From: Felix Fietkau Date: Tue, 17 Mar 2015 17:14:48 +0000 (+0000) Subject: kernel: remove the netfilter optimization that skips the filter table, it has caused... X-Git-Tag: reboot~3862 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=f30358d41a41caebc1eda7d1445289d070a5cbf3;p=openwrt%2Fstaging%2Fxback.git kernel: remove the netfilter optimization that skips the filter table, it has caused too many issues Signed-off-by: Felix Fietkau SVN-Revision: 44873
---
diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf
index 1225e46fd0..8f3de1aac0 100644
--- a/package/base-files/files/etc/sysctl.conf
+++ b/package/base-files/files/etc/sysctl.conf
@@ -22,7 +22,6 @@ net.netfilter.nf_conntrack_max=16384
 net.netfilter.nf_conntrack_tcp_timeout_established=7440
 net.netfilter.nf_conntrack_udp_timeout=60
 net.netfilter.nf_conntrack_udp_timeout_stream=180
-net.netfilter.nf_conntrack_skip_filter=1
 
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
diff --git a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
deleted file mode 100644
index be0dd3dfe6..0000000000
--- a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
+++ /dev/null
@@ -1,87 +0,0 @@ ---- a/include/net/netns/conntrack.h -+++ b/include/net/netns/conntrack.h -@@ -80,6 +80,7 @@ struct netns_ct { - int sysctl_acct; - int sysctl_tstamp; - int sysctl_checksum; -+ int skip_filter; - unsigned int sysctl_log_invalid; /* Log invalid packets */ - int sysctl_auto_assign_helper; - bool auto_assign_helper_warned; ---- a/net/ipv4/netfilter/iptable_filter.c -+++ b/net/ipv4/netfilter/iptable_filter.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,7 @@ iptable_filter_hook(unsigned int hook, s - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -+ enum ip_conntrack_info ctinfo; - const struct net *net; - - if (hook == NF_INET_LOCAL_OUT && -@@ -46,6 +48,11 @@ iptable_filter_hook(unsigned int hook, s - return NF_ACCEPT; - - net = dev_net((in != NULL) ? in : out); -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; -+ - return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter); - } - ---- a/net/ipv6/netfilter/ip6table_filter.c -+++ b/net/ipv6/netfilter/ip6table_filter.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,12 @@ ip6table_filter_hook(unsigned int hook, - int (*okfn)(struct sk_buff *)) - { - const struct net *net = dev_net((in != NULL) ? 
in : out); -+ enum ip_conntrack_info ctinfo; -+ -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; - - return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter); - } ---- a/net/netfilter/nf_conntrack_standalone.c -+++ b/net/netfilter/nf_conntrack_standalone.c -@@ -510,6 +510,13 @@ static ctl_table nf_ct_sysctl_table[] = - .extra2 = &log_invalid_proto_max, - }, - { -+ .procname = "nf_conntrack_skip_filter", -+ .data = &init_net.ct.skip_filter, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+ { - .procname = "nf_conntrack_expect_max", - .data = &nf_ct_expect_max, - .maxlen = sizeof(int), -@@ -545,6 +552,7 @@ static int nf_conntrack_standalone_init_ - table[2].data = &net->ct.htable_size; - table[3].data = &net->ct.sysctl_checksum; - table[4].data = &net->ct.sysctl_log_invalid; -+ table[5].data = &net->ct.skip_filter; - - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) diff --git a/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch deleted file mode 100644 index 255eaae52e..0000000000 --- a/target/linux/generic/patches-3.14/617-netfilter_skip_filter_sysctl.patch +++ /dev/null 
@@ -1,87 +0,0 @@ ---- a/include/net/netns/conntrack.h -+++ b/include/net/netns/conntrack.h -@@ -73,6 +73,7 @@ struct netns_ct { - struct ctl_table_header *helper_sysctl_header; - #endif - char *slabname; -+ int skip_filter; - unsigned int sysctl_log_invalid; /* Log invalid packets */ - unsigned int sysctl_events_retry_timeout; - int sysctl_events; ---- a/net/ipv4/netfilter/iptable_filter.c -+++ b/net/ipv4/netfilter/iptable_filter.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,7 @@ iptable_filter_hook(const struct nf_hook - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -+ enum ip_conntrack_info ctinfo; - const struct net *net; - - if (ops->hooknum == NF_INET_LOCAL_OUT && -@@ -46,6 +48,11 @@ iptable_filter_hook(const struct nf_hook - return NF_ACCEPT; - - net = dev_net((in != NULL) ? in : out); -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; -+ - return ipt_do_table(skb, ops->hooknum, in, out, - net->ipv4.iptable_filter); - } ---- a/net/ipv6/netfilter/ip6table_filter.c -+++ b/net/ipv6/netfilter/ip6table_filter.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,12 @@ ip6table_filter_hook(const struct nf_hoo - int (*okfn)(struct sk_buff *)) - { - const struct net *net = dev_net((in != NULL) ? 
