Once we have a confirmed conntrack, ie. a packet went through the stack and a conntrack was added, then allow second packet to configure the flowtable offload. This allows UDP media traffic going in only one direction to enable offloads. Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx> --- net/netfilter/nft_flow_offload.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index d6bab8c3cbb0..f2e95edfb4de 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -88,14 +88,9 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, goto out; } - if (test_bit(IPS_HELPER_BIT, &ct->status)) - goto out; - - if (ctinfo == IP_CT_NEW || - ctinfo == IP_CT_RELATED) - goto out; - - if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status)) + if (test_bit(IPS_HELPER_BIT, &ct->status) || + !test_bit(IPS_CONFIRMED_BIT, &ct->status) || + test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status)) goto out; dir = CTINFO2DIR(ctinfo); -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
