netfilter: optional tcp window check

Signed-off-by: Felix Fietkau <nbd@nbd.name>

netfilter: optional tcp window check
d65eb54f · Felix Fietkau · Kenneth Johansson · a05009d5 · d65eb54f
Commit d65eb54f authored Oct 30, 2017 by Felix Fietkau Committed by Kenneth Johansson Oct 24, 2018
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -33,6 +33,9 @@
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>

+/* Do not check the TCP window for incoming packets  */
+static int nf_ct_tcp_no_window_check __read_mostly = 1;
+
 /* "Be conservative in what you do,
    be liberal in what you accept from others."
    If it's non-zero, we mark only out of window RST segments as INVALID. */
@@ -513,6 +516,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	s32 receiver_offset;
 	bool res, in_recv_win;

+	if (nf_ct_tcp_no_window_check)
+		return true;
+
 	/*
 	 * Get the required data from the packet.
 	 */
@@ -1479,6 +1485,13 @@ static struct ctl_table tcp_sysctl_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
+	{
+		.procname       = "nf_conntrack_tcp_no_window_check",
+		.data           = &nf_ct_tcp_no_window_check,
+		.maxlen         = sizeof(unsigned int),
+		.mode           = 0644,
+		.proc_handler   = proc_dointvec,
+	},
 	{ }
 };
 #endif /* CONFIG_SYSCTL */