter_rtcache.patch

diff --git a/target/linux/generic/patches-3.14/090-backport_netfilter_rtcache.patch b/target/linux/generic/patches-3.14/090-backport_netfilter_rtcache.patch
index ebe573f5764c6ddf4519aa1834cf924eff2af807..104a82cfd28dab944038f91d8ab6356d13198dbb 100644 (file)
--- a/target/linux/generic/patches-3.14/090-backport_netfilter_rtcache.patch
+++ b/target/linux/generic/patches-3.14/090-backport_netfilter_rtcache.patch
@@ -115,7 +115,7 @@ Signed-off-by: Florian Westphal <fw@strlen.de>
  obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
 --- /dev/null
 +++ b/net/netfilter/nf_conntrack_rtcache.c
-@@ -0,0 +1,386 @@
+@@ -0,0 +1,390 @@
 +/* route cache for netfilter.
 + *
 + * (C) 2014 Red Hat GmbH
@@ -307,12 +307,16 @@ Signed-off-by: Florian Westphal <fw@strlen.de>
 +      enum ip_conntrack_info ctinfo;
 +      enum ip_conntrack_dir dir;
 +      struct nf_conn *ct;
++      struct dst_entry *dst = skb_dst(skb);
 +      int iif;
 +
 +      ct = nf_ct_get(skb, &ctinfo);
 +      if (!ct)
 +              return NF_ACCEPT;
 +
++      if (dst && dst_xfrm(dst))
++              return NF_ACCEPT;
++
 +      if (!nf_ct_is_confirmed(ct)) {
 +              if (WARN_ON(nf_ct_rtcache_find(ct)))
 +                      return NF_ACCEPT;