kernel: avoid flow offload for connections with xfrm on the dst entry (should fix IPSec)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
parent
df02e7a3c7
commit
b560c1748a
1 changed files with 4 additions and 1 deletions
|
@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
|
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
|
||||||
@@ -0,0 +1,365 @@
|
@@ -0,0 +1,368 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
|
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
|
||||||
+ *
|
+ *
|
||||||
|
@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||||
+ if (!this_dst || !other_dst)
|
+ if (!this_dst || !other_dst)
|
||||||
+ return -ENOENT;
|
+ return -ENOENT;
|
||||||
+
|
+
|
||||||
|
+ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
+ route->tuple[dir].dst = this_dst;
|
+ route->tuple[dir].dst = this_dst;
|
||||||
+ route->tuple[dir].ifindex = xt_in(par)->ifindex;
|
+ route->tuple[dir].ifindex = xt_in(par)->ifindex;
|
||||||
+ route->tuple[!dir].dst = other_dst;
|
+ route->tuple[!dir].dst = other_dst;
|
||||||
|
|
Loading…
Reference in a new issue