From d1565a54e81adab0aacc2baf20079ed1f84a111d Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Tue, 22 Nov 2016 17:06:02 +0100
Subject: device: conntrack is optional
---
src/Kconfig | 1 -
src/device.c | 16 ++++++++++++----
2 files changed, 12 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/Kconfig b/src/Kconfig
index ef127da..84fed02 100644
--- a/src/Kconfig
+++ b/src/Kconfig
@@ -6,7 +6,6 @@ config WIREGUARD
select NETFILTER
select NETFILTER_XTABLES
select NETFILTER_ADVANCED
- select NF_CONNTRACK
select CRYPTO_BLKCIPHER
select IP6_NF_IPTABLES if IPV6
default y
diff --git a/src/device.c b/src/device.c
index 634d3be..478efef 100644
--- a/src/device.c
+++ b/src/device.c
@@ -18,8 +18,10 @@
#include
#include
#include
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
#include
#include
+#endif
static int init(struct net_device *dev)
{
@@ -71,24 +73,30 @@ static int stop(struct net_device *dev)
static void skb_unsendable(struct sk_buff *skb, struct net_device *dev)
{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* This conntrack stuff is because the rate limiting needs to be applied
- * to the original src IP, so we have to restore saddr in the IP header. */
- struct nf_conn *ct = NULL;
+ * to the original src IP, so we have to restore saddr in the IP header.
+ * It's not needed if conntracking isn't in the kernel, because in that
+ * case the saddr wouldn't be NAT-transformed anyway. */
enum ip_conntrack_info ctinfo;
-
- ct = nf_ct_get(skb, &ctinfo);
+ struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+#endif
++dev->stats.tx_errors;
if (skb->len < sizeof(struct iphdr))
goto free;
if (ip_hdr(skb)->version == 4) {
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
if (ct)
ip_hdr(skb)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
+#endif
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
} else if (ip_hdr(skb)->version == 6) {
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
if (ct)
ipv6_hdr(skb)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
+#endif
icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
}
free:
-- cgit v1.2.3-59-g8ed1b
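Review bot: The `skb->len < sizeof(struct iphdr)` guard only proves a 20-byte IPv4 header is present, yet the `version == 6` branch stores a 16-byte address into `ipv6_hdr(skb)->saddr` (bytes 8–23 of the 40-byte IPv6 header) and then hands the skb to icmpv6_send(), so an skb of 20–23 bytes whose first nibble is 6 passes the guard and is written beyond the length that was checked; whether such a truncated skb can reach this function depends on callers outside the hunk, but the per-family check is cheap: as the first statement of the v6 branch, `if (skb->len < sizeof(struct ipv6hdr)) goto free;`. On kernels of this era that represent NOTRACK'd packets with a shared "untracked" conntrack object, `if (ct)` alone is presumably also satisfied for those packets and would copy that object's zeroed tuple into saddr, so the guard likely wants to be `if (ct && !nf_ct_is_untracked(ct))` in both branches — worth confirming against the oldest kernel the compat layer supports. As a point of style, `ct->tuplehash[0]` would read better as `ct->tuplehash[IP_CT_DIR_ORIGINAL]`, since "the original src IP" is exactly what the comment above says is being restored. The statements under the `free:` label and skb_unsendable's closing brace lie past the end of the hunk.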