in : out); -+ enum ip_conntrack_info ctinfo; -+ -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; - - return ip6t_do_table(skb, ops->hooknum, in, out, - net->ipv6.ip6table_filter); ---- a/net/netfilter/nf_conntrack_standalone.c -+++ b/net/netfilter/nf_conntrack_standalone.c -@@ -510,6 +510,13 @@ static struct ctl_table nf_ct_sysctl_tab - .extra2 = &log_invalid_proto_max, - }, - { -+ .procname = "nf_conntrack_skip_filter", -+ .data = &init_net.ct.skip_filter, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+ { - .procname = "nf_conntrack_expect_max", - .data = &nf_ct_expect_max, - .maxlen = sizeof(int), -@@ -545,6 +552,7 @@ static int nf_conntrack_standalone_init_ - table[2].data = &net->ct.htable_size; - table[3].data = &net->ct.sysctl_checksum; - table[4].data = &net->ct.sysctl_log_invalid; -+ table[5].data = &net->ct.skip_filter; - - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) diff --git a/target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch deleted file mode 100644 index 247d3539c2..0000000000 --- a/target/linux/generic/patches-3.18/617-netfilter_skip_filter_sysctl.patch +++ /dev/null 
@@ -1,87 +0,0 @@ ---- a/include/net/netns/conntrack.h -+++ b/include/net/netns/conntrack.h -@@ -86,6 +86,7 @@ struct netns_ct { - struct ctl_table_header *helper_sysctl_header; - #endif - char *slabname; -+ int skip_filter; - unsigned int sysctl_log_invalid; /* Log invalid packets */ - int sysctl_events; - int sysctl_acct; ---- a/net/ipv4/netfilter/iptable_filter.c -+++ b/net/ipv4/netfilter/iptable_filter.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,7 @@ iptable_filter_hook(const struct nf_hook - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -+ enum ip_conntrack_info ctinfo; - const struct net *net; - - if (ops->hooknum == NF_INET_LOCAL_OUT && -@@ -46,6 +48,11 @@ iptable_filter_hook(const struct nf_hook - return NF_ACCEPT; - - net = dev_net((in != NULL) ? in : out); -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; -+ - return ipt_do_table(skb, ops->hooknum, in, out, - net->ipv4.iptable_filter); - } ---- a/net/ipv6/netfilter/ip6table_filter.c -+++ b/net/ipv6/netfilter/ip6table_filter.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,12 @@ ip6table_filter_hook(const struct nf_hoo - int (*okfn)(struct sk_buff *)) - { - const struct net *net = dev_net((in != NULL) ? 
in : out); -+ enum ip_conntrack_info ctinfo; -+ -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; - - return ip6t_do_table(skb, ops->hooknum, in, out, - net->ipv6.ip6table_filter); ---- a/net/netfilter/nf_conntrack_standalone.c -+++ b/net/netfilter/nf_conntrack_standalone.c -@@ -510,6 +510,13 @@ static struct ctl_table nf_ct_sysctl_tab - .extra2 = &log_invalid_proto_max, - }, - { -+ .procname = "nf_conntrack_skip_filter", -+ .data = &init_net.ct.skip_filter, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+ { - .procname = "nf_conntrack_expect_max", - .data = &nf_ct_expect_max, - .maxlen = sizeof(int), -@@ -545,6 +552,7 @@ static int nf_conntrack_standalone_init_ - table[2].data = &net->ct.htable_size; - table[3].data = &net->ct.sysctl_checksum; - table[4].data = &net->ct.sysctl_log_invalid; -+ table[5].data = &net->ct.skip_filter; - - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) diff --git a/target/linux/generic/patches-3.19/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.19/617-netfilter_skip_filter_sysctl.patch deleted file mode 100644 index 6cf6568ab5..0000000000 --- a/target/linux/generic/patches-3.19/617-netfilter_skip_filter_sysctl.patch +++ /dev/null 
@@ -1,87 +0,0 @@ ---- a/include/net/netns/conntrack.h -+++ b/include/net/netns/conntrack.h -@@ -86,6 +86,7 @@ struct netns_ct { - struct ctl_table_header *helper_sysctl_header; - #endif - char *slabname; -+ int skip_filter; - unsigned int sysctl_log_invalid; /* Log invalid packets */ - int sysctl_events; - int sysctl_acct; ---- a/net/ipv4/netfilter/iptable_filter.c -+++ b/net/ipv4/netfilter/iptable_filter.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,7 @@ iptable_filter_hook(const struct nf_hook - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -+ enum ip_conntrack_info ctinfo; - const struct net *net; - - if (ops->hooknum == NF_INET_LOCAL_OUT && -@@ -46,6 +48,11 @@ iptable_filter_hook(const struct nf_hook - return NF_ACCEPT; - - net = dev_net((in != NULL) ? in : out); -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; -+ - return ipt_do_table(skb, ops->hooknum, in, out, - net->ipv4.iptable_filter); - } ---- a/net/ipv6/netfilter/ip6table_filter.c -+++ b/net/ipv6/netfilter/ip6table_filter.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,12 @@ ip6table_filter_hook(const struct nf_hoo - int (*okfn)(struct sk_buff *)) - { - const struct net *net = dev_net((in != NULL) ? 
