netfilter: nft_flow_offload: add entry to flowtable after confirmation
[ Upstream commit 270a8a297f42ecff82060aaa53118361f09c1f7d ]
This is fixing flow offload for UDP traffic where packets only follow
one single direction.
The flow_offload_fixup_tcp() mechanism works fine in case that the
offloaded entry remains in SYN_RECV state, given sequence tracking is
reset and that conntrack handles syn+ack packets as a retransmission, ie.
sES + synack => sIG
for reply traffic.
Fixes: a3c90f7a23 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Pablo Neira Ayuso
Greg Kroah-Hartman
parent
7939468446
commit
8480fbeb0b
1 changed files with 1 additions and 2 deletions
|
|
@ -103,8 +103,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
|
|||
ct->status & IPS_SEQ_ADJUST)
|
||||
goto out;
|
||||
|
||||
if (ctinfo == IP_CT_NEW ||
|
||||
ctinfo == IP_CT_RELATED)
|
||||
if (!nf_ct_is_confirmed(ct))
|
||||
goto out;
|
||||
|
||||
if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue