[OpenWrt-Devel] 090-backport_netfilter_rtcache.patch and IPsec routing/connection errors/packet loss

Stijn Tintel stijn at linux-ipv6.be
Tue Dec 23 16:59:28 EST 2014


On 23-12-14 20:11, Andre Valentin wrote:
> Hi!
>
> I just recompiled the module and loaded it on the router. But it seems that this does not fix the error. 5 minutes later I got several alerts (ping checks).
The workaround below seems to work for me. How did you apply this patch to the OpenWrt code?
>> Untested workaround.
>> I'll look into this in more detail over the holidays.
>>
>> netfilter: rtcache: don't cache dst for skb with active transformer
>>
>> diff --git a/net/netfilter/nf_conntrack_rtcache.c b/net/netfilter/nf_conntrack_rtcache.c
>> --- a/net/netfilter/nf_conntrack_rtcache.c
>> +++ b/net/netfilter/nf_conntrack_rtcache.c
>> @@ -19,6 +19,7 @@
>>  #include <linux/module.h>
>>
>>  #include <net/dst.h>
>> +#include <net/xfrm.h>
>>
>>  #include <net/netfilter/nf_conntrack.h>
>>  #include <net/netfilter/nf_conntrack_core.h>
>> @@ -191,6 +192,9 @@ static unsigned int nf_rtcache_forward(const struct nf_hook_ops *ops,
>>         struct nf_conn *ct;
>>         int iif;
>>
>> +       if (secpath_exists(skb))
>> +               return NF_ACCEPT;
>> +
>>         ct = nf_ct_get(skb, &ctinfo);
>>         if (!ct)
>>                 return NF_ACCEPT;
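Review bot: the early return added at the top of nf_rtcache_forward() has no comment, and it tests secpath_exists(skb) while the subject line speaks of an skb with an "active transformer". A short comment above the check should say which IPsec packets it is meant to keep out of the route cache, so a reader can tell whether a packet that already carries a secpath is the same case the subject describes. The hunk guards only the forward hook, so it is also worth confirming that the hook which reuses the cached dst needs no equivalent check. The quoted reply earlier in this message reports ping alerts continuing with the rebuilt module, which is a reason to re-check the condition before this goes in.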
Kind regards,
Stijn