On Mon, Apr 29, 2019 at 12:19:42PM +0200, Pablo Neira Ayuso wrote:
> This is fixing flow offload for UDP traffic where packets only follow
> one single direction.
>
> The nf_ct_tcp_fixup() mechanism works fine in case that the offloaded

BTW: s/nf_ct_tcp_fixup()/flow_offload_fixup_tcp()/

I was referring to the wrong function, for the record.

> entry remains in SYN_RECV state, given sequence tracking is reset and
> that conntrack handles syn+ack packets as a retransmission, ie.
>
>    sES + synack => sIG
>
> for reply traffic.
>
> Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> --- > net/netfilter/nft_flow_offload.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c > index 6e6b9adf7d38..8968c7f5a72e 100644 > --- a/net/netfilter/nft_flow_offload.c > +++ b/net/netfilter/nft_flow_offload.c > @@ -94,8 +94,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, > if (help) > goto out; > > - if (ctinfo == IP_CT_NEW || > - ctinfo == IP_CT_RELATED) > + if (!nf_ct_is_confirmed(ct)) > goto out; > > if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status)) > -- > 2.11.0 >
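Review bot: the replacement test `if (!nf_ct_is_confirmed(ct))` in nft_flow_offload_eval() also drops the old `ctinfo == IP_CT_RELATED` exclusion, and the commit message does not cover that case. It explains the one-direction UDP flow and the TCP entry left in SYN_RECV, but not whether a packet that carries IP_CT_RELATED on an already confirmed entry is now meant to reach `test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status)`. Either state in the commit message that this is intended, or keep the IP_CT_RELATED part of the test next to the confirmed check. A one-line comment above the new condition saying why confirmation, rather than ctinfo, is the gate for offload would also help the next reader, since the change is not UDP-specific even though the description is.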