diff options
| -rw-r--r-- | net/netfilter/nf_flow_table_core.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index df72b0376970..bdde469bbbd1 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -161,10 +161,20 @@ void flow_offload_route_init(struct flow_offload *flow, } EXPORT_SYMBOL_GPL(flow_offload_route_init); -static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp) +static void flow_offload_fixup_tcp(struct nf_conn *ct) { + struct ip_ct_tcp *tcp = &ct->proto.tcp; + + spin_lock_bh(&ct->lock); + /* Conntrack state is outdated due to offload bypass. + * Clear IP_CT_TCP_FLAG_MAXACK_SET, otherwise conntracks + * TCP reset validation will fail. + */ tcp->seen[0].td_maxwin = 0; + tcp->seen[0].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET; tcp->seen[1].td_maxwin = 0; + tcp->seen[1].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET; + spin_unlock_bh(&ct->lock); } static void flow_offload_fixup_ct(struct nf_conn *ct) @@ -176,7 +186,7 @@ static void flow_offload_fixup_ct(struct nf_conn *ct) if (l4num == IPPROTO_TCP) { struct nf_tcp_net *tn = nf_tcp_pernet(net); - flow_offload_fixup_tcp(&ct->proto.tcp); + flow_offload_fixup_tcp(ct); timeout = tn->timeouts[ct->proto.tcp.state]; timeout -= tn->offload_timeout; |