Allow to disable conntrack in userspace

README.md

@@ -198,7 +198,9 @@ Flags that do not scoped to a specific section, used over all the youtubeUnblock
 
 - `--instaflush` Used with tracing. Flushes the buffer instantly, without waiting for explicit new line. Highly useful for debugging crushes.
 
-- `--no-gso` Disables support for Google Chrome fat packets which uses GSO. This feature is well tested now, so this flag probably won't fix anything.
+- `--no-gso` Disables support for TCP fat packets which uses GSO. This feature is well tested now, so this flag probably won't fix anything.
+
+- `--no-conntrack` Disables support for conntrack in youtubeUnblock.
 
 - `--no-ipv6` Disables support for ipv6. May be useful if you don't want for ipv6 socket to be opened.
 

src/args.c

@@ -273,6 +273,7 @@ enum {
 	OPT_THREADS,
 	OPT_SILENT,
 	OPT_NO_GSO,
+	OPT_NO_CONNTRACK,
 	OPT_QUEUE_NUM,
 	OPT_UDP_MODE,
 	OPT_UDP_FAKE_SEQ_LEN,
@@ -322,6 +323,7 @@ static struct option long_opt[] = {
 	{"trace",		0, 0, OPT_TRACE},
 	{"instaflush",		0, 0, OPT_INSTAFLUSH},
 	{"no-gso",		0, 0, OPT_NO_GSO},
+	{"no-conntrack",	0, 0, OPT_NO_CONNTRACK},
 	{"no-ipv6",		0, 0, OPT_NO_IPV6},
 	{"daemonize",		0, 0, OPT_DAEMONIZE},
 	{"noclose",		0, 0, OPT_NOCLOSE},
@@ -386,6 +388,7 @@ void print_usage(const char *argv0) {
 	printf("\t--trace\n");
 	printf("\t--instaflush\n");
 	printf("\t--no-gso\n");
+	printf("\t--no-conntrack\n");
 	printf("\t--no-ipv6\n");
 	printf("\t--daemonize\n");
 	printf("\t--noclose\n");
@@ -459,7 +462,20 @@ int yparse_args(int argc, char *argv[]) {
 			rep_config.verbose = VERBOSE_INFO;
 			break;
 		case OPT_NO_GSO:
+#ifndef KERNEL_SPACE
 			rep_config.use_gso = 0;
+#else
+			lgerr("--no-gso is not supported in kernel space");
+			goto invalid_opt;
+#endif
+			break;
+		case OPT_NO_CONNTRACK:
+#ifndef KERNEL_SPACE
+			rep_config.use_conntrack = 0;
+#else
+			lgerr("--no-conntrack is not supported in kernel space. Compile with make kmake EXTRA_CFLAGS=\"-DNO_CONNTRACK\" instead." );
+			goto invalid_opt;
+#endif
 			break;
 		case OPT_NO_IPV6:
 			rep_config.use_ipv6 = 0;
@@ -1017,6 +1033,9 @@ size_t print_config(char *buffer, size_t buffer_size) {
 	if (!config.use_gso) {
 		print_cnf_buf("--no-gso");
 	}
+	if (!config.use_conntrack) {
+		print_cnf_buf("--no-conntrack");
+	}
 #endif
 
 #ifdef KERNEL_SPACE

src/config.h

@@ -113,6 +113,7 @@ struct config_t {
 	int threads;
 	int use_gso;
 	int use_ipv6;
+	int use_conntrack;
 	unsigned int mark;
 	int daemonize;
 	// Same as daemon() noclose
@@ -269,6 +270,7 @@ enum {
                                                                 \
 	.verbose = VERBOSE_DEBUG,                               \
 	.use_gso = 1,                                           \
+	.use_conntrack = 1,					\
                                                                 \
 	.first_section = NULL,					\
 	.last_section = NULL,					\

src/youtubeUnblock.c

@@ -788,7 +788,9 @@ int init_queue(int queue_num) {
 	if (config.use_gso) {
 		cfg_mask |= NFQA_CFG_F_GSO;
 	}
-	cfg_mask |= NFQA_CFG_F_CONNTRACK;
+	if (config.use_conntrack) {
+		cfg_mask |= NFQA_CFG_F_CONNTRACK;
+	}
 	cfg_mask |= NFQA_CFG_F_FAIL_OPEN;
 
 	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(cfg_flags));