Pablo Neira Ayuso <pa...@netfilter.org> wrote: > +static void nft_flow_offload_eval(const struct nft_expr *expr, > + struct nft_regs *regs, > + const struct nft_pktinfo *pkt) > +{ [..] > + if (test_bit(IPS_HELPER_BIT, &ct->status)) > + goto out; > + > + if (ctinfo == IP_CT_NEW || > + ctinfo == IP_CT_RELATED) > + goto out;
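Review bot: In the ctinfo test at the end of the quoted hunk, only IP_CT_NEW and IP_CT_RELATED are skipped, so a packet with IP_CT_RELATED_REPLY would pass this check in the lines shown. If related traffic is meant to stay on the normal path, test for IP_CT_RELATED_REPLY as well, or add a comment saying why the reply direction is fine to offload. A one-line comment above the IPS_HELPER_BIT test stating why flows with a helper attached are excluded would also help later readers.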
Would it make sense to delay the offload decision until the l4 tracker has set the ASSURED bit?