git.baikalelectronics.ru Git - kernel.git/commit

netfilter: nf_defrag: Skip defrag if NOTRACK is set

conntrack defrag is needed only if some module like CONNTRACK or NAT
explicitly requests it. For plain forwarding scenarios, defrag is
not needed and can be skipped if NOTRACK is set in a rule.

Since conntrack defrag is currently higher priority than raw table,
setting NOTRACK is not sufficient. We need to move raw to a higher
priority for iptables only.

This is achieved by introducing a module parameter "raw_before_defrag"
which allows to change the priority of raw table to place it before
defrag. By default, the parameter is disabled and the priority of raw
table is NF_IP_PRI_RAW to support legacy behavior. If the module
parameter is enabled, then the priority of the raw table is set to
NF_IP_PRI_RAW_BEFORE_DEFRAG.

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

author	Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
	Thu, 11 Jan 2018 03:51:57 +0000 (20:51 -0700)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 11 Jan 2018 12:14:20 +0000 (13:14 +0100)
commit	35a7e70c5056a26cd1740f9acad08237b1404406
tree	d6fd5a1753739180282014315c57aecc52efaf2f	tree \| snapshot
parent	93d855695268f93a259951d61349f4a71ba00018	commit \| diff

include/uapi/linux/netfilter_ipv4.h		diff \| blob \| history
include/uapi/linux/netfilter_ipv6.h		diff \| blob \| history
net/ipv4/netfilter/iptable_raw.c		diff \| blob \| history
net/ipv4/netfilter/nf_defrag_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/ip6table_raw.c		diff \| blob \| history
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c		diff \| blob \| history