diff options
Diffstat (limited to 'nixos/modules/kernel-patches/0060-netfilter-add-support-for-flushing-conntrack-via-pro.patch')
-rw-r--r-- | nixos/modules/kernel-patches/0060-netfilter-add-support-for-flushing-conntrack-via-pro.patch | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/nixos/modules/kernel-patches/0060-netfilter-add-support-for-flushing-conntrack-via-pro.patch b/nixos/modules/kernel-patches/0060-netfilter-add-support-for-flushing-conntrack-via-pro.patch deleted file mode 100644 index 76e1590..0000000 --- a/nixos/modules/kernel-patches/0060-netfilter-add-support-for-flushing-conntrack-via-pro.patch +++ /dev/null @@ -1,95 +0,0 @@ -From ec5167f51145842fe3aee19df68dc0fcebcd54e7 Mon Sep 17 00:00:00 2001 -From: Felix Fietkau <nbd@nbd.name> -Date: Tue, 27 Sep 2022 16:22:04 +0200 -Subject: [PATCH 60/96] netfilter: add support for flushing conntrack via /proc - -lede-commit 8193bbe59a74d34d6a26d4a8cb857b1952905314 -Signed-off-by: Felix Fietkau <nbd@nbd.name> ---- - net/netfilter/nf_conntrack_standalone.c | 56 ++++++++++++++++++++++++- - 1 file changed, 54 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c -index 05895878610c..8d3be4cc340e 100644 ---- a/net/netfilter/nf_conntrack_standalone.c -+++ b/net/netfilter/nf_conntrack_standalone.c -@@ -9,6 +9,7 @@ - #include <linux/percpu.h> - #include <linux/netdevice.h> - #include <linux/security.h> -+#include <linux/inet.h> - #include <net/net_namespace.h> - #ifdef CONFIG_SYSCTL - #include <linux/sysctl.h> -@@ -465,6 +466,56 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v) - return 0; - } - -+struct kill_request { -+ u16 family; -+ union nf_inet_addr addr; -+}; -+ -+static int kill_matching(struct nf_conn *i, void *data) -+{ -+ struct kill_request *kr = data; -+ struct nf_conntrack_tuple *t1 = &i->tuplehash[IP_CT_DIR_ORIGINAL].tuple; -+ struct nf_conntrack_tuple *t2 = &i->tuplehash[IP_CT_DIR_REPLY].tuple; -+ -+ if (!kr->family) -+ return 1; -+ -+ if (t1->src.l3num != kr->family) -+ return 0; -+ -+ return (nf_inet_addr_cmp(&kr->addr, &t1->src.u3) || -+ nf_inet_addr_cmp(&kr->addr, &t1->dst.u3) || -+ nf_inet_addr_cmp(&kr->addr, &t2->src.u3) || -+ nf_inet_addr_cmp(&kr->addr, &t2->dst.u3)); -+} -+ -+static int ct_file_write(struct file *file, char *buf, size_t count) -+{ -+ struct seq_file *seq = file->private_data; -+ struct net *net = seq_file_net(seq); -+ struct kill_request kr = { }; -+ -+ if (count == 0) -+ return 0; -+ -+ if (count >= INET6_ADDRSTRLEN) -+ count = INET6_ADDRSTRLEN - 1; -+ -+ if (strnchr(buf, count, ':')) { -+ kr.family = AF_INET6; -+ if (!in6_pton(buf, count, (void *)&kr.addr, '\n', NULL)) -+ return -EINVAL; -+ } else if (strnchr(buf, count, '.')) { -+ kr.family = AF_INET; -+ if (!in4_pton(buf, count, (void *)&kr.addr, '\n', NULL)) -+ return -EINVAL; -+ } -+ -+ nf_ct_iterate_cleanup_net(net, kill_matching, &kr, 0, 0); -+ -+ return 0; -+} -+ - static const struct seq_operations ct_cpu_seq_ops = { - .start = ct_cpu_seq_start, - .next = ct_cpu_seq_next, -@@ -478,8 +529,9 @@ static int nf_conntrack_standalone_init_proc(struct net *net) - kuid_t root_uid; - kgid_t root_gid; - -- pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, -- sizeof(struct ct_iter_state)); -+ pde = proc_create_net_data_write("nf_conntrack", 0440, net->proc_net, -+ &ct_seq_ops, &ct_file_write, -+ sizeof(struct ct_iter_state), NULL); - if (!pde) - goto out_nf_conntrack; - --- -2.37.2 - |