authorJo-Philipp Wich <jo@mein.io>2016-11-29 12:27:42 +0100
committerJo-Philipp Wich <jo@mein.io>2016-11-29 12:27:42 +0100
commit13698aafb52c45817ee7815da3405e620657c8d0 (patch)
tree2773965e8ecf70d33b3fa4987404dac71c853bf0
parent0367860636aa55e9ee064709ec2814906e1f246b (diff)
downloadfirewall3-13698aafb52c45817ee7815da3405e620657c8d0.tar.gz
global: remove automatic notrack rules
With recent kernel versions and the introduction of the conntrack routing cache there is no need to maintain performance hacks in userspace anymore, so simply drop the generation of automatic -j CT --notrack rules for zones. This also fixes some cases where traffic is not matched for zones that do not explicitly enforce connection tracking. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--forwards.c28
-rw-r--r--options.h1
-rw-r--r--redirects.c2
-rw-r--r--snats.c3
-rw-r--r--utils.c5
-rw-r--r--zones.c15
6 files changed, 6 insertions, 48 deletions
diff --git a/forwards.c b/forwards.c
index c610247..997c307 100644
--- a/forwards.c
+++ b/forwards.c
@@ -38,7 +38,6 @@ fw3_load_forwards(struct fw3_state *state, struct uci_package *p)
struct uci_section *s;
struct uci_element *e;
struct fw3_forward *forward;
- bool changed;
INIT_LIST_HEAD(&state->forwards);
@@ -88,30 +87,15 @@ fw3_load_forwards(struct fw3_state *state, struct uci_package *p)
continue;
}
- /* Propagate conntrack requirement flag into all zones connected through
- forwarding entries and repeat until all zones are normalized */
- do {
- changed = false;
-
- list_for_each_entry(forward, &state->forwards, list)
+ list_for_each_entry(forward, &state->forwards, list)
+ {
+ /* NB: forward family... */
+ if (forward->_dest)
{
- /* NB: forward family... */
- if (forward->_dest)
- {
- fw3_setbit(forward->_dest->flags[0], FW3_FLAG_ACCEPT);
- fw3_setbit(forward->_dest->flags[1], FW3_FLAG_ACCEPT);
-
- if (forward->_src &&
- (forward->_src->conntrack != forward->_dest->conntrack))
- {
- forward->_src->conntrack = true;
- forward->_dest->conntrack = true;
- changed = true;
- }
- }
+ fw3_setbit(forward->_dest->flags[0], FW3_FLAG_ACCEPT);
+ fw3_setbit(forward->_dest->flags[1], FW3_FLAG_ACCEPT);
}
}
- while (changed);
}
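Review bot: The surviving `/* NB: forward family... */` comment above `if (forward->_dest)` is a fragment that no longer explains anything now that the fixed-point propagation loop around it is gone. The visible behavior is that the destination zone is flagged ACCEPT in both `flags[0]` and `flags[1]` whatever the forward's own family is, so the comment should say that: `/* NB: dest is flagged ACCEPT for both families regardless of the forward's family restriction */`. A single pass is now enough because no iteration depends on the result of another forward, which is worth a word too since the loop used to be a fixed-point search. fw3_load_forwards starts outside the hunk.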
diff --git a/options.h b/options.h
index 307c5af..089242f 100644
--- a/options.h
+++ b/options.h
@@ -307,7 +307,6 @@ struct fw3_zone
struct list_head masq_src;
struct list_head masq_dest;
- bool conntrack;
bool mtu_fix;
bool log;
diff --git a/redirects.c b/redirects.c
index be1bfcb..a657b6d 100644
--- a/redirects.c
+++ b/redirects.c
@@ -278,7 +278,6 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
else
{
set(redir->_src->flags, FW3_FAMILY_V4, redir->target);
- redir->_src->conntrack = true;
valid = true;
if (!check_local(e, redir, state) && !redir->dest.set &&
@@ -309,7 +308,6 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
else
{
set(redir->_dest->flags, FW3_FAMILY_V4, redir->target);
- redir->_dest->conntrack = true;
valid = true;
}
}
diff --git a/snats.c b/snats.c
index f43daf2..fad6008 100644
--- a/snats.c
+++ b/snats.c
@@ -252,10 +252,7 @@ fw3_load_snats(struct fw3_state *state, struct uci_package *p, struct blob_attr
}
if (snat->_src)
- {
set(snat->_src->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
- snat->_src->conntrack = true;
- }
}
}
diff --git a/utils.c b/utils.c
index aca98d5..537c629 100644
--- a/utils.c
+++ b/utils.c
@@ -463,11 +463,6 @@ write_zone_uci(struct uci_context *ctx, struct fw3_zone *z,
uci_set(ctx, &ptr);
ptr.o = NULL;
- ptr.option = "conntrack";
- ptr.value = z->conntrack ? "1" : "0";
- uci_set(ctx, &ptr);
-
- ptr.o = NULL;
ptr.option = "mtu_fix";
ptr.value = z->mtu_fix ? "1" : "0";
uci_set(ctx, &ptr);
diff --git a/zones.c b/zones.c
index a95e363..8b4bbcd 100644
--- a/zones.c
+++ b/zones.c
@@ -73,7 +73,6 @@ const struct fw3_option fw3_zone_opts[] = {
FW3_OPT("extra_src", string, zone, extra_src),
FW3_OPT("extra_dest", string, zone, extra_dest),
- FW3_OPT("conntrack", bool, zone, conntrack),
FW3_OPT("mtu_fix", bool, zone, mtu_fix),
FW3_OPT("custom_chains", bool, zone, custom_chains),
@@ -217,7 +216,6 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
if (zone->masq)
{
fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
- zone->conntrack = true;
}
if (zone->custom_chains)
@@ -268,9 +266,6 @@ print_zone_chain(struct fw3_ipt_handle *handle, struct fw3_state *state,
if (zone->custom_chains)
set(zone->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
- if (!zone->conntrack && !state->defaults.drop_invalid)
- set(zone->flags, handle->family, FW3_FLAG_NOTRACK);
-
for (c = zone_chains; c->format; c++)
{
/* don't touch user chains on selective stop */
@@ -488,7 +483,6 @@ static void
print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
bool reload, struct fw3_zone *zone)
{
- bool disable_notrack = state->defaults.drop_invalid;
bool first_src, first_dest;
struct fw3_address *msrc;
struct fw3_address *mdest;
@@ -620,15 +614,6 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
break;
case FW3_TABLE_RAW:
- if (!zone->conntrack && !disable_notrack)
- {
- r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_target(r, "CT");
- fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
- fw3_ipt_rule_append(r, "zone_%s_notrack", zone->name);
- }
- break;
-
case FW3_TABLE_MANGLE:
break;
}
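Review bot: Removing the raw-table `CT --notrack` rule means traffic in zones that previously ran with `conntrack 0` (and `drop_invalid` off, the only combination that ever got the rule) is now tracked, so on busy routers those flows will presumably consume conntrack table entries and memory they did not before, and operators who used notrack as a resource safeguard get no hint of that here. A sentence on that trade-off in the commit description, and a comment at the now-empty label, e.g. `case FW3_TABLE_RAW: /* automatic notrack rules dropped; nothing to emit */`, would make the intent explicit. The same file also removes the `conntrack` entry from fw3_zone_opts, so existing configs carrying `option conntrack` will no longer be recognized by the option parser; whether that warns or is silently ignored is not visible here and deserves a note as well. print_zone_rule starts and ends outside the hunk.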