[OpenWrt-Devel] 090-backport_netfilter_rtcache.patch and IPsec routing/connection errors/packet loss
Stijn Tintel
stijn at linux-ipv6.be
Tue Dec 23 16:59:28 EST 2014
On 23-12-14 20:11, Andre Valentin wrote:
> Hi!
>
> I just recompiled the module and loaded it on the router. But it seems that this does not fix the error. 5 minutes later I got several alerts (ping checks).
The workaround below seems to work for me. How did you apply this patch
to the OpenWrt code?
>> Untested workaround.
>> I'll look into this in more detail over the holidays.
>>
>> netfilter: rtcache: don't cache dst for skb with active transformer
>>
>> diff --git a/net/netfilter/nf_conntrack_rtcache.c b/net/netfilter/nf_conntrack_rtcache.c
>> --- a/net/netfilter/nf_conntrack_rtcache.c
>> +++ b/net/netfilter/nf_conntrack_rtcache.c
>> @@ -19,6 +19,7 @@
>> #include <linux/module.h>
>>
>> #include <net/dst.h>
>> +#include <net/xfrm.h>
>>
>> #include <net/netfilter/nf_conntrack.h>
>> #include <net/netfilter/nf_conntrack_core.h>
>> @@ -191,6 +192,9 @@ static unsigned int nf_rtcache_forward(const struct nf_hook_ops *ops,
>> struct nf_conn *ct;
>> int iif;
>>
>> + if (secpath_exists(skb))
>> + return NF_ACCEPT;
>> +
>> ct = nf_ct_get(skb, &ctinfo);
>> if (!ct)
>> return NF_ACCEPT;
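Review bot: the early return added at the top of nf_rtcache_forward() has no comment saying why packets with a secpath must bypass the route cache, and the subject line ("skb with active transformer") does not quite match what the test does, since secpath_exists(skb) is true for an skb that already carries a secpath. A one-line comment above the check, plus a sentence in the commit message stating which direction of IPsec traffic this is meant to cover, would make the intent reviewable. Only the forward hook is guarded in the visible lines; if another hook in this file reuses the cached dst, it is worth confirming whether it needs the same check, given that one tester in this thread still sees ping failures with the patch loaded.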
Kind regards,
Stijn
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel