aboutsummaryrefslogtreecommitdiffstats
path: root/target
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2014-08-07 19:31:18 +0000
committerFelix Fietkau <nbd@openwrt.org>2014-08-07 19:31:18 +0000
commit4ae98309ff6b932dda5618ed941772a6bfb2bce5 (patch)
treee169ccbe97f54e99468854f707f4dd84b0e4c56c /target
parenta34084ecc3e7dcf84f95f180e1a5021cc8a5f332 (diff)
downloadupstream-4ae98309ff6b932dda5618ed941772a6bfb2bce5.tar.gz
upstream-4ae98309ff6b932dda5618ed941772a6bfb2bce5.tar.bz2
upstream-4ae98309ff6b932dda5618ed941772a6bfb2bce5.zip
kernel: add a patch to allow disabling processing of the netfilter "filter" table for established connection packets
Signed-off-by: Felix Fietkau <nbd@openwrt.org> Backport of r42046 git-svn-id: svn://svn.openwrt.org/openwrt/branches/barrier_breaker@42050 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target')
-rw-r--r--target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch87
1 files changed, 87 insertions, 0 deletions
diff --git a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
new file mode 100644
index 0000000000..a570834dc6
--- /dev/null
+++ b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
@@ -0,0 +1,87 @@
+--- a/include/net/netns/conntrack.h
++++ b/include/net/netns/conntrack.h
+@@ -80,6 +80,7 @@ struct netns_ct {
+ int sysctl_acct;
+ int sysctl_tstamp;
+ int sysctl_checksum;
++ int skip_filter;
+ unsigned int sysctl_log_invalid; /* Log invalid packets */
+ int sysctl_auto_assign_helper;
+ bool auto_assign_helper_warned;
+--- a/net/ipv4/netfilter/iptable_filter.c
++++ b/net/ipv4/netfilter/iptable_filter.c
+@@ -15,6 +15,7 @@
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/slab.h>
+ #include <net/ip.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,7 @@ iptable_filter_hook(unsigned int hook, s
+ const struct net_device *in, const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++ enum ip_conntrack_info ctinfo;
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT &&
+@@ -46,6 +48,11 @@ iptable_filter_hook(unsigned int hook, s
+ return NF_ACCEPT;
+
+ net = dev_net((in != NULL) ? in : out);
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
++
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
+ }
+
+--- a/net/ipv6/netfilter/ip6table_filter.c
++++ b/net/ipv6/netfilter/ip6table_filter.c
+@@ -13,6 +13,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <linux/slab.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,12 @@ ip6table_filter_hook(unsigned int hook,
+ int (*okfn)(struct sk_buff *))
+ {
+ const struct net *net = dev_net((in != NULL) ? in : out);
++ enum ip_conntrack_info ctinfo;
++
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
+
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+ }
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -477,6 +477,13 @@ static ctl_table nf_ct_sysctl_table[] =
+ .extra2 = &log_invalid_proto_max,
+ },
+ {
++ .procname = "nf_conntrack_skip_filter",
++ .data = &init_net.ct.skip_filter,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++ {
+ .procname = "nf_conntrack_expect_max",
+ .data = &nf_ct_expect_max,
+ .maxlen = sizeof(int),
+@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_
+ table[2].data = &net->ct.htable_size;
+ table[3].data = &net->ct.sysctl_checksum;
+ table[4].data = &net->ct.sysctl_log_invalid;
++ table[5].data = &net->ct.skip_filter;
+
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns)