author | Felix Fietkau <nbd@openwrt.org> | 2014-08-07 19:31:18 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2014-08-07 19:31:18 +0000 |
commit | 4ae98309ff6b932dda5618ed941772a6bfb2bce5 (patch) | |
tree | e169ccbe97f54e99468854f707f4dd84b0e4c56c /target | |
parent | a34084ecc3e7dcf84f95f180e1a5021cc8a5f332 (diff) | |
kernel: add a patch to allow disabling processing of the netfilter "filter" table for established connection packets
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Backport of r42046
git-svn-id: svn://svn.openwrt.org/openwrt/branches/barrier_breaker@42050 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target')
-rw-r--r-- | target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
new file mode 100644
index 0000000000..a570834dc6
--- /dev/null
+++ b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
@@ -0,0 +1,87 @@
+--- a/include/net/netns/conntrack.h
++++ b/include/net/netns/conntrack.h
+@@ -80,6 +80,7 @@ struct netns_ct {
+ int sysctl_acct;
+ int sysctl_tstamp;
+ int sysctl_checksum;
++ int skip_filter;
+ unsigned int sysctl_log_invalid; /* Log invalid packets */
+ int sysctl_auto_assign_helper;
+ bool auto_assign_helper_warned;
+--- a/net/ipv4/netfilter/iptable_filter.c
++++ b/net/ipv4/netfilter/iptable_filter.c
+@@ -15,6 +15,7 @@
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/slab.h>
+ #include <net/ip.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,7 @@ iptable_filter_hook(unsigned int hook, s
+ const struct net_device *in, const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++ enum ip_conntrack_info ctinfo;
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT &&
+@@ -46,6 +48,11 @@ iptable_filter_hook(unsigned int hook, s
+ return NF_ACCEPT;
+
+ net = dev_net((in != NULL) ? in : out);
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
++
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
+ }
+
+--- a/net/ipv6/netfilter/ip6table_filter.c
++++ b/net/ipv6/netfilter/ip6table_filter.c
+@@ -13,6 +13,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <linux/slab.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,12 @@ ip6table_filter_hook(unsigned int hook,
+ int (*okfn)(struct sk_buff *))
+ {
+ const struct net *net = dev_net((in != NULL) ? in : out);
++ enum ip_conntrack_info ctinfo;
++
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
+
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+ }
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -477,6 +477,13 @@ static ctl_table nf_ct_sysctl_table[] =
+ .extra2 = &log_invalid_proto_max,
+ },
+ {
++ .procname = "nf_conntrack_skip_filter",
++ .data = &init_net.ct.skip_filter,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++ {
+ .procname = "nf_conntrack_expect_max",
+ .data = &nf_ct_expect_max,
+ .maxlen = sizeof(int),
+@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_
+ table[2].data = &net->ct.htable_size;
+ table[3].data = &net->ct.sysctl_checksum;
+ table[4].data = &net->ct.sysctl_log_invalid;
++ table[5].data = &net->ct.skip_filter;
+
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns)
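Review bot: In the iptable_filter_hook hunk the conntrack pointer returned by `nf_ct_get(skb, &ctinfo)` is discarded, so the ESTABLISHED test that follows is applied even to packets that carry no conntrack entry; in this kernel nf_ct_get just copies skb->nfctinfo, which as far as I can tell is zero on a freshly allocated skb, and IP_CT_ESTABLISHED is the first enumerator (0), so with the sysctl enabled an untracked packet (e.g. one excluded from tracking) would read as ESTABLISHED and bypass the filter table entirely. Keep the pointer and gate on it: `struct nf_conn *ct = nf_ct_get(skb, &ctinfo);` and `if (ct && (ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && net->ct.skip_filter)`. The ip6table_filter_hook hunk has the same pattern and needs the same change. Because the knob switches off firewall evaluation for a whole class of traffic, the nf_conntrack_standalone.c entry would be safer registered with `proc_dointvec_minmax` bounded to 0/1, and a comment on the new netns_ct field should state that it skips only the filter table (in all of its hooks) while the other tables still run. Both hook functions begin outside their inner hunks.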