diff options
Diffstat (limited to 'target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch')
-rw-r--r-- | target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch | 39 |
1 files changed, 0 insertions, 39 deletions
diff --git a/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch b/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch deleted file mode 100644 index e91aaa91d7..0000000000 --- a/target/linux/generic/backport-4.14/366-netfilter-nft_flow_offload-Fix-reverse-route-lookup.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: wenxu <wenxu@ucloud.cn> -Date: Wed, 9 Jan 2019 10:40:11 +0800 -Subject: [PATCH] netfilter: nft_flow_offload: Fix reverse route lookup - -Using the following example: - - client 1.1.1.7 ---> 2.2.2.7 which dnat to 10.0.0.7 server - -The first reply packet (ie. syn+ack) uses an incorrect destination -address for the reverse route lookup since it uses: - - daddr = ct->tuplehash[!dir].tuple.dst.u3.ip; - -which is 2.2.2.7 in the scenario that is described above, while this -should be: - - daddr = ct->tuplehash[dir].tuple.src.u3.ip; - -that is 10.0.0.7. - -Signed-off-by: wenxu <wenxu@ucloud.cn> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - ---- a/net/netfilter/nft_flow_offload.c -+++ b/net/netfilter/nft_flow_offload.c -@@ -29,10 +29,10 @@ static int nft_flow_route(const struct n - memset(&fl, 0, sizeof(fl)); - switch (nft_pf(pkt)) { - case NFPROTO_IPV4: -- fl.u.ip4.daddr = ct->tuplehash[!dir].tuple.dst.u3.ip; -+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip; - break; - case NFPROTO_IPV6: -- fl.u.ip6.daddr = ct->tuplehash[!dir].tuple.dst.u3.in6; -+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6; - break; - } - |