From 053a3a4aaf81f3ac32087f272eadf1a72453a58c Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Thu, 7 Aug 2014 18:59:22 +0000 Subject: [PATCH] kernel: add a patch to allow disabling processing of the netfilter "filter" table for established connection packets Signed-off-by: Felix Fietkau SVN-Revision: 42046 --- .../617-netfilter_skip_filter_sysctl.patch | 87 +++++++++++++++++++ .../617-netfilter_skip_filter_sysctl.patch | 87 +++++++++++++++++++ 2 files changed, 174 insertions(+) create mode 100644 target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch create mode 100644 target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch diff --git a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch new file mode 100644 index 00000000000..a570834dc66 --- /dev/null +++ b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch 
@@ -0,0 +1,87 @@ +--- a/include/net/netns/conntrack.h ++++ b/include/net/netns/conntrack.h +@@ -80,6 +80,7 @@ struct netns_ct { + int sysctl_acct; + int sysctl_tstamp; + int sysctl_checksum; ++ int skip_filter; + unsigned int sysctl_log_invalid; /* Log invalid packets */ + int sysctl_auto_assign_helper; + bool auto_assign_helper_warned; +--- a/net/ipv4/netfilter/iptable_filter.c ++++ b/net/ipv4/netfilter/iptable_filter.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Netfilter Core Team "); +@@ -37,6 +38,7 @@ iptable_filter_hook(unsigned int hook, s + const struct net_device *in, const struct net_device *out, + int (*okfn)(struct sk_buff *)) + { ++ enum ip_conntrack_info ctinfo; + const struct net *net; + + if (hook == NF_INET_LOCAL_OUT && +@@ -46,6 +48,11 @@ iptable_filter_hook(unsigned int hook, s + return NF_ACCEPT; + + net = dev_net((in != NULL) ? in : out); ++ nf_ct_get(skb, &ctinfo); ++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && ++ net->ct.skip_filter) ++ return NF_ACCEPT; ++ + return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter); + } + +--- a/net/ipv6/netfilter/ip6table_filter.c ++++ b/net/ipv6/netfilter/ip6table_filter.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Netfilter Core Team "); +@@ -37,6 +38,12 @@ ip6table_filter_hook(unsigned int hook, + int (*okfn)(struct sk_buff *)) + { + const struct net *net = dev_net((in != NULL) ? 
in : out); ++ enum ip_conntrack_info ctinfo; ++ ++ nf_ct_get(skb, &ctinfo); ++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && ++ net->ct.skip_filter) ++ return NF_ACCEPT; + + return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter); + } +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -477,6 +477,13 @@ static ctl_table nf_ct_sysctl_table[] = + .extra2 = &log_invalid_proto_max, + }, + { ++ .procname = "nf_conntrack_skip_filter", ++ .data = &init_net.ct.skip_filter, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++ { + .procname = "nf_conntrack_expect_max", + .data = &nf_ct_expect_max, + .maxlen = sizeof(int), +@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_ + table[2].data = &net->ct.htable_size; + table[3].data = &net->ct.sysctl_checksum; + table[4].data = &net->ct.sysctl_log_invalid; ++ table[5].data = &net->ct.skip_filter; + + /* Don't export sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) diff --git a/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch new file mode 100644 index 00000000000..93d38f56d81 --- /dev/null +++ b/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch 
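Review bot: In both new hooks (`iptable_filter_hook` and `ip6table_filter_hook`, and the identical lines in the patches-3.14 copy below) the return value of `nf_ct_get()` is discarded, so the established/established-reply test is applied to `ctinfo` even when no conntrack entry is attached to the skb. `nf_ct_get()` returns NULL in that case and the `ctinfo` it reports is taken from `skb->nfctinfo`, whose zero value is `IP_CT_ESTABLISHED`, so with `nf_conntrack_skip_filter` set a packet that carries no conntrack state would likely be treated as established and skip the whole filter table; confirm against the 3.10/3.14 headers. Keep the pointer and gate on it: `struct nf_conn *ct = nf_ct_get(skb, &ctinfo);` followed by `if (ct && (ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && net->ct.skip_filter)`. The sysctl entry also accepts any `int` through `proc_dointvec`; `proc_dointvec_minmax` with `extra1`/`extra2` bounded to 0 and 1 would keep it a boolean, and a comment on the new `skip_filter` field such as `/* sysctl: when set, packets in established conntrack state bypass the iptables filter table (IPv4 and IPv6) */` would record the semantics that the patch header leaves implicit.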
@@ -0,0 +1,87 @@ +--- a/include/net/netns/conntrack.h ++++ b/include/net/netns/conntrack.h +@@ -73,6 +73,7 @@ struct netns_ct { + struct ctl_table_header *helper_sysctl_header; + #endif + char *slabname; ++ int skip_filter; + unsigned int sysctl_log_invalid; /* Log invalid packets */ + unsigned int sysctl_events_retry_timeout; + int sysctl_events; +--- a/net/ipv4/netfilter/iptable_filter.c ++++ b/net/ipv4/netfilter/iptable_filter.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Netfilter Core Team "); +@@ -37,6 +38,7 @@ iptable_filter_hook(const struct nf_hook + const struct net_device *in, const struct net_device *out, + int (*okfn)(struct sk_buff *)) + { ++ enum ip_conntrack_info ctinfo; + const struct net *net; + + if (ops->hooknum == NF_INET_LOCAL_OUT && +@@ -46,6 +48,11 @@ iptable_filter_hook(const struct nf_hook + return NF_ACCEPT; + + net = dev_net((in != NULL) ? in : out); ++ nf_ct_get(skb, &ctinfo); ++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && ++ net->ct.skip_filter) ++ return NF_ACCEPT; ++ + return ipt_do_table(skb, ops->hooknum, in, out, + net->ipv4.iptable_filter); + } +--- a/net/ipv6/netfilter/ip6table_filter.c ++++ b/net/ipv6/netfilter/ip6table_filter.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Netfilter Core Team "); +@@ -37,6 +38,12 @@ ip6table_filter_hook(const struct nf_hoo + int (*okfn)(struct sk_buff *)) + { + const struct net *net = dev_net((in != NULL) ? 
in : out); ++ enum ip_conntrack_info ctinfo; ++ ++ nf_ct_get(skb, &ctinfo); ++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && ++ net->ct.skip_filter) ++ return NF_ACCEPT; + + return ip6t_do_table(skb, ops->hooknum, in, out, + net->ipv6.ip6table_filter); +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -477,6 +477,13 @@ static struct ctl_table nf_ct_sysctl_tab + .extra2 = &log_invalid_proto_max, + }, + { ++ .procname = "nf_conntrack_skip_filter", ++ .data = &init_net.ct.skip_filter, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++ { + .procname = "nf_conntrack_expect_max", + .data = &nf_ct_expect_max, + .maxlen = sizeof(int), +@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_ + table[2].data = &net->ct.htable_size; + table[3].data = &net->ct.sysctl_checksum; + table[4].data = &net->ct.sysctl_log_invalid; ++ table[5].data = &net->ct.skip_filter; + + /* Don't export sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns)