author | Florian Westphal <fw@strlen.de> | 2019-05-21 13:24:31 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-07-10 09:53:30 +0200 |
commit | 48f611ecea0e67ba2065074e2c0f20bfcb860f85 (patch) | |
tree | b1d1c79864c193137e5cb63ad3507198052b046c /net | |
parent | 3b2734bc839d188e44934f5f2f4fe9a487bdaa47 (diff) | |
netfilter: nft_flow_offload: set liberal tracking mode for tcp
commit 8437a6209f76f85a2db1abb12a9bde2170801617 upstream.
Without it, whenever a packet has to be pushed up the stack (e.g. because
of an MTU mismatch), conntrack will flag the packets as invalid, which in
turn breaks NAT.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nft_flow_offload.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 7f85af4c40ff..b63729350d97 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -72,6 +72,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 struct nf_flow_route route;
 struct flow_offload *flow;
 enum ip_conntrack_dir dir;
+ bool is_tcp = false;
 struct nf_conn *ct;
 int ret;
@@ -84,6 +85,8 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
 case IPPROTO_TCP:
+ is_tcp = true;
+ break;
 case IPPROTO_UDP:
 break;
 default:
@@ -109,6 +112,11 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 if (!flow)
 goto err_flow_alloc;
+ if (is_tcp) {
+ ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
+ ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
+ }
+
 ret = flow_offload_add(flowtable, flow);
 if (ret < 0)
 goto err_flow_add; |
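Review bot: In the third hunk the `IP_CT_TCP_FLAG_BE_LIBERAL` bits are OR-ed into `ct->proto.tcp.seen[0/1].flags` before `flow_offload_add()` and are not undone on the `err_flow_add` path, so a conntrack entry whose offload failed keeps TCP window tracking disabled for the rest of its lifetime (nothing in this hunk clears the flag; whether some other path does is outside what is shown). Clearing it on the error path is not a clean fix, because the same flag may already have been set on the entry by other means (ctnetlink can set per-connection TCP flags) and would be clobbered; moving the block after the `ret < 0` check ties it to a successful offload instead. This is also a security-relevant trade-off that neither the code nor the commit message spells out: liberal mode disables the out-of-window check for this connection in both directions, so segments with arbitrary sequence numbers are accepted by conntrack and NATed as part of the flow, which is exactly the check that blunts blind off-path injection; a comment at the site should say why that is accepted here. A plain `|=` on a flag word the TCP tracker also updates is presumably done under `ct->lock` elsewhere, so whether the lockless read-modify-write can lose a concurrent update is worth confirming. `nft_flow_offload_eval` begins before the first hunk and ends after the last.
```c
	ret = flow_offload_add(flowtable, flow);
	if (ret < 0)
		goto err_flow_add;

	/*
	 * Offloaded packets bypass conntrack, so its TCP window state goes
	 * stale; a packet of this flow later pushed back up the stack (e.g.
	 * on MTU mismatch) would be flagged INVALID and break NAT.  Liberal
	 * mode turns off the out-of-window check for this connection only,
	 * at the cost of also accepting off-path segments with arbitrary
	 * sequence numbers.  Set it only once the flow is actually offloaded
	 * so a failed add leaves the entry's tracking untouched.
	 */
	if (is_tcp) {
		ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
	}
	/* … unchanged: remainder of nft_flow_offload_eval … */
```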