target/linux/generic/backport-4.14/354-v4.18-netfilter-nf_flow_table-move-ip-header-check-out-of-.patch

   1 From: Felix Fietkau <nbd@nbd.name>
   2 Date: Sat, 17 Feb 2018 11:51:20 +0100
   3 Subject: [PATCH] netfilter: nf_flow_table: move ip header check out of
   4  nf_flow_exceeds_mtu
   5
   6 Allows the function to be shared with the IPv6 hook code
   7
   8 Signed-off-by: Felix Fietkau <nbd@nbd.name>
   9 ---
  10
  11 --- a/net/netfilter/nf_flow_table_ip.c
  12 +++ b/net/netfilter/nf_flow_table_ip.c
  13 @@ -181,9 +181,6 @@ static bool nf_flow_exceeds_mtu(const st
  14         if (skb->len <= mtu)
  15                 return false;
  16
  17 -       if ((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0)
  18 -               return false;
  19 -
  20         if (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))
  21                 return false;
  22
  23 @@ -222,7 +219,8 @@ nf_flow_offload_ip_hook(void *priv, stru
  24         flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
  25         rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
  26
  27 -       if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
  28 +       if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&
  29 +           (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)
  30                 return NF_ACCEPT;
  31
  32         if (skb_try_make_writable(skb, sizeof(*iph)))