![Hauke Mehrtens](/assets/img/avatar_default.png)
This backports some patches from kernel 5.15 to fix issues with flowtable offloading in kernel 5.10. OpenWrt backports most of the patches related to flowtable offloading from kernel 5.15 already, but we are missing some of the extra fixes. This fixes some connection tracking problems when a flow gets removed from the offload and added to the normal SW path again. The patch 614-v5.18-netfilter-flowtable-fix-TCP-flow-teardown.patch was extended manually with the nf_conntrack_tcp_established() function. All changes are already included in kernel 5.15. Fixes: #8776 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
74 lines
2.3 KiB
Diff
74 lines
2.3 KiB
Diff
From: Felix Fietkau <nbd@nbd.name>
|
|
Subject: netfilter: optional tcp window check
|
|
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
---
|
|
net/netfilter/nf_conntrack_proto_tcp.c | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
--- a/net/netfilter/nf_conntrack_proto_tcp.c
|
|
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
|
|
@@ -31,6 +31,9 @@
|
|
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
|
|
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
|
|
|
|
+/* Do not check the TCP window for incoming packets */
|
|
+static int nf_ct_tcp_no_window_check __read_mostly = 1;
|
|
+
|
|
/* "Be conservative in what you do,
|
|
be liberal in what you accept from others."
|
|
If it's non-zero, we mark only out of window RST segments as INVALID. */
|
|
@@ -476,6 +479,9 @@ static bool tcp_in_window(const struct n
|
|
s32 receiver_offset;
|
|
bool res, in_recv_win;
|
|
|
|
+ if (nf_ct_tcp_no_window_check)
|
|
+ return true;
|
|
+
|
|
/*
|
|
* Get the required data from the packet.
|
|
*/
|
|
@@ -1139,7 +1145,7 @@ int nf_conntrack_tcp_packet(struct nf_co
|
|
IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
|
|
timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
|
|
timeout = timeouts[TCP_CONNTRACK_UNACK];
|
|
- else if (ct->proto.tcp.last_win == 0 &&
|
|
+ else if (!nf_ct_tcp_no_window_check && ct->proto.tcp.last_win == 0 &&
|
|
timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
|
|
timeout = timeouts[TCP_CONNTRACK_RETRANS];
|
|
else
|
|
--- a/net/netfilter/nf_conntrack_standalone.c
|
|
+++ b/net/netfilter/nf_conntrack_standalone.c
|
|
@@ -25,6 +25,9 @@
|
|
#include <net/netfilter/nf_conntrack_timestamp.h>
|
|
#include <linux/rculist_nulls.h>
|
|
|
|
+/* Do not check the TCP window for incoming packets */
|
|
+static int nf_ct_tcp_no_window_check __read_mostly = 1;
|
|
+
|
|
static bool enable_hooks __read_mostly;
|
|
MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks");
|
|
module_param(enable_hooks, bool, 0000);
|
|
@@ -658,6 +661,7 @@ enum nf_ct_sysctl_index {
|
|
NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM,
|
|
#endif
|
|
|
|
+ NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK,
|
|
__NF_SYSCTL_CT_LAST_SYSCTL,
|
|
};
|
|
|
|
@@ -1000,6 +1004,13 @@ static struct ctl_table nf_ct_sysctl_tab
|
|
.proc_handler = proc_dointvec_jiffies,
|
|
},
|
|
#endif
|
|
+ [NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK] = {
|
|
+ .procname = "nf_conntrack_tcp_no_window_check",
|
|
+ .data = &nf_ct_tcp_no_window_check,
|
|
+ .maxlen = sizeof(unsigned int),
|
|
+ .mode = 0644,
|
|
+ .proc_handler = proc_dointvec,
|
|
+ },
|
|
{}
|
|
};
|
|
|