From fa661bcf54d8f41528bff20a9745875862e12e9e Mon Sep 17 00:00:00 2001
From: nbd
Date: Thu, 7 Aug 2014 19:31:18 +0000
Subject: [PATCH] kernel: add a patch to allow disabling processing of the netfilter "filter" table for established connection packets
Signed-off-by: Felix Fietkau
Backport of r42046
git-svn-id: svn://svn.openwrt.org/openwrt/branches/barrier_breaker@42050 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 .../617-netfilter_skip_filter_sysctl.patch | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
diff --git a/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
new file mode 100644
index 0000000..a570834
--- /dev/null
+++ b/target/linux/generic/patches-3.10/617-netfilter_skip_filter_sysctl.patch
@@ -0,0 +1,87 @@
+--- a/include/net/netns/conntrack.h
++++ b/include/net/netns/conntrack.h
+@@ -80,6 +80,7 @@ struct netns_ct {
+ int sysctl_acct;
+ int sysctl_tstamp;
+ int sysctl_checksum;
++ int skip_filter;
+ unsigned int sysctl_log_invalid; /* Log invalid packets */
+ int sysctl_auto_assign_helper;
+ bool auto_assign_helper_warned;
+--- a/net/ipv4/netfilter/iptable_filter.c
++++ b/net/ipv4/netfilter/iptable_filter.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team ");
+@@ -37,6 +38,7 @@ iptable_filter_hook(unsigned int hook, s
+ const struct net_device *in, const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
++ enum ip_conntrack_info ctinfo;
+ const struct net *net;
+ 
+ if (hook == NF_INET_LOCAL_OUT &&
+@@ -46,6 +48,11 @@ iptable_filter_hook(unsigned int hook, s
+ return NF_ACCEPT;
+ 
+ net = dev_net((in != NULL) ? in : out);
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
++
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
+ }
+ 
+--- a/net/ipv6/netfilter/ip6table_filter.c
++++ b/net/ipv6/netfilter/ip6table_filter.c
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team ");
+@@ -37,6 +38,12 @@ ip6table_filter_hook(unsigned int hook,
+ int (*okfn)(struct sk_buff *))
+ {
+ const struct net *net = dev_net((in != NULL) ? in : out);
++ enum ip_conntrack_info ctinfo;
++
++ nf_ct_get(skb, &ctinfo);
++ if ((ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) &&
++ net->ct.skip_filter)
++ return NF_ACCEPT;
+ 
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+ }
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -477,6 +477,13 @@ static ctl_table nf_ct_sysctl_table[] =
+ .extra2 = &log_invalid_proto_max,
+ },
+ {
++ .procname = "nf_conntrack_skip_filter",
++ .data = &init_net.ct.skip_filter,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++ {
+ .procname = "nf_conntrack_expect_max",
+ .data = &nf_ct_expect_max,
+ .maxlen = sizeof(int),
+@@ -512,6 +519,7 @@ static int nf_conntrack_standalone_init_
+ table[2].data = &net->ct.htable_size;
+ table[3].data = &net->ct.sysctl_checksum;
+ table[4].data = &net->ct.sysctl_log_invalid;
++ table[5].data = &net->ct.skip_filter;
+ 
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns)
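Review bot: Both hook changes discard the return value of `nf_ct_get(skb, &ctinfo)` (in the iptable_filter.c hunk at `@@ -46,6 +48,11 @@` and the ip6table_filter.c hunk at `@@ -37,6 +38,12 @@`) and decide on `ctinfo` alone, so a packet that has no conntrack entry attached is classified by whatever ctinfo value the helper copies out of the skb; IP_CT_ESTABLISHED is the first enumerator of that enum, so such a packet can be taken for an established one and bypass the filter table whenever the sysctl is set. Keeping the pointer and requiring it, `struct nf_conn *ct = nf_ct_get(skb, &ctinfo); if (ct && (ctinfo == IP_CT_ESTABLISHED_REPLY || ctinfo == IP_CT_ESTABLISHED) && net->ct.skip_filter) return NF_ACCEPT;`, limits the shortcut to packets conntrack has actually matched. The nf_conntrack_standalone.c hunk adds the `nf_conntrack_skip_filter` entry with no comment on what it disables; a comment such as `/* When set, packets of established connections bypass the iptables "filter" table entirely. */` would help, and `table[5]` must stay in step with the entry's index in nf_ct_sysctl_table. The embedded hunks show only parts of iptable_filter_hook and ip6table_filter_hook, so the rest of each body is outside this view.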