authorFelix Fietkau <nbd@nbd.name>2018-04-08 19:19:58 +0200
committerFelix Fietkau <nbd@nbd.name>2018-06-13 12:54:25 +0200
commitb560c1748a4edf0d02046e5a988cc0caf1f4f987 (patch)
tree9688ae87fd9184a84e828e105b0bcf94a58f9296
parentdf02e7a3c790552c9620242544ec0137dae6a32b (diff)
kernel: avoid flow offload for connections with xfrm on the dst entry (should fix IPSec)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
-rw-r--r--target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch5
1 files changed, 4 insertions, 1 deletions
diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
index 7f78d521f8..418ea469e6 100644
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
--- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,368 @@
+/*
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
+ *
@@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ if (!this_dst || !other_dst)
+ return -ENOENT;
+
++ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
++ return -EINVAL;
++
+ route->tuple[dir].dst = this_dst;
+ route->tuple[dir].ifindex = xt_in(par)->ifindex;
+ route->tuple[!dir].dst = other_dst;
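Review bot: The added `return -EINVAL` exits without releasing `other_dst`. The function starts outside this hunk, so how `other_dst` is obtained is not visible, but if it comes from a route lookup that takes a reference, every flow rejected here would leak a dst reference. In that case release it first, e.g. `if (dst_xfrm(this_dst) || dst_xfrm(other_dst)) { dst_release(other_dst); return -EINVAL; }`, or confirm that the caller drops it on error. A comment above the check, such as `/* routes with an xfrm transform must stay on the slow path so IPsec policy is applied */`, would record why these flows are excluded. The check also only sees the dst entries at offload time, so it is worth confirming separately that flows offloaded before an xfrm policy was installed, and inbound packets that were already decapsulated, are handled.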