diff options
| author | Felix Fietkau <nbd@nbd.name> | 2020-10-24 21:14:16 +0200 |
|---|---|---|
| committer | Felix Fietkau <nbd@nbd.name> | 2021-02-16 20:06:51 +0100 |
| commit | b10d6044599d8c1fa7fbb2374bcbf30118d39db1 (patch) | |
| tree | 3fc84f92c14dfa7178487b71e1b8d63c2b688439 /target/linux/generic/pending-5.10/613-netfilter_optional_tcp_window_check.patch | |
| parent | 299b8554183791b325e393c880d32360d7d72f73 (diff) | |
| download | upstream-b10d6044599d8c1fa7fbb2374bcbf30118d39db1.tar.gz upstream-b10d6044599d8c1fa7fbb2374bcbf30118d39db1.tar.bz2 upstream-b10d6044599d8c1fa7fbb2374bcbf30118d39db1.zip | |
kernel: add linux 5.10 support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Diffstat (limited to 'target/linux/generic/pending-5.10/613-netfilter_optional_tcp_window_check.patch')
| -rw-r--r-- | target/linux/generic/pending-5.10/613-netfilter_optional_tcp_window_check.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/target/linux/generic/pending-5.10/613-netfilter_optional_tcp_window_check.patch b/target/linux/generic/pending-5.10/613-netfilter_optional_tcp_window_check.patch new file mode 100644 index 0000000000..61776921c6 --- /dev/null +++ b/target/linux/generic/pending-5.10/613-netfilter_optional_tcp_window_check.patch @@ -0,0 +1,73 @@ +From: Felix Fietkau <nbd@nbd.name> +Subject: netfilter: optional tcp window check + +Signed-off-by: Felix Fietkau <nbd@nbd.name> +--- + net/netfilter/nf_conntrack_proto_tcp.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -31,6 +31,9 @@ + #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> + #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> + ++/* Do not check the TCP window for incoming packets */ ++static int nf_ct_tcp_no_window_check __read_mostly = 1; ++ + /* "Be conservative in what you do, + be liberal in what you accept from others." + If it's non-zero, we mark only out of window RST segments as INVALID. */ +@@ -476,6 +479,9 @@ static bool tcp_in_window(const struct n + s32 receiver_offset; + bool res, in_recv_win; + ++ if (nf_ct_tcp_no_window_check) ++ return true; ++ + /* + * Get the required data from the packet. + */ +@@ -1130,7 +1136,7 @@ int nf_conntrack_tcp_packet(struct nf_co + IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED && + timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK]) + timeout = timeouts[TCP_CONNTRACK_UNACK]; +- else if (ct->proto.tcp.last_win == 0 && ++ else if (!nf_ct_tcp_no_window_check && ct->proto.tcp.last_win == 0 && + timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS]) + timeout = timeouts[TCP_CONNTRACK_RETRANS]; + else +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -25,6 +25,9 @@ + #include <net/netfilter/nf_conntrack_timestamp.h> + #include <linux/rculist_nulls.h> + ++/* Do not check the TCP window for incoming packets */ ++static int nf_ct_tcp_no_window_check __read_mostly = 1; ++ + static bool enable_hooks __read_mostly; + MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); + module_param(enable_hooks, bool, 0000); +@@ -651,6 +654,7 @@ enum nf_ct_sysctl_index { + NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, + #endif + ++ NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK, + __NF_SYSCTL_CT_LAST_SYSCTL, + }; + +@@ -977,6 +981,13 @@ static struct ctl_table nf_ct_sysctl_tab + .proc_handler = proc_dointvec_jiffies, + }, + #endif ++ [NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK] = { ++ .procname = "nf_conntrack_tcp_no_window_check", ++ .data = &nf_ct_tcp_no_window_check, ++ .maxlen = sizeof(unsigned int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, + {} + }; + |