M7350v3_en_gpl

2024-09-09 08:55:19 +00:00
parent 801e6d2ad8
commit 2d95e8761a
2791 changed files with 89608 additions and 390711 deletions
--- a/kernel/net/netfilter/nf_conntrack_core.c
+++ b/kernel/net/netfilter/nf_conntrack_core.c
@ -986,8 +986,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
 	if (!ct) {
 		/* Not valid part of a connection */
 		NF_CT_STAT_INC_ATOMIC(net, invalid);
-                /* [houjihai] if accept, it'll result in NO-NAT_PASS, but we are a NAT router */
-		ret = NF_DROP;
+		ret = NF_ACCEPT;
 		goto out;
 	}

--- a/kernel/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/kernel/net/netfilter/nf_conntrack_proto_tcp.c
@ -64,24 +64,22 @@ static const char *const tcp_conntrack_names[] = {
 #define HOURS * 60 MINS
 #define DAYS * 24 HOURS

-/* [houjihai start] modify tcp timeout */
 static unsigned int tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX] __read_mostly = {
-	[TCP_CONNTRACK_SYN_SENT]	= 30 SECS,
-	[TCP_CONNTRACK_SYN_RECV]	= 30 SECS,
-	[TCP_CONNTRACK_ESTABLISHED]	= 30 MINS,
-	[TCP_CONNTRACK_FIN_WAIT]	= 30 SECS,
-	[TCP_CONNTRACK_CLOSE_WAIT]	= 30 SECS,
+	[TCP_CONNTRACK_SYN_SENT]	= 2 MINS,
+	[TCP_CONNTRACK_SYN_RECV]	= 60 SECS,
+	[TCP_CONNTRACK_ESTABLISHED]	= 5 DAYS,
+	[TCP_CONNTRACK_FIN_WAIT]	= 2 MINS,
+	[TCP_CONNTRACK_CLOSE_WAIT]	= 60 SECS,
 	[TCP_CONNTRACK_LAST_ACK]	= 30 SECS,
-	[TCP_CONNTRACK_TIME_WAIT]	= 30 SECS,
-	[TCP_CONNTRACK_CLOSE]		= 1  SECS,
-	[TCP_CONNTRACK_SYN_SENT2]	= 30 SECS,
+	[TCP_CONNTRACK_TIME_WAIT]	= 2 MINS,
+	[TCP_CONNTRACK_CLOSE]		= 10 SECS,
+	[TCP_CONNTRACK_SYN_SENT2]	= 2 MINS,
 /* RFC1122 says the R2 limit should be at least 100 seconds.
   Linux uses 15 packets as limit, which corresponds
   to ~13-30min depending on RTO. */
 	[TCP_CONNTRACK_RETRANS]		= 5 MINS,
 	[TCP_CONNTRACK_UNACK]		= 5 MINS,
 };
-/* [houjihai end] */

 #define sNO TCP_CONNTRACK_NONE
 #define sSS TCP_CONNTRACK_SYN_SENT
--- a/kernel/net/netfilter/nf_conntrack_proto_udp.c
+++ b/kernel/net/netfilter/nf_conntrack_proto_udp.c
@ -31,16 +31,11 @@ enum udp_conntrack {
 	UDP_CT_MAX
 };

-/* [houjihai start] modify udp timeout and add dns timeout */
 static unsigned int udp_timeouts[UDP_CT_MAX] = {
-	[UDP_CT_UNREPLIED]	= 60*HZ,
-	[UDP_CT_REPLIED]	= 120*HZ,
+	[UDP_CT_UNREPLIED]	= 30*HZ,
+	[UDP_CT_REPLIED]	= 180*HZ,
 };

-static unsigned int nf_ct_udp_dns_replied_timeout __read_mostly = 20*HZ;
-static unsigned int nf_ct_udp_dns_unreplied_timeout __read_mostly = 3*HZ;
-/* [houjihai end] */
-
 static bool udp_pkt_to_tuple(const struct sk_buff *skb,
 			     unsigned int dataoff,
 			     struct nf_conntrack_tuple *tuple)
@ -90,38 +85,17 @@ static int udp_packet(struct nf_conn *ct,
 		      unsigned int hooknum,
 		      unsigned int *timeouts)
 {
-        const struct iphdr *iph = ip_hdr(skb);
-        const struct udphdr *udph = (void *)iph + iph->ihl * 4;
-        const __u16 dport = ntohs(udph->dest);
-        const __u16 sport = ntohs(udph->source);
 	/* If we've seen traffic both ways, this is some kind of UDP
 	   stream.  Extend timeout. */
 	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
-                /* [houjihai] if is a dns connection, shorten timeout */
-                if ((dport == 53) || (sport == 53)) {
-                    nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_dns_replied_timeout);
-                } else {
-		    nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_REPLIED]);
-                }
+		nf_ct_refresh_acct(ct, ctinfo, skb,
+				   timeouts[UDP_CT_REPLIED]);
 		/* Also, more likely to be important, and not a probe */
 		if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
 			nf_conntrack_event_cache(IPCT_ASSURED, ct);
 	} else {
-                /* [houjihai] handle unreplied dns
-                * from BRCM 89xx:16Jun08, LiShaozhang
-                * Special handling of UNRPLIED DNS query packet: Song Wang
-                * Before NAT and WAN interface are UP, during that time window,
-                * if a DNS query is sent out, there will be an UNRPLIED DNS connection track entry
-                * in which expected src/dst are private IP addresses in the tuple.
-                * After NAT and WAN interface are UP, the UNRPLIED DNS connection track
-                * entry should go away ASAP to enable the establishment  of the tuple with
-                * the expected src/dst that are public IP addresses.
-                */
-                if (dport == 53) {
-                    nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_dns_unreplied_timeout);
-                } else {
-	            nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
-                }
+		nf_ct_refresh_acct(ct, ctinfo, skb,
+				   timeouts[UDP_CT_UNREPLIED]);
 	}
 	return NF_ACCEPT;
 }