diff --git a/patches/openwrt/0018-Revert-kernel-add-netfilter-actual-sk-patch.patch b/patches/openwrt/0018-Revert-kernel-add-netfilter-actual-sk-patch.patch new file mode 100644 index 00000000..0757984d --- /dev/null +++ b/patches/openwrt/0018-Revert-kernel-add-netfilter-actual-sk-patch.patch @@ -0,0 +1,246 @@ +From: Martin Weinelt +Date: Sun, 6 Dec 2020 00:21:49 +0100 +Subject: Revert "kernel: add netfilter-actual-sk patch" + +This reverts commit c9c7b4b3945c01c2aadf3ef5d9a77c8200db80f1. + +diff --git a/target/linux/generic/backport-4.14/373-netfilter_actual_sk.patch b/target/linux/generic/backport-4.14/373-netfilter_actual_sk.patch +deleted file mode 100644 +index 21722ceb23bdb7cbc1126e7cc08e6151115ed0c9..0000000000000000000000000000000000000000 +--- a/target/linux/generic/backport-4.14/373-netfilter_actual_sk.patch ++++ /dev/null +@@ -1,234 +0,0 @@ +-From: "Jason A. Donenfeld" +-To: Pablo Neira Ayuso , +- netfilter-devel@vger.kernel.org, netdev@vger.kernel.org +-Cc: "Jason A. Donenfeld" +-Subject: [PATCH nf 2/2] netfilter: use actual socket sk rather than skb sk when routing harder +-Date: Thu, 29 Oct 2020 03:56:06 +0100 +-Message-ID: <20201029025606.3523771-3-Jason@zx2c4.com> (raw) +-In-Reply-To: <20201029025606.3523771-1-Jason@zx2c4.com> +- +-If netfilter changes the packet mark when mangling, the packet is +-rerouted using the route_me_harder set of functions. Prior to this +-commit, there's one big difference between route_me_harder and the +-ordinary initial routing functions, described in the comment above +-__ip_queue_xmit(): +- +- /* Note: skb->sk can be different from sk, in case of tunnels */ +- int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl, +- +-That function goes on to correctly make use of sk->sk_bound_dev_if, +-rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a +-tunnel will receive a packet in ndo_start_xmit with an initial skb->sk. +-It will make some transformations to that packet, and then it will send +-the encapsulated packet out of a *new* socket. That new socket will +-basically always have a different sk_bound_dev_if (otherwise there'd be +-a routing loop). So for the purposes of routing the encapsulated packet, +-the routing information as it pertains to the socket should come from +-that socket's sk, rather than the packet's original skb->sk. For that +-reason __ip_queue_xmit() and related functions all do the right thing. +- +-One might argue that all tunnels should just call skb_orphan(skb) before +-transmitting the encapsulated packet into the new socket. But tunnels do +-*not* do this -- and this is wisely avoided in skb_scrub_packet() too -- +-because features like TSQ rely on skb->destructor() being called when +-that buffer space is truely available again. Calling skb_orphan(skb) too +-early would result in buffers filling up unnecessarily and accounting +-info being all wrong. Instead, additional routing must take into account +-the new sk, just as __ip_queue_xmit() notes. +- +-So, this commit addresses the problem by fishing the correct sk out of +-state->sk -- it's already set properly in the call to nf_hook() in +-__ip_local_out(), which receives the sk as part of its normal +-functionality. So we make sure to plumb state->sk through the various +-route_me_harder functions, and then make correct use of it following the +-example of __ip_queue_xmit(). +- +-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +-Signed-off-by: Jason A. Donenfeld +-[aaronjg@stanford.edu: backported to 4.14] +-Signed-off-by: Aaron Goodman +---- a/include/linux/netfilter_ipv4.h +-+++ b/include/linux/netfilter_ipv4.h +-@@ -16,7 +16,7 @@ struct ip_rt_info { +- u_int32_t mark; +- }; +- +--int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type); +-+int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned addr_type); +- +- struct nf_queue_entry; +- +---- a/include/linux/netfilter_ipv6.h +-+++ b/include/linux/netfilter_ipv6.h +-@@ -41,7 +41,7 @@ struct nf_ipv6_ops { +- }; +- +- #ifdef CONFIG_NETFILTER +--int ip6_route_me_harder(struct net *net, struct sk_buff *skb); +-+int ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb); +- __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, +- unsigned int dataoff, u_int8_t protocol); +- +---- a/net/ipv4/netfilter.c +-+++ b/net/ipv4/netfilter.c +-@@ -17,17 +17,19 @@ +- #include +- +- /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */ +--int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type) +-+int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned int addr_type) +- { +- const struct iphdr *iph = ip_hdr(skb); +- struct rtable *rt; +- struct flowi4 fl4 = {}; +- __be32 saddr = iph->saddr; +-- const struct sock *sk = skb_to_full_sk(skb); +-- __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0; +-+ __u8 flags; +- struct net_device *dev = skb_dst(skb)->dev; +- unsigned int hh_len; +- +-+ sk = sk_to_full_sk(sk); +-+ flags = sk ? inet_sk_flowi_flags(sk) : 0; +-+ +- if (addr_type == RTN_UNSPEC) +- addr_type = inet_addr_type_dev_table(net, dev, saddr); +- if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST) +-@@ -91,7 +93,7 @@ int nf_ip_reroute(struct sk_buff *skb, c +- skb->mark == rt_info->mark && +- iph->daddr == rt_info->daddr && +- iph->saddr == rt_info->saddr)) +-- return ip_route_me_harder(entry->state.net, skb, +-+ return ip_route_me_harder(entry->state.net, entry->state.sk, skb, +- RTN_UNSPEC); +- } +- return 0; +---- a/net/ipv4/netfilter/ipt_SYNPROXY.c +-+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c +-@@ -53,7 +53,7 @@ synproxy_send_tcp(struct net *net, +- +- skb_dst_set_noref(nskb, skb_dst(skb)); +- nskb->protocol = htons(ETH_P_IP); +-- if (ip_route_me_harder(net, nskb, RTN_UNSPEC)) +-+ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC)) +- goto free_nskb; +- +- if (nfct) { +---- a/net/ipv4/netfilter/iptable_mangle.c +-+++ b/net/ipv4/netfilter/iptable_mangle.c +-@@ -65,7 +65,7 @@ ipt_mangle_out(struct sk_buff *skb, cons +- iph->daddr != daddr || +- skb->mark != mark || +- iph->tos != tos) { +-- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); +-+ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); +- if (err < 0) +- ret = NF_DROP_ERR(err); +- } +---- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c +-+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c +-@@ -397,7 +397,7 @@ nf_nat_ipv4_local_fn(void *priv, struct +- +- if (ct->tuplehash[dir].tuple.dst.u3.ip != +- ct->tuplehash[!dir].tuple.src.u3.ip) { +-- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); +-+ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); +- if (err < 0) +- ret = NF_DROP_ERR(err); +- } +---- a/net/ipv4/netfilter/nf_reject_ipv4.c +-+++ b/net/ipv4/netfilter/nf_reject_ipv4.c +-@@ -129,7 +129,7 @@ void nf_send_reset(struct net *net, stru +- ip4_dst_hoplimit(skb_dst(nskb))); +- nf_reject_ip_tcphdr_put(nskb, oldskb, oth); +- +-- if (ip_route_me_harder(net, nskb, RTN_UNSPEC)) +-+ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC)) +- goto free_nskb; +- +- niph = ip_hdr(nskb); +---- a/net/ipv4/netfilter/nft_chain_route_ipv4.c +-+++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c +-@@ -50,7 +50,7 @@ static unsigned int nf_route_table_hook( +- iph->daddr != daddr || +- skb->mark != mark || +- iph->tos != tos) { +-- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC); +-+ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC); +- if (err < 0) +- ret = NF_DROP_ERR(err); +- } +---- a/net/ipv6/netfilter.c +-+++ b/net/ipv6/netfilter.c +-@@ -18,10 +18,10 @@ +- #include +- #include +- +--int ip6_route_me_harder(struct net *net, struct sk_buff *skb) +-+int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff *skb) +- { +- const struct ipv6hdr *iph = ipv6_hdr(skb); +-- struct sock *sk = sk_to_full_sk(skb->sk); +-+ struct sock *sk = sk_to_full_sk(sk_partial); +- unsigned int hh_len; +- struct dst_entry *dst; +- int strict = (ipv6_addr_type(&iph->daddr) & +-@@ -82,7 +82,7 @@ static int nf_ip6_reroute(struct sk_buff +- if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) || +- !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) || +- skb->mark != rt_info->mark) +-- return ip6_route_me_harder(entry->state.net, skb); +-+ return ip6_route_me_harder(entry->state.net, entry->state.sk, skb); +- } +- return 0; +- } +---- a/net/ipv6/netfilter/ip6table_mangle.c +-+++ b/net/ipv6/netfilter/ip6table_mangle.c +-@@ -60,7 +60,7 @@ ip6t_mangle_out(struct sk_buff *skb, con +- skb->mark != mark || +- ipv6_hdr(skb)->hop_limit != hop_limit || +- flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) { +-- err = ip6_route_me_harder(state->net, skb); +-+ err = ip6_route_me_harder(state->net, state->sk, skb); +- if (err < 0) +- ret = NF_DROP_ERR(err); +- } +---- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +-+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +-@@ -414,7 +414,7 @@ nf_nat_ipv6_local_fn(void *priv, struct +- +- if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, +- &ct->tuplehash[!dir].tuple.src.u3)) { +-- err = ip6_route_me_harder(state->net, skb); +-+ err = ip6_route_me_harder(state->net, state->sk, skb); +- if (err < 0) +- ret = NF_DROP_ERR(err); +- } +---- a/net/ipv6/netfilter/nft_chain_route_ipv6.c +-+++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c +-@@ -52,7 +52,7 @@ static unsigned int nf_route_table_hook( +- skb->mark != mark || +- ipv6_hdr(skb)->hop_limit != hop_limit || +- flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) { +-- err = ip6_route_me_harder(state->net, skb); +-+ err = ip6_route_me_harder(state->net, state->sk, skb); +- if (err < 0) +- ret = NF_DROP_ERR(err); +- } +---- a/net/netfilter/ipvs/ip_vs_core.c +-+++ b/net/netfilter/ipvs/ip_vs_core.c +-@@ -713,12 +713,12 @@ static int ip_vs_route_me_harder(struct +- struct dst_entry *dst = skb_dst(skb); +- +- if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && +-- ip6_route_me_harder(ipvs->net, skb) != 0) +-+ ip6_route_me_harder(ipvs->net, skb->sk, skb) != 0) +- return 1; +- } else +- #endif +- if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && +-- ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0) +-+ ip_route_me_harder(ipvs->net, skb->sk, skb, RTN_LOCAL) != 0) +- return 1; +- +- return 0;