From: Florian Westphal Date: Tue, 21 May 2019 11:24:32 +0000 (+0200) Subject: netfilter: nft_flow_offload: don't offload when sequence numbers need adjustment X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=91a9048f238063dde7feea752b9dd386f7e3808b;p=openwrt%2Fstaging%2Fblogic.git netfilter: nft_flow_offload: don't offload when sequence numbers need adjustment We can't deal with tcp sequence number rewrite in flow_offload. While at it, simplify helper check, we only need to know if the extension is present, we don't need the helper data. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso
---
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index bde63d9c3c4e..c97c03c3939a 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -12,7 +12,6 @@
 #include
 #include
 #include
-#include
 struct nft_flow_offload {
 struct nft_flowtable *flowtable;
@@ -67,7 +66,6 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 {
 struct nft_flow_offload *priv = nft_expr_priv(expr);
 struct nf_flowtable *flowtable = &priv->flowtable->data;
- const struct nf_conn_help *help;
 enum ip_conntrack_info ctinfo;
 struct nf_flow_route route;
 struct flow_offload *flow;
@@ -93,8 +91,8 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 goto out;
 }
- help = nfct_help(ct);
- if (help)
+ if (nf_ct_ext_exist(ct, NF_CT_EXT_HELPER) ||
+ ct->status & IPS_SEQ_ADJUST)
 goto out;
 if (!nf_ct_is_confirmed(ct))
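Review bot: In the third hunk the new guard reads `ct->status & IPS_SEQ_ADJUST` as a plain, unparenthesized load beside `||`. Precedence makes it correct, but `test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)` would match the bit accessors conntrack uses on this status word and removes the need to reason about operator precedence. The check is also a one-time snapshot taken when the flow is first considered for offload, so it presumably relies on sequence adjustment having been set up before this expression runs. A short comment such as `/* flowtable fast path cannot rewrite TCP sequence numbers; keep helper and seqadj flows on the slow path */` would record why these connections must never be offloaded. The body of nft_flow_offload_eval starts and ends outside the hunk, so whether a later status change is handled cannot be judged from here.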