From 2de8d7252dfb25868df5fe954c064812c4efc33c Mon Sep 17 00:00:00 2001
From: Fedor Kozhevnikov
Date: Wed, 30 Mar 2011 22:37:02 -0400
Subject: [PATCH] BCM CTF: use the same conditions to disable CTF as used for BCM fast NAT
---
 .../src-rt/linux/linux-2.6/include/linux/sysctl.h | 2 +-
 .../linux-2.6/include/net/netfilter/nf_conntrack.h | 1 +
 .../net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 +-
 .../linux-2.6/net/ipv4/netfilter/nf_nat_core.c | 6 ++--
 .../linux/linux-2.6/net/netfilter/xt_CONNMARK.c | 6 ++++
 .../src-rt/linux/linux-2.6/net/netfilter/xt_MARK.c | 40 ++++++++++++----------
 6 files changed, 36 insertions(+), 23 deletions(-)
diff --git a/release/src-rt/linux/linux-2.6/include/linux/sysctl.h b/release/src-rt/linux/linux-2.6/include/linux/sysctl.h
index a76d60b227..d3f4ab9517 100644
--- a/release/src-rt/linux/linux-2.6/include/linux/sysctl.h
+++ b/release/src-rt/linux/linux-2.6/include/linux/sysctl.h
@@ -530,7 +530,7 @@ enum
 NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26,
 NET_IPV4_NF_CONNTRACK_COUNT=27,
 NET_IPV4_NF_CONNTRACK_CHECKSUM=28,
-#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE)
+#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE) || defined(HNDCTF)
 NET_IPV4_CONNTRACK_FASTNAT=29,
 #endif
 };
diff --git a/release/src-rt/linux/linux-2.6/include/net/netfilter/nf_conntrack.h b/release/src-rt/linux/linux-2.6/include/net/netfilter/nf_conntrack.h
index 20f900f539..216c38e619 100644
--- a/release/src-rt/linux/linux-2.6/include/net/netfilter/nf_conntrack.h
+++ b/release/src-rt/linux/linux-2.6/include/net/netfilter/nf_conntrack.h
@@ -116,6 +116,7 @@ struct nf_conn_help {
 };
 #define CTF_FLAGS_CACHED (1 << 0) /* Indicates cached connection */
+#define CTF_FLAGS_EXCLUDED (1 << 30)
 #include
 #include
diff --git a/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index f2b4afcc11..ec6d4d3df1 100644
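Review bot: `CTF_FLAGS_EXCLUDED` is added to nf_conntrack.h without the explanatory comment its neighbour `CTF_FLAGS_CACHED` carries, so a reader of the header cannot tell what the bit means, who sets it or who honours it. The rest of this patch shows it being set by the MARK/CONNMARK targets and tested in ip_conntrack_ipct_add, so that is what the comment should say: `#define CTF_FLAGS_EXCLUDED (1 << 30) /* never add this conntrack to the CTF cache; set by MARK/CONNMARK targets, checked in ip_conntrack_ipct_add() */`. Bit 30 was presumably chosen to stay clear of flag bits defined elsewhere (not visible here); a short note to that effect would keep the next flag added to this header from colliding with them.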
--- a/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -30,7 +30,7 @@
 #define DEBUGP(format, args...)
 #endif
-#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE)
+#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE) || defined(HNDCTF)
 int ipv4_conntrack_fastnat = 0;
 EXPORT_SYMBOL_GPL(ipv4_conntrack_fastnat);
 #endif
@@ -310,7 +310,7 @@ static ctl_table ip_ct_sysctl_table[] = {
 .extra1 = &log_invalid_proto_min,
 .extra2 = &log_invalid_proto_max,
 },
-#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE)
+#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE) || defined(HNDCTF)
 {
 .ctl_name = NET_IPV4_CONNTRACK_FASTNAT,
 .procname = "ip_conntrack_fastnat",
diff --git a/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_nat_core.c b/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_nat_core.c
index e2d90ba7d4..c8eb11c0b7 100644
--- a/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_nat_core.c
+++ b/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/nf_nat_core.c
@@ -104,12 +104,14 @@ hash_by_src(const struct nf_conntrack_tuple *tuple)
 }
 #ifdef HNDCTF
+extern int ipv4_conntrack_fastnat;
+
 bool ip_conntrack_is_ipc_allowed(struct sk_buff *skb, u_int32_t hooknum)
 {
 struct net_device *dev;
- if (!CTF_ENAB(kcih))
+ if (!ipv4_conntrack_fastnat || !CTF_ENAB(kcih))
 return FALSE;
 if (hooknum == NF_IP_PRE_ROUTING) {
@@ -157,7 +159,7 @@ ip_conntrack_ipct_add(struct sk_buff *skb, u_int32_t hooknum,
 * pre or post routing hooks. */
 help = nfct_help(ct);
- if ((help && help->helper) ||
+ if ((help && help->helper) || (ct->ctf_flags & CTF_FLAGS_EXCLUDED) ||
 ((hooknum != NF_IP_PRE_ROUTING) && (hooknum != NF_IP_POST_ROUTING)))
 return;
diff --git a/release/src-rt/linux/linux-2.6/net/netfilter/xt_CONNMARK.c b/release/src-rt/linux/linux-2.6/net/netfilter/xt_CONNMARK.c
index c37d5d7363..c18bd140b4 100644
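Review bot: With `ipv4_conntrack_fastnat = 0` now compiled in for HNDCTF builds and consulted by ip_conntrack_is_ipc_allowed, a build that has HNDCTF but not CONFIG_BCM_NAT appears to start with the CTF bypass disabled until userspace writes 1 to the `ip_conntrack_fastnat` sysctl; the commit message does not say whether that default is intended, and the definition carries no comment. Suggest `int ipv4_conntrack_fastnat = 0; /* 0: BCM fast NAT and HNDCTF bypass both off; enabled from userspace via ip_conntrack_fastnat */`. The sysctl's procname in the second hunk is now a misnomer on CTF-only builds; if it cannot be renamed for compatibility, a one-line comment on the table entry saying that it also governs HNDCTF would save the next reader a search.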
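Review bot: `extern int ipv4_conntrack_fastnat;` is a bare declaration in a .c file, so nothing checks it against the definition in nf_conntrack_l3proto_ipv4.c; it belongs in a shared header (nf_conntrack.h already gains `CTF_FLAGS_EXCLUDED` in this patch and is a natural place), from which nf_nat_core.c, xt_MARK.c and xt_CONNMARK.c can all pick it up. Separately, gating ip_conntrack_is_ipc_allowed on the sysctl only stops new cache entries: connections already marked `CTF_FLAGS_CACHED` keep bypassing netfilter until they age out, unless the sysctl handler also flushes the CTF cache, which is not visible here. That is worth a comment on the new check, e.g. `/* runtime switch: blocks new CTF entries only; existing cached flows are unaffected */`, since an operator turning the knob off to get iptables visibility would otherwise expect an immediate effect.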
--- a/release/src-rt/linux/linux-2.6/net/netfilter/xt_CONNMARK.c
+++ b/release/src-rt/linux/linux-2.6/net/netfilter/xt_CONNMARK.c
@@ -66,6 +66,9 @@ target(struct sk_buff *skb,
 if (ipv4_conntrack_fastnat && (nat = nfct_nat(ct)))
 nat->info.nat_type |= BCM_FASTNAT_DENY;
 #endif
+#ifdef HNDCTF
+ ct->ctf_flags |= CTF_FLAGS_EXCLUDED;
+#endif /* HNDCTF */
 nf_conntrack_event_cache(IPCT_MARK, skb);
 }
 break;
@@ -80,6 +83,9 @@ target(struct sk_buff *skb,
 if (ipv4_conntrack_fastnat && (nat = nfct_nat(ct)))
 nat->info.nat_type |= BCM_FASTNAT_DENY;
 #endif
+#ifdef HNDCTF
+ ct->ctf_flags |= CTF_FLAGS_EXCLUDED;
+#endif /* HNDCTF */
 }
 return XT_RETURN;
 case XT_CONNMARK_SAVE:
diff --git a/release/src-rt/linux/linux-2.6/net/netfilter/xt_MARK.c b/release/src-rt/linux/linux-2.6/net/netfilter/xt_MARK.c
index 758f9d373c..fb919fd694 100644
--- a/release/src-rt/linux/linux-2.6/net/netfilter/xt_MARK.c
+++ b/release/src-rt/linux/linux-2.6/net/netfilter/xt_MARK.c
@@ -34,19 +34,21 @@ target_v0(struct sk_buff *skb,
 const struct xt_target *target,
 const void *targinfo)
 {
-#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE)
- struct nf_conn *ct;
- struct nf_conn_nat *nat;
- enum ip_conntrack_info ctinfo;
-#endif
-
 const struct xt_mark_target_info *markinfo = targinfo;
 skb->mark = markinfo->mark;
+#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE) || defined(HNDCTF)
+ {
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+
 #if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE)
- if (ipv4_conntrack_fastnat) {
- nat = (ct = nf_ct_get(skb, &ctinfo)) ? nfct_nat(ct) : NULL;
+ struct nf_conn_nat *nat = (ipv4_conntrack_fastnat && ct) ? nfct_nat(ct) : NULL;
 if (nat) nat->info.nat_type |= BCM_FASTNAT_DENY;
+#endif // BCM_NAT
+#ifdef HNDCTF
+ ct->ctf_flags |= CTF_FLAGS_EXCLUDED;
+#endif /* HNDCTF */
 }
 #endif
 return XT_CONTINUE;
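Review bot: In target_v0 the new `ct->ctf_flags |= CTF_FLAGS_EXCLUDED;` under `#ifdef HNDCTF` dereferences `ct` without a NULL check, while the line just above it explicitly allows for `ct == NULL` (`(ipv4_conntrack_fastnat && ct) ? nfct_nat(ct) : NULL`); nf_ct_get returns NULL for packets that have no conntrack entry, so a MARK rule hit by such a packet would dereference NULL in a HNDCTF build. The guard should match the BCM_NAT branch: `if (ct) ct->ctf_flags |= CTF_FLAGS_EXCLUDED;`. The same unguarded line is added to target_v1 in the next hunk and needs the same fix; the CONNMARK hunks look safe only because their existing context already calls `nfct_nat(ct)`, which I take to mean `ct` was checked earlier in that function. As a point of style, `#endif // BCM_NAT` mixes a `//` comment into a file that otherwise closes conditionals with `/* ... */` (`#endif /* HNDCTF */` two lines later); `#endif /* BCM_NAT */` keeps the file consistent.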
@@ -60,23 +62,25 @@ target_v1(struct sk_buff *skb,
 const struct xt_target *target,
 const void *targinfo)
 {
-#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE)
- struct nf_conn *ct;
- struct nf_conn_nat *nat;
- enum ip_conntrack_info ctinfo;
-#endif
-
 const struct xt_mark_target_info_v1 *markinfo = targinfo;
 int mark = 0;
 switch (markinfo->mode) {
 case XT_MARK_SET:
 mark = markinfo->mark;
+#if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE) || defined(HNDCTF)
+ {
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+
 #if defined(CONFIG_BCM_NAT) || defined(CONFIG_BCM_NAT_MODULE)
- if (ipv4_conntrack_fastnat) {
- nat = (ct = nf_ct_get(skb, &ctinfo)) ? nfct_nat(ct) : NULL;
- if (nat) nat->info.nat_type |= BCM_FASTNAT_DENY;
- }
+ struct nf_conn_nat *nat = (ipv4_conntrack_fastnat && ct) ? nfct_nat(ct) : NULL;
+ if (nat) nat->info.nat_type |= BCM_FASTNAT_DENY;
+#endif // BCM_NAT
+#ifdef HNDCTF
+ ct->ctf_flags |= CTF_FLAGS_EXCLUDED;
+#endif /* HNDCTF */
+ }
 #endif
 break;
-- 
2.11.4.GIT