From 64ae631f20eb349b47dae30c461ab33b5c4ac5c2 Mon Sep 17 00:00:00 2001
From: nbd
Date: Tue, 17 Mar 2015 17:15:15 +0000
Subject: [PATCH] kernel: remove the netfilter optimization that skips the filter table, it has caused too many issues
Signed-off-by: Felix Fietkau
Backport of r44873
git-svn-id: svn://svn.openwrt.org/openwrt/branches/barrier_breaker@44874 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 package/base-files/files/etc/sysctl.conf | 1 -
 .../617-netfilter_skip_filter_sysctl.patch | 87 -------------------
 2 files changed, 88 deletions(-)
 delete mode 100644 target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf
index 1225e46..8f3de1a 100644
--- a/package/base-files/files/etc/sysctl.conf
+++ b/package/base-files/files/etc/sysctl.conf
@@ -22,7 +22,6 @@ net.netfilter.nf_conntrack_max=16384
 net.netfilter.nf_conntrack_tcp_timeout_established=7440
 net.netfilter.nf_conntrack_udp_timeout=60
 net.netfilter.nf_conntrack_udp_timeout_stream=180
-net.netfilter.nf_conntrack_skip_filter=1
 
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
diff --git a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
deleted file mode 100644
index a570834..0000000
--- a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
+++ /dev/null
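Review bot: Removing `net.netfilter.nf_conntrack_skip_filter=1` from the shipped sysctl.conf does not remove it from devices whose /etc/sysctl.conf was customised and preserved across the upgrade, and the hunk gives no hint that the key is now dead; once the kernel patch that registered the sysctl is gone, applying that file will presumably report an unknown key at boot, and on a device still running a kernel with the patch the stale line keeps the filter-table bypass active. A short comment where the line was would make the intent visible, e.g. `# nf_conntrack_skip_filter was removed: it let packets with an ESTABLISHED conntrack entry bypass every filter-table rule`. The security effect of the deleted patch is visible in its hook code below: iptable_filter/ip6table_filter returned NF_ACCEPT for IP_CT_ESTABLISHED and IP_CT_ESTABLISHED_REPLY packets without consulting the table, so any filter rule meant to act on existing flows was never evaluated, and the commit message would help bisecting if it said so rather than only "it has caused too many issues". Whether OpenWrt's sysctl init treats an unknown key as fatal or just logs it I cannot tell from this diff.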
@@ -1,87 +0,0 @@ ---- a/include/net/netns/conntrack.h -+++ b/include/net/netns/conntrack.h -@@ -80,6 +80,7 @@ struct netns_ct { - int sysctl_acct; - int sysctl_tstamp; - int sysctl_checksum; -+ int skip_filter; - unsigned int sysctl_log_invalid; /* Log invalid packets */ - int sysctl_auto_assign_helper; - bool auto_assign_helper_warned; ---- a/net/ipv4/netfilter/iptable_filter.c -+++ b/net/ipv4/netfilter/iptable_filter.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,7 @@ iptable_filter_hook(unsigned int hook, s - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -+ enum ip_conntrack_info ctinfo; - const struct net *net; - - if (hook == NF_INET_LOCAL_OUT && -@@ -46,6 +48,11 @@ iptable_filter_hook(unsigned int hook, s - return NF_ACCEPT; - - net = dev_net((in != NULL) ? in : out); -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; -+ - return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter); - } - ---- a/net/ipv6/netfilter/ip6table_filter.c -+++ b/net/ipv6/netfilter/ip6table_filter.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,12 @@ ip6table_filter_hook(unsigned int hook, - int (*okfn)(struct sk_buff *)) - { - const struct net *net = dev_net((in != NULL) ? 
in : out); -+ enum ip_conntrack_info ctinfo; -+ -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; - - return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter); - } ---- a/net/netfilter/nf_conntrack_standalone.c -+++ b/net/netfilter/nf_conntrack_standalone.c -@@ -477,6 +477,13 @@ static ctl_table nf_ct_sysctl_table[] = - .extra2 = &log_invalid_proto_max, - }, - { -+ .procname = "nf_conntrack_skip_filter", -+ .data = &init_net.ct.skip_filter, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+ { - .procname = "nf_conntrack_expect_max", - .data = &nf_ct_expect_max, - .maxlen = sizeof(int), -@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_ - table[2].data = &net->ct.htable_size; - table[3].data = &net->ct.sysctl_checksum; - table[4].data = &net->ct.sysctl_log_invalid; -+ table[5].data = &net->ct.skip_filter; - - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns)