Sometimes the flowtable datapath passes packets up to the classic forwarding path, e.g. in the MTU exceeded case. Skip TCP tracking; otherwise these packets are considered invalid by conntrack. Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure") Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- This is a fix, but I'm routing it through nf-next at this stage. net/netfilter/nf_conntrack_proto_tcp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index d1582b888c0d..e0a1f86910ec 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -889,6 +889,9 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, if (!nf_ct_is_confirmed(ct) && !tcp_new(ct, skb, dataoff, th)) return -NF_ACCEPT; + if (unlikely(test_bit(IPS_OFFLOAD_BIT, &ct->status))) + return NF_ACCEPT; + spin_lock_bh(&ct->lock); old_state = ct->proto.tcp.state; dir = CTINFO2DIR(ctinfo); -- 2.30.2
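Review bot: the early `return NF_ACCEPT` on `IPS_OFFLOAD_BIT` skips the whole TCP state machine for packets that the flowtable hands back to the slow path, so a FIN or RST seen here while the entry is offloaded will not move `ct->proto.tcp.state` or adjust the window bookkeeping under `ct->lock`; the commit message should say whether the flowtable's own teardown handling is expected to cover that, or whether only non-control packets (the MTU exceeded case named above) are expected to reach this point. Placing the check after the `!nf_ct_is_confirmed(ct) && !tcp_new(...)` branch looks right, since only confirmed entries carry the offload bit, but a one-line comment above the new `if` stating why offloaded flows bypass window validation would save the next reader from rediscovering the reasoning.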