openwrt/target/linux/generic/pending-4.19/613-netfilter_optional_tcp_...

From: Felix Fietkau <nbd@nbd.name>
Subject: netfilter: optional tcp window check

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -34,6 +34,9 @@
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 
+/* Do not check the TCP window for incoming packets  */
+static int nf_ct_tcp_no_window_check __read_mostly = 1;
+
 /* "Be conservative in what you do,
     be liberal in what you accept from others."
     If it's non-zero, we mark only out of window RST segments as INVALID. */
@@ -484,6 +487,9 @@ static bool tcp_in_window(const struct n
 	s32 receiver_offset;
 	bool res, in_recv_win;
 
+	if (nf_ct_tcp_no_window_check)
+		return true;
+
 	/*
 	 * Get the required data from the packet.
 	 */
@@ -1059,7 +1065,7 @@ static int tcp_packet(struct nf_conn *ct
 		 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
 		 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
 		timeout = timeouts[TCP_CONNTRACK_UNACK];
-	else if (ct->proto.tcp.last_win == 0 &&
+	else if (!nf_ct_tcp_no_window_check && ct->proto.tcp.last_win == 0 &&
 		 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
 		timeout = timeouts[TCP_CONNTRACK_RETRANS];
 	else
@@ -1508,6 +1514,13 @@ static struct ctl_table tcp_sysctl_table
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
+	{
+		.procname       = "nf_conntrack_tcp_no_window_check",
+		.data           = &nf_ct_tcp_no_window_check,
+		.maxlen         = sizeof(unsigned int),
+		.mode           = 0644,
+		.proc_handler   = proc_dointvec,
+	},
 	{ }
 };
 #endif /* CONFIG_SYSCTL */
kernel: Copy patches from kernel 4.14 to 4.19 This just copies the files from the kernel 4.14 specific folders into the kernel 4.19 specific folder, no changes are done to the files in this commit. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 6 years ago			`From: Felix Fietkau <nbd@nbd.name>`
			`Subject: netfilter: optional tcp window check`

			`Signed-off-by: Felix Fietkau <nbd@nbd.name>`
			`---`
			`net/netfilter/nf_conntrack_proto_tcp.c \| 13 +++++++++++++`
			`1 file changed, 13 insertions(+)`

			`--- a/net/netfilter/nf_conntrack_proto_tcp.c`
			`+++ b/net/netfilter/nf_conntrack_proto_tcp.c`
kernel: Make the patches apply on top of 4.19 This makes the patches which were just copied in the previous commit apply on top of kernel 4.19. The patches in the backports-4.19 folder were checked if they are really in kernel 4.19 based on the title and only removed if they were found in the upstream kernel. The following additional patches form the pending folder went into upstream Linux 4.19: pending-4.19/171-usb-dwc2-Fix-inefficient-copy-of-unaligned-buffers.patch pending-4.19/190-2-5-e1000e-Fix-wrong-comment-related-to-link-detection.patch pending-4.19/478-mtd-spi-nor-Add-support-for-XM25QH64A-and-XM25QH128A.patch pending-4.19/479-mtd-spi-nor-add-eon-en25qh32.patch pending-4.19/950-tty-serial-exar-generalize-rs485-setup.patch pending-4.19/340-MIPS-mm-remove-mips_dma_mapping_error.patch Bigger changes were introduced to the m25p80 spi nor driver, as far as I saw it in the new code, it now has the functionality provided in this patch: pending-4.19/450-mtd-m25p80-allow-fallback-from-spi_flash_read-to-reg.patch Part of this patch went upstream independent of OpenWrt: hack-4.19/220-gc_sections.patch This patch was reworked to match the changes done upstream. The MIPS DMA API changed a lot, this patch was rewritten to match the new DMA handling: pending-4.19/341-MIPS-mm-remove-no-op-dma_map_ops-where-possible.patch I did bigger manual changes to the following patches and I am not 100% sure if they are all correct: pending-4.19/0931-w1-gpio-fix-problem-with-platfom-data-in-w1-gpio.patch pending-4.19/411-mtd-partial_eraseblock_write.patch pending-4.19/600-netfilter_conntrack_flush.patch pending-4.19/611-netfilter_match_bypass_default_table.patch pending-4.19/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch hack-4.19/211-host_tools_portability.patch hack-4.19/221-module_exports.patch hack-4.19/321-powerpc_crtsavres_prereq.patch hack-4.19/902-debloat_proc.patch This is based on patchset from Marko Ratkaj <marko.ratkaj@sartura.hr> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 6 years ago			`@@ -34,6 +34,9 @@`
kernel: Copy patches from kernel 4.14 to 4.19 This just copies the files from the kernel 4.14 specific folders into the kernel 4.19 specific folder, no changes are done to the files in this commit. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 6 years ago			`#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>`
			`#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>`

