[][openwrt][mt7988][crypto][prevent hnat bind UDP flow]
[Description]
Change HNAT binding flow.
HNAT will not bind UDP encrypted flow since EIP197 HW does not support
fragmentation. If we bind UDP flow to encryption, it will possibly cause
network fail due to fragmentation.
[Release-log]
N/A
Change-Id: I421b20e39ccbc91b805ce2977fa662a121a0db4b
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/7962051
diff --git a/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch b/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch
index 360be72..75880ed 100644
--- a/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch
+++ b/target/linux/mediatek/patches-5.4/999-4102-mtk-crypto-offload-support.patch
@@ -95,7 +95,22 @@
return 0;
ct = nf_ct_get(skb, &ctinfo);
-@@ -3005,7 +3017,10 @@ mtk_hnat_ipv4_nf_local_out(void *priv, s
+@@ -2709,6 +2721,14 @@ static unsigned int mtk_hnat_nf_post_rou
+ }
+ }
+
++ /* we are not support protocols other than IPv4 TCP for crypto offload yet */
++ if (skb_hnat_is_decrypt(skb)
++ && (ntohs(skb->protocol) != ETH_P_IP
++ || ip_hdr(skb)->protocol != IPPROTO_TCP)) {
++ skb_hnat_alg(skb) = 1;
++ return 0;
++ }
++
+ if (!IS_LAN_GRP(out) && !IS_WAN(out) && !IS_EXT(out))
+ is_virt_dev = true;
+
+@@ -3016,7 +3036,10 @@ mtk_hnat_ipv4_nf_local_out(void *priv, s
if (iph->protocol == IPPROTO_IPV6) {
entry->udib1.pkt_type = IPV6_6RD;
hnat_set_head_frags(state, skb, 0, hnat_set_alg);