netfilter: flowtable: teardown flow if cached mtu is stale

Tear down the flow entry in the unlikely case that the interface mtu
changes, this gives the flow a chance to refresh the cached mtu,
otherwise such refresh does not occur until flow entry expires.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 98edcaa37b38d46f8236dd5ef1dff569581b8777..a22856106383e23745063d418741410ba03969d3 100644 (file)
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -377,8 +377,10 @@ static int nf_flow_offload_forward(struct nf_flowtable_ctx *ctx,
        flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
 
        mtu = flow->tuplehash[dir].tuple.mtu + ctx->offset;
-       if (unlikely(nf_flow_exceeds_mtu(skb, mtu)))
+       if (unlikely(nf_flow_exceeds_mtu(skb, mtu))) {
+               flow_offload_teardown(flow);
                return 0;
+       }
 
        iph = (struct iphdr *)(skb_network_header(skb) + ctx->offset);
        thoff = (iph->ihl * 4) + ctx->offset;
@@ -656,8 +658,10 @@ static int nf_flow_offload_ipv6_forward(struct nf_flowtable_ctx *ctx,
        flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
 
        mtu = flow->tuplehash[dir].tuple.mtu + ctx->offset;
-       if (unlikely(nf_flow_exceeds_mtu(skb, mtu)))
+       if (unlikely(nf_flow_exceeds_mtu(skb, mtu))) {
+               flow_offload_teardown(flow);
                return 0;
+       }
 
        ip6h = (struct ipv6hdr *)(skb_network_header(skb) + ctx->offset);
        thoff = sizeof(*ip6h) + ctx->offset;