From 13698aafb52c45817ee7815da3405e620657c8d0 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 29 Nov 2016 12:27:42 +0100
Subject: [PATCH] global: remove automatic notrack rules

With recent Kernel versions and the introduction of the conntrack routing cache there is no need to maintain performance hacks in userspace anymore, so simply drop the generation of automatic -j CT --notrack rules for zones. This also fixes some cases where traffic is not matched for zones that do not explicitely enforce connection tracking.

Signed-off-by: Jo-Philipp Wich
---
 forwards.c | 28 ++++++----------------------
 options.h | 1 -
 redirects.c | 2 --
 snats.c | 3 ---
 utils.c | 5 -----
 zones.c | 15 ---------------
 6 files changed, 6 insertions(+), 48 deletions(-)

diff --git a/forwards.c b/forwards.c
index c610247..997c307 100644
--- a/forwards.c
+++ b/forwards.c
@@ -38,7 +38,6 @@ fw3_load_forwards(struct fw3_state *state, struct uci_package *p)
 struct uci_section *s;
 struct uci_element *e;
 struct fw3_forward *forward;
- bool changed;
 
 INIT_LIST_HEAD(&state->forwards);
 
@@ -88,30 +87,15 @@ fw3_load_forwards(struct fw3_state *state, struct uci_package *p)
 continue;
 }
 
- /* Propagate conntrack requirement flag into all zones connected through
- forwarding entries and repeat until all zones are normalized */
- do {
- changed = false;
-
- list_for_each_entry(forward, &state->forwards, list)
+ list_for_each_entry(forward, &state->forwards, list)
+ {
+ /* NB: forward family... */
+ if (forward->_dest)
 {
- /* NB: forward family... */
- if (forward->_dest)
- {
- fw3_setbit(forward->_dest->flags[0], FW3_FLAG_ACCEPT);
- fw3_setbit(forward->_dest->flags[1], FW3_FLAG_ACCEPT);
-
- if (forward->_src &&
- (forward->_src->conntrack != forward->_dest->conntrack))
- {
- forward->_src->conntrack = true;
- forward->_dest->conntrack = true;
- changed = true;
- }
- }
+ fw3_setbit(forward->_dest->flags[0], FW3_FLAG_ACCEPT);
+ fw3_setbit(forward->_dest->flags[1], FW3_FLAG_ACCEPT);
 }
 }
- while (changed);
 }
 
 
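Review bot: The retained `/* NB: forward family... */` comment above the new `if (forward->_dest)` is a truncated note that no longer explains why both `flags[0]` and `flags[1]` receive FW3_FLAG_ACCEPT, and the restructured list_for_each_entry loop is now the only place a reader meets it. Suggest replacing it with `/* a forwarding rule implies the destination zone must accept forwarded traffic; mark both family flag sets, the zone's family is applied when rules are printed */` — the "applied when rules are printed" part is inferred from the flags[0]/flags[1] indexing, so confirm against where the flags are consumed. fw3_load_forwards begins before this hunk.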
diff --git a/options.h b/options.h
index 307c5af..089242f 100644
--- a/options.h
+++ b/options.h
@@ -307,7 +307,6 @@ struct fw3_zone
 struct list_head masq_src;
 struct list_head masq_dest;
 
- bool conntrack;
 bool mtu_fix;
 bool log;
 
diff --git a/redirects.c b/redirects.c
index be1bfcb..a657b6d 100644
--- a/redirects.c
+++ b/redirects.c
@@ -278,7 +278,6 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 else
 {
 set(redir->_src->flags, FW3_FAMILY_V4, redir->target);
- redir->_src->conntrack = true;
 valid = true;
 
 if (!check_local(e, redir, state) && !redir->dest.set &&
@@ -309,7 +308,6 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 else
 {
 set(redir->_dest->flags, FW3_FAMILY_V4, redir->target);
- redir->_dest->conntrack = true;
 valid = true;
 }
 }
diff --git a/snats.c b/snats.c
index f43daf2..fad6008 100644
--- a/snats.c
+++ b/snats.c
@@ -252,10 +252,7 @@ fw3_load_snats(struct fw3_state *state, struct uci_package *p, struct blob_attr
 }
 
 if (snat->_src)
- {
 set(snat->_src->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
- snat->_src->conntrack = true;
- }
 }
 }
 
diff --git a/utils.c b/utils.c
index aca98d5..537c629 100644
--- a/utils.c
+++ b/utils.c
@@ -462,11 +462,6 @@ write_zone_uci(struct uci_context *ctx, struct fw3_zone *z,
 ptr.value = z->masq ? "1" : "0";
 uci_set(ctx, &ptr);
 
- ptr.o = NULL;
- ptr.option = "conntrack";
- ptr.value = z->conntrack ? "1" : "0";
- uci_set(ctx, &ptr);
-
 ptr.o = NULL;
 ptr.option = "mtu_fix";
 ptr.value = z->mtu_fix ? "1" : "0";
diff --git a/zones.c b/zones.c
index a95e363..8b4bbcd 100644
--- a/zones.c
+++ b/zones.c
@@ -73,7 +72,6 @@ const struct fw3_option fw3_zone_opts[] = {
 FW3_OPT("extra_src", string, zone, extra_src),
 FW3_OPT("extra_dest", string, zone, extra_dest),
 
- FW3_OPT("conntrack", bool, zone, conntrack),
 FW3_OPT("mtu_fix", bool, zone, mtu_fix),
 FW3_OPT("custom_chains", bool, zone, custom_chains),
 
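Review bot: Removing `FW3_OPT("conntrack", bool, zone, conntrack)` from fw3_zone_opts means an existing `option conntrack` in a zone section is no longer recognised, yet nothing in the new table tells the administrator that a security-relevant setting has stopped having any effect; whether fw3_parse_options warns about or silently ignores unknown options is not visible in this hunk. Consider an explicit deprecation notice in fw3_load_zones when the option is still present in the configuration, e.g. `warn_elem(e, "option 'conntrack' is obsolete and ignored");` next to the existing option validation, so the behavioural change surfaces in the logs on the first reload. The same consideration applies to the `write_zone_uci` hunk in utils.c, which silently stops persisting the option. fw3_zone_opts continues outside this hunk.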
@@ -217,7 +216,6 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 if (zone->masq)
 {
 fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
- zone->conntrack = true;
 }
 
 if (zone->custom_chains)
@@ -268,9 +266,6 @@ print_zone_chain(struct fw3_ipt_handle *handle, struct fw3_state *state,
 if (zone->custom_chains)
 set(zone->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
 
- if (!zone->conntrack && !state->defaults.drop_invalid)
- set(zone->flags, handle->family, FW3_FLAG_NOTRACK);
-
 for (c = zone_chains; c->format; c++)
 {
 /* don't touch user chains on selective stop */
@@ -488,7 +483,6 @@ static void
 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 bool reload, struct fw3_zone *zone)
 {
- bool disable_notrack = state->defaults.drop_invalid;
 bool first_src, first_dest;
 struct fw3_address *msrc;
 struct fw3_address *mdest;
@@ -620,15 +614,6 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 break;
 
 case FW3_TABLE_RAW:
- if (!zone->conntrack && !disable_notrack)
- {
- r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_target(r, "CT");
- fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
- fw3_ipt_rule_append(r, "zone_%s_notrack", zone->name);
- }
- break;
-
 case FW3_TABLE_MANGLE:
 break;
 }
-- 
2.25.1
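Review bot: After the removal, `case FW3_TABLE_RAW:` is an empty label that falls into `case FW3_TABLE_MANGLE:`, which is valid C, but nothing in the new code records that emitting no raw-table rule is deliberate rather than an oversight; suggest `case FW3_TABLE_RAW: /* no CT --notrack bypass: zones are always connection-tracked now */`. The hunk also leaves FW3_FLAG_NOTRACK and the `zone_%s_notrack` chain without any remaining producer in print_zone_chain or print_zone_rule; if the flag and the matching zone_chains entry are still declared elsewhere (not visible here), they are now dead and should be dropped in the same change so an empty notrack chain is not still created in the raw table. The earlier print_zone_chain hunk that removes the FW3_FLAG_NOTRACK set() has the same loose end. print_zone_rule begins before this hunk.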