Sync iptables FLOWOFFLOAD target with upstream nft_flow_offload.c, which fixes the issue.
Fixes: FS#3649
Signed-off-by: DENG Qingfang <dqf...@gmail.com>
---
Note: I am by no means an expert on Netfilter subsystem. I just kind of copied and pasted upstream nft_flow_offload.c here, which seemed to work. A fix for kernel 5.10 is also required.
 .../650-netfilter-add-xt_OFFLOAD-target.patch | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
index d584cb5c6c..567ebe4528 100644
--- a/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-5.4/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,427 @@
+@@ -0,0 +1,422 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <n...@nbd.name>
 + *
@@ -315,7 +315,6 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 + fl.u.ip4.flowi4_oif = ifindex;
 + break;
 + case NFPROTO_IPV6:
-+ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
 + fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
 + fl.u.ip6.flowi6_oif = ifindex;
 + break;
@@ -333,13 +332,13 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 +{
 + struct dst_entry *this_dst, *other_dst;
 +
-+ this_dst = xt_flowoffload_dst(ct, !dir, par, xt_out(par)->ifindex);
++ this_dst = skb_dst(skb);
 + other_dst = xt_flowoffload_dst(ct, dir, par, xt_in(par)->ifindex);
 +
 + route->tuple[dir].dst = this_dst;
 + route->tuple[!dir].dst = other_dst;
 +
-+ if (!this_dst || !other_dst)
++ if (!other_dst)
 + return -ENOENT;
 +
 + if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
@@ -390,9 +389,6 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 + if (!nf_ct_is_confirmed(ct))
 + return XT_CONTINUE;
 +
-+ if (!xt_in(par) || !xt_out(par))
-+ return XT_CONTINUE;
-+
 + if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
 + return XT_CONTINUE;
 +
@@ -401,7 +397,6 @@ Signed-off-by: Felix Fietkau <n...@nbd.name>
 + if (xt_flowoffload_route(skb, ct, par, &route, dir) == 0)
 + flow = flow_offload_alloc(ct, &route);
 +
-+ dst_release(route.tuple[dir].dst);
 + dst_release(route.tuple[!dir].dst);
 +
 + if (!flow)
--
2.25.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
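Review bot: Dropping the `if (!xt_in(par) || !xt_out(par)) return XT_CONTINUE;` guard leaves `xt_in(par)->ifindex` in xt_flowoffload_route (the hunk at -333) dereferenced with no NULL check, and the new `this_dst = skb_dst(skb)` reaches `dst_xfrm(this_dst)` after a test that now covers only `other_dst`. Both are safe only if the target can run solely in FORWARD, where an input device and a routed dst are always present; upstream nft_flow_offload.c gets that from its chain validation, and whether this target has an equivalent restriction is not visible in these hunks. Without one, a rule placed in another chain would let ordinary traffic hit a kernel NULL dereference. I would keep a guard such as `if (!xt_in(par) || !skb_dst(skb)) return XT_CONTINUE;` ahead of the `test_and_set_bit()` call, or restrict the target with `.hooks = 1 << NF_INET_FORWARD` in its registration. Both functions begin and end outside the hunks.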
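Review bot: The ownership of the two route entries is now asymmetric and nothing in the code says so: `route.tuple[dir].dst` is the skb's own dst obtained with `skb_dst(skb)` without taking a reference, while `route.tuple[!dir].dst` is the looked-up route that this function still has to release. A comment above the remaining release would keep a later edit from re-adding the dropped `dst_release()` (an extra put on a dst this code never held) or from keeping the borrowed pointer past the packet, e.g. `/* tuple[dir].dst is borrowed from the skb; only the reverse route was looked up here and needs releasing */`. This relies on flow_offload_alloc() taking its own references on both entries, which is outside the hunk and worth confirming for the 5.4 tree.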