in : out); -+ enum ip_conntrack_info ctinfo; -+ -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; - - return ip6t_do_table(skb, ops->hooknum, in, out, - net->ipv6.ip6table_filter); ---- a/net/netfilter/nf_conntrack_standalone.c -+++ b/net/netfilter/nf_conntrack_standalone.c -@@ -507,6 +507,13 @@ static struct ctl_table nf_ct_sysctl_tab - .extra2 = &log_invalid_proto_max, - }, - { -+ .procname = "nf_conntrack_skip_filter", -+ .data = &init_net.ct.skip_filter, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+ { - .procname = "nf_conntrack_expect_max", - .data = &nf_ct_expect_max, - .maxlen = sizeof(int), -@@ -542,6 +549,7 @@ static int nf_conntrack_standalone_init_ - table[2].data = &net->ct.htable_size; - table[3].data = &net->ct.sysctl_checksum; - table[4].data = &net->ct.sysctl_log_invalid; -+ table[5].data = &net->ct.skip_filter; - - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) diff --git a/target/linux/generic/patches-4.0/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-4.0/617-netfilter_skip_filter_sysctl.patch deleted file mode 100644 index 6cf6568ab5..0000000000 --- a/target/linux/generic/patches-4.0/617-netfilter_skip_filter_sysctl.patch +++ /dev/null 
@@ -1,87 +0,0 @@ ---- a/include/net/netns/conntrack.h -+++ b/include/net/netns/conntrack.h -@@ -86,6 +86,7 @@ struct netns_ct { - struct ctl_table_header *helper_sysctl_header; - #endif - char *slabname; -+ int skip_filter; - unsigned int sysctl_log_invalid; /* Log invalid packets */ - int sysctl_events; - int sysctl_acct; ---- a/net/ipv4/netfilter/iptable_filter.c -+++ b/net/ipv4/netfilter/iptable_filter.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,7 @@ iptable_filter_hook(const struct nf_hook - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -+ enum ip_conntrack_info ctinfo; - const struct net *net; - - if (ops->hooknum == NF_INET_LOCAL_OUT && -@@ -46,6 +48,11 @@ iptable_filter_hook(const struct nf_hook - return NF_ACCEPT; - - net = dev_net((in != NULL) ? in : out); -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; -+ - return ipt_do_table(skb, ops->hooknum, in, out, - net->ipv4.iptable_filter); - } ---- a/net/ipv6/netfilter/ip6table_filter.c -+++ b/net/ipv6/netfilter/ip6table_filter.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Netfilter Core Team "); -@@ -37,6 +38,12 @@ ip6table_filter_hook(const struct nf_hoo - int (*okfn)(struct sk_buff *)) - { - const struct net *net = dev_net((in != NULL) ? 
in : out); -+ enum ip_conntrack_info ctinfo; -+ -+ nf_ct_get(skb, &ctinfo); -+ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && -+ net->ct.skip_filter) -+ return NF_ACCEPT; - - return ip6t_do_table(skb, ops->hooknum, in, out, - net->ipv6.ip6table_filter); ---- a/net/netfilter/nf_conntrack_standalone.c -+++ b/net/netfilter/nf_conntrack_standalone.c -@@ -507,6 +507,13 @@ static struct ctl_table nf_ct_sysctl_tab - .extra2 = &log_invalid_proto_max, - }, - { -+ .procname = "nf_conntrack_skip_filter", -+ .data = &init_net.ct.skip_filter, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+ { - .procname = "nf_conntrack_expect_max", - .data = &nf_ct_expect_max, - .maxlen = sizeof(int), -@@ -542,6 +549,7 @@ static int nf_conntrack_standalone_init_ - table[2].data = &net->ct.htable_size; - table[3].data = &net->ct.sysctl_checksum; - table[4].data = &net->ct.sysctl_log_invalid; -+ table[5].data = &net->ct.skip_filter; - - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns)