aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@nbd.name>2018-04-08 19:19:58 +0200
committerJo-Philipp Wich <jo@mein.io>2018-12-18 09:43:59 +0100
commit3a507b2f9b6e544fc5768d501332919d579f2f9e (patch)
tree6178bb411d2cf7dd3eb9cc0090c9116791704e7b /target/linux
parent1e0db693dfe6ae5c107713d9135a9a3d8a9b6d10 (diff)
downloadupstream-3a507b2f9b6e544fc5768d501332919d579f2f9e.tar.gz
upstream-3a507b2f9b6e544fc5768d501332919d579f2f9e.tar.bz2
upstream-3a507b2f9b6e544fc5768d501332919d579f2f9e.zip
kernel: avoid flow offload for connections with xfrm on the dst entry (should fix IPSec)
Signed-off-by: Felix Fietkau <nbd@nbd.name> (backported from b560c1748a4edf0d02046e5a988cc0caf1f4f987) (rebased patches) Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'target/linux')
-rw-r--r--target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch5
-rw-r--r--target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch4
2 files changed, 6 insertions, 3 deletions
diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
index 84ae4affe3..308fe0974d 100644
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
--- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,368 @@
+/*
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
+ *
@@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ if (!this_dst || !other_dst)
+ return -ENOENT;
+
++ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
++ return -EINVAL;
++
+ route->tuple[dir].dst = this_dst;
+ route->tuple[dir].ifindex = xt_in(par)->ifindex;
+ route->tuple[!dir].dst = other_dst;
diff --git a/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch b/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
index 833d9f9916..6638a5e949 100644
--- a/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
+++ b/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
@@ -39,7 +39,7 @@ Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
--- a/net/netfilter/xt_FLOWOFFLOAD.c
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -337,10 +337,41 @@ static void xt_flowoffload_table_cleanup
+@@ -340,10 +340,41 @@ static void xt_flowoffload_table_cleanup
nf_flow_table_free(table);
}
@@ -81,7 +81,7 @@ Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work);
ret = xt_flowoffload_table_init(&nf_flowtable);
-@@ -358,6 +389,7 @@ static void __exit xt_flowoffload_tg_exi
+@@ -361,6 +392,7 @@ static void __exit xt_flowoffload_tg_exi
{
xt_unregister_target(&offload_tg_reg);
xt_flowoffload_table_cleanup(&nf_flowtable);