			`+/* Do not check the TCP window for incoming packets */`
			`+static int nf_ct_tcp_no_window_check __read_mostly = 1;`
			`+`
			`/* "Be conservative in what you do,`
			`be liberal in what you accept from others."`
			`If it's non-zero, we mark only out of window RST segments as INVALID. */`
kernel: bump 4.19 to 4.19.67 Refreshed all patches. Also add a missing symbol for x86 which got used now in this bump. - ISCSI_IBFT Compile-tested on: cns3xxx Runtime-tested on: cns3xxx Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> 5 years ago			`@@ -484,6 +487,9 @@ static bool tcp_in_window(const struct n`
kernel: Copy patches from kernel 4.14 to 4.19 This just copies the files from the kernel 4.14 specific folders into the kernel 4.19 specific folder, no changes are done to the files in this commit. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 6 years ago			`s32 receiver_offset;`
			`bool res, in_recv_win;`

			`+ if (nf_ct_tcp_no_window_check)`
			`+ return true;`
			`+`
			`/*`
			`* Get the required data from the packet.`
			`*/`
kernel: bump 4.19 to 4.19.67 Refreshed all patches. Also add a missing symbol for x86 which got used now in this bump. - ISCSI_IBFT Compile-tested on: cns3xxx Runtime-tested on: cns3xxx Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> 5 years ago			`@@ -1059,7 +1065,7 @@ static int tcp_packet(struct nf_conn *ct`
kernel: fix regression on 4.19 with 613-netfilter_optional_tcp_window_check.patch (FS#2253) Since ct->proto.tcp.last_win isn't updated when nf_ct_tcp_no_window_check is enabled, the retransmission timeout check needs to be bypassed. Based on patch by Rob Mosher Signed-off-by: Felix Fietkau <nbd@nbd.name> 5 years ago			`IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&`
			`timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])`
			`timeout = timeouts[TCP_CONNTRACK_UNACK];`
			`- else if (ct->proto.tcp.last_win == 0 &&`
			`+ else if (!nf_ct_tcp_no_window_check && ct->proto.tcp.last_win == 0 &&`
			`timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])`
			`timeout = timeouts[TCP_CONNTRACK_RETRANS];`
			`else`
kernel: bump 4.19 to 4.19.67 Refreshed all patches. Also add a missing symbol for x86 which got used now in this bump. - ISCSI_IBFT Compile-tested on: cns3xxx Runtime-tested on: cns3xxx Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> 5 years ago			`@@ -1508,6 +1514,13 @@ static struct ctl_table tcp_sysctl_table`
kernel: Copy patches from kernel 4.14 to 4.19 This just copies the files from the kernel 4.14 specific folders into the kernel 4.19 specific folder, no changes are done to the files in this commit. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 6 years ago			`.mode = 0644,`
			`.proc_handler = proc_dointvec,`
			`},`
			`+ {`
			`+ .procname = "nf_conntrack_tcp_no_window_check",`
			`+ .data = &nf_ct_tcp_no_window_check,`
			`+ .maxlen = sizeof(unsigned int),`
			`+ .mode = 0644,`
			`+ .proc_handler = proc_dointvec,`
			`+ },`
			`{ }`
			`};`
			`#endif /* CONFIG_SYSCTL */`