author | Felix Fietkau <nbd@openwrt.org> | 2014-08-07 18:59:22 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2014-08-07 18:59:22 +0000 |
commit | 053a3a4aaf81f3ac32087f272eadf1a72453a58c (patch) | |
tree | 9983d36b966ab325ae4d08c42b649b2787ffda49 /target | |
parent | 3e64341eacf17a0552e83bf4e34f2c3d4f049921 (diff) | |
kernel: add a patch to allow disabling processing of the netfilter "filter" table for established connection packets
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 42046
Diffstat (limited to 'target')
-rw-r--r-- | target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch | 87 | ||||
-rw-r--r-- | target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch | 87 |
2 files changed, 174 insertions, 0 deletions
diff --git a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
new file mode 100644
index 0000000..a570834
--- /dev/null
+++ b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
@@ -0,0 +1,87 @@
+--- a/include/net/netns/conntrack.h
++++ b/include/net/netns/conntrack.h
+@@ -80,6 +80,7 @@ struct netns_ct {
+ int sysctl_acct;
+ int sysctl_tstamp;
+ int sysctl_checksum;
++ int skip_filter;
+ unsigned int sysctl_log_invalid; /* Log invalid packets */
+ int sysctl_auto_assign_helper;
+ bool auto_assign_helper_warned;
+--- a/net/ipv4/netfilter/iptable_filter.c
++++ b/net/ipv4/netfilter/iptable_filter.c
+@@ -15,6 +15,7 @@
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/slab.h>
+ #include <net/ip.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,7 @@ iptable_filter_hook(unsigned int hook, s
+ const struct net_device *in, const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++ enum ip_conntrack_info ctinfo;
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT &&
+@@ -46,6 +48,11 @@ iptable_filter_hook(unsigned int hook, s
+ return NF_ACCEPT;
+
+ net = dev_net((in != NULL) ? in : out);
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
++
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
+ }
+
+--- a/net/ipv6/netfilter/ip6table_filter.c
++++ b/net/ipv6/netfilter/ip6table_filter.c
+@@ -13,6 +13,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <linux/slab.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,12 @@ ip6table_filter_hook(unsigned int hook,
+ int (*okfn)(struct sk_buff *))
+ {
+ const struct net *net = dev_net((in != NULL) ? in : out);
++ enum ip_conntrack_info ctinfo;
++
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
+
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+ }
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -477,6 +477,13 @@ static ctl_table nf_ct_sysctl_table[] =
+ .extra2 = &log_invalid_proto_max,
+ },
+ {
++ .procname = "nf_conntrack_skip_filter",
++ .data = &init_net.ct.skip_filter,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++ {
+ .procname = "nf_conntrack_expect_max",
+ .data = &nf_ct_expect_max,
+ .maxlen = sizeof(int),
+@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_
+ table[2].data = &net->ct.htable_size;
+ table[3].data = &net->ct.sysctl_checksum;
+ table[4].data = &net->ct.sysctl_log_invalid;
++ table[5].data = &net->ct.skip_filter;
+
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns)
diff --git a/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch
new file mode 100644
index 0000000..93d38f5
--- /dev/null
+++ b/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch
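Review bot: The bypass added to iptable_filter_hook and ip6table_filter_hook tests only `ctinfo` and discards the `struct nf_conn *` that nf_ct_get() returns, so a packet with no conntrack entry attached takes the shortcut whenever skb->nfctinfo happens to read as established. As far as I recall nf_ct_get() merely copies skb->nfctinfo and returns skb->nfct, and conntrack clears nfct but not nfctinfo when it rejects a segment as INVALID (out-of-window data on an established TCP flow, for instance), so with nf_conntrack_skip_filter=1 exactly the packets a `--ctstate INVALID -j DROP` rule exists to catch would skip the filter table, and IP_CT_ESTABLISHED being the zero enumerator makes a never-tracked skb look the same. Keep the returned pointer and require it: declare `struct nf_conn *ct;` with the other locals, then `ct = nf_ct_get(skb, &ctinfo);` and `if (ct && net->ct.skip_filter && (ctinfo == IP_CT_ESTABLISHED || ctinfo == IP_CT_ESTABLISHED_REPLY)) return NF_ACCEPT;`. Both hook functions continue outside the inner hunks, so any other use of ctinfo there is not visible here.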
@@ -0,0 +1,87 @@
+--- a/include/net/netns/conntrack.h
++++ b/include/net/netns/conntrack.h
+@@ -73,6 +73,7 @@ struct netns_ct {
+ struct ctl_table_header *helper_sysctl_header;
+ #endif
+ char *slabname;
++ int skip_filter;
+ unsigned int sysctl_log_invalid; /* Log invalid packets */
+ unsigned int sysctl_events_retry_timeout;
+ int sysctl_events;
+--- a/net/ipv4/netfilter/iptable_filter.c
++++ b/net/ipv4/netfilter/iptable_filter.c
+@@ -15,6 +15,7 @@
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/slab.h>
+ #include <net/ip.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,7 @@ iptable_filter_hook(const struct nf_hook
+ const struct net_device *in, const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++ enum ip_conntrack_info ctinfo;
+ const struct net *net;
+
+ if (ops->hooknum == NF_INET_LOCAL_OUT &&
+@@ -46,6 +48,11 @@ iptable_filter_hook(const struct nf_hook
+ return NF_ACCEPT;
+
+ net = dev_net((in != NULL) ? in : out);
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
++
+ return ipt_do_table(skb, ops->hooknum, in, out,
+ net->ipv4.iptable_filter);
+ }
+--- a/net/ipv6/netfilter/ip6table_filter.c
++++ b/net/ipv6/netfilter/ip6table_filter.c
+@@ -13,6 +13,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <linux/slab.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+@@ -37,6 +38,12 @@ ip6table_filter_hook(const struct nf_hoo
+ int (*okfn)(struct sk_buff *))
+ {
+ const struct net *net = dev_net((in != NULL) ? in : out);
++ enum ip_conntrack_info ctinfo;
++
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
+
+ return ip6t_do_table(skb, ops->hooknum, in, out,
+ net->ipv6.ip6table_filter);
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -477,6 +477,13 @@ static struct ctl_table nf_ct_sysctl_tab
+ .extra2 = &log_invalid_proto_max,
+ },
+ {
++ .procname = "nf_conntrack_skip_filter",
++ .data = &init_net.ct.skip_filter,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++ {
+ .procname = "nf_conntrack_expect_max",
+ .data = &nf_ct_expect_max,
+ .maxlen = sizeof(int),
+@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_
+ table[2].data = &net->ct.htable_size;
+ table[3].data = &net->ct.sysctl_checksum;
+ table[4].data = &net->ct.sysctl_log_invalid;
++ table[5].data = &net->ct.skip_filter;
+
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns) |
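Review bot: The new `nf_conntrack_skip_filter` sysctl ships without any comment or documentation of how broad the bypass is: once set, every rule in the filter table — INPUT and OUTPUT as well as FORWARD — is skipped for any packet in ESTABLISHED conntrack state, which conntrack also assigns to UDP and ICMP flows once it has seen traffic in both directions, not only to TCP sessions. A DROP rule inserted against a flow that is already in progress therefore has no effect until its conntrack entry is flushed or times out, which is the opposite of what an operator blocking an abusive client expects, and LOG, limit or connbytes rules on established traffic stop firing too. I would put that in a comment above the check in each hook, e.g. `/* net.netfilter.nf_conntrack_skip_filter: skip the whole filter table for ESTABLISHED packets; rules meant to act on live flows (DROP, LOG, limits) are not evaluated. */`, and say it in the commit message as well. The hardcoded `table[5].data = &net->ct.skip_filter;` also relies on the entry sitting at exactly that position in nf_ct_sysctl_table, which matches what this hunk does but will silently bind the wrong sysctl if another entry is ever added above it. Independently of that, the check should require the `struct nf_conn *` returned by nf_ct_get() to be non-NULL, since an skb without a conntrack entry can otherwise take the bypass on a stale or zero nfctinfo.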