kernel: avoid flow offload for connections with xfrm on the dst entry (should fix IPSec)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau 2018-04-08 19:19:58 +02:00
parent df02e7a3c7
commit b560c1748a


@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
--- /dev/null --- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c +++ b/net/netfilter/xt_FLOWOFFLOAD.c
@@ -0,0 +1,365 @@ @@ -0,0 +1,368 @@
+/* +/*
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name> + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
+ * + *
@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ if (!this_dst || !other_dst) + if (!this_dst || !other_dst)
+ return -ENOENT; + return -ENOENT;
+ +
+ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
+ return -EINVAL;
+
+ route->tuple[dir].dst = this_dst; + route->tuple[dir].dst = this_dst;
+ route->tuple[dir].ifindex = xt_in(par)->ifindex; + route->tuple[dir].ifindex = xt_in(par)->ifindex;
+ route->tuple[!dir].dst = other_dst; + route->tuple[!dir].dst = other_dst;
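Review bot: The added `return -EINVAL;` after the `dst_xfrm()` test exits without releasing `other_dst`; if that entry comes from a route lookup that takes a reference (the lookup is outside this hunk, so this is inferred), every rejected IPsec flow would leak a dst reference. Consider calling `dst_release(other_dst);` before the return, and check whether the preceding `-ENOENT` path needs the same when only `this_dst` is NULL. A short comment such as `/* xfrm flows must stay on the slow path so IPsec transforms are applied */` would record why the check exists, since offloading such a flow would presumably bypass the transform. The enclosing function starts and ends outside the hunk.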