kernel: avoid flow offload for connections with xfrm on the dst entry (should fix IPSec)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(backported from b560c1748a4edf0d02046e5a988cc0caf1f4f987)
(rebased patches)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch

@@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 --- /dev/null
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,368 @@
 +/*
 + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
 + *
@@ -326,6 +326,9 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +	if (!this_dst || !other_dst)
 +		return -ENOENT;
 +
++	if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
++		return -EINVAL;
++
 +	route->tuple[dir].dst		= this_dst;
 +	route->tuple[dir].ifindex	= xt_in(par)->ifindex;
 +	route->tuple[!dir].dst		= other_dst;

target/linux/generic/hack-4.14/940-cleanup-offload-hooks-on-netdev-unregister.patch

@@ -39,7 +39,7 @@ Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
 
 --- a/net/netfilter/xt_FLOWOFFLOAD.c
 +++ b/net/netfilter/xt_FLOWOFFLOAD.c
-@@ -337,10 +337,41 @@ static void xt_flowoffload_table_cleanup
+@@ -340,10 +340,41 @@ static void xt_flowoffload_table_cleanup
  	nf_flow_table_free(table);
  }
  
@@ -81,7 +81,7 @@ Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
  	INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work);
  
  	ret = xt_flowoffload_table_init(&nf_flowtable);
-@@ -358,6 +389,7 @@ static void __exit xt_flowoffload_tg_exi
+@@ -361,6 +392,7 @@ static void __exit xt_flowoffload_tg_exi
  {
  	xt_unregister_target(&offload_tg_reg);
  	xt_flowoffload_table_cleanup(&nf_flowtable);