AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-14 23:36:45 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity

netfilter: nft_flow_offload: set liberal tracking mode for tcp

Browse Source 
Without it, whenever a packet has to be pushed up the stack (e.g. because
of mtu mismatch), then conntrack will flag packets as invalid, which in
turn breaks NAT.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal 2019-05-21 13:24:31 +02:00 committed by Pablo Neira Ayuso
parent e75b3e1c9b
commit 8437a6209f
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
net/netfilter/nft_flow_offload.c
View File

@ -72,6 +72,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
struct nf_flow_route route;
struct flow_offload *flow;
enum ip_conntrack_dir dir;
bool is_tcp = false;
struct nf_conn *ct;
int ret;
@ -84,6 +85,8 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
case IPPROTO_TCP:
is_tcp = true;
break;
case IPPROTO_UDP:
break;
default:
@ -108,6 +111,11 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
if (!flow)
goto err_flow_alloc;
if (is_tcp) {
ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
}
ret = flow_offload_add(flowtable, flow);
if (ret < 0)
goto err_flow_add;