From 3a507b2f9b6e544fc5768d501332919d579f2f9e Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Sun, 8 Apr 2018 19:19:58 +0200
Subject: [PATCH] kernel: avoid flow offload for connections with xfrm on the dst entry (should fix IPSec)

Signed-off-by: Felix Fietkau
(backported from b560c1748a4edf0d02046e5a988cc0caf1f4f987)
(rebased patches)
Signed-off-by: Jo-Philipp Wich
---
 .../hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch | 5 ++++-
 .../940-cleanup-offload-hooks-on-netdev-unregister.patch | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
index 84ae4affe3..308fe0974d 100644
--- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,368 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau
 + *
@@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau
 + if (!this_dst || !other_dst)
 + return -ENOENT;
 +
 ++ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
 ++ return -EINVAL;
 ++
 + route->tuple[dir].dst = this_dst;
 + route->tuple[dir].ifindex = xt_in(par)->ifindex;
 + route->tuple[!dir].dst = other_dst;
diff --git a/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch b/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
index 833d9f9916..6638a5e949 100644
--- a/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
+++ b/target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch
@@ -39,7 +39,7 @@ Signed-off-by: Chen Minqiang
 --- a/net/netfilter/xt_FLOWOFFLOAD.c
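Review bot: The new `dst_xfrm()` rejection in the @@ -326 hunk of 650-netfilter-add-xt_OFFLOAD-target.patch carries no explanation although the reason is security-relevant: a dst that holds an xfrm bundle must traverse the xfrm/IPsec output path, and an offloaded flow would forward those packets past it unencrypted, so add `/* dst with an xfrm bundle needs the xfrm/IPsec output path; never offload it */` above the check. If the two dst pointers are held references from the preceding lookup (not visible in the hunk), the new `return -EINVAL` leaves them unreleased exactly as the existing `return -ENOENT` does, which is worth confirming against the lookup helper. The check only runs when a flow is being offloaded; whether an already-offloaded flow is torn down when an xfrm policy is installed later is not addressed by this change. The enclosing function starts and ends outside the hunk, and the hunks in 940-cleanup-offload-hooks-on-netdev-unregister.patch are offset renumbering only.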
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -337,10 +337,41 @@ static void xt_flowoffload_table_cleanup
+@@ -340,10 +340,41 @@ static void xt_flowoffload_table_cleanup
 nf_flow_table_free(table);
 }
@@ -81,7 +81,7 @@ Signed-off-by: Chen Minqiang
 INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work);
 ret = xt_flowoffload_table_init(&nf_flowtable);
-@@ -358,6 +389,7 @@ static void __exit xt_flowoffload_tg_exi
+@@ -361,6 +392,7 @@ static void __exit xt_flowoffload_tg_exi
 {
 xt_unregister_target(&offload_tg_reg);
 xt_flowoffload_table_cleanup(&nf_flowtable);
-- 
2.30.2