Florian Westphal <fw@xxxxxxxxx> wrote: > No idea, but it was intentional, see > b6f27d322a0a ("netfilter: nf_flow_table: tear down TCP flows if RST or FIN was seen") Maybe: diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -28,10 +28,8 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto, return 0; tcph = (void *)(skb_network_header(skb) + thoff); - if (unlikely(tcph->fin || tcph->rst)) { - flow_offload_teardown(flow); + if (unlikely(tcph->fin || tcph->rst)) return -1; - } return 0; } ? This will let gc step clean the entry from the flowtable.
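Review bot: dropping the flow_offload_teardown() call in this hunk changes the semantics, not just the control flow: the retained `return -1;` only sends this one FIN/RST packet to the slow path, while the flow entry stays in the flowtable until gc expires it by timeout, so later segments of the same connection that carry neither FIN nor RST would still match the entry and take the fast path in the meantime. Since the quoted context states the teardown on FIN/RST was intentional (b6f27d322a0a), the change description should say why a timeout-based cleanup is acceptable here and what the window until gc runs means for the conntrack side; otherwise keep the `flow_offload_teardown(flow);` line and address whatever motivated the change separately.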