kernel: fix ipsec related regression in the netfilter rtcache patch

Signed-off-by: Felix Fietkau <[email protected]>

SVN-Revision: 44913

target/linux/generic/patches-3.14/090-backport_netfilter_rtcache.patch

@@ -115,7 +115,7 @@ Signed-off-by: Florian Westphal <[email protected]>
  obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
 --- /dev/null
 +++ b/net/netfilter/nf_conntrack_rtcache.c
-@@ -0,0 +1,386 @@
+@@ -0,0 +1,390 @@
 +/* route cache for netfilter.
 + *
 + * (C) 2014 Red Hat GmbH
@@ -307,12 +307,16 @@ Signed-off-by: Florian Westphal <[email protected]>
 +	enum ip_conntrack_info ctinfo;
 +	enum ip_conntrack_dir dir;
 +	struct nf_conn *ct;
++	struct dst_entry *dst = skb_dst(skb);
 +	int iif;
 +
 +	ct = nf_ct_get(skb, &ctinfo);
 +	if (!ct)
 +		return NF_ACCEPT;
 +
++	if (dst && dst_xfrm(dst))
++		return NF_ACCEPT;
++
 +	if (!nf_ct_is_confirmed(ct)) {
 +		if (WARN_ON(nf_ct_rtcache_find(ct)))
 +			return NF_ACCEPT;

target/linux/generic/patches-3.18/050-backport_netfilter_rtcache.patch

@@ -115,7 +115,7 @@ Signed-off-by: Florian Westphal <[email protected]>
  obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
 --- /dev/null
 +++ b/net/netfilter/nf_conntrack_rtcache.c
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,391 @@
 +/* route cache for netfilter.
 + *
 + * (C) 2014 Red Hat GmbH
@@ -307,12 +307,16 @@ Signed-off-by: Florian Westphal <[email protected]>
 +	enum ip_conntrack_info ctinfo;
 +	enum ip_conntrack_dir dir;
 +	struct nf_conn *ct;
++	struct dst_entry *dst = skb_dst(skb);
 +	int iif;
 +
 +	ct = nf_ct_get(skb, &ctinfo);
 +	if (!ct)
 +		return NF_ACCEPT;
 +
++	if (dst && dst_xfrm(dst))
++		return NF_ACCEPT;
++
 +	if (!nf_ct_is_confirmed(ct)) {
 +		if (WARN_ON(nf_ct_rtcache_find(ct)))
 +			return NF_ACCEPT;

target/linux/generic/patches-3.19/050-backport_netfilter_rtcache.patch

@@ -115,7 +115,7 @@ Signed-off-by: Florian Westphal <[email protected]>
  obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
 --- /dev/null
 +++ b/net/netfilter/nf_conntrack_rtcache.c
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,391 @@
 +/* route cache for netfilter.
 + *
 + * (C) 2014 Red Hat GmbH
@@ -307,12 +307,16 @@ Signed-off-by: Florian Westphal <[email protected]>
 +	enum ip_conntrack_info ctinfo;
 +	enum ip_conntrack_dir dir;
 +	struct nf_conn *ct;
++	struct dst_entry *dst = skb_dst(skb);
 +	int iif;
 +
 +	ct = nf_ct_get(skb, &ctinfo);
 +	if (!ct)
 +		return NF_ACCEPT;
 +
++	if (dst && dst_xfrm(dst))
++		return NF_ACCEPT;
++
 +	if (!nf_ct_is_confirmed(ct)) {
 +		if (WARN_ON(nf_ct_rtcache_find(ct)))
 +			return NF_ACCEPT;

target/linux/generic/patches-4.0/050-backport_netfilter_rtcache.patch

@@ -115,7 +115,7 @@ Signed-off-by: Florian Westphal <[email protected]>
  obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
 --- /dev/null
 +++ b/net/netfilter/nf_conntrack_rtcache.c
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,391 @@
 +/* route cache for netfilter.
 + *
 + * (C) 2014 Red Hat GmbH
@@ -307,12 +307,16 @@ Signed-off-by: Florian Westphal <[email protected]>
 +	enum ip_conntrack_info ctinfo;
 +	enum ip_conntrack_dir dir;
 +	struct nf_conn *ct;
++	struct dst_entry *dst = skb_dst(skb);
 +	int iif;
 +
 +	ct = nf_ct_get(skb, &ctinfo);
 +	if (!ct)
 +		return NF_ACCEPT;
 +
++	if (dst && dst_xfrm(dst))
++		return NF_ACCEPT;
++
 +	if (!nf_ct_is_confirmed(ct)) {
 +		if (WARN_ON(nf_ct_rtcache_find(ct)))
 +			return NF_ACCEPT;