author | Rafał Miłecki <zajec5@gmail.com> | 2014-10-27 18:14:39 +0000 |
---|---|---|
committer | Rafał Miłecki <zajec5@gmail.com> | 2014-10-27 18:14:39 +0000 |
commit | 1513b39a8c8e21e3f8fbebab9fb4c41040ccf695 (patch) | |
tree | 7c786effff410b4a96d29c920d60cd279236fbf7 /target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch | |
parent | 38e72c779e229933625d96d4355a0250123b6ce5 (diff) | |
kernel: start working on 3.18 support
This commit:
1) Copies 3.14 patches
2) Drops mainlined stuff
3) Modifies some patches to apply
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 43093
Diffstat (limited to 'target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch')
-rw-r--r-- | target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch
new file mode 100644
index 0000000000..247d3539c2
--- /dev/null
+++ b/target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch
@@ -0,0 +1,87 @@
+--- a/include/net/netns/conntrack.h
++++ b/include/net/netns/conntrack.h
+@@ -86,6 +86,7 @@ struct netns_ct {
+ struct ctl_table_header *helper_sysctl_header;
+ #endif
+ char *slabname;
++ int skip_filter;
+ unsigned int sysctl_log_invalid; /* Log invalid packets */
+ int sysctl_events;
+ int sysctl_acct;
+--- a/net/ipv4/netfilter/iptable_filter.c
++++ b/net/ipv4/netfilter/iptable_filter.c
+@@ -15,6 +15,7 @@
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/slab.h>
+ #include <net/ip.h>
++#include <net/netfilter/nf_conntrack.h>
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,7 @@ iptable_filter_hook(const struct nf_hook
+ const struct net_device *in, const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++ enum ip_conntrack_info ctinfo;
+ const struct net *net;
+ 
+ if (ops->hooknum == NF_INET_LOCAL_OUT &&
+@@ -46,6 +48,11 @@ iptable_filter_hook(const struct nf_hook
+ return NF_ACCEPT;
+ 
+ net = dev_net((in != NULL) ? in : out);
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
++
+ return ipt_do_table(skb, ops->hooknum, in, out,
+ net->ipv4.iptable_filter);
+ }
+--- a/net/ipv6/netfilter/ip6table_filter.c
++++ b/net/ipv6/netfilter/ip6table_filter.c
+@@ -13,6 +13,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <linux/slab.h>
++#include <net/netfilter/nf_conntrack.h>
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,12 @@ ip6table_filter_hook(const struct nf_hoo
+ int (*okfn)(struct sk_buff *))
+ {
+ const struct net *net = dev_net((in != NULL) ? in : out);
++ enum ip_conntrack_info ctinfo;
++
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
+ 
+ return ip6t_do_table(skb, ops->hooknum, in, out,
+ net->ipv6.ip6table_filter);
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -510,6 +510,13 @@ static struct ctl_table nf_ct_sysctl_tab
+ .extra2 = &log_invalid_proto_max,
+ },
+ {
++ .procname = "nf_conntrack_skip_filter",
++ .data = &init_net.ct.skip_filter,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++ {
+ .procname = "nf_conntrack_expect_max",
+ .data = &nf_ct_expect_max,
+ .maxlen = sizeof(int),
+@@ -545,6 +552,7 @@ static int nf_conntrack_standalone_init_
+ table[2].data = &net->ct.htable_size;
+ table[3].data = &net->ct.sysctl_checksum;
+ table[4].data = &net->ct.sysctl_log_invalid;
++ table[5].data = &net->ct.skip_filter;
+ 
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns)
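Review bot: The bypass added to iptable_filter_hook and ip6table_filter_hook discards the `struct nf_conn *` that `nf_ct_get()` returns and decides on `ctinfo` alone; `IP_CT_ESTABLISHED` is the first enumerator of `ip_conntrack_info` (value 0) and `nf_ct_get()` only copies `skb->nfctinfo`, so an skb that carries no conntrack entry (one that reached the hook without passing through `nf_conntrack_in()`, which I cannot rule out from this patch alone) reads as ESTABLISHED and, once `nf_conntrack_skip_filter` is set, skips the whole filter table rather than being filtered as an untracked packet. Keep the pointer and gate on it: declare `struct nf_conn *ct;` next to `ctinfo`, then `ct = nf_ct_get(skb, &ctinfo);` and `if (ct && net->ct.skip_filter && (ctinfo == IP_CT_ESTABLISHED || ctinfo == IP_CT_ESTABLISHED_REPLY)) return NF_ACCEPT;` in both hooks; testing `net->ct.skip_filter` first also keeps the default (0) path from reading conntrack state at all. The sysctl is undocumented anywhere in the patch, so a comment above each check such as `/* fast path: established flows bypass the filter table entirely, so filter rules that must see established traffic (rate limits, logging, string matches) are skipped while this sysctl is on */` would spare the next reader the surprise. Both hook functions begin before their hunks, and the ipv6 hook's closing brace lies outside the hunk as well.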