netfilter: nft_flow_offload: set liberal tracking mode for tcp

Without it, whenever a packet has to be pushed up the stack (e.g. because of mtu mismatch), then conntrack will flag packets as invalid, which in turn breaks NAT. Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nft_flow_offload: set liberal tracking mode for tcp
Without it, whenever a packet has to be pushed up the stack (e.g. because of mtu mismatch), then conntrack will flag packets as invalid, which in turn breaks NAT. Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
8437a620 · Florian Westphal · Pablo Neira Ayuso · e75b3e1c · 8437a620
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

net/netfilter/nft_flow_offload.c net/netfilter/nft_flow_offload.c +8 -0

未找到文件。
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -72,6 +72,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 	struct nf_flow_route route;
 	struct flow_offload *flow;
 	enum ip_conntrack_dir dir;
+	bool is_tcp = false;
 	struct nf_conn *ct;
 	int ret;

@@ -84,6 +85,8 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,

 	switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
 	case IPPROTO_TCP:
+		is_tcp = true;
+		break;
 	case IPPROTO_UDP:
 		break;
 	default:
@@ -108,6 +111,11 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 	if (!flow)
 		goto err_flow_alloc;

+	if (is_tcp) {
+		ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
+		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
+	}
+
 	ret = flow_offload_add(flowtable, flow);
 	if (ret < 0)
 		goto err_flow_add;