From 2c7b0e9f31630c97f4864ee729be64a2b7ba98e4 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Tue, 13 Mar 2018 09:16:20 +0100
Subject: [PATCH] kernel: flow-offload: only offload connections that have been
 fully established

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 .../hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch      | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
index 40f89d4d91..5c40961c37 100644
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,338 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
 + *
@@ -337,6 +337,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +
 +	switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
 +	case IPPROTO_TCP:
++		if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
++			return XT_CONTINUE;
++		break;
 +	case IPPROTO_UDP:
 +		break;
 +	default:
-- 
2.30.2