diff --git a/target/linux/generic/hack-4.19/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.19/650-netfilter-add-xt_OFFLOAD-target.patch
index bc5a5eba58..80bc1cdeff 100644
--- a/target/linux/generic/hack-4.19/650-netfilter-add-xt_OFFLOAD-target.patch
+++ b/target/linux/generic/hack-4.19/650-netfilter-add-xt_OFFLOAD-target.patch
@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,383 @@
+@@ -0,0 +1,387 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau
 + *
@@ -344,13 +344,13 @@ Signed-off-by: Felix Fietkau
 +flowoffload_tg(struct sk_buff *skb, const struct xt_action_param *par)
 +{
 + const struct xt_flowoffload_target_info *info = par->targinfo;
++ struct tcphdr _tcph, *tcph = NULL;
 + enum ip_conntrack_info ctinfo;
 + enum ip_conntrack_dir dir;
 + struct nf_flow_route route;
 + struct flow_offload *flow;
 + struct nf_conn *ct;
 + struct net *net;
-+ bool is_tcp = false;
 +
 + if (xt_flowoffload_skip(skb, xt_family(par)))
 + return XT_CONTINUE;
@@ -363,7 +363,11 @@ Signed-off-by: Felix Fietkau
 + case IPPROTO_TCP:
 + if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
 + return XT_CONTINUE;
-+ is_tcp = true;
++
++ tcph = skb_header_pointer(skb, par->thoff,
++ sizeof(_tcph), &_tcph);
++ if (unlikely(!tcph || tcph->fin || tcph->rst))
++ return XT_CONTINUE;
 + break;
 + case IPPROTO_UDP:
 + break;
@@ -393,7 +397,7 @@ Signed-off-by: Felix Fietkau
 + if (!flow)
 + goto err_flow_alloc;
 +
-+ if (is_tcp) {
++ if (tcph) {
 + ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 + ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 + }
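Review bot: In the hunk at `-363,7 +363,11`, the TCP header is fetched at `par->thoff`, and the `!tcph` check only catches a packet too short to hold a `struct tcphdr`; it does not confirm that the offset really points at the transport header. Whether `thoff` is populated for every family and rule shape that can reach this target (for example an IPv6 rule with no protocol match) is not visible in this patch and should be confirmed, because a wrong offset would take the FIN/RST bits from unrelated bytes and let a closing connection be offloaded anyway. A comment above the call stating that assumption, e.g. `/* par->thoff must be the TCP header offset; verify for IPv6 rules without -p */`, would make the dependency explicit. `flowoffload_tg` continues outside this hunk.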
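Review bot: In the hunk at `-393,7 +397,7`, `if (tcph)` now uses the header pointer as the "flow is TCP" flag, which is only correct because the TCP case returns early when `skb_header_pointer()` yields NULL and no other case assigns the pointer. That coupling is easy to break in a later edit, and the branch sets `IP_CT_TCP_FLAG_BE_LIBERAL`, which relaxes conntrack's TCP window checking for the flow, so it deserves a comment such as `/* tcph is non-NULL only for TCP flows that passed the FIN/RST check */`. The function body between the two hunks is not visible here.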