Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c04d0552 authored by Alexey Dobriyan's avatar Alexey Dobriyan Committed by Patrick McHardy
Browse files

netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_checksum sysctl 



Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 80250707

include/net/netfilter/nf_conntrack.h

+0 −1
Original line number Diff line number Diff line
@@ -287,7 +287,6 @@ static inline int nf_ct_is_untracked(const struct sk_buff *skb) 


extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);

extern unsigned int nf_conntrack_htable_size;

extern int nf_conntrack_checksum;

extern int nf_conntrack_max;



#define NF_CT_STAT_INC(net, count)	\

include/net/netns/conntrack.h

+1 −0
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ struct netns_ct { 
#ifdef CONFIG_NF_CONNTRACK_EVENTS

	struct nf_conntrack_ecache *ecache;

#endif

	int			sysctl_checksum;

#ifdef CONFIG_SYSCTL

	struct ctl_table_header	*sysctl_header;

#endif

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

+1 −1
Original line number Diff line number Diff line
@@ -270,7 +270,7 @@ static ctl_table ip_ct_sysctl_table[] = { 
	{

		.ctl_name	= NET_IPV4_NF_CONNTRACK_CHECKSUM,

		.procname	= "ip_conntrack_checksum",

		.data		= &nf_conntrack_checksum,

		.data		= &init_net.ct.sysctl_checksum,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= &proc_dointvec,

net/ipv4/netfilter/nf_conntrack_proto_icmp.c

+1 −1
Original line number Diff line number Diff line
@@ -188,7 +188,7 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, 
	}



	/* See ip_conntrack_proto_tcp.c */

	if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&

	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&

	    nf_ip_checksum(skb, hooknum, dataoff, 0)) {

		if (LOG_INVALID(IPPROTO_ICMP))

			nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,

net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

+1 −1
Original line number Diff line number Diff line
@@ -187,7 +187,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, 
		return -NF_ACCEPT;

	}



	if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&

	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&

	    nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {

		nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,

			      "nf_ct_icmpv6: ICMPv6 checksum failed\n");