From 18f18a2054e3e76cfd97b89baf2d2ecff1a6008d Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Thu, 14 Jun 2018 11:25:23 +0200 Subject: kernel: fix conntrack fixup of offloaded flows on timeout Fixes excessively long conntrack timeout of short lived connections Signed-off-by: Felix Fietkau --- ...f_flow_table-fix-up-ct-state-of-flows-aft.patch | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 target/linux/generic/backport-4.14/371-netfilter-nf_flow_table-fix-up-ct-state-of-flows-aft.patch (limited to 'target/linux/generic/backport-4.14') diff --git a/target/linux/generic/backport-4.14/371-netfilter-nf_flow_table-fix-up-ct-state-of-flows-aft.patch b/target/linux/generic/backport-4.14/371-netfilter-nf_flow_table-fix-up-ct-state-of-flows-aft.patch new file mode 100644 index 0000000000..fb14a284ae --- /dev/null +++ b/target/linux/generic/backport-4.14/371-netfilter-nf_flow_table-fix-up-ct-state-of-flows-aft.patch @@ -0,0 +1,24 @@ +From: Felix Fietkau +Date: Thu, 14 Jun 2018 11:20:09 +0200 +Subject: [PATCH] netfilter: nf_flow_table: fix up ct state of flows after + timeout + +If a connection simply times out instead of being torn down, it is left +active with a long timeout. Fix this by calling flow_offload_fixup_ct_state +here as well. + +Signed-off-by: Felix Fietkau +--- + +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -233,6 +233,9 @@ static void flow_offload_del(struct nf_f + e = container_of(flow, struct flow_offload_entry, flow); + clear_bit(IPS_OFFLOAD_BIT, &e->ct->status); + ++ if (!(flow->flags & FLOW_OFFLOAD_TEARDOWN)) ++ flow_offload_fixup_ct_state(e->ct); ++ + flow_offload_free(flow); + } + -- cgit v1.2.3