On 2/24/2020 6:04 PM, Edward Cree wrote:

On 23/02/2020 11:45, Paul Blakey wrote:

quoted

Offload nf conntrack processing by looking up the 5-tuple in the
zone's flow table.

The nf conntrack module will process the packets until a connection is
in established state. Once in established state, the ct state pointer
(nf_conn) will be restored on the skb from a successful ft lookup.

Signed-off-by: Paul Blakey <redacted>
Acked-by: Jiri Pirko <redacted>
---
 net/sched/act_ct.c | 163 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 160 insertions(+), 3 deletions(-)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index b2bc885..3592e24 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c

<snip>

quoted

@@ -645,6 +802,7 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 			goto out_push;
 	}
 
+do_nat:
 	ct = nf_ct_get(skb, &ctinfo);
 	if (!ct)
 		goto out_push;

@@ -662,9 +820,8 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 		 * even if the connection is already confirmed.
 		 */
 		nf_conntrack_confirm(skb);
-	}
-
-	tcf_ct_flow_table_process_conn(p->ct_ft, ct, ctinfo);
+	} else if (!skip_add)
+		tcf_ct_flow_table_process_conn(p->ct_ft, ct, ctinfo);
 

Elseif body should be enclosed in braces, since if body was.
-ed

thanks, will do