diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-04-29 11:54:56 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-04-30 13:48:23 +0200 |
commit | 270a8a297f42ecff82060aaa53118361f09c1f7d (patch) | |
tree | 436b22c38eb28d4c9978b8db84dcca0fa04dd3a1 /net | |
parent | netfilter: nf_tables: delay chain policy update until transaction is complete (diff) | |
download | linux-270a8a297f42ecff82060aaa53118361f09c1f7d.tar.xz linux-270a8a297f42ecff82060aaa53118361f09c1f7d.zip |
netfilter: nft_flow_offload: add entry to flowtable after confirmation
This is fixing flow offload for UDP traffic where packets only follow
one single direction.
The flow_offload_fixup_tcp() mechanism works fine in case that the
offloaded entry remains in SYN_RECV state, given sequence tracking is
reset and that conntrack handles syn+ack packets as a retransmission, ie.
sES + synack => sIG
for reply traffic.
Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nft_flow_offload.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 6e6b9adf7d38..8968c7f5a72e 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -94,8 +94,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, if (help) goto out; - if (ctinfo == IP_CT_NEW || - ctinfo == IP_CT_RELATED) + if (!nf_ct_is_confirmed(ct)) goto out; if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status)) |