[openwrt/staging/svanheule.git] / target / linux / generic / pending-5.15 / 613-netfilter_optional_tcp_window_check.patch
1 From: Felix Fietkau <nbd@nbd.name>
2 Subject: netfilter: optional tcp window check
3
4 Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 ---
6 net/netfilter/nf_conntrack_proto_tcp.c | 13 +++++++++++++
7 1 file changed, 13 insertions(+)
8
9 --- a/net/netfilter/nf_conntrack_proto_tcp.c
10 +++ b/net/netfilter/nf_conntrack_proto_tcp.c
11 @@ -465,6 +465,9 @@ static bool tcp_in_window(struct nf_conn
12 s32 receiver_offset;
13 bool res, in_recv_win;
14
15 + if (net->ct.sysctl_no_window_check)
16 + return true;
17 +
18 /*
19 * Get the required data from the packet.
20 */
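Review bot: The early `return true` added at the top of tcp_in_window() skips every sequence, acknowledgement and window test, and neither the code nor the commit message says so. With the flag set, conntrack treats every segment of a tracked flow as in-window, so rulesets that rely on dropping invalid-state packets lose their TCP sequence sanity filter. A comment above the check would make that explicit, for example `/* nf_conntrack_tcp_no_window_check: skip all seq/ack/window validation; out-of-window segments are no longer reported as invalid */`. The return presumably also bypasses the per-direction state updates later in the function, which lies outside this hunk, so confirm that nothing else depends on that state while the flag is set. The timeout hunk at `else if (!net->ct.sysctl_no_window_check && ct->proto.tcp.last_win == 0 &&` already guards one such reader.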
21 @@ -1160,7 +1163,7 @@ int nf_conntrack_tcp_packet(struct nf_co
22 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
23 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
24 timeout = timeouts[TCP_CONNTRACK_UNACK];
25 - else if (ct->proto.tcp.last_win == 0 &&
26 + else if (!net->ct.sysctl_no_window_check && ct->proto.tcp.last_win == 0 &&
27 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
28 timeout = timeouts[TCP_CONNTRACK_RETRANS];
29 else
30 --- a/net/netfilter/nf_conntrack_standalone.c
31 +++ b/net/netfilter/nf_conntrack_standalone.c
32 @@ -671,6 +671,7 @@ enum nf_ct_sysctl_index {
33 NF_SYSCTL_CT_LWTUNNEL,
34 #endif
35
36 + NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK,
37 __NF_SYSCTL_CT_LAST_SYSCTL,
38 };
39
40 @@ -1026,6 +1027,13 @@ static struct ctl_table nf_ct_sysctl_tab
41 .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
42 },
43 #endif
44 + [NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK] = {
45 + .procname = "nf_conntrack_tcp_no_window_check",
46 + .data = &init_net.ct.sysctl_no_window_check,
47 + .maxlen = sizeof(unsigned int),
48 + .mode = 0644,
49 + .proc_handler = proc_dointvec,
50 + },
51 {}
52 };
53
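Review bot: The new table entry pairs `.maxlen = sizeof(unsigned int)` and `proc_dointvec` with a field that the conntrack.h hunk declares as `u8 sysctl_no_window_check`. proc_dointvec reads and writes a full int through `.data`, so a write to `nf_conntrack_tcp_no_window_check` stores four bytes over a one-byte member and spills into whatever follows it in struct netns_ct. A read likewise returns the neighbouring bytes along with the flag. The entry should use the u8 handler with a matching length and bound the value to 0 or 1, as in the excerpt below. The rest of the table is outside this hunk, so check that this matches the handler used for the other u8 fields there.

```c
[NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK] = {
	/* … unchanged: .procname, .data, .mode … */
	.maxlen		= sizeof(u8),
	.proc_handler	= proc_dou8vec_minmax,
	.extra1		= SYSCTL_ZERO,
	.extra2		= SYSCTL_ONE,
},
```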
54 @@ -1153,6 +1161,7 @@ static int nf_conntrack_standalone_init_
55 #ifdef CONFIG_NF_CONNTRACK_EVENTS
56 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events;
57 #endif
58 + table[NF_SYSCTL_CT_PROTO_TCP_NO_WINDOW_CHECK].data = &net->ct.sysctl_no_window_check;
59 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
60 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp;
61 #endif
62 @@ -1222,6 +1231,7 @@ static int nf_conntrack_pernet_init(stru
63 int ret;
64
65 net->ct.sysctl_checksum = 1;
66 + net->ct.sysctl_no_window_check = 1;
67
68 ret = nf_conntrack_standalone_init_sysctl(net);
69 if (ret < 0)
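Review bot: `net->ct.sysctl_no_window_check = 1` turns the bypass on by default in every network namespace, and the commit message gives no reason for that choice. TCP window validation therefore stays off until an administrator writes 0 to `nf_conntrack_tcp_no_window_check`. For a firewall this is the less strict default. If it has to stay enabled, say why next to the assignment, for example `/* window tracking is off by default; write 0 to nf_conntrack_tcp_no_window_check to restore it */`; otherwise initialise the field to 0 so the relaxed mode is opt-in. nf_conntrack_pernet_init() begins and ends outside this hunk.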
70 --- a/include/net/netns/conntrack.h
71 +++ b/include/net/netns/conntrack.h
72 @@ -109,6 +109,7 @@ struct netns_ct {
73 u8 sysctl_auto_assign_helper;
74 u8 sysctl_tstamp;
75 u8 sysctl_checksum;
76 + u8 sysctl_no_window_check;
77
78 struct ct_pcpu __percpu *pcpu_lists;
79 struct ip_conntrack_stat __percpu *stat;