global: remove automatic notrack rules
authorJo-Philipp Wich <jo@mein.io>
Tue, 29 Nov 2016 11:27:42 +0000 (12:27 +0100)
committerJo-Philipp Wich <jo@mein.io>
Tue, 29 Nov 2016 11:27:42 +0000 (12:27 +0100)
With recent Kernel versions and the introduction of the conntrack routing
cache there is no need to maintain performance hacks in userspace anymore,
so simply drop the generation of automatic -j CT --notrack rules for zones.

This also fixes some cases where traffic is not matched for zones that do
not explicitly enforce connection tracking.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
forwards.c
options.h
redirects.c
snats.c
utils.c
zones.c

index c610247c8ab6aed99a9d210946c6f807e2607af9..997c30712614373ae3b8f9fd94b02cdc2f8ebc2a 100644 (file)
@@ -38,7 +38,6 @@ fw3_load_forwards(struct fw3_state *state, struct uci_package *p)
        struct uci_section *s;
        struct uci_element *e;
        struct fw3_forward *forward;
-       bool changed;
 
        INIT_LIST_HEAD(&state->forwards);
 
@@ -88,30 +87,15 @@ fw3_load_forwards(struct fw3_state *state, struct uci_package *p)
                continue;
        }
 
-       /* Propagate conntrack requirement flag into all zones connected through
-          forwarding entries and repeat until all zones are normalized */
-       do {
-               changed = false;
-
-               list_for_each_entry(forward, &state->forwards, list)
+       list_for_each_entry(forward, &state->forwards, list)
+       {
+               /* NB: forward family... */
+               if (forward->_dest)
                {
-                       /* NB: forward family... */
-                       if (forward->_dest)
-                       {
-                               fw3_setbit(forward->_dest->flags[0], FW3_FLAG_ACCEPT);
-                               fw3_setbit(forward->_dest->flags[1], FW3_FLAG_ACCEPT);
-
-                               if (forward->_src &&
-                                   (forward->_src->conntrack != forward->_dest->conntrack))
-                               {
-                                       forward->_src->conntrack = true;
-                                       forward->_dest->conntrack = true;
-                                       changed = true;
-                               }
-                       }
+                       fw3_setbit(forward->_dest->flags[0], FW3_FLAG_ACCEPT);
+                       fw3_setbit(forward->_dest->flags[1], FW3_FLAG_ACCEPT);
                }
        }
-       while (changed);
 }
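Review bot: The comment `/* NB: forward family... */` carried over to the top of the rewritten loop body is a truncated fragment that no longer explains anything now that the conntrack propagation it used to introduce is gone. The loop only sets FW3_FLAG_ACCEPT in both `flags` slots of the destination zone (presumably one slot per address family, judging by the `set(..., FW3_FAMILY_V4, ...)` calls elsewhere in this commit), so replace it with `/* flag the destination zone so its forward chain accepts traffic in both address families */` or drop it. With the `changed` loop removed, `forward->_src` is no longer consulted here at all, which looks intended since ACCEPT is only needed on the destination side. fw3_load_forwards begins before this hunk.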
 
 
index 307c5afb198c80f7d5ae1f5ebde3580f620e9a31..089242fdb7c7d70d9808c7ea08201df447935c9b 100644 (file)
--- a/options.h
+++ b/options.h
@@ -307,7 +307,6 @@ struct fw3_zone
        struct list_head masq_src;
        struct list_head masq_dest;
 
-       bool conntrack;
        bool mtu_fix;
 
        bool log;
index be1bfcb463de7099aff28b3f30b8abba07af9f7e..a657b6d8644196f162b75b9f46edcbd06533667a 100644 (file)
@@ -278,7 +278,6 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
                        else
                        {
                                set(redir->_src->flags, FW3_FAMILY_V4, redir->target);
-                               redir->_src->conntrack = true;
                                valid = true;
 
                                if (!check_local(e, redir, state) && !redir->dest.set &&
@@ -309,7 +308,6 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
                        else
                        {
                                set(redir->_dest->flags, FW3_FAMILY_V4, redir->target);
-                               redir->_dest->conntrack = true;
                                valid = true;
                        }
                }
diff --git a/snats.c b/snats.c
index f43daf244c05362243453a7a436f4d34ea6e3035..fad600876f4d8bc7c64f9384b87c32fb12dac1bb 100644 (file)
--- a/snats.c
+++ b/snats.c
@@ -252,10 +252,7 @@ fw3_load_snats(struct fw3_state *state, struct uci_package *p, struct blob_attr
                }
 
                if (snat->_src)
-               {
                        set(snat->_src->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
-                       snat->_src->conntrack = true;
-               }
        }
 }
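Review bot: The braces around the `if (snat->_src)` body are dropped together with the conntrack assignment, leaving an unbraced single-statement body, while the equivalent edit in zones.c (`if (zone->masq)` in fw3_load_zones) keeps its braces around the remaining fw3_setbit call. Pick one form for both; keeping the braces, `if (snat->_src)` / `{` / `set(snat->_src->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);` / `}`, matches the surrounding style and avoids a slip when a second statement is added later. fw3_load_snats starts before this hunk.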
 
diff --git a/utils.c b/utils.c
index aca98d59657d037b8789769a0e18244c757c7405..537c62980fc354a75ea848268fa26640561f8bbd 100644 (file)
--- a/utils.c
+++ b/utils.c
@@ -462,11 +462,6 @@ write_zone_uci(struct uci_context *ctx, struct fw3_zone *z,
        ptr.value  = z->masq ? "1" : "0";
        uci_set(ctx, &ptr);
 
-       ptr.o      = NULL;
-       ptr.option = "conntrack";
-       ptr.value  = z->conntrack ? "1" : "0";
-       uci_set(ctx, &ptr);
-
        ptr.o      = NULL;
        ptr.option = "mtu_fix";
        ptr.value  = z->mtu_fix ? "1" : "0";
diff --git a/zones.c b/zones.c
index a95e363a7792c497951d9c1a2e4c63e738677831..8b4bbcd09879b7cf76db5b5f3ac9c1a9f74a6f1f 100644 (file)
--- a/zones.c
+++ b/zones.c
@@ -73,7 +73,6 @@ const struct fw3_option fw3_zone_opts[] = {
        FW3_OPT("extra_src",           string,   zone,     extra_src),
        FW3_OPT("extra_dest",          string,   zone,     extra_dest),
 
-       FW3_OPT("conntrack",           bool,     zone,     conntrack),
        FW3_OPT("mtu_fix",             bool,     zone,     mtu_fix),
        FW3_OPT("custom_chains",       bool,     zone,     custom_chains),
 
@@ -217,7 +216,6 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
                if (zone->masq)
                {
                        fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
-                       zone->conntrack = true;
                }
 
                if (zone->custom_chains)
@@ -268,9 +266,6 @@ print_zone_chain(struct fw3_ipt_handle *handle, struct fw3_state *state,
        if (zone->custom_chains)
                set(zone->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
 
-       if (!zone->conntrack && !state->defaults.drop_invalid)
-               set(zone->flags, handle->family, FW3_FLAG_NOTRACK);
-
        for (c = zone_chains; c->format; c++)
        {
                /* don't touch user chains on selective stop */
@@ -488,7 +483,6 @@ static void
 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                 bool reload, struct fw3_zone *zone)
 {
-       bool disable_notrack = state->defaults.drop_invalid;
        bool first_src, first_dest;
        struct fw3_address *msrc;
        struct fw3_address *mdest;
@@ -620,15 +614,6 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                break;
 
        case FW3_TABLE_RAW:
-               if (!zone->conntrack && !disable_notrack)
-               {
-                       r = fw3_ipt_rule_new(handle);
-                       fw3_ipt_rule_target(r, "CT");
-                       fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
-                       fw3_ipt_rule_append(r, "zone_%s_notrack", zone->name);
-               }
-               break;
-
        case FW3_TABLE_MANGLE:
                break;
        }
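Review bot: Removing the `FW3_OPT("conntrack", ...)` entry from fw3_zone_opts means an existing zone stanza that still carries `option conntrack` is no longer a recognised option; if fw3_parse_options warns on unknown options, as I believe it does, every such config will start logging a warning on each reload with no hint that the option was retired on purpose. A short comment at the removal point, `/* 'conntrack' was dropped: zones are always connection-tracked now */`, would make that deliberate for the next reader. In the last hunk, removing the `break;` of `case FW3_TABLE_RAW:` leaves that label adjacent to `case FW3_TABLE_MANGLE: break;`, which is harmless but reads like an accident; a `/* nothing to do for raw or mangle */` comment on the shared body makes the intent explicit. FW3_FLAG_NOTRACK, which print_zone_chain used to set, appears to have no remaining setter after this commit, so the flag and any zone_chains entry keyed on it are presumably dead code now.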