Diffstat (limited to 'target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch')
-rw-r--r-- | target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch b/target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch
index 634218dfc3..5ad13883e7 100644
--- a/target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch
+++ b/target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch
@@ -8,7 +8,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 --- a/net/netfilter/nf_conntrack_proto_tcp.c
 +++ b/net/netfilter/nf_conntrack_proto_tcp.c
-@@ -34,6 +34,9 @@
+@@ -31,6 +31,9 @@
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
@@ -18,7 +18,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 /* "Be conservative in what you do, be liberal in what you accept from others." If it's non-zero, we mark only out of window RST segments as INVALID. */
-@@ -484,6 +487,9 @@ static bool tcp_in_window(const struct n
+@@ -476,6 +479,9 @@ static bool tcp_in_window(const struct n
 s32 receiver_offset;
 bool res, in_recv_win;
@@ -28,7 +28,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 /*
 * Get the required data from the packet.
 */
-@@ -1059,7 +1065,7 @@ static int tcp_packet(struct nf_conn *ct
+@@ -1123,7 +1129,7 @@ int nf_conntrack_tcp_packet(struct nf_co
 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
 timeout = timeouts[TCP_CONNTRACK_UNACK];
@@ -37,17 +37,37 @@ 
Signed-off-by: Felix Fietkau <nbd@nbd.name>
 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
 timeout = timeouts[TCP_CONNTRACK_RETRANS];
 else
-@@ -1508,6 +1514,13 @@ static struct ctl_table tcp_sysctl_table
- .mode = 0644,
- .proc_handler = proc_dointvec,
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -25,6 +25,9 @@
+ #include <net/netfilter/nf_conntrack_timestamp.h>
+ #include <linux/rculist_nulls.h>
+ 
++/* Do not check the TCP window for incoming packets */
++static int nf_ct_tcp_no_window_check __read_mostly = 1;
++
+ static bool enable_hooks __read_mostly;
+ MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks");
+ module_param(enable_hooks, bool, 0000);
+@@ -646,6 +649,7 @@ enum nf_ct_sysctl_index {
+ NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM,
+ #endif
+ 
++ NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK,
+ __NF_SYSCTL_CT_LAST_SYSCTL,
+ };
+ 
+@@ -972,6 +976,13 @@ static struct ctl_table nf_ct_sysctl_tab
+ .proc_handler = proc_dointvec_jiffies,
 },
-+ {
+ #endif
++ [NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK] = {
+ .procname = "nf_conntrack_tcp_no_window_check",
+ .data = &nf_ct_tcp_no_window_check,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
- { }
+ {}
 };
- #endif /* CONFIG_SYSCTL */
+ 
|
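Review bot: The sysctl target added to nf_conntrack_standalone.c is `static int nf_ct_tcp_no_window_check __read_mostly = 1;`, but the code that reads the flag lives in nf_conntrack_proto_tcp.c (the patch still adds three lines inside `tcp_in_window`, per the `+@@ -476,6 +479,9 @@` header earlier in this diff); a `static` object in standalone.c is not visible from that translation unit, so if proto_tcp.c keeps its own `static` definition the knob would toggle a different variable and the window check would stay at its compiled-in default no matter what is written to the sysctl. One non-static definition in a single file plus `extern int nf_ct_tcp_no_window_check;` in the other avoids that; the proto_tcp.c side is not shown here, so please confirm against the rest of the patch. Separately, the default of 1 turns the check off for every flow out of the box, meaning conntrack no longer marks out-of-window segments INVALID, and the comment should state that trade-off rather than just the mechanism, e.g. `/* Skip TCP window tracking (default on); set to 0 to have conntrack mark out-of-window segments INVALID again */`. Because the value is used as a boolean, `.proc_handler = proc_dointvec_minmax` with `.extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE` would reject out-of-range writes, and `.maxlen = sizeof(int)` (or `sizeof(nf_ct_tcp_no_window_check)`) matches the declared `int` rather than `unsigned int`.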