From 2c7b0e9f31630c97f4864ee729be64a2b7ba98e4 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Tue, 13 Mar 2018 09:16:20 +0100
Subject: [PATCH] kernel: flow-offload: only offload connections that have been fully established

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 .../hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
index 40f89d4d91..5c40961c37 100644
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,338 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
 + *
@@ -337,6 +337,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +
 + switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
 + case IPPROTO_TCP:
++ if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
++ return XT_CONTINUE;
++ break;
 + case IPPROTO_UDP:
 + break;
 + default:
-- 
2.30.2
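Review bot: The `case IPPROTO_UDP:` branch directly after the new TCP check still reaches the offload path with no state test, so in the lines visible here the "fully established" rule from the commit title is enforced for TCP only. If nothing outside this hunk (or the iptables rule that invokes the target) already filters unreplied flows, a matching guard such as `if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) return XT_CONTINUE;` would keep one-way UDP traffic from populating the flow table. A short comment above the TCP check, for example `/* keep half-open connections on the slow path until the handshake completes */`, would record why the state test is there. The switch belongs to a function whose start and end are outside the hunk, so this is based on the visible lines only.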