Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 39a27a35 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller
Browse files

[NETFILTER]: conntrack: add sysctl to disable checksumming 



Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6442f1cf

include/linux/netfilter_ipv4/ip_conntrack.h

+1 −0
Original line number Diff line number Diff line
@@ -293,6 +293,7 @@ static inline int is_dying(struct ip_conntrack *ct) 
}



extern unsigned int ip_conntrack_htable_size;

extern int ip_conntrack_checksum;

 

#define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)

include/linux/sysctl.h

+2 −0
Original line number Diff line number Diff line
@@ -313,6 +313,7 @@ enum 
	NET_NF_CONNTRACK_FRAG6_TIMEOUT=29,

	NET_NF_CONNTRACK_FRAG6_LOW_THRESH=30,

	NET_NF_CONNTRACK_FRAG6_HIGH_THRESH=31,

	NET_NF_CONNTRACK_CHECKSUM=32,

};



/* /proc/sys/net/ipv4 */
@@ -492,6 +493,7 @@ enum 
 	NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=25,

 	NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26,

	NET_IPV4_NF_CONNTRACK_COUNT=27,

	NET_IPV4_NF_CONNTRACK_CHECKSUM=28,

};

 

/* /proc/sys/net/ipv6 */

include/net/netfilter/nf_conntrack.h

+1 −0
Original line number Diff line number Diff line
@@ -285,6 +285,7 @@ static inline int nf_ct_is_dying(struct nf_conn *ct) 
}



extern unsigned int nf_conntrack_htable_size;

extern int nf_conntrack_checksum;



#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)

net/ipv4/netfilter/ip_conntrack_proto_icmp.c

+1 −1
Original line number Diff line number Diff line
@@ -224,7 +224,7 @@ icmp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, 
	}



	/* See ip_conntrack_proto_tcp.c */

	if (hooknum == NF_IP_PRE_ROUTING &&

	if (ip_conntrack_checksum && hooknum == NF_IP_PRE_ROUTING &&

	    nf_ip_checksum(skb, hooknum, skb->nh.iph->ihl * 4, 0)) {

		if (LOG_INVALID(IPPROTO_ICMP))

			nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,

net/ipv4/netfilter/ip_conntrack_proto_tcp.c

+1 −1
Original line number Diff line number Diff line
@@ -870,7 +870,7 @@ static int tcp_error(struct sk_buff *skb, 
	 * and moreover root might send raw packets.

	 */

	/* FIXME: Source route IP option packets --RR */

	if (hooknum == NF_IP_PRE_ROUTING &&

	if (ip_conntrack_checksum && hooknum == NF_IP_PRE_ROUTING &&

	    nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_TCP)) {

		if (LOG_INVALID(IPPROTO_TCP))

			nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,