* [PATCH 00/12] add namespace support for netfilter protos
@ 2012-04-17  2:56 Gao feng
  2012-04-17  2:56 ` [PATCH 01/12] netfilter: add struct netns_ct_proto to support netfilter namespace Gao feng
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

Currently the sysctl of netfilter protos is not isolated, so changing a
proto's sysctl in a container will cause the host's sysctl to be changed
too. It's not expected.

This patch set adds the namespace support for netfilter protos.

Implement four pernet_operations to register sysctl, and disable
registering sysctl when protos are registered.

nf_conntrack_net_proto_ipv4_ops is used to register tcp4(compat),
udp4(compat),icmp(compat),ipv4(compat).
nf_conntrack_net_proto_ipv6_ops is used to register tcp6,udp6 and 
icmpv6.
nf_conntrack_net_proto_sctp_ops is used to register sctp4(compat) 
and sctp6.
nf_conntrack_net_proto_udplite_ops is used to register udplite4
and udplite6.

These operations will be registered when the module is loaded.

And this will break the cttimeout, because the timeout_nlattr_to_obj
function uses the orig timeout (such as tcp_timeouts) to set timeouts.

I will fix this in my next patch.

Gao feng (12):
  netfilter: add struct netns_ct_proto to support netfilter namespace
  netfilter: don't register sysctl when register proto
  netfilter: generic proto sysctl support for net namespace
  netfilter: tcp proto sysctl support for net namespace
  netfilter: udp proto sysctl support for net namespace
  netfilter: icmp proto sysctl support for net namespace
  netfilter: icmpv6 proto sysctl support for net
  netfilter: ipv4 sysctl support for net namespace
  netfilter: ipv6 sysctl support for net namespace
  netfilter: sctp proto sysctl support for net namespace
  netfilter: udplite proto sysctl support for net
  netfilter: export necessary function for generic proto

 include/linux/netfilter/nf_conntrack_udp.h     |   10 +
 include/linux/netfilter/nf_conntrack_udplite.h |   10 +
 include/net/netfilter/nf_conntrack_core.h      |    3 +
 include/net/netfilter/nf_conntrack_l3proto.h   |    6 -
 include/net/netfilter/nf_conntrack_l4proto.h   |   38 +++-
 include/net/netns/conntrack.h                  |   37 ++++
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   96 ++++++++-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |  116 +++++++++-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |   48 ++++
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |   54 ++++-
 net/netfilter/nf_conntrack_core.c              |    6 +
 net/netfilter/nf_conntrack_proto.c             |  109 ++--------
 net/netfilter/nf_conntrack_proto_generic.c     |   93 ++++++++-
 net/netfilter/nf_conntrack_proto_sctp.c        |  205 +++++++++++++++---
 net/netfilter/nf_conntrack_proto_tcp.c         |  275 ++++++++++++++++++++----
 net/netfilter/nf_conntrack_proto_udp.c         |  160 ++++++++++++--
 net/netfilter/nf_conntrack_proto_udplite.c     |   83 ++++++--
 17 files changed, 1096 insertions(+), 253 deletions(-)
 create mode 100644 include/linux/netfilter/nf_conntrack_udp.h
 create mode 100644 include/linux/netfilter/nf_conntrack_udplite.h

-- 
1.7.7.6


* [PATCH 01/12] netfilter: add struct netns_ct_proto to support netfilter namespace
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  8:54   ` Pablo Neira Ayuso
  2012-04-17  2:56 ` [PATCH 02/12] netfilter: don't register sysctl when register proto Gao feng
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

The struct netns_ct_proto is used to store ctl_table_header and sysctl vars.
Because udp_conntrack and udplite_conntrack are used by netns_ct_proto,
move udp_conntrack and udplite_conntrack to header files.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/linux/netfilter/nf_conntrack_udp.h     |   10 ++++++
 include/linux/netfilter/nf_conntrack_udplite.h |   10 ++++++
 include/net/netns/conntrack.h                  |   37 ++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 0 deletions(-)
 create mode 100644 include/linux/netfilter/nf_conntrack_udp.h
 create mode 100644 include/linux/netfilter/nf_conntrack_udplite.h

diff --git a/include/linux/netfilter/nf_conntrack_udp.h b/include/linux/netfilter/nf_conntrack_udp.h
new file mode 100644
index 0000000..02869fc
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_udp.h
@@ -0,0 +1,10 @@
+#ifndef _NF_CONNTRACK_UDP_H
+#define _NF_CONNTRACK_UDP_H
+
+enum udp_conntrack {
+	UDP_CT_UNREPLIED,
+	UDP_CT_REPLIED,
+	UDP_CT_MAX
+};
+
+#endif /* _NF_CONNTRACK_UDP_H */
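Review bot: nothing in this patch removes the existing udp_conntrack enum from net/netfilter/nf_conntrack_proto_udp.c (the diffstat is 57 insertions, 0 deletions), so the "move" in the commit message is a copy until a later patch drops the original; either remove it here or state in the message that the .c-side removal follows. Since no userspace consumer needs these values and include/net/netns/conntrack.h is their only user, defining the enum directly next to struct netns_ct_proto would avoid adding a new header under include/linux/netfilter/.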
diff --git a/include/linux/netfilter/nf_conntrack_udplite.h b/include/linux/netfilter/nf_conntrack_udplite.h
new file mode 100644
index 0000000..62b90a2
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_udplite.h
@@ -0,0 +1,10 @@
+#ifndef _NF_CONNTRACK_UDPLITE_H
+#define _NF_CONNTRACK_UDPLITE_H
+
+enum udplite_conntrack {
+	UDPLITE_CT_UNREPLIED,
+	UDPLITE_CT_REPLIED,
+	UDPLITE_CT_MAX
+};
+
+#endif /* _NF_CONNTRACK_UDPLITE_H */
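Review bot: same point as for nf_conntrack_udp.h: the udplite_conntrack enum in net/netfilter/nf_conntrack_proto_udplite.c is not removed here, so two definitions coexist until a later patch, and conntrack.h (the only consumer) could hold it directly instead of a new exported-looking header.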
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 7a911ec..5845665 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -4,10 +4,46 @@
 #include <linux/list.h>
 #include <linux/list_nulls.h>
 #include <linux/atomic.h>
+#include <linux/netfilter/nf_conntrack_tcp.h>
+#include <linux/netfilter/nf_conntrack_udp.h>
+#include <linux/netfilter/nf_conntrack_udplite.h>
+#include <linux/netfilter/nf_conntrack_sctp.h>
 
 struct ctl_table_header;
 struct nf_conntrack_ecache;
 
+struct netns_ct_proto {
+	unsigned int            sysctl_generic_timeout;
+	unsigned int		sysctl_tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
+	unsigned int		sysctl_tcp_loose;
+	unsigned int		sysctl_tcp_be_liberal;
+	unsigned int		sysctl_tcp_max_retrans;
+	unsigned int		sysctl_udp_timeouts[UDP_CT_MAX];
+	unsigned int		sysctl_udplite_timeouts[UDPLITE_CT_MAX];
+	unsigned int		sysctl_sctp_timeouts[SCTP_CONNTRACK_MAX];
+	unsigned int		sysctl_icmp_timeout;
+	unsigned int		sysctl_icmpv6_timeout;
+#ifdef CONFIG_SYSCTL
+	struct ctl_table_header *generic_sysctl_header;
+	struct ctl_table_header *tcp_sysctl_header;
+	struct ctl_table_header *udp_sysctl_header;
+	struct ctl_table_header *udplite_sysctl_header;
+	struct ctl_table_header *sctp_sysctl_header;
+	struct ctl_table_header *icmp_sysctl_header;
+	struct ctl_table_header *icmpv6_sysctl_header;
+	unsigned int		tcp_table_users;
+	unsigned int		udp_table_users;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 
+	struct ctl_table_header *generic_compat_header;
+	struct ctl_table_header *tcp_compat_header;
+	struct ctl_table_header *udp_compat_header;
+	struct ctl_table_header *sctp_compat_header;
+	struct ctl_table_header *icmp_compat_header;
+	struct ctl_table_header *ipv4_compat_header;
+#endif
+#endif
+};
+
 struct netns_ct {
 	atomic_t		count;
 	unsigned int		expect_count;
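Review bot: trailing whitespace after `#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT ` and spaces instead of tabs in `unsigned int            sysctl_generic_timeout;`; checkpatch will flag both. The compat block carries icmp_compat_header and ipv4_compat_header but no udplite or icmpv6 equivalents, which matches the cover letter (compat entries are IPv4-only); a one-line comment saying so would save the next reader a lookup.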
@@ -26,6 +62,7 @@ struct netns_ct {
 	int			sysctl_tstamp;
 	int			sysctl_checksum;
 	unsigned int		sysctl_log_invalid; /* Log invalid packets */
+	struct netns_ct_proto	proto;
 #ifdef CONFIG_SYSCTL
 	struct ctl_table_header	*sysctl_header;
 	struct ctl_table_header	*acct_sysctl_header;
-- 
1.7.7.6



* [PATCH 02/12] netfilter: don't register sysctl when register proto
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
  2012-04-17  2:56 ` [PATCH 01/12] netfilter: add struct netns_ct_proto to support netfilter namespace Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  8:56   ` Pablo Neira Ayuso
  2012-04-17  2:56 ` [PATCH 03/12] netfilter: generic proto sysctl support for net namespace Gao feng
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

Delete nf_ct_l[3,4]proto_register_sysctl when registering l[3,4]proto,
and add nf_ct_register_net_sysctl and nf_ct_unregister_net_sysctl to
register the sysctl for the net namespace.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto.c |  109 +++++-------------------------------
 1 files changed, 15 insertions(+), 94 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index be3da2c..207cdd8 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -35,12 +35,15 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
 static DEFINE_MUTEX(nf_ct_proto_mutex);
 
 #ifdef CONFIG_SYSCTL
-static int
-nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
-		      struct ctl_table *table, unsigned int *users)
+int
+nf_ct_register_net_sysctl(struct net *net, 
+			  struct ctl_table_header **header,
+			  struct ctl_path *path,
+			  struct ctl_table *table,
+			  unsigned int *users)
 {
 	if (*header == NULL) {
-		*header = register_sysctl_paths(path, table);
+		*header = register_net_sysctl_table(net, path, table);
 		if (*header == NULL)
 			return -ENOMEM;
 	}
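Review bot: trailing whitespace after `struct net *net, `. The `if (*header == NULL)` guard plus the users counter now key sharing on a per-net header pointer, which is what the tcp4/tcp6 case needs; a short kernel-doc comment on the newly exported function stating that `header` and `users` must live in the per-net struct (not in a module-global) would make that contract explicit for other callers.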
@@ -48,17 +51,21 @@ nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
 		(*users)++;
 	return 0;
 }
+EXPORT_SYMBOL_GPL(nf_ct_register_net_sysctl);
 
-static void
-nf_ct_unregister_sysctl(struct ctl_table_header **header,
-			struct ctl_table *table, unsigned int *users)
+void
+nf_ct_unregister_net_sysctl(struct ctl_table_header **header,
+			    struct ctl_table *table,
+			    unsigned int *users)
 {
 	if (users != NULL && --*users > 0)
 		return;
 
 	unregister_sysctl_table(*header);
+	kfree(table);
 	*header = NULL;
 }
+EXPORT_SYMBOL_GPL(nf_ct_unregister_net_sysctl);
 #endif
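Review bot: the added `kfree(table)` makes this helper take ownership of the table, so every caller must stop freeing it after a successful unregister; the register-failure path in the generic proto patch does its own kfree, which is correct only because registration never happened. Since unregister_sysctl_table() already records the table in header->ctl_table_arg (which the generic fini path relies on), the `table` argument could be dropped and the table freed from the header, removing the chance of a caller passing a stale pointer.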
 
 struct nf_conntrack_l4proto *
@@ -161,29 +168,6 @@ static int kill_l4proto(struct nf_conn *i, void *data)
 	       nf_ct_l3num(i) == l4proto->l3proto;
 }
 
-static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
-{
-	int err = 0;
-
-#ifdef CONFIG_SYSCTL
-	if (l3proto->ctl_table != NULL) {
-		err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
-					    l3proto->ctl_table_path,
-					    l3proto->ctl_table, NULL);
-	}
-#endif
-	return err;
-}
-
-static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
-{
-#ifdef CONFIG_SYSCTL
-	if (l3proto->ctl_table_header != NULL)
-		nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
-					l3proto->ctl_table, NULL);
-#endif
-}
-
 int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
 {
 	int ret = 0;
@@ -203,10 +187,6 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
 		goto out_unlock;
 	}
 
-	ret = nf_ct_l3proto_register_sysctl(proto);
-	if (ret < 0)
-		goto out_unlock;
-
 	if (proto->nlattr_tuple_size)
 		proto->nla_size = 3 * proto->nlattr_tuple_size();
 
@@ -230,7 +210,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
 					 ) != proto);
 	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
 			   &nf_conntrack_l3proto_generic);
-	nf_ct_l3proto_unregister_sysctl(proto);
 	mutex_unlock(&nf_ct_proto_mutex);
 
 	synchronize_rcu();
@@ -243,52 +222,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
 
-static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
-{
-	int err = 0;
-
-#ifdef CONFIG_SYSCTL
-	if (l4proto->ctl_table != NULL) {
-		err = nf_ct_register_sysctl(l4proto->ctl_table_header,
-					    nf_net_netfilter_sysctl_path,
-					    l4proto->ctl_table,
-					    l4proto->ctl_table_users);
-		if (err < 0)
-			goto out;
-	}
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	if (l4proto->ctl_compat_table != NULL) {
-		err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
-					    nf_net_ipv4_netfilter_sysctl_path,
-					    l4proto->ctl_compat_table, NULL);
-		if (err == 0)
-			goto out;
-		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
-					l4proto->ctl_table,
-					l4proto->ctl_table_users);
-	}
-#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
-out:
-#endif /* CONFIG_SYSCTL */
-	return err;
-}
-
-static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
-{
-#ifdef CONFIG_SYSCTL
-	if (l4proto->ctl_table_header != NULL &&
-	    *l4proto->ctl_table_header != NULL)
-		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
-					l4proto->ctl_table,
-					l4proto->ctl_table_users);
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	if (l4proto->ctl_compat_table_header != NULL)
-		nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
-					l4proto->ctl_compat_table, NULL);
-#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
-#endif /* CONFIG_SYSCTL */
-}
-
 /* FIXME: Allow NULL functions and sub in pointers to generic for
    them. --RR */
 int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
@@ -333,10 +266,6 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
 		goto out_unlock;
 	}
 
-	ret = nf_ct_l4proto_register_sysctl(l4proto);
-	if (ret < 0)
-		goto out_unlock;
-
 	l4proto->nla_size = 0;
 	if (l4proto->nlattr_size)
 		l4proto->nla_size += l4proto->nlattr_size();
@@ -365,7 +294,6 @@ void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
 			) != l4proto);
 	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
 			   &nf_conntrack_l4proto_generic);
-	nf_ct_l4proto_unregister_sysctl(l4proto);
 	mutex_unlock(&nf_ct_proto_mutex);
 
 	synchronize_rcu();
@@ -380,12 +308,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
 
 int nf_conntrack_proto_init(void)
 {
-	unsigned int i;
-	int err;
-
-	err = nf_ct_l4proto_register_sysctl(&nf_conntrack_l4proto_generic);
-	if (err < 0)
-		return err;
+	unsigned int i;	
 
 	for (i = 0; i < AF_MAX; i++)
 		rcu_assign_pointer(nf_ct_l3protos[i],
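Review bot: `unsigned int i;` now carries a trailing tab. With the generic proto's sysctl no longer registered in nf_conntrack_proto_init(), nf_conntrack_generic_timeout disappears until the next patch adds the per-net registration, the same bisect gap as for the l4proto removal above.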
@@ -397,8 +320,6 @@ void nf_conntrack_proto_fini(void)
 {
 	unsigned int i;
 
-	nf_ct_l4proto_unregister_sysctl(&nf_conntrack_l4proto_generic);
-
 	/* free l3proto protocol tables */
 	for (i = 0; i < PF_MAX; i++)
 		kfree(nf_ct_protos[i]);
-- 
1.7.7.6



* [PATCH 03/12] netfilter: generic proto sysctl support for net namespace
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
  2012-04-17  2:56 ` [PATCH 01/12] netfilter: add struct netns_ct_proto to support netfilter namespace Gao feng
  2012-04-17  2:56 ` [PATCH 02/12] netfilter: don't register sysctl when register proto Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  8:58   ` Pablo Neira Ayuso
  2012-04-17  2:56 ` [PATCH 04/12] netfilter: tcp " Gao feng
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

Register the generic proto's sysctl in pernet_operations.init,
and use net->ct.proto.sysctl_generic_timeout to replace nf_ct_generic_timeout.

In a later patch, timeout_nlattr_to_obj will be modified too.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_core.c          |    6 ++
 net/netfilter/nf_conntrack_proto_generic.c |   93 +++++++++++++++++++++++++---
 2 files changed, 91 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 729f157..bf11dd6 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1358,6 +1358,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
 	nf_conntrack_tstamp_fini(net);
 	nf_conntrack_acct_fini(net);
 	nf_conntrack_expect_fini(net);
+	nf_conntrack_proto_generic_net_fini(net);
 	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
 	kfree(net->ct.slabname);
 	free_percpu(net->ct.stat);
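Review bot: nf_conntrack_core.c now calls nf_conntrack_proto_generic_net_init() and nf_conntrack_proto_generic_net_fini(), but this patch touches no header (diffstat: core.c and proto_generic.c only), so the prototypes are missing here and the kernel's -Werror-implicit-function-declaration breaks the build at this point in the series; the declarations (the series diffstat shows nf_conntrack_core.h gaining three lines elsewhere) belong in this patch.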
@@ -1573,6 +1574,9 @@ static int nf_conntrack_init_net(struct net *net)
 		printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
 		goto err_hash;
 	}
+	ret = nf_conntrack_proto_generic_net_init(net);
+	if (ret < 0)
+		goto err_generic;
 	ret = nf_conntrack_expect_init(net);
 	if (ret < 0)
 		goto err_expect;
@@ -1600,6 +1604,8 @@ err_tstamp:
 err_acct:
 	nf_conntrack_expect_fini(net);
 err_expect:
+	nf_conntrack_proto_generic_net_fini(net);
+err_generic:
 	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
 err_hash:
 	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 835e24c..0d4545b 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -42,7 +42,7 @@ static int generic_print_tuple(struct seq_file *s,
 
 static unsigned int *generic_get_timeouts(struct net *net)
 {
-	return &nf_ct_generic_timeout;
+	return &(net->ct.proto.sysctl_generic_timeout);
 }
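Review bot: the parentheses are redundant; `return &net->ct.proto.sysctl_generic_timeout;` matches the style of the other *_get_timeouts() helpers.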
 
 /* Returns verdict for packet, or -1 for invalid. */
@@ -105,11 +105,10 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *generic_sysctl_header;
 static struct ctl_table generic_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_generic_timeout",
-		.data		= &nf_ct_generic_timeout,
+		.data		= &init_net.ct.proto.sysctl_generic_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
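Review bot: `.data = &init_net.ct.proto.sysctl_generic_timeout` in the static template is dead: nf_conntrack_proto_generic_net_init() overwrites table[0].data for every namespace, init_net included, and the template itself is never registered. Leaving `.data` NULL makes it obvious that the template must be duplicated and bound before use, and avoids a silent cross-namespace leak if a future caller registers the template directly.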
@@ -120,7 +119,7 @@ static struct ctl_table generic_sysctl_table[] = {
 static struct ctl_table generic_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_generic_timeout",
-		.data		= &nf_ct_generic_timeout,
+		.data		= &init_net.ct.proto.sysctl_generic_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
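Review bot: same as the non-compat table: the init_net address in `.data` is overwritten per namespace in the init function below, so it can be left NULL here too.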
@@ -150,11 +149,89 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
 		.nla_policy	= generic_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+};
+
+int nf_conntrack_proto_generic_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int ret = 0;
 #ifdef CONFIG_SYSCTL
-	.ctl_table_header	= &generic_sysctl_header,
-	.ctl_table		= generic_sysctl_table,
 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= generic_compat_sysctl_table,
+	struct ctl_table *compat_table;
 #endif
 #endif
-};
+	net->ct.proto.sysctl_generic_timeout = nf_ct_generic_timeout;
+#ifdef CONFIG_SYSCTL
+	table = kmemdup(generic_sysctl_table,
+			sizeof(generic_sysctl_table),
+			GFP_KERNEL);
+	if (!table)
+		return -ENOMEM;
+	
+	table[0].data = &net->ct.proto.sysctl_generic_timeout;
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.generic_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR 
+			"nf_conntrack_proto_generic:"
+			" can't register to sysctl.\n");
+		kfree(table);
+		return ret;
+	}
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	compat_table = kmemdup(generic_compat_sysctl_table,
+			       sizeof(generic_compat_sysctl_table),
+			       GFP_KERNEL);
+	if (!compat_table) {
+		ret = -ENOMEM;
+		goto out_compat;
+	}
+	compat_table[0].data = &net->ct.proto.sysctl_generic_timeout;
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.generic_compat_header,
+					nf_net_ipv4_netfilter_sysctl_path,
+					compat_table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR 
+			"nf_conntrack_proto_generic:"
+			" can't register to compat sysctl.\n");
+		goto out_compat_register;
+	}
+#endif
+	return 0;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+out_compat_register:
+	kfree(compat_table);
+out_compat:
+	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
+				    table,
+				    NULL);
+#endif
+#endif
+	return ret;
+}
+
+void nf_conntrack_proto_generic_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+	struct ctl_table *table;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+#endif
+	table = net->ct.proto.generic_sysctl_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
+				    table,
+				    NULL);
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	compat_table = net->ct.proto.generic_compat_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_compat_header,
+				    compat_table,
+				    NULL);
+#endif
+#endif
+}
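Review bot: with CONFIG_SYSCTL=n, `struct ctl_table *table;` in nf_conntrack_proto_generic_net_init() is declared but unused and will warn; move it under the #ifdef like compat_table. There is trailing whitespace on the blank line after `return -ENOMEM;` and after both `printk(KERN_ERR ` (pr_err() would also be shorter). In nf_conntrack_proto_generic_net_fini() both header pointers are dereferenced through ->ctl_table_arg without a NULL check; that is safe only because init either registers both tables or fails the whole net init, which deserves a comment so the next refactor does not break the invariant.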
-- 
1.7.7.6

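The per-namespace scheme described in the cover letter and in patches 02 and 03 (duplicate a static ctl_table template for each net namespace, rebind every entry's .data into that namespace's net->ct.proto, and share one registration between tcp4 and tcp6 through a users count), as an added userspace model that is not code from the series or from the kernel. struct ctl_table, struct net, kmemdup and the register/unregister calls are simplified stand-ins; the offset column, the HZ value and the default numbers are assumptions made for the example. It binds .data by offset in a loop, which is the alternative to the fixed table[N].data assignments a reviewer would ask for:

```c
/* Added example, not code from the patch series: a userspace model of the
 * per-namespace sysctl scheme it introduces.  A static ctl_table template is
 * duplicated per net namespace and each entry's .data is rebound into that
 * namespace's netns_ct_proto by offset.  struct ctl_table, struct net, kmemdup
 * and register/unregister are stand-ins, not the kernel API. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define HZ 100 /* assumed tick rate for the example */
enum tcp_conntrack { TCP_CONNTRACK_SYN_SENT, TCP_CONNTRACK_ESTABLISHED, TCP_CONNTRACK_TIMEOUT_MAX };

struct ctl_table {
	const char *procname;
	void *data;    /* NULL in the template, bound per namespace */
	size_t offset; /* where the variable lives inside netns_ct_proto */
};

/* Per-namespace state, mirroring the fields added in patch 01. */
struct netns_ct_proto {
	unsigned int sysctl_tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
	unsigned int sysctl_tcp_loose;
	struct ctl_table *tcp_sysctl_table; /* stands in for the ctl_table_header */
	unsigned int tcp_table_users;       /* shared by tcp4 and tcp6 */
};
struct net { struct netns_ct_proto proto; };

/* Module-wide defaults, the role tcp_timeouts[] plays before the series. */
static const unsigned int tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX] = { 2 * 60 * HZ, 5 * 24 * 3600 * HZ };

static const struct ctl_table tcp_sysctl_template[] = {
	{ "nf_conntrack_tcp_timeout_established", NULL,
	  offsetof(struct netns_ct_proto, sysctl_tcp_timeouts[TCP_CONNTRACK_ESTABLISHED]) },
	{ "nf_conntrack_tcp_loose", NULL, offsetof(struct netns_ct_proto, sysctl_tcp_loose) },
	{ NULL, NULL, 0 }
};

/* Like nf_conntrack_proto_tcp_net_init: seed defaults, duplicate the template
 * and bind every .data into this namespace; a second l3 family only bumps users. */
int tcp_net_init(struct net *net)
{
	struct ctl_table *table;
	size_t i;

	if (net->proto.tcp_sysctl_table) {
		net->proto.tcp_table_users++;
		return 0;
	}
	/* defaults are seeded whether or not sysctl support is built in */
	memcpy(net->proto.sysctl_tcp_timeouts, tcp_timeouts, sizeof(tcp_timeouts));
	net->proto.sysctl_tcp_loose = 1;
	table = malloc(sizeof(tcp_sysctl_template)); /* kmemdup stand-in */
	if (!table)
		return -1;
	memcpy(table, tcp_sysctl_template, sizeof(tcp_sysctl_template));
	for (i = 0; table[i].procname; i++)
		table[i].data = (char *)&net->proto + table[i].offset;
	net->proto.tcp_sysctl_table = table; /* register_net_sysctl_table stand-in */
	net->proto.tcp_table_users = 1;
	return 0;
}

/* Fini path: the last user unregisters and frees the per-namespace copy. */
void tcp_net_fini(struct net *net)
{
	if (!net->proto.tcp_sysctl_table || --net->proto.tcp_table_users > 0)
		return;
	free(net->proto.tcp_sysctl_table);
	net->proto.tcp_sysctl_table = NULL;
}

/* Proc-handler stand-in: a name resolves only through the table of the
 * namespace it is looked up in, so a write lands in that namespace's variable. */
unsigned int *sysctl_lookup(struct net *net, const char *name)
{
	struct ctl_table *t;

	for (t = net->proto.tcp_sysctl_table; t && t->procname; t++)
		if (strcmp(t->procname, name) == 0)
			return t->data;
	return NULL;
}

/* The cover letter's scenario: a write in the "container" namespace must leave
 * the "host" namespace untouched.  Returns 1 if isolated, 0 if it leaked. */
int isolation_check(void)
{
	static const char *name = "nf_conntrack_tcp_timeout_established";
	struct net host = {{{0}}}, container = {{{0}}};
	int isolated;

	tcp_net_init(&host);
	tcp_net_init(&container);
	*sysctl_lookup(&container, name) = 60 * HZ;
	isolated = *sysctl_lookup(&host, name) == tcp_timeouts[TCP_CONNTRACK_ESTABLISHED] &&
		   *sysctl_lookup(&container, name) == 60 * HZ;
	tcp_net_fini(&container);
	tcp_net_fini(&host);
	return isolated;
}
```

To check the same property on a real kernel carrying this series, create a namespace with `ip netns add c`, write the key from inside it with `ip netns exec c sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=60`, then read `net.netfilter.nf_conntrack_tcp_timeout_established` in the initial namespace; before the series the host value follows the write, afterwards it must not.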

* [PATCH 04/12] netfilter: tcp proto sysctl support for net namespace
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
  2012-04-17  2:56 ` [PATCH 03/12] netfilter: generic proto sysctl support for net namespace Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  2:56 ` [PATCH 05/12] netfilter: udp " Gao feng
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

Add and export four functions nf_conntrack_proto_ipv[4,6]_tcp_[init,fini]
for the nf_conntrack_ipv[4,6] modules.

Modify tcp_timeouts to net->ct.proto.sysctl_tcp_timeouts,
and use net->ct.proto.sysctl_tcp* to replace nf_ct_tcp*.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto_tcp.c |  275 ++++++++++++++++++++++++++-----
 1 files changed, 230 insertions(+), 45 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 361eade..da0d240 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -720,7 +720,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	} else {
 		res = false;
 		if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
-		    nf_ct_tcp_be_liberal)
+		    net->ct.proto.sysctl_tcp_be_liberal)
 			res = true;
 		if (!res && LOG_INVALID(net, IPPROTO_TCP))
 			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
@@ -815,7 +815,7 @@ static int tcp_error(struct net *net, struct nf_conn *tmpl,
 
 static unsigned int *tcp_get_timeouts(struct net *net)
 {
-	return tcp_timeouts;
+	return net->ct.proto.sysctl_tcp_timeouts;
 }
 
 /* Returns verdict for packet, or -1 for invalid. */
@@ -1019,7 +1019,7 @@ static int tcp_packet(struct nf_conn *ct,
 	    && new_state == TCP_CONNTRACK_FIN_WAIT)
 		ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
 
-	if (ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans &&
+	if (ct->proto.tcp.retrans >= net->ct.proto.sysctl_tcp_max_retrans &&
 	    timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
 		timeout = timeouts[TCP_CONNTRACK_RETRANS];
 	else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
@@ -1062,6 +1062,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 		    unsigned int dataoff, unsigned int *timeouts)
 {
 	enum tcp_conntrack new_state;
+	struct net *net = nf_ct_net(ct);
 	const struct tcphdr *th;
 	struct tcphdr _tcph;
 	const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
@@ -1092,7 +1093,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 			ct->proto.tcp.seen[0].td_end;
 
 		tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
-	} else if (nf_ct_tcp_loose == 0) {
+	} else if (net->ct.proto.sysctl_tcp_loose == 0) {
 		/* Don't try to pick up connections. */
 		return false;
 	} else {
@@ -1352,96 +1353,104 @@ static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static unsigned int tcp_sysctl_table_users;
-static struct ctl_table_header *tcp_sysctl_header;
 static struct ctl_table tcp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_tcp_timeout_syn_sent",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_syn_recv",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_established",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_fin_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_close_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_last_ack",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_time_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_close",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_max_retrans",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_RETRANS],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_RETRANS],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_unacknowledged",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_UNACK],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_UNACK],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_loose",
-		.data		= &nf_ct_tcp_loose,
+		.data		= &init_net.ct.proto.sysctl_tcp_loose,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname       = "nf_conntrack_tcp_be_liberal",
-		.data           = &nf_ct_tcp_be_liberal,
+		.data           = &init_net.ct.proto.sysctl_tcp_be_liberal,
 		.maxlen         = sizeof(unsigned int),
 		.mode           = 0644,
 		.proc_handler   = proc_dointvec,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_max_retrans",
-		.data		= &nf_ct_tcp_max_retrans,
+		.data		= &init_net.ct.proto.sysctl_tcp_max_retrans,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
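Review bot: the `&init_net.ct.proto.` / `sysctl_tcp_timeouts[...]` line splits are hard to read, and, as with the generic table, every one of these `.data` values is overwritten per namespace in nf_conntrack_proto_tcp_net_init(), so they can be left NULL and each entry fits on one line; that also removes any temptation to register the init_net-bound template directly.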
@@ -1453,91 +1462,101 @@ static struct ctl_table tcp_sysctl_table[] = {
 static struct ctl_table tcp_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_tcp_timeout_syn_sent",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_syn_sent2",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_SENT2],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_SENT2],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_syn_recv",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_established",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_fin_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_close_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_last_ack",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_time_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_close",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_max_retrans",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_RETRANS],
+		.data		= &init_net.ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_RETRANS],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_loose",
-		.data		= &nf_ct_tcp_loose,
+		.data		= &init_net.ct.proto.sysctl_tcp_loose,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_be_liberal",
-		.data		= &nf_ct_tcp_be_liberal,
+		.data		= &init_net.ct.proto.sysctl_tcp_be_liberal,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_max_retrans",
-		.data		= &nf_ct_tcp_max_retrans,
+		.data		= &init_net.ct.proto.sysctl_tcp_max_retrans,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
@@ -1579,14 +1598,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
 		.nla_policy	= tcp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &tcp_sysctl_table_users,
-	.ctl_table_header	= &tcp_sysctl_header,
-	.ctl_table		= tcp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= tcp_compat_sysctl_table,
-#endif
-#endif
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
 
@@ -1622,10 +1633,184 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
 		.nla_policy	= tcp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &tcp_sysctl_table_users,
-	.ctl_table_header	= &tcp_sysctl_header,
-	.ctl_table		= tcp_sysctl_table,
-#endif
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
+
+static int nf_conntrack_proto_tcp_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int i, ret;
+
+#ifdef CONFIG_SYSCTL
+	if (!net->ct.proto.tcp_sysctl_header) {
+		for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
+			net->ct.proto.sysctl_tcp_timeouts[i] = tcp_timeouts[i];
+		net->ct.proto.sysctl_tcp_loose = nf_ct_tcp_loose;
+		net->ct.proto.sysctl_tcp_be_liberal = nf_ct_tcp_be_liberal;
+		net->ct.proto.sysctl_tcp_max_retrans = nf_ct_tcp_max_retrans;
+		net->ct.proto.tcp_table_users = 0;	
+        	table = kmemdup(tcp_sysctl_table,
+				sizeof(tcp_sysctl_table),
+				GFP_KERNEL);
+        	if (!table) 
+                	return -ENOMEM;
+
+		table[0].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_SENT];
+		table[1].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_RECV];
+		table[2].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_ESTABLISHED];
+		table[3].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_FIN_WAIT];
+		table[4].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT];
+		table[5].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_LAST_ACK];
+		table[6].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_TIME_WAIT];
+		table[7].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE];
+		table[8].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_RETRANS];
+		table[9].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_UNACK];
+		table[10].data = &net->ct.proto.sysctl_tcp_loose;
+		table[11].data = &net->ct.proto.sysctl_tcp_be_liberal;
+		table[12].data = &net->ct.proto.sysctl_tcp_max_retrans;
+	} else
+		table = net->ct.proto.tcp_sysctl_header->ctl_table_arg;
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.tcp_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					&net->ct.proto.tcp_table_users);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_tcp:"
+			" can't register to sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	if (!net->ct.proto.tcp_sysctl_header)
+		kfree(table);
+#else
+	for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
+		net->ct.proto.sysctl_tcp_timeouts[i] = tcp_timeouts[i];
+	net->ct.proto.sysctl_tcp_loose = nf_ct_tcp_loose;
+	net->ct.proto.sysctl_tcp_be_liberal = nf_ct_tcp_be_liberal;
+	net->ct.proto.sysctl_tcp_max_retrans = nf_ct_tcp_max_retrans;
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_tcp_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+	struct ctl_table *table;
+	table = net->ct.proto.tcp_sysctl_header->ctl_table_arg;
+
+	nf_ct_unregister_net_sysctl(&net->ct.proto.tcp_sysctl_header,
+				    table,
+				    &net->ct.proto.tcp_table_users);
+#endif
+}
+
+static int nf_conntrack_proto_tcp_compat_init(struct net *net)
+{
+	int ret = 0;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+	compat_table = kmemdup(tcp_compat_sysctl_table,
+			       sizeof(tcp_compat_sysctl_table),
+			       GFP_KERNEL);
+	if (!compat_table) 
+		return -ENOMEM;
+        
+	compat_table[0].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_SENT];
+	compat_table[1].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_SENT2];
+	compat_table[2].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_SYN_RECV];
+	compat_table[3].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_ESTABLISHED];
+	compat_table[4].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_FIN_WAIT];
+	compat_table[5].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT];
+	compat_table[6].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_LAST_ACK];
+	compat_table[7].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_TIME_WAIT];
+	compat_table[8].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_CLOSE];
+	compat_table[9].data = &net->ct.proto.
+				sysctl_tcp_timeouts[TCP_CONNTRACK_RETRANS];
+	compat_table[10].data = &net->ct.proto.sysctl_tcp_loose;
+	compat_table[11].data = &net->ct.proto.sysctl_tcp_be_liberal;
+	compat_table[12].data = &net->ct.proto.sysctl_tcp_max_retrans;
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.tcp_compat_header,
+					nf_net_ipv4_netfilter_sysctl_path,
+					compat_table, NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_tcp:"
+			" can't register to compat sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(compat_table);
+#endif
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_tcp_compat_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+	compat_table = net->ct.proto.tcp_compat_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.tcp_compat_header,
+				    compat_table,
+				    NULL);
+#endif
+#endif
+}
+
+int nf_conntrack_proto_ipv4_tcp_init(struct net *net)
+{
+	int ret = 0;
+	ret = nf_conntrack_proto_tcp_net_init(net);
+	if (ret < 0)
+		return ret;
+	ret = nf_conntrack_proto_tcp_compat_init(net);
+	if (ret < 0)
+		nf_conntrack_proto_tcp_net_fini(net);
+	return ret;
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv4_tcp_init);
+
+void nf_conntrack_proto_ipv4_tcp_fini(struct net *net)
+{
+	nf_conntrack_proto_tcp_net_fini(net);
+	nf_conntrack_proto_tcp_compat_fini(net);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv4_tcp_fini);
+
+int nf_conntrack_proto_ipv6_tcp_init(struct net *net)
+{
+	return nf_conntrack_proto_tcp_net_init(net);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv6_tcp_init);
+
+void nf_conntrack_proto_ipv6_tcp_fini(struct net *net)
+{
+	nf_conntrack_proto_tcp_net_fini(net);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv6_tcp_fini);
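Review bot: `ret` is returned uninitialised when CONFIG_SYSCTL is off: `nf_conntrack_proto_tcp_net_init` declares `int i, ret;`, the `#else` branch only copies the default timeouts, and control falls through to `return ret;`. Initialise it as the udp counterpart does (`int i, ret = 0;`). Two smaller points in the same hunk: the `table = kmemdup(tcp_sysctl_table, ...)` / `if (!table)` / `return -ENOMEM;` block is indented with spaces and `net->ct.proto.tcp_table_users = 0;` carries trailing whitespace (checkpatch will flag both), and `nf_conntrack_proto_ipv4_tcp_fini` tears down in init order (net, then compat) whereas `nf_conntrack_proto_ipv4_udp_fini` and the icmp one reverse it; pick one order for all three.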
-- 
1.7.7.6


* [PATCH 05/12] netfilter: udp proto sysctl support for net namespace
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
                   ` (3 preceding siblings ...)
  2012-04-17  2:56 ` [PATCH 04/12] netfilter: tcp " Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  2:56 ` [PATCH 06/12] netfilter: icmp " Gao feng
                   ` (9 subsequent siblings)
  14 siblings, 0 replies; 29+ messages in thread
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

add and export four functions nf_conntrack_proto_ipv[4,6]_udp_[init,fini]
for the nf_conntrack_ipv[4,6] modules.

modify the udp_timeouts to net->ct.proto.sysctl_udp_timeouts
---
 net/netfilter/nf_conntrack_proto_udp.c |  160 +++++++++++++++++++++++++++-----
 1 files changed, 138 insertions(+), 22 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index a9073dc..8e2935a 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -19,18 +19,13 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
+#include <linux/netfilter/nf_conntrack_udp.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_log.h>
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 
-enum udp_conntrack {
-	UDP_CT_UNREPLIED,
-	UDP_CT_REPLIED,
-	UDP_CT_MAX
-};
-
 static unsigned int udp_timeouts[UDP_CT_MAX] = {
 	[UDP_CT_UNREPLIED]	= 30*HZ,
 	[UDP_CT_REPLIED]	= 180*HZ,
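Review bot: The `udp_conntrack` enum is removed from this file and `<linux/netfilter/nf_conntrack_udp.h>` is included in its place, so `UDP_CT_UNREPLIED`/`UDP_CT_REPLIED`/`UDP_CT_MAX` now have to come from that header, but the commit message does not mention the relocation (it only speaks of the four new functions and the timeouts). Please say where the enum moved and why (presumably because `struct netns_ct_proto` needs `UDP_CT_MAX` for `sysctl_udp_timeouts`), so the dependency on the earlier patch in the series is visible from the log.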
@@ -73,7 +68,7 @@ static int udp_print_tuple(struct seq_file *s,
 
 static unsigned int *udp_get_timeouts(struct net *net)
 {
-	return udp_timeouts;
+	return net->ct.proto.sysctl_udp_timeouts;
 }
 
 /* Returns verdict for packet, and may modify conntracktype */
@@ -199,8 +194,6 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static unsigned int udp_sysctl_table_users;
-static struct ctl_table_header *udp_sysctl_header;
 static struct ctl_table udp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_udp_timeout",
@@ -266,14 +259,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
 		.nla_policy	= udp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udp_sysctl_table_users,
-	.ctl_table_header	= &udp_sysctl_header,
-	.ctl_table		= udp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= udp_compat_sysctl_table,
-#endif
-#endif
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
 
@@ -304,10 +289,141 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
 		.nla_policy	= udp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udp_sysctl_table_users,
-	.ctl_table_header	= &udp_sysctl_header,
-	.ctl_table		= udp_sysctl_table,
-#endif
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
+
+static int nf_conntrack_proto_udp_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int i, ret = 0;
+
+#ifdef CONFIG_SYSCTL
+	if (!net->ct.proto.udp_sysctl_header) {
+		net->ct.proto.udp_table_users = 0;
+		for (i = 0; i < UDP_CT_MAX; i++)
+			net->ct.proto.sysctl_udp_timeouts[i] = udp_timeouts[i];
+		table = kmemdup(udp_sysctl_table,
+				sizeof(udp_sysctl_table),
+				GFP_KERNEL);
+		if (!table)
+			return -ENOMEM;
+		table[0].data = &net->ct.proto.
+				sysctl_udp_timeouts[UDP_CT_UNREPLIED];
+		table[1].data = &net->ct.proto.
+				sysctl_udp_timeouts[UDP_CT_REPLIED];
+	} else
+		table = net->ct.proto.udp_sysctl_header->ctl_table_arg;
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.udp_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					&net->ct.proto.udp_table_users);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_udp:"
+			" can't register to sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	if (!net->ct.proto.udp_sysctl_header)
+		kfree(table);
+#else
+	for (i = 0; i < UDP_CT_MAX; i++)
+		net->ct.proto.sysctl_udp_timeouts[i] = udp_timeouts[i];
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_udp_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+	struct ctl_table *table;
+	table = net->ct.proto.udp_sysctl_header->ctl_table_arg;
+
+	nf_ct_unregister_net_sysctl(&net->ct.proto.udp_sysctl_header,
+				    table,
+				    &net->ct.proto.udp_table_users);
+#endif
+}
+
+static int nf_conntrack_proto_udp_compat_init(struct net *net)
+{
+	int ret = 0;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+	compat_table = kmemdup(udp_compat_sysctl_table,
+			       sizeof(udp_compat_sysctl_table),
+			       GFP_KERNEL);
+	if (!compat_table)
+		return -ENOMEM;
+	compat_table[0].data = &net->ct.proto.
+				sysctl_udp_timeouts[UDP_CT_UNREPLIED];
+	compat_table[1].data = &net->ct.proto.
+				sysctl_udp_timeouts[UDP_CT_REPLIED];
+
+	ret = nf_ct_register_net_sysctl(net, 
+					&net->ct.proto.udp_compat_header,
+					nf_net_ipv4_netfilter_sysctl_path,
+					compat_table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_udp:"
+			" can't register to compat sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(compat_table);
+#endif
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_udp_compat_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+	compat_table = net->ct.proto.udp_compat_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.udp_compat_header,
+				    compat_table,
+				    NULL);
+#endif
+#endif
+}
+
+int nf_conntrack_proto_ipv4_udp_init(struct net *net)
+{
+	int ret = 0;
+	ret = nf_conntrack_proto_udp_net_init(net);
+	if (ret < 0)
+		return ret;
+	ret = nf_conntrack_proto_udp_compat_init(net);
+	if (ret < 0)
+		nf_conntrack_proto_udp_net_fini(net);
+	return ret;
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv4_udp_init);
+
+void nf_conntrack_proto_ipv4_udp_fini(struct net *net)
+{
+	nf_conntrack_proto_udp_compat_fini(net);
+	nf_conntrack_proto_udp_net_fini(net);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv4_udp_fini);
+
+int nf_conntrack_proto_ipv6_udp_init(struct net *net)
+{
+	return nf_conntrack_proto_udp_net_init(net);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv6_udp_init);
+
+void nf_conntrack_proto_ipv6_udp_fini(struct net *net)
+{
+	return nf_conntrack_proto_udp_net_fini(net);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv6_udp_fini);
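Review bot: `nf_conntrack_proto_ipv6_udp_fini` is `void` yet does `return nf_conntrack_proto_udp_net_fini(net);`, returning a void expression, which ISO C does not allow and gcc warns about under `-pedantic`; drop the `return` as the tcp counterpart does. Also in this hunk: trailing whitespace after `ret = nf_ct_register_net_sysctl(net, ` in `nf_conntrack_proto_udp_compat_init`, and this patch is the only one in the series without a `Signed-off-by:` line, which it needs before it can be applied.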
-- 
1.7.7.6


* [PATCH 06/12] netfilter: icmp proto sysctl support for net namespace
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
                   ` (4 preceding siblings ...)
  2012-04-17  2:56 ` [PATCH 05/12] netfilter: udp " Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  2:56 ` [PATCH 07/12] netfilter: icmpv6 proto sysctl support for net Gao feng
                   ` (8 subsequent siblings)
  14 siblings, 0 replies; 29+ messages in thread
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

add and export functions nf_conntrack_proto_ipv4_icmp_[init,fini]
for the nf_conntrack_ipv4 module.

modify the nf_ct_icmp_timeout to net->ct.proto.sysctl_icmp_timeout

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c |  116 ++++++++++++++++++++++++--
 1 files changed, 108 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 7cbe9cb..fa827ee 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -12,6 +12,7 @@
 #include <linux/in.h>
 #include <linux/icmp.h>
 #include <linux/seq_file.h>
+#include <linux/module.h>
 #include <net/ip.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
@@ -77,7 +78,7 @@ static int icmp_print_tuple(struct seq_file *s,
 
 static unsigned int *icmp_get_timeouts(struct net *net)
 {
-	return &nf_ct_icmp_timeout;
+	return &net->ct.proto.sysctl_icmp_timeout;
 }
 
 /* Returns verdict for packet, or -1 for invalid. */
@@ -308,11 +309,10 @@ icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *icmp_sysctl_header;
 static struct ctl_table icmp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_icmp_timeout",
-		.data		= &nf_ct_icmp_timeout,
+		.data		= &init_net.ct.proto.sysctl_icmp_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -323,7 +323,7 @@ static struct ctl_table icmp_sysctl_table[] = {
 static struct ctl_table icmp_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_icmp_timeout",
-		.data		= &nf_ct_icmp_timeout,
+		.data		= &init_net.ct.proto.sysctl_icmp_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -362,11 +362,111 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
 		.nla_policy	= icmp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+};
+
+static int nf_conntrack_proto_icmp_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int ret = 0;
+
+	net->ct.proto.sysctl_icmp_timeout = nf_ct_icmp_timeout;
+#ifdef CONFIG_SYSCTL
+	table = kmemdup(icmp_sysctl_table,
+			sizeof(icmp_sysctl_table),
+			GFP_KERNEL);
+	if (!table)
+		return -ENOMEM;
+	table[0].data = &net->ct.proto.sysctl_icmp_timeout;
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.icmp_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack icmp: can't register to sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(table);
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_icmp_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+	struct ctl_table *table;
+	table = net->ct.proto.icmp_sysctl_header->ctl_table_arg;
+
+	nf_ct_unregister_net_sysctl(&net->ct.proto.icmp_sysctl_header,
+				    table,
+				    NULL);
+#endif
+}
+
+static int nf_conntrack_proto_icmp_compat_init(struct net *net)
+{
+	int ret = 0;
 #ifdef CONFIG_SYSCTL
-	.ctl_table_header	= &icmp_sysctl_header,
-	.ctl_table		= icmp_sysctl_table,
 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= icmp_compat_sysctl_table,
+	struct ctl_table *compat_table;
+	compat_table = kmemdup(icmp_compat_sysctl_table,
+			       sizeof(icmp_compat_sysctl_table),
+			       GFP_KERNEL);
+	if (!compat_table)
+		return -ENOMEM;
+	compat_table[0].data = &net->ct.proto.sysctl_icmp_timeout;
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.icmp_compat_header,
+					nf_net_ipv4_netfilter_sysctl_path,
+					compat_table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack icmp: register compat sysctl failed.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(compat_table);
 #endif
 #endif
-};
+	return ret;
+}
+
+static void nf_conntrack_proto_icmp_compat_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+	compat_table = net->ct.proto.icmp_compat_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.icmp_compat_header,
+				    compat_table,
+				    NULL);
+#endif
+#endif
+}
+
+int nf_conntrack_proto_ipv4_icmp_init(struct net *net)
+{
+	int ret = 0;
+	ret = nf_conntrack_proto_icmp_net_init(net);
+	if (ret < 0)
+		return ret;
+	ret = nf_conntrack_proto_icmp_compat_init(net);
+	if (ret < 0)
+		nf_conntrack_proto_icmp_net_fini(net);
+	return ret;
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv4_icmp_init);
+
+void nf_conntrack_proto_ipv4_icmp_fini(struct net *net)
+{
+	nf_conntrack_proto_icmp_compat_fini(net);
+	nf_conntrack_proto_icmp_net_fini(net);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_ipv4_icmp_fini);
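Review bot: The removal of `.ctl_table_header`, `.ctl_table` and `.ctl_compat_table` from `nf_conntrack_l4proto_icmp` is rendered in the middle of `nf_conntrack_proto_icmp_compat_init`, because the diff matched the old `#ifdef CONFIG_SYSCTL` / `#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT` / `#endif` lines as unchanged context; the resulting code is correct (the struct is closed by the new `+};` above the helpers) but it is hard to verify by eye. Regenerating with `git format-patch --patience` would keep the struct removal and the new functions in separate runs. Minor: `int ret = 0;` immediately followed by `ret = nf_conntrack_proto_icmp_net_init(net);` in `nf_conntrack_proto_ipv4_icmp_init` makes the initialiser redundant, and the two error messages ("can't register to sysctl" vs "register compat sysctl failed") could use one wording.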
-- 
1.7.7.6


* [PATCH 07/12] netfilter: icmpv6 proto sysctl support for net
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
                   ` (5 preceding siblings ...)
  2012-04-17  2:56 ` [PATCH 06/12] netfilter: icmp " Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  2:56 ` [PATCH 08/12] netfilter: ipv4 sysctl support for net namespace Gao feng
                   ` (7 subsequent siblings)
  14 siblings, 0 replies; 29+ messages in thread
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

add and export functions nf_conntrack_proto_icmpv6_net_[init,fini]
for the nf_conntrack_ipv6 module.

modify the nf_ct_icmpv6_timeout to net->ct.proto.sysctl_icmpv6_timeout

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |   54 +++++++++++++++++++++---
 1 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 92cc9f2..ef33f31 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -90,7 +90,7 @@ static int icmpv6_print_tuple(struct seq_file *s,
 
 static unsigned int *icmpv6_get_timeouts(struct net *net)
 {
-	return &nf_ct_icmpv6_timeout;
+	return &net->ct.proto.sysctl_icmpv6_timeout;
 }
 
 /* Returns verdict for packet, or -1 for invalid. */
@@ -315,11 +315,10 @@ icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *icmpv6_sysctl_header;
 static struct ctl_table icmpv6_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_icmpv6_timeout",
-		.data		= &nf_ct_icmpv6_timeout,
+		.data		= &init_net.ct.proto.sysctl_icmpv6_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -355,8 +354,51 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
 		.nla_policy	= icmpv6_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+};
+
+int nf_conntrack_proto_icmpv6_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int ret = 0;
+
+	net->ct.proto.sysctl_icmpv6_timeout = nf_ct_icmpv6_timeout;
+
 #ifdef CONFIG_SYSCTL
-	.ctl_table_header	= &icmpv6_sysctl_header,
-	.ctl_table		= icmpv6_sysctl_table,
+	table = kmemdup(icmpv6_sysctl_table,
+			sizeof(icmpv6_sysctl_table),
+			GFP_KERNEL);
+	if (!table)
+		return -ENOMEM;
+	table[0].data = &net->ct.proto.sysctl_icmpv6_timeout;
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.icmpv6_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_icmpv6:"
+			" can't register to sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(table);
 #endif
-};
+	return ret;
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_icmpv6_net_init);
+
+void nf_conntrack_proto_icmpv6_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+	struct ctl_table *table;
+	table = net->ct.proto.icmpv6_sysctl_header->ctl_table_arg;
+
+	nf_ct_unregister_net_sysctl(&net->ct.proto.icmpv6_sysctl_header,
+				    table, NULL);
+#endif
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_proto_icmpv6_net_fini);
+
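Review bot: The final `+` line of the hunk adds an empty line after `EXPORT_SYMBOL_GPL(nf_conntrack_proto_icmpv6_net_fini);`, i.e. a new blank line at end of file, which `git apply --whitespace=error` and checkpatch both reject; drop it. Naming: this helper pair is `nf_conntrack_proto_icmpv6_net_{init,fini}` while the IPv4 equivalents exported elsewhere in the series are `nf_conntrack_proto_ipv4_icmp_{init,fini}`; aligning the names would make the ipv6 pernet init easier to read.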
-- 
1.7.7.6


* [PATCH 08/12] netfilter: ipv4 sysctl support for net namespace
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
                   ` (6 preceding siblings ...)
  2012-04-17  2:56 ` [PATCH 07/12] netfilter: icmpv6 proto sysctl support for net Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  2:56 ` [PATCH 09/12] netfilter: ipv6 " Gao feng
                   ` (6 subsequent siblings)
  14 siblings, 0 replies; 29+ messages in thread
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

delete the ctl_table_header, ctl_table_path, ctl_table
from struct nf_conntrack_l3proto,
delete the ctl_table_header, ctl_table, ctl_table_users,
ctl_compat_table_header, ctl_compat_table from struct
nf_conntrack_l4proto.
we have moved these fields to the struct netns_ct_proto.

register pernet_operations nf_conntrack_net_proto_ipv4_ops
when loading the nf_conntrack_ipv4 module, and unregister it when
removing it.

nf_conntrack_l4proto.h exports the init,fini functions of l4proto.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netfilter/nf_conntrack_l3proto.h   |    6 --
 include/net/netfilter/nf_conntrack_l4proto.h   |   38 +++++++---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   96 ++++++++++++++++++++++-
 3 files changed, 119 insertions(+), 21 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index e8010f4..cf14b99 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -63,12 +63,6 @@ struct nf_conntrack_l3proto {
 
 	size_t nla_size;
 
-#ifdef CONFIG_SYSCTL
-	struct ctl_table_header	*ctl_table_header;
-	struct ctl_path		*ctl_table_path;
-	struct ctl_table	*ctl_table;
-#endif /* CONFIG_SYSCTL */
-
 	/* Module (if any) which this is connected to. */
 	struct module *me;
 };
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 3b572bb..167d9c2 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -93,16 +93,6 @@ struct nf_conntrack_l4proto {
 		const struct nla_policy *nla_policy;
 	} ctnl_timeout;
 #endif
-
-#ifdef CONFIG_SYSCTL
-	struct ctl_table_header	**ctl_table_header;
-	struct ctl_table	*ctl_table;
-	unsigned int		*ctl_table_users;
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	struct ctl_table_header	*ctl_compat_table_header;
-	struct ctl_table	*ctl_compat_table;
-#endif
-#endif
 	/* Protocol name */
 	const char *name;
 
@@ -134,6 +124,34 @@ extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
 extern int nf_ct_port_nlattr_tuple_size(void);
 extern const struct nla_policy nf_ct_port_nla_policy[];
 
+extern int nf_ct_register_net_sysctl(struct net *net,
+				     struct ctl_table_header **header,
+				     struct ctl_path *path,
+				     struct ctl_table *table,
+				     unsigned int *users);
+
+extern void nf_ct_unregister_net_sysctl(struct ctl_table_header **header,
+					struct ctl_table *table,
+					unsigned int *users);
+
+extern int nf_conntrack_proto_ipv4_tcp_init(struct net *net);
+extern void nf_conntrack_proto_ipv4_tcp_fini(struct net *net);
+
+extern int nf_conntrack_proto_ipv6_tcp_init(struct net *net);
+extern void nf_conntrack_proto_ipv6_tcp_fini(struct net *net);
+
+extern int nf_conntrack_proto_ipv4_udp_init(struct net *net);
+extern void nf_conntrack_proto_ipv4_udp_fini(struct net *net);
+
+extern int nf_conntrack_proto_ipv6_udp_init(struct net *net);
+extern void nf_conntrack_proto_ipv6_udp_fini(struct net *net);
+
+extern int nf_conntrack_proto_ipv4_icmp_init(struct net *net);
+extern void nf_conntrack_proto_ipv4_icmp_fini(struct net *net);
+
+extern int nf_conntrack_proto_icmpv6_net_init(struct net *net);
+extern void nf_conntrack_proto_icmpv6_net_fini(struct net *net);
+
 #ifdef CONFIG_SYSCTL
 #ifdef DEBUG_INVALID_PACKETS
 #define LOG_INVALID(net, proto)				\
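Review bot: The per-family entry points (`nf_conntrack_proto_ipv4_tcp_init`, `nf_conntrack_proto_ipv6_udp_init`, `nf_conntrack_proto_icmpv6_net_init`, ...) are declared in the generic `nf_conntrack_l4proto.h`, although their only callers are the ipv4 and ipv6 l3proto modules; the family-specific headers `net/netfilter/ipv4/nf_conntrack_ipv4.h` and `net/netfilter/ipv6/nf_conntrack_ipv6.h` that these files already include would be the more natural home. Also note the inconsistent naming within the block: `..._ipv4_icmp_init` versus `..._icmpv6_net_init`.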
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index de9da21..234ff9a 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -355,10 +355,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
 	.nlattr_to_tuple = ipv4_nlattr_to_tuple,
 	.nla_policy	 = ipv4_nla_policy,
 #endif
-#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
-	.ctl_table_path  = nf_net_ipv4_netfilter_sysctl_path,
-	.ctl_table	 = ip_ct_sysctl_table,
-#endif
 	.me		 = THIS_MODULE,
 };
 
@@ -369,6 +365,86 @@ MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
 MODULE_ALIAS("ip_conntrack");
 MODULE_LICENSE("GPL");
 
+static int nf_conntrack_proto_ipv4_net_init(struct net *net)
+{
+	int ret = 0;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *table;
+	table = kmemdup(ip_ct_sysctl_table,
+			sizeof(ip_ct_sysctl_table),
+			GFP_KERNEL);
+	if (!table)
+		return -ENOMEM;
+	table[1].data = &net->ct.count;
+	table[2].data = &net->ct.htable_size;
+	table[3].data = &net->ct.sysctl_checksum;
+	table[4].data = &net->ct.sysctl_log_invalid;
+	net->ct.proto.ipv4_compat_header =
+		register_net_sysctl_table(net,
+					  nf_net_ipv4_netfilter_sysctl_path,
+					  table);
+	if (!net->ct.proto.ipv4_compat_header)
+		goto out_register;
+	return 0;
+out_register:
+	kfree(table);
+#endif
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_ipv4_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *table;
+	table = net->ct.proto.ipv4_compat_header->ctl_table_arg;
+	unregister_net_sysctl_table(net->ct.proto.ipv4_compat_header);
+	kfree(table);
+#endif
+#endif
+}
+
+static int nf_conntrack_net_proto_ipv4_init(struct net *net)
+{
+	int ret;
+	
+	ret = nf_conntrack_proto_ipv4_net_init(net);
+	if (ret < 0)
+		return ret;
+	ret = nf_conntrack_proto_ipv4_tcp_init(net);
+	if (ret < 0)
+		goto cleanup_ipv4;
+	ret = nf_conntrack_proto_ipv4_udp_init(net);
+	if (ret < 0)
+		goto cleanup_tcp;
+	ret = nf_conntrack_proto_ipv4_icmp_init(net);
+	if (ret < 0)
+		goto cleanup_udp;
+	return 0;
+ cleanup_udp:
+	nf_conntrack_proto_ipv4_udp_fini(net);
+ cleanup_tcp:
+	nf_conntrack_proto_ipv4_tcp_fini(net);
+ cleanup_ipv4:
+	nf_conntrack_proto_ipv4_net_fini(net);
+	return ret;
+}
+
+static void nf_conntrack_net_proto_ipv4_fini(struct net *net)
+{
+	nf_conntrack_proto_ipv4_icmp_fini(net);
+	nf_conntrack_proto_ipv4_udp_fini(net);
+	nf_conntrack_proto_ipv4_tcp_fini(net);
+	nf_conntrack_proto_ipv4_net_fini(net);
+}
+
+static struct pernet_operations nf_conntrack_net_proto_ipv4_ops = {
+	.init = nf_conntrack_net_proto_ipv4_init,
+	.exit = nf_conntrack_net_proto_ipv4_fini,
+};
+
 static int __init nf_conntrack_l3proto_ipv4_init(void)
 {
 	int ret = 0;
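Review bot: `nf_conntrack_proto_ipv4_net_init` reports success on failure: `ret` is initialised to 0 and never set before `goto out_register` when `register_net_sysctl_table()` returns NULL, so the caller `nf_conntrack_net_proto_ipv4_init` proceeds with `net->ct.proto.ipv4_compat_header == NULL` and a freed `table`, and `nf_conntrack_proto_ipv4_net_fini` later dereferences `net->ct.proto.ipv4_compat_header->ctl_table_arg`. Set `ret = -ENOMEM;` before the goto (or return it directly). Also: trailing whitespace on the blank line after `int ret;` in `nf_conntrack_net_proto_ipv4_init`, and the hard-coded `table[1]`..`table[4]` indices into `ip_ct_sysctl_table` deserve a comment naming the entries they correspond to.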
@@ -417,11 +493,20 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
 	if (ret < 0)
 		goto cleanup_hooks;
 #endif
+	ret = register_pernet_subsys(&nf_conntrack_net_proto_ipv4_ops);
+	if (ret < 0)
+		goto cleanup_compat;
+
 	return ret;
+
+ cleanup_compat:
 #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+	nf_conntrack_ipv4_compat_fini();
+
  cleanup_hooks:
-	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
 #endif
+	nf_unregister_hooks(ipv4_conntrack_ops,
+			    ARRAY_SIZE(ipv4_conntrack_ops));
  cleanup_ipv4:
 	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
  cleanup_icmp:
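Review bot: `register_pernet_subsys(&nf_conntrack_net_proto_ipv4_ops)` is the last step of module init, after the l4protos, the l3proto and the `ipv4_conntrack_ops` hooks are already registered, yet the per-net defaults (`net->ct.proto.sysctl_tcp_timeouts[]`, `sysctl_udp_timeouts[]`, `sysctl_icmp_timeout`) are only filled in by the pernet `.init`; until it has run for a namespace, a packet reaching the hooks is tracked with zeroed timeouts. Consider registering the pernet ops first (before `nf_conntrack_l4proto_register`/`nf_register_hooks`) and unregistering them last in `__exit`, which currently unregisters them first to mirror the present order.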
@@ -438,6 +523,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
 static void __exit nf_conntrack_l3proto_ipv4_fini(void)
 {
 	synchronize_net();
+	unregister_pernet_subsys(&nf_conntrack_net_proto_ipv4_ops);
 #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	nf_conntrack_ipv4_compat_fini();
 #endif
-- 
1.7.7.6



* [PATCH 09/12] netfilter: ipv6 sysctl support for net namespace
  2012-04-17  2:56 [PATCH 00/12] add namespace support for netfilter protos Gao feng
                   ` (7 preceding siblings ...)
  2012-04-17  2:56 ` [PATCH 08/12] netfilter: ipv4 sysctl support for net namespace Gao feng
@ 2012-04-17  2:56 ` Gao feng
  2012-04-17  2:56 ` [PATCH 10/12] netfilter: sctp proto " Gao feng
                   ` (5 subsequent siblings)
  14 siblings, 0 replies; 29+ messages in thread
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

register pernet_operations nf_conntrack_net_proto_ipv6_ops
when loading the nf_conntrack_ipv6 module, and unregister it when
removing it.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |   48 ++++++++++++++++++++++++
 1 files changed, 48 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 4111050..8c0456c 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -333,6 +333,43 @@ MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
 
+static int nf_conntrack_net_proto_ipv6_init(struct net *net)
+{
+	int ret;
+
+	ret = nf_conntrack_proto_ipv6_tcp_init(net);
+	if (ret < 0)
+		return ret;
+
+	ret = nf_conntrack_proto_ipv6_udp_init(net);
+	if (ret < 0)
+		goto cleanup_tcp;
+
+	ret = nf_conntrack_proto_icmpv6_net_init(net);
+	if (ret < 0)
+		goto cleanup_udp;
+	return 0;
+ cleanup_udp:
+	nf_conntrack_proto_ipv6_udp_fini(net);
+ 
+ cleanup_tcp:
+	nf_conntrack_proto_ipv6_tcp_fini(net);
+
+	return ret;
+}
+
+static void nf_conntrack_net_proto_ipv6_fini(struct net *net)
+{
+	nf_conntrack_proto_icmpv6_net_fini(net);
+	nf_conntrack_proto_ipv6_udp_fini(net);
+	nf_conntrack_proto_ipv6_tcp_fini(net);
+}
+
+static struct pernet_operations nf_conntrack_net_proto_ipv6_ops = {
+	.init = nf_conntrack_net_proto_ipv6_init,
+	.exit = nf_conntrack_net_proto_ipv6_fini,
+};
+
 static int __init nf_conntrack_l3proto_ipv6_init(void)
 {
 	int ret = 0;
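Review bot: the line between `nf_conntrack_proto_ipv6_udp_fini(net);` and the `cleanup_tcp:` label is an added line containing only a space, which checkpatch reports as trailing whitespace; make it an empty line or drop it. The unwind order in `nf_conntrack_net_proto_ipv6_fini()` (icmpv6, udp, tcp) correctly mirrors the init order, so nothing else in this hunk needs changing.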
@@ -371,8 +408,18 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
 		       "hook.\n");
 		goto cleanup_ipv6;
 	}
+
+	ret = register_pernet_subsys(&nf_conntrack_net_proto_ipv6_ops);
+	if (ret < 0) {
+		pr_err("nf_conntrack_ipv6: can't register pernet subsys.\n");
+		goto cleanup_hooks;
+	}
+
 	return ret;
 
+ cleanup_hooks:
+	nf_unregister_hooks(ipv6_conntrack_ops,
+			    ARRAY_SIZE(ipv6_conntrack_ops));
  cleanup_ipv6:
 	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
  cleanup_icmpv6:
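Review bot: `register_pernet_subsys()` is called last, after the l4proto registrations and `nf_register_hooks()`, but the per-net init added above is what copies the default timeouts into `net->ct.proto`; between `nf_register_hooks()` and this call, IPv6 packets can already create conntracks whose `get_timeouts()` returns an all-zero array. Register the pernet subsys before the protocol and hook registrations and unregister it last in the exit path; the new `cleanup_hooks` label then goes away and the error unwinding stays a straight reversal of the init order.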
@@ -387,6 +434,7 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
 static void __exit nf_conntrack_l3proto_ipv6_fini(void)
 {
 	synchronize_net();
+	unregister_pernet_subsys(&nf_conntrack_net_proto_ipv6_ops);
 	nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
 	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
-- 
1.7.7.6


* [PATCH 10/12] netfilter: sctp proto sysctl support for net namespace
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

Register pernet_operations nf_conntrack_net_proto_sctp_ops
when loading the nf_conntrack_proto_sctp module, and unregister
it when removing the module.

It makes no sense to register a subsys for sctp and sctp6 separately, because
nf_conntrack_l4proto_sctp4 and nf_conntrack_l4proto_sctp6 are
registered and unregistered together.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto_sctp.c |  205 ++++++++++++++++++++++++++-----
 1 files changed, 175 insertions(+), 30 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 72b5088..866d151 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -281,7 +281,7 @@ static int sctp_new_state(enum ip_conntrack_dir dir,
 
 static unsigned int *sctp_get_timeouts(struct net *net)
 {
-	return sctp_timeouts;
+	return net->ct.proto.sysctl_sctp_timeouts;
 }
 
 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
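Review bot: `sctp_get_timeouts()` now returns `net->ct.proto.sysctl_sctp_timeouts`, which is only filled in by the per-net init registered later in this patch, so any conntrack created before that init has run for its net sees zero timeouts. As the cover letter admits, cttimeout's `timeout_nlattr_to_obj` still reads the static `sctp_timeouts`, so values set through nfnetlink and through sysctl now diverge; that needs fixing in this same patch, not in a follow-up, or the tree is inconsistent at this point of the series.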
@@ -599,56 +599,60 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
 };
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
-
 #ifdef CONFIG_SYSCTL
-static unsigned int sctp_sysctl_table_users;
-static struct ctl_table_header *sctp_sysctl_header;
 static struct ctl_table sctp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_sctp_timeout_closed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_cookie_wait",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_cookie_echoed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_established",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_shutdown_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_shutdown_recd",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_shutdown_ack_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
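Review bot: the `.data` pointers into `init_net.ct.proto.sysctl_sctp_timeouts[...]` are only placeholders that the per-net init rewrites through hard-coded indices `table[0]`..`table[6]`; a one-line comment above `sctp_sysctl_table` saying that entry order is load-bearing would stop a later reorder from silently wiring a sysctl to the wrong state. The removal of the blank line before `#ifdef CONFIG_SYSCTL` is unrelated whitespace churn and should be dropped from the patch.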
@@ -660,49 +664,56 @@ static struct ctl_table sctp_sysctl_table[] = {
 static struct ctl_table sctp_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_sctp_timeout_closed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_cookie_wait",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_cookie_echoed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_established",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_shutdown_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_shutdown_recd",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_shutdown_ack_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
+		.data		= &init_net.ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -742,14 +753,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 		.nla_policy	= sctp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &sctp_sysctl_table_users,
-	.ctl_table_header	= &sctp_sysctl_header,
-	.ctl_table		= sctp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= sctp_compat_sysctl_table,
-#endif
-#endif
 };
 
 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
@@ -782,11 +785,146 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 #endif
+};
+
+static int nf_conntrack_proto_sctp_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int i, ret = 0;
+	for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
+		net->ct.proto.sysctl_sctp_timeouts[i] = sctp_timeouts[i];
+
 #ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &sctp_sysctl_table_users,
-	.ctl_table_header	= &sctp_sysctl_header,
-	.ctl_table		= sctp_sysctl_table,
+	table = kmemdup(sctp_sysctl_table,
+			sizeof(sctp_sysctl_table),
+			GFP_KERNEL);
+	if (!table)
+		return -ENOMEM;
+	table[0].data = &net->ct.proto.
+			sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED];
+	table[1].data = &net->ct.proto.
+			sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
+	table[2].data = &net->ct.proto.
+			sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
+	table[3].data = &net->ct.proto.
+			sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED];
+	table[4].data = &net->ct.proto.
+			sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
+	table[5].data = &net->ct.proto.
+			sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
+	table[6].data = &net->ct.proto.
+			sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.sctp_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_sctp:"
+			" can't register to sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(table);
 #endif
+	return ret;
+}
+
+static void nf_conntrack_proto_sctp_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+	struct ctl_table *table;
+	table = net->ct.proto.sctp_sysctl_header->ctl_table_arg;
+
+	nf_ct_unregister_net_sysctl(&net->ct.proto.sctp_sysctl_header,
+				    table,
+				    NULL);
+#endif
+}
+
+static int nf_conntrack_proto_sctp_compat_init(struct net *net)
+{
+	int ret = 0;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+	compat_table = kmemdup(sctp_compat_sysctl_table,
+			       sizeof(sctp_compat_sysctl_table),
+			       GFP_KERNEL);
+	if (!compat_table)
+		return -ENOMEM;
+
+	compat_table[0].data = &net->ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED];
+	compat_table[1].data = &net->ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
+	compat_table[2].data = &net->ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
+	compat_table[3].data = &net->ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED];
+	compat_table[4].data = &net->ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
+	compat_table[5].data = &net->ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
+	compat_table[6].data = &net->ct.proto.
+				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.sctp_compat_header,
+					nf_net_ipv4_netfilter_sysctl_path,
+					compat_table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_sctp:"
+			" can't register to compat sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(compat_table);
+#endif
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_sctp_compat_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+	compat_table = net->ct.proto.sctp_compat_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.sctp_compat_header,
+				    compat_table,
+				    NULL);
+#endif
+#endif
+}
+
+static int nf_conntrack_net_proto_sctp_init(struct net *net)
+{
+	int ret;
+	ret = nf_conntrack_proto_sctp_net_init(net);
+	if (ret < 0)
+		return ret;
+	ret = nf_conntrack_proto_sctp_compat_init(net);
+	if (ret < 0)
+		nf_conntrack_proto_sctp_net_fini(net);
+	return ret;
+}
+
+static void nf_conntrack_net_proto_sctp_fini(struct net *net)
+{
+	nf_conntrack_proto_sctp_compat_fini(net);
+	nf_conntrack_proto_sctp_net_fini(net);
+}
+
+static struct pernet_operations nf_conntrack_net_proto_sctp_ops = {
+	.init = nf_conntrack_net_proto_sctp_init,
+	.exit = nf_conntrack_net_proto_sctp_fini,
 };
 
 static int __init nf_conntrack_proto_sctp_init(void)
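Review bot: in `nf_conntrack_proto_sctp_net_init()` the `struct ctl_table *table;` declaration is outside `#ifdef CONFIG_SYSCTL` while every use of it is inside, so a `CONFIG_SYSCTL=n` build warns about an unused variable; move the declaration under the ifdef as `nf_conntrack_proto_sctp_compat_init()` already does. The seven `table[N].data = &net->ct.proto....` assignments (and the seven `compat_table[N]` ones) break silently if either table is reordered; since the static tables already point into `init_net`, rewrite every entry up to the terminating empty one in a loop with `table[i].data += (void *)net - (void *)&init_net;`, the idiom the ipv4 sysctl code uses, and the index coupling disappears. Also use `pr_err()` instead of `printk(KERN_ERR ...)`, matching the `pr_err("nf_conntrack_l4proto_sctp6: ...")` in this file.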
@@ -803,9 +941,15 @@ static int __init nf_conntrack_proto_sctp_init(void)
 		pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
 		goto cleanup_sctp4;
 	}
-
+	ret = register_pernet_subsys(&nf_conntrack_net_proto_sctp_ops);
+	if (ret) {
+		pr_err("nf_conntrack: sctp pernet subsys register failed\n");
+		goto cleanup_sctp6;
+	}
 	return ret;
 
+ cleanup_sctp6:
+	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
  cleanup_sctp4:
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
  out:
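Review bot: `if (ret)` here differs from the `if (ret < 0)` used for the other registrations in this function and in the udplite patch, and the `nf_conntrack:` message prefix differs from the `nf_conntrack_l4proto_sctp6:` prefix a few lines above; pick one convention. More importantly, both l4protos are live before the pernet subsys is registered, so SCTP conntracks created in that window get the zeroed per-net timeouts; register the subsys first and unregister it last in `nf_conntrack_proto_sctp_fini()`, which also removes the need for `cleanup_sctp6`. The deleted blank line before `ret = register_pernet_subsys(...)` is unrelated whitespace churn.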
@@ -814,6 +958,7 @@ static int __init nf_conntrack_proto_sctp_init(void)
 
 static void __exit nf_conntrack_proto_sctp_fini(void)
 {
+	unregister_pernet_subsys(&nf_conntrack_net_proto_sctp_ops);
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
 }
-- 
1.7.7.6



* [PATCH 11/12] netfilter: udplite proto sysctl support for net
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

Register pernet_operations nf_conntrack_net_proto_udplite_ops
when loading the nf_conntrack_proto_udplite module, and unregister
it when removing the module.

It makes no sense to register a subsys for udplite and udplite6 separately, because
nf_conntrack_l4proto_udplite4 and nf_conntrack_l4proto_udplite6 are
registered and unregistered together.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto_udplite.c |   83 +++++++++++++++++++++------
 1 files changed, 64 insertions(+), 19 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index e060639..61881bc 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -20,16 +20,11 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
+#include <linux/netfilter/nf_conntrack_udplite.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_log.h>
 
-enum udplite_conntrack {
-	UDPLITE_CT_UNREPLIED,
-	UDPLITE_CT_REPLIED,
-	UDPLITE_CT_MAX
-};
-
 static unsigned int udplite_timeouts[UDPLITE_CT_MAX] = {
 	[UDPLITE_CT_UNREPLIED]	= 30*HZ,
 	[UDPLITE_CT_REPLIED]	= 180*HZ,
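Review bot: moving `enum udplite_conntrack` out of this file into the new `include/linux/netfilter/nf_conntrack_udplite.h` puts a kernel-internal enum in a directory whose headers are user-space facing, the same concern Pablo raises against the new `nf_conntrack_udp.h` in patch 01. The only other consumer is `struct netns_ct_proto`, so the enum belongs under `include/net/netfilter/`, or `sysctl_udplite_timeouts` can be sized with a constant declared in `include/net/netns/conntrack.h` without introducing a new header at all.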
@@ -70,7 +65,7 @@ static int udplite_print_tuple(struct seq_file *s,
 
 static unsigned int *udplite_get_timeouts(struct net *net)
 {
-	return udplite_timeouts;
+	return net->ct.proto.sysctl_udplite_timeouts;
 }
 
 /* Returns verdict for packet, and may modify conntracktype */
@@ -203,19 +198,19 @@ udplite_timeout_nla_policy[CTA_TIMEOUT_UDPLITE_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static unsigned int udplite_sysctl_table_users;
-static struct ctl_table_header *udplite_sysctl_header;
 static struct ctl_table udplite_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_udplite_timeout",
-		.data		= &udplite_timeouts[UDPLITE_CT_UNREPLIED],
+		.data		= &init_net.ct.proto.
+				sysctl_udplite_timeouts[UDPLITE_CT_UNREPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_udplite_timeout_stream",
-		.data		= &udplite_timeouts[UDPLITE_CT_REPLIED],
+		.data		= &init_net.ct.proto.
+				sysctl_udplite_timeouts[UDPLITE_CT_REPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -252,11 +247,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
 		.nla_policy	= udplite_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udplite_sysctl_table_users,
-	.ctl_table_header	= &udplite_sysctl_header,
-	.ctl_table		= udplite_sysctl_table,
-#endif
 };
 
 static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
@@ -287,11 +277,60 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
 		.nla_policy	= udplite_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+};
+
+static int nf_conntrack_proto_udplite_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int i, ret = 0;
+	for (i = 0; i < UDPLITE_CT_MAX; i++)
+		net->ct.proto.sysctl_udplite_timeouts[i] = udplite_timeouts[i];
+
+#ifdef CONFIG_SYSCTL
+	table = kmemdup(udplite_sysctl_table,
+			sizeof(udplite_sysctl_table),
+			GFP_KERNEL);
+	if (!table)
+		return -ENOMEM;
+
+	table[0].data = &net->ct.proto.
+			sysctl_udplite_timeouts[UDPLITE_CT_UNREPLIED];
+	table[1].data = &net->ct.proto.
+			sysctl_udplite_timeouts[UDPLITE_CT_REPLIED];
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.udplite_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR
+			"nf_conntrack_proto_udplite:"
+			" can't register to sysctl.\n");
+		goto out_register;
+	}
+	return 0;
+out_register:
+	kfree(table);
+#endif
+	return ret;
+}
+
+static void nf_conntrack_proto_udplite_net_fini(struct net *net)
+{
 #ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udplite_sysctl_table_users,
-	.ctl_table_header	= &udplite_sysctl_header,
-	.ctl_table		= udplite_sysctl_table,
+	struct ctl_table *table;
+	table = net->ct.proto.udplite_sysctl_header->ctl_table_arg;
+
+	nf_ct_unregister_net_sysctl(&net->ct.proto.udplite_sysctl_header,
+				    table,
+				    NULL);
 #endif
+}
+
+static struct pernet_operations nf_conntrack_net_proto_udplite_ops = {
+	.init = nf_conntrack_proto_udplite_net_init,
+	.exit = nf_conntrack_proto_udplite_net_fini,
 };
 
 static int __init nf_conntrack_proto_udplite_init(void)
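Review bot: `nf_conntrack_proto_udplite_net_init()` has the same `CONFIG_SYSCTL=n` problem as the sctp patch: `struct ctl_table *table;` is declared before the `#ifdef CONFIG_SYSCTL` but only used inside it, so the variable is unused in that configuration; declare it under the ifdef, as `nf_conntrack_proto_udplite_net_fini()` already does. The fini function dereferences `net->ct.proto.udplite_sysctl_header` unconditionally to fetch `ctl_table_arg`; that is safe only because pernet exit is never run for a net whose init failed, which deserves a short comment so a future error path does not violate it.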
@@ -304,7 +343,12 @@ static int __init nf_conntrack_proto_udplite_init(void)
 	err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite6);
 	if (err < 0)
 		goto err2;
+	err = register_pernet_subsys(&nf_conntrack_net_proto_udplite_ops);
+	if (err < 0)
+		goto err3;
 	return 0;
+err3:
+	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
 err2:
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
 err1:
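Review bot: a failing `register_pernet_subsys()` here is silent, unlike the sctp patch and the other error paths in this series; add a `pr_err()`. The ordering problem is the same as for sctp: `udplite_get_timeouts()` already returns the per-net array, which is only initialized by the pernet init registered after both l4protos are live. Register the subsys before the first `nf_conntrack_l4proto_register()` and unregister it last in `nf_conntrack_proto_udplite_exit()`, and `err3` is no longer needed.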
@@ -313,6 +357,7 @@ err1:
 
 static void __exit nf_conntrack_proto_udplite_exit(void)
 {
+	unregister_pernet_subsys(&nf_conntrack_net_proto_udplite_ops);
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
 }
-- 
1.7.7.6



* [PATCH 12/12] netfilter: export necessary function for generic proto
From: Gao feng @ 2012-04-17  2:56 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano, Gao feng

Export two functions, nf_conntrack_proto_generic_net_init and
nf_conntrack_proto_generic_net_fini.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netfilter/nf_conntrack_core.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index aced085..3c3fabe 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -31,6 +31,9 @@ extern void nf_conntrack_cleanup(struct net *net);
 extern int nf_conntrack_proto_init(void);
 extern void nf_conntrack_proto_fini(void);
 
+extern int nf_conntrack_proto_generic_net_init(struct net *net);
+extern void nf_conntrack_proto_generic_net_fini(struct net *net);
+
 extern bool
 nf_ct_get_tuple(const struct sk_buff *skb,
 		unsigned int nhoff,
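Review bot: these prototypes arrive only in the last patch of the series, yet `nf_conntrack_proto_generic_net_init()`/`_fini()` are defined by the earlier generic proto patch (03) and are useless there unless something outside that file calls them; unless that caller carries its own local prototype, every tree state between patch 03 and this one compiles the calls against undeclared functions. Fold this hunk into the patch that introduces the functions so each step of the series builds cleanly, which is also what Pablo asks for on the cover letter.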
-- 
1.7.7.6



* Re: [PATCH 00/12] add namespace support for netfilter protos
From: Pablo Neira Ayuso @ 2012-04-17  8:52 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

Hi Gao,

On Tue, Apr 17, 2012 at 10:56:11AM +0800, Gao feng wrote:
> Currently the sysctl of netfilter proto is not isolated, so
> changing a proto's sysctl in a container will cause the host's sysctl
> to be changed too. It's not expected.
> 
> This patch set adds the namespace support for netfilter protos.
> 
> Implement four pernet_operations to register sysctl, and disable
> registering sysctl when protos are registered.

This indeed needs to be fixed, but this patchset has several
deficiencies. I'll spot them in follow-up emails.

> nf_conntrack_net_proto_ipv4_ops is used to register tcp4(compat),
> udp4(compat), icmp(compat), ipv4(compat).
> nf_conntrack_net_proto_ipv6_ops is used to register tcp6, udp6 and
> icmpv6.
> nf_conntrack_net_proto_sctp_ops is used to register sctp4(compat)
> and sctp6.
> nf_conntrack_net_proto_udplite_ops is used to register udplite4
> and udplite6.
> 
> These operations will be registered when the module is loaded.
> 
> And this will break the cttimeout, because the timeout_nlattr_to_obj
> function uses the orig timeout (such as tcp_timeouts) to set timeouts.
> 
> I will fix this in my next patch.

No way.

You cannot leave the repository in a broken / inconsistent state because
you are not making things good.

Please, hang on until this patchset is fixed to send more patches.


* Re: [PATCH 01/12] netfilter: add struct netns_ct_proto to support netfilter namespace
From: Pablo Neira Ayuso @ 2012-04-17  8:54 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 10:56:12AM +0800, Gao feng wrote:
> The struct netns_ct_proto is used to store ctl_table_header and sysctl vars.
> Because udp_conntrack and udplite_conntrack are used by netns_ct_proto,
> move the udp_conntrack and udplite_conntrack to the header file.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
>  include/linux/netfilter/nf_conntrack_udp.h     |   10 ++++++
>  include/linux/netfilter/nf_conntrack_udplite.h |   10 ++++++
>  include/net/netns/conntrack.h                  |   37 ++++++++++++++++++++++++
>  3 files changed, 57 insertions(+), 0 deletions(-)
>  create mode 100644 include/linux/netfilter/nf_conntrack_udp.h
>  create mode 100644 include/linux/netfilter/nf_conntrack_udplite.h
> 
> diff --git a/include/linux/netfilter/nf_conntrack_udp.h b/include/linux/netfilter/nf_conntrack_udp.h
> new file mode 100644
> index 0000000..02869fc
> --- /dev/null
> +++ b/include/linux/netfilter/nf_conntrack_udp.h
> @@ -0,0 +1,10 @@
> +#ifndef _NF_CONNTRACK_UDP_H
> +#define _NF_CONNTRACK_UDP_H
> +
> +enum udp_conntrack {
> +	UDP_CT_UNREPLIED,
> +	UDP_CT_REPLIED,
> +	UDP_CT_MAX
> +};

This will be exported to user-space. We don't need this.

> +
> +#endif /* _NF_CONNTRACK_UDP_H */
> diff --git a/include/linux/netfilter/nf_conntrack_udplite.h b/include/linux/netfilter/nf_conntrack_udplite.h
> new file mode 100644
> index 0000000..62b90a2
> --- /dev/null
> +++ b/include/linux/netfilter/nf_conntrack_udplite.h
> @@ -0,0 +1,10 @@
> +#ifndef _NF_CONNTRACK_UDPLITE_H
> +#define _NF_CONNTRACK_UDPLITE_H
> +
> +enum udplite_conntrack {
> +	UDPLITE_CT_UNREPLIED,
> +	UDPLITE_CT_REPLIED,
> +	UDPLITE_CT_MAX
> +};
> +
> +#endif /* _NF_CONNTRACK_UDPLITE_H */
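Review bot: the same objection Pablo makes to `nf_conntrack_udp.h` above applies to this header: `enum udplite_conntrack` is consumed only by `struct netns_ct_proto` and the udplite conntrack module, so it does not need a new user-space facing header under `include/linux/netfilter/`; declare it in an `include/net/netfilter/` header, or size `sysctl_udplite_timeouts` with a constant in `include/net/netns/conntrack.h`.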
> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> index 7a911ec..5845665 100644
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -4,10 +4,46 @@
>  #include <linux/list.h>
>  #include <linux/list_nulls.h>
>  #include <linux/atomic.h>
> +#include <linux/netfilter/nf_conntrack_tcp.h>
> +#include <linux/netfilter/nf_conntrack_udp.h>
> +#include <linux/netfilter/nf_conntrack_udplite.h>
> +#include <linux/netfilter/nf_conntrack_sctp.h>
>  
>  struct ctl_table_header;
>  struct nf_conntrack_ecache;
>  
> +struct netns_ct_proto {
> +	unsigned int            sysctl_generic_timeout;
> +	unsigned int		sysctl_tcp_timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
> +	unsigned int		sysctl_tcp_loose;
> +	unsigned int		sysctl_tcp_be_liberal;
> +	unsigned int		sysctl_tcp_max_retrans;
> +	unsigned int		sysctl_udp_timeouts[UDP_CT_MAX];
> +	unsigned int		sysctl_udplite_timeouts[UDPLITE_CT_MAX];
> +	unsigned int		sysctl_sctp_timeouts[SCTP_CONNTRACK_MAX];
> +	unsigned int		sysctl_icmp_timeout;
> +	unsigned int		sysctl_icmpv6_timeout;
> +#ifdef CONFIG_SYSCTL
> +	struct ctl_table_header *generic_sysctl_header;
> +	struct ctl_table_header *tcp_sysctl_header;
> +	struct ctl_table_header *udp_sysctl_header;
> +	struct ctl_table_header *udplite_sysctl_header;
> +	struct ctl_table_header *sctp_sysctl_header;
> +	struct ctl_table_header *icmp_sysctl_header;
> +	struct ctl_table_header *icmpv6_sysctl_header;
> +	unsigned int		tcp_table_users;
> +	unsigned int		udp_table_users;
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 
> +	struct ctl_table_header *generic_compat_header;
> +	struct ctl_table_header *tcp_compat_header;
> +	struct ctl_table_header *udp_compat_header;
> +	struct ctl_table_header *sctp_compat_header;
> +	struct ctl_table_header *icmp_compat_header;
> +	struct ctl_table_header *ipv4_compat_header;
> +#endif
> +#endif
> +};

No.

You cannot just send a patch that adds a structure like this and use
it in follow-up patches.

You have to make patches that leave the repository in consistent state.
Instead, you have to populate the structure little by little in your
patches.

> +
>  struct netns_ct {
>  	atomic_t		count;
>  	unsigned int		expect_count;
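Review bot: `#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT ` carries trailing whitespace, and `sysctl_generic_timeout` is aligned with spaces while every neighbouring member uses tabs; checkpatch flags both. Beyond style, Pablo's point above applies member by member: each `*_sysctl_header`, `*_compat_header` and `*_table_users` field should be introduced by the patch that first uses it, so a reviewer can check the header lifetime against its register/unregister pair in the same diff.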
> @@ -26,6 +62,7 @@ struct netns_ct {
>  	int			sysctl_tstamp;
>  	int			sysctl_checksum;
>  	unsigned int		sysctl_log_invalid; /* Log invalid packets */
> +	struct netns_ct_proto	proto;
>  #ifdef CONFIG_SYSCTL
>  	struct ctl_table_header	*sysctl_header;
>  	struct ctl_table_header	*acct_sysctl_header;
> -- 
> 1.7.7.6
> 


* Re: [PATCH 02/12] netfilter: don't register sysctl when register proto
From: Pablo Neira Ayuso @ 2012-04-17  8:56 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 10:56:13AM +0800, Gao feng wrote:
> Delete nf_ct_l[3,4]proto_register_sysctl when registering l[3,4]proto,
> and add nf_ct_register_net_sysctl, nf_ct_unregister_net_sysctl to
> register the sysctl for net namespace.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
>  net/netfilter/nf_conntrack_proto.c |  109 +++++-------------------------------
>  1 files changed, 15 insertions(+), 94 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> index be3da2c..207cdd8 100644
> --- a/net/netfilter/nf_conntrack_proto.c
> +++ b/net/netfilter/nf_conntrack_proto.c
> @@ -35,12 +35,15 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
>  static DEFINE_MUTEX(nf_ct_proto_mutex);
>  
>  #ifdef CONFIG_SYSCTL
> -static int
> -nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
> -		      struct ctl_table *table, unsigned int *users)
> +int
> +nf_ct_register_net_sysctl(struct net *net, 
> +			  struct ctl_table_header **header,
> +			  struct ctl_path *path,
> +			  struct ctl_table *table,
> +			  unsigned int *users)

Please, don't rename this function. Just add the *net parameter
instead.

>  {
>  	if (*header == NULL) {
> -		*header = register_sysctl_paths(path, table);
> +		*header = register_net_sysctl_table(net, path, table);
>  		if (*header == NULL)
>  			return -ENOMEM;
>  	}
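Review bot: `struct net *net, ` in the new parameter list has trailing whitespace. Apart from the rename Pablo objects to, note that `if (*header == NULL)` now guards a header pointer that lives inside `struct net`, so the `users` counter shared by e.g. tcp4 and tcp6 has to be per-net as well (patch 01 does add `tcp_table_users`/`udp_table_users`), and the header comment should say so, since a caller passing a module-global counter here would get the init_net count applied to every namespace.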
> @@ -48,17 +51,21 @@ nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
>  		(*users)++;
>  	return 0;
>  }
> +EXPORT_SYMBOL_GPL(nf_ct_register_net_sysctl);
>  
> -static void
> -nf_ct_unregister_sysctl(struct ctl_table_header **header,
> -			struct ctl_table *table, unsigned int *users)
> +void
> +nf_ct_unregister_net_sysctl(struct ctl_table_header **header,
> +			    struct ctl_table *table,
> +			    unsigned int *users)
>  {
>  	if (users != NULL && --*users > 0)
>  		return;
>  
>  	unregister_sysctl_table(*header);
> +	kfree(table);
>  	*header = NULL;
>  }
> +EXPORT_SYMBOL_GPL(nf_ct_unregister_net_sysctl);
>  #endif
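Review bot: the added `kfree(table)` makes `nf_ct_unregister_net_sysctl()` own the table, so every caller must pass a `kmemdup()`'d copy; any remaining caller that registers a static `ctl_table` will hit a bad free on unregister. State that contract in a comment above the function, and for symmetry pair `register_net_sysctl_table()` with `unregister_net_sysctl_table()` rather than the bare `unregister_sysctl_table()`. With the `users` early return, the copy is freed only by the last user, which is correct, but that also means the registration error path in each caller still has to free the table itself, as the later sctp and udplite patches do by hand.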
>  
>  struct nf_conntrack_l4proto *
> @@ -161,29 +168,6 @@ static int kill_l4proto(struct nf_conn *i, void *data)
>  	       nf_ct_l3num(i) == l4proto->l3proto;
>  }
>  
> -static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
> -{
> -	int err = 0;
> -
> -#ifdef CONFIG_SYSCTL
> -	if (l3proto->ctl_table != NULL) {
> -		err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
> -					    l3proto->ctl_table_path,
> -					    l3proto->ctl_table, NULL);
> -	}
> -#endif
> -	return err;
> -}
> -
> -static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
> -{
> -#ifdef CONFIG_SYSCTL
> -	if (l3proto->ctl_table_header != NULL)
> -		nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
> -					l3proto->ctl_table, NULL);
> -#endif
> -}
> -
>  int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
>  {
>  	int ret = 0;
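Review bot: removing `nf_ct_l3proto_register_sysctl()`/`_unregister_sysctl()` leaves `ctl_table`, `ctl_table_path` and `ctl_table_header` in `struct nf_conntrack_l3proto` with no reader; drop those members from the header in this same patch, otherwise any l3proto that still initializes them is setting fields that no longer do anything and the header misleads the next person who adds a protocol.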
> @@ -203,10 +187,6 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
>  		goto out_unlock;
>  	}
>  
> -	ret = nf_ct_l3proto_register_sysctl(proto);
> -	if (ret < 0)
> -		goto out_unlock;
> -
>  	if (proto->nlattr_tuple_size)
>  		proto->nla_size = 3 * proto->nlattr_tuple_size();
>  
> @@ -230,7 +210,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
>  					 ) != proto);
>  	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
>  			   &nf_conntrack_l3proto_generic);
> -	nf_ct_l3proto_unregister_sysctl(proto);
>  	mutex_unlock(&nf_ct_proto_mutex);
>  
>  	synchronize_rcu();
> @@ -243,52 +222,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
>  }
>  EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
>  
> -static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
> -{
> -	int err = 0;
> -
> -#ifdef CONFIG_SYSCTL
> -	if (l4proto->ctl_table != NULL) {
> -		err = nf_ct_register_sysctl(l4proto->ctl_table_header,
> -					    nf_net_netfilter_sysctl_path,
> -					    l4proto->ctl_table,
> -					    l4proto->ctl_table_users);
> -		if (err < 0)
> -			goto out;
> -	}
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> -	if (l4proto->ctl_compat_table != NULL) {
> -		err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
> -					    nf_net_ipv4_netfilter_sysctl_path,
> -					    l4proto->ctl_compat_table, NULL);
> -		if (err == 0)
> -			goto out;
> -		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
> -					l4proto->ctl_table,
> -					l4proto->ctl_table_users);
> -	}
> -#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> -out:
> -#endif /* CONFIG_SYSCTL */
> -	return err;
> -}
> -
> -static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
> -{
> -#ifdef CONFIG_SYSCTL
> -	if (l4proto->ctl_table_header != NULL &&
> -	    *l4proto->ctl_table_header != NULL)
> -		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
> -					l4proto->ctl_table,
> -					l4proto->ctl_table_users);
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> -	if (l4proto->ctl_compat_table_header != NULL)
> -		nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
> -					l4proto->ctl_compat_table, NULL);
> -#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> -#endif /* CONFIG_SYSCTL */
> -}
> -
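
Review bot: dropping nf_ct_l4proto_register_sysctl() here, with nothing yet registering l4proto->ctl_table per net, makes every l4proto sysctl (and the compat ones under nf_net_ipv4_netfilter_sysctl_path) disappear at this point of the series, which is the inconsistent intermediate state objected to on the cover letter. If this logic moves into pernet_operations, two things from the removed function must be carried over: the `ctl_table_users` sharing between l4protos registering the same table, and the rollback that unregisters the primary table when the compat registration fails (`if (err == 0) goto out; nf_ct_unregister_sysctl(...)`), otherwise a compat failure leaves the primary header registered.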

Where did this function go?

>  /* FIXME: Allow NULL functions and sub in pointers to generic for
>     them. --RR */
>  int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
> @@ -333,10 +266,6 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
>  		goto out_unlock;
>  	}
>  
> -	ret = nf_ct_l4proto_register_sysctl(l4proto);
> -	if (ret < 0)
> -		goto out_unlock;
> -
>  	l4proto->nla_size = 0;
>  	if (l4proto->nlattr_size)
>  		l4proto->nla_size += l4proto->nlattr_size();
> @@ -365,7 +294,6 @@ void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
>  			) != l4proto);
>  	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
>  			   &nf_conntrack_l4proto_generic);
> -	nf_ct_l4proto_unregister_sysctl(l4proto);
>  	mutex_unlock(&nf_ct_proto_mutex);
>  
>  	synchronize_rcu();
> @@ -380,12 +308,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
>  
>  int nf_conntrack_proto_init(void)
>  {
> -	unsigned int i;
> -	int err;
> -
> -	err = nf_ct_l4proto_register_sysctl(&nf_conntrack_l4proto_generic);
> -	if (err < 0)
> -		return err;
> +	unsigned int i;	
>  
>  	for (i = 0; i < AF_MAX; i++)
>  		rcu_assign_pointer(nf_ct_l3protos[i],
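
Review bot: the replacement line `unsigned int i;` in nf_conntrack_proto_init() carries trailing whitespace after the semicolon (checkpatch flags this); the original declaration had none, so this hunk only needs to delete the `int err;` declaration and the three lines that called nf_ct_l4proto_register_sysctl().
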
> @@ -397,8 +320,6 @@ void nf_conntrack_proto_fini(void)
>  {
>  	unsigned int i;
>  
> -	nf_ct_l4proto_unregister_sysctl(&nf_conntrack_l4proto_generic);
> -
>  	/* free l3proto protocol tables */
>  	for (i = 0; i < PF_MAX; i++)
>  		kfree(nf_ct_protos[i]);
> -- 
> 1.7.7.6
> 

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 03/12] netfilter: generic proto sysctl support for net namespace
  2012-04-17  2:56 ` [PATCH 03/12] netfilter: generic proto sysctl support for net namespace Gao feng
@ 2012-04-17  8:58   ` Pablo Neira Ayuso
  2012-04-17 10:22     ` Gao feng
  0 siblings, 1 reply; 29+ messages in thread
From: Pablo Neira Ayuso @ 2012-04-17  8:58 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 10:56:14AM +0800, Gao feng wrote:
> Register the generic proto's sysctl in pernet_operations.init,
> and use net->ct.proto.sysctl_generic_timeout to replace nf_ct_generic_timeout.
> 
> In a following patch, timeout_nlattr_to_obj will be modified too.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
>  net/netfilter/nf_conntrack_core.c          |    6 ++
>  net/netfilter/nf_conntrack_proto_generic.c |   93 +++++++++++++++++++++++++---
>  2 files changed, 91 insertions(+), 8 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index 729f157..bf11dd6 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -1358,6 +1358,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
>  	nf_conntrack_tstamp_fini(net);
>  	nf_conntrack_acct_fini(net);
>  	nf_conntrack_expect_fini(net);
> +	nf_conntrack_proto_generic_net_fini(net);
>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
>  	kfree(net->ct.slabname);
>  	free_percpu(net->ct.stat);
> @@ -1573,6 +1574,9 @@ static int nf_conntrack_init_net(struct net *net)
>  		printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
>  		goto err_hash;
>  	}
> +	ret = nf_conntrack_proto_generic_net_init(net);
> +	if (ret < 0)
> +		goto err_generic;
>  	ret = nf_conntrack_expect_init(net);
>  	if (ret < 0)
>  		goto err_expect;
> @@ -1600,6 +1604,8 @@ err_tstamp:
>  err_acct:
>  	nf_conntrack_expect_fini(net);
>  err_expect:
> +	nf_conntrack_proto_generic_net_fini(net);
> +err_generic:
>  	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
>  err_hash:
>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
> diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
> index 835e24c..0d4545b 100644
> --- a/net/netfilter/nf_conntrack_proto_generic.c
> +++ b/net/netfilter/nf_conntrack_proto_generic.c
> @@ -42,7 +42,7 @@ static int generic_print_tuple(struct seq_file *s,
>  
>  static unsigned int *generic_get_timeouts(struct net *net)
>  {
> -	return &nf_ct_generic_timeout;
> +	return &(net->ct.proto.sysctl_generic_timeout);
>  }
>  
>  /* Returns verdict for packet, or -1 for invalid. */
> @@ -105,11 +105,10 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>  
>  #ifdef CONFIG_SYSCTL
> -static struct ctl_table_header *generic_sysctl_header;
>  static struct ctl_table generic_sysctl_table[] = {
>  	{
>  		.procname	= "nf_conntrack_generic_timeout",
> -		.data		= &nf_ct_generic_timeout,
> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
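
Review bot: pointing the template's `.data` at `&init_net.ct.proto.sysctl_generic_timeout` is misleading, because the value is always overwritten by `table[0].data = &net->ct.proto.sysctl_generic_timeout;` in nf_conntrack_proto_generic_net_init(); any entry added later without the matching fixup would silently read and write init_net's timeout from every namespace, i.e. exactly the cross-namespace leak this series is meant to fix. Use `.data = NULL` in the static template (and patch the whole array in the per-net init rather than hard-coding index 0) so a missed fixup is visible in testing instead of quietly crossing namespaces.
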
> @@ -120,7 +119,7 @@ static struct ctl_table generic_sysctl_table[] = {
>  static struct ctl_table generic_compat_sysctl_table[] = {
>  	{
>  		.procname	= "ip_conntrack_generic_timeout",
> -		.data		= &nf_ct_generic_timeout,
> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
> @@ -150,11 +149,89 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
>  		.nla_policy	= generic_timeout_nla_policy,
>  	},
>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> +};
> +
> +int nf_conntrack_proto_generic_net_init(struct net *net)

Please, check int nf_conntrack_ecache_init(struct net *net) for
instance on how we're doing the per-net registration of netfilter
modules.

Basically, we register the module only once for the init_net case.
Then, we register one sysctl per-net.

> +{
> +	struct ctl_table *table;
> +	int ret = 0;
>  #ifdef CONFIG_SYSCTL
> -	.ctl_table_header	= &generic_sysctl_header,
> -	.ctl_table		= generic_sysctl_table,
>  #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> -	.ctl_compat_table	= generic_compat_sysctl_table,
> +	struct ctl_table *compat_table;
>  #endif
>  #endif
> -};
> +	net->ct.proto.sysctl_generic_timeout = nf_ct_generic_timeout;
> +#ifdef CONFIG_SYSCTL
> +	table = kmemdup(generic_sysctl_table,
> +			sizeof(generic_sysctl_table),
> +			GFP_KERNEL);
> +	if (!table)
> +		return -ENOMEM;
> +	
> +	table[0].data = &net->ct.proto.sysctl_generic_timeout;
> +
> +	ret = nf_ct_register_net_sysctl(net,
> +					&net->ct.proto.generic_sysctl_header,
> +					nf_net_netfilter_sysctl_path,
> +					table,
> +					NULL);
> +	if (ret < 0) {
> +		printk(KERN_ERR 
> +			"nf_conntrack_proto_generic:"
> +			" can't register to sysctl.\n");
> +		kfree(table);
> +		return ret;
> +	}
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> +	compat_table = kmemdup(generic_compat_sysctl_table,
> +			       sizeof(generic_compat_sysctl_table),
> +			       GFP_KERNEL);
> +	if (!compat_table) {
> +		ret = -ENOMEM;
> +		goto out_compat;
> +	}
> +	compat_table[0].data = &net->ct.proto.sysctl_generic_timeout;
> +	ret = nf_ct_register_net_sysctl(net,
> +					&net->ct.proto.generic_compat_header,
> +					nf_net_ipv4_netfilter_sysctl_path,
> +					compat_table,
> +					NULL);
> +	if (ret < 0) {
> +		printk(KERN_ERR 
> +			"nf_conntrack_proto_generic:"
> +			" can't register to compat sysctl.\n");
> +		goto out_compat_register;
> +	}
> +#endif
> +	return 0;
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> +out_compat_register:
> +	kfree(compat_table);
> +out_compat:
> +	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
> +				    table,
> +				    NULL);
> +#endif
> +#endif
> +	return ret;
> +}
> +
> +void nf_conntrack_proto_generic_net_fini(struct net *net)
> +{
> +#ifdef CONFIG_SYSCTL
> +	struct ctl_table *table;
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> +	struct ctl_table *compat_table;
> +#endif
> +	table = net->ct.proto.generic_sysctl_header->ctl_table_arg;
> +	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
> +				    table,
> +				    NULL);
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> +	compat_table = net->ct.proto.generic_compat_header->ctl_table_arg;
> +	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_compat_header,
> +				    compat_table,
> +				    NULL);
> +#endif
> +#endif
> +}
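
Review bot: `struct ctl_table *table;` at the top of nf_conntrack_proto_generic_net_init() is declared outside the `#ifdef CONFIG_SYSCTL` block but only used inside it, so a !CONFIG_SYSCTL build warns about an unused variable; move it under the ifdef the way `compat_table` already is. In nf_conntrack_proto_generic_net_fini() the table is fetched from `net->ct.proto.generic_sysctl_header->ctl_table_arg` only to be handed back to nf_ct_unregister_net_sysctl(), which then kfree()s it; either let the helper read `(*header)->ctl_table_arg` itself or free in the caller, not a mix of both. Also worth a sentence in the commit message: `net->ct.proto.sysctl_generic_timeout = nf_ct_generic_timeout;` means every new namespace starts from the compiled-in default rather than inheriting the parent's setting. Minor: the two `printk(KERN_ERR ` lines and the blank line after `return -ENOMEM;` carry trailing whitespace.
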
> -- 
> 1.7.7.6
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 12/12] netfilter: export necessary function for generic proto
  2012-04-17  2:56 ` [PATCH 12/12] netfilter: export necessary function for generic proto Gao feng
@ 2012-04-17  9:01   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2012-04-17  9:01 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 10:56:23AM +0800, Gao feng wrote:
> Export the two functions nf_conntrack_proto_generic_net_init and
> nf_conntrack_proto_generic_net_fini.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
>  include/net/netfilter/nf_conntrack_core.h |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
> index aced085..3c3fabe 100644
> --- a/include/net/netfilter/nf_conntrack_core.h
> +++ b/include/net/netfilter/nf_conntrack_core.h
> @@ -31,6 +31,9 @@ extern void nf_conntrack_cleanup(struct net *net);
>  extern int nf_conntrack_proto_init(void);
>  extern void nf_conntrack_proto_fini(void);
>  
> +extern int nf_conntrack_proto_generic_net_init(struct net *net);
> +extern void nf_conntrack_proto_generic_net_fini(struct net *net);
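
Review bot: these two prototypes are first needed by net/netfilter/nf_conntrack_core.c in PATCH 03/12, which calls nf_conntrack_proto_generic_net_init()/_fini() from nf_conntrack_init_net() and nf_conntrack_cleanup_net(); leaving the declarations for the last patch means patches 03 to 11 build with implicit-declaration warnings (or fail where that warning is an error). Move this hunk into PATCH 03/12, as already asked below, and note that "export" in the subject is misleading: no EXPORT_SYMBOL is involved, the functions are only called from within nf_conntrack itself.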

This does not require a separate patch.

Please, review the logic that you've followed to split the changes.

Thank you.

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 00/12] add namespace support for netfilter protos
  2012-04-17  8:52 ` [PATCH 00/12] add namespace support for netfilter protos Pablo Neira Ayuso
@ 2012-04-17 10:12   ` Gao feng
  0 siblings, 0 replies; 29+ messages in thread
From: Gao feng @ 2012-04-17 10:12 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

Hi Pablo

On 2012-04-17 16:52, Pablo Neira Ayuso wrote:
> Hi Gao,
> 
> On Tue, Apr 17, 2012 at 10:56:11AM +0800, Gao feng wrote:
>> Currently the sysctls of the netfilter protos are not isolated, so
>> changing a proto's sysctl in a container causes the host's sysctl
>> to be changed too, which is not expected.
>>
>> This patch set adds namespace support for the netfilter protos.
>>
>> Implement four pernet_operations to register the sysctls, and disable
>> sysctl registration when the protos are registered.
> 
> This indeed needs to be fixed, but this patchset has several
> deficiencies. I'll spot them in follow-up emails.
> 
>> nf_conntrack_net_proto_ipv4_ops is used to register tcp4(compat),
>> udp4(compat),icmp(compat),ipv4(compat).
>> nf_conntrack_net_proto_ipv6_ops is used to register tcp6,udp6 and 
>> icmpv6.
>> nf_conntrack_net_proto_sctp_ops is used to register sctp4(compat) 
>> and sctp6.
>> nf_conntrack_net_proto_udplite_ops is used to register udplite4
>> and udplite6
>>
>> These operations will be registered when the module is loaded.
>>
>> And this will break cttimeout, because the timeout_nlattr_to_obj
>> function uses the original timeouts (such as tcp_timeouts) to set timeouts.
>>
>> I will fix this in my next patch.
> 
> No way.

OK... I will fix all and resend the patch ;)

> 
> You cannot leave the repository in a broken / inconsistent state because
> you are not making things good.
> 
> Please, hang on until this patchset is fixed to send more patches.
> 


^ permalink raw reply	[flat|nested] 29+ messages in thread
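The complaint in the cover letter quoted above, that a proto sysctl written inside a container also changes the host's value, can be checked directly from userspace before and after applying the series. The script below is an added example written for this page; it is not code from the patch set or from the kernel tree. It assumes util-linux `unshare`, a loaded nf_conntrack module and root privileges, and it probes `/proc/sys/net/netfilter/nf_conntrack_generic_timeout`, the sysctl PATCH 03/12 moves into struct net (override the path with the SYSCTL variable to probe a different one). The classification helper is kept separate from the privileged probe so it can be exercised on constructed values without a namespace.

```shell
#!/bin/sh
# Added example, not part of the patch series: probe whether a conntrack
# sysctl is isolated between the host and a freshly created network
# namespace. Assumptions: util-linux `unshare`, nf_conntrack loaded, root.

SYSCTL=${SYSCTL:-/proc/sys/net/netfilter/nf_conntrack_generic_timeout}

# classify_isolation HOST_BEFORE HOST_AFTER NS_VALUE WRITTEN
# Prints one of:
#   leaked    - the write inside the namespace changed the host's value
#               (the pre-series behaviour described in the cover letter)
#   isolated  - the namespace saw the new value and the host did not change
#   unchanged - the write did not take effect in the namespace either
classify_isolation() {
    host_before=$1
    host_after=$2
    ns_value=$3
    written=$4
    if [ "$host_after" != "$host_before" ]; then
        echo leaked
    elif [ "$ns_value" = "$written" ]; then
        echo isolated
    else
        echo unchanged
    fi
}

# probe_sysctl: write HOST+1 inside a throwaway net namespace, then compare
# the host's view before and after. Needs CAP_SYS_ADMIN for `unshare -n`.
probe_sysctl() {
    [ -r "$SYSCTL" ] || { echo "cannot read $SYSCTL" >&2; return 2; }
    host_before=$(cat "$SYSCTL")
    written=$((host_before + 1))
    # /proc/sys/net is resolved against the calling task's net namespace,
    # so no separate procfs mount is needed inside the new namespace.
    ns_value=$(unshare -n sh -c "echo $written > '$SYSCTL' && cat '$SYSCTL'") || return 2
    host_after=$(cat "$SYSCTL")
    # Undo the damage on the host if the write leaked through.
    if [ "$host_after" != "$host_before" ]; then
        echo "$host_before" > "$SYSCTL"
    fi
    classify_isolation "$host_before" "$host_after" "$ns_value" "$written"
}

# Run the privileged probe only when invoked with "probe"; sourcing the
# file or running it without arguments just defines the functions.
if [ "${1:-}" = probe ]; then
    result=$(probe_sysctl) || exit $?
    echo "$SYSCTL: $result"
    [ "$result" = isolated ]
fi
```

Run as `sudo sh probe.sh probe`; the exit status is 0 only when the namespace's write left the host untouched. On a kernel without the series the host value follows the container's write and the script reports `leaked` (and restores the host value); with per-net sysctls it reports `isolated`.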

* Re: [PATCH 03/12] netfilter: generic proto sysctl support for net namespace
  2012-04-17  8:58   ` Pablo Neira Ayuso
@ 2012-04-17 10:22     ` Gao feng
  2012-04-17 11:35       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 29+ messages in thread
From: Gao feng @ 2012-04-17 10:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On 2012-04-17 16:58, Pablo Neira Ayuso wrote:
> On Tue, Apr 17, 2012 at 10:56:14AM +0800, Gao feng wrote:
>> Register the generic proto's sysctl in pernet_operations.init,
>> and use net->ct.proto.sysctl_generic_timeout to replace nf_ct_generic_timeout.
>>
>> In a following patch, timeout_nlattr_to_obj will be modified too.
>>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>> ---
>>  net/netfilter/nf_conntrack_core.c          |    6 ++
>>  net/netfilter/nf_conntrack_proto_generic.c |   93 +++++++++++++++++++++++++---
>>  2 files changed, 91 insertions(+), 8 deletions(-)
>>
>> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>> index 729f157..bf11dd6 100644
>> --- a/net/netfilter/nf_conntrack_core.c
>> +++ b/net/netfilter/nf_conntrack_core.c
>> @@ -1358,6 +1358,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
>>  	nf_conntrack_tstamp_fini(net);
>>  	nf_conntrack_acct_fini(net);
>>  	nf_conntrack_expect_fini(net);
>> +	nf_conntrack_proto_generic_net_fini(net);
>>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
>>  	kfree(net->ct.slabname);
>>  	free_percpu(net->ct.stat);
>> @@ -1573,6 +1574,9 @@ static int nf_conntrack_init_net(struct net *net)
>>  		printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
>>  		goto err_hash;
>>  	}
>> +	ret = nf_conntrack_proto_generic_net_init(net);
>> +	if (ret < 0)
>> +		goto err_generic;
>>  	ret = nf_conntrack_expect_init(net);
>>  	if (ret < 0)
>>  		goto err_expect;
>> @@ -1600,6 +1604,8 @@ err_tstamp:
>>  err_acct:
>>  	nf_conntrack_expect_fini(net);
>>  err_expect:
>> +	nf_conntrack_proto_generic_net_fini(net);
>> +err_generic:
>>  	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
>>  err_hash:
>>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
>> diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
>> index 835e24c..0d4545b 100644
>> --- a/net/netfilter/nf_conntrack_proto_generic.c
>> +++ b/net/netfilter/nf_conntrack_proto_generic.c
>> @@ -42,7 +42,7 @@ static int generic_print_tuple(struct seq_file *s,
>>  
>>  static unsigned int *generic_get_timeouts(struct net *net)
>>  {
>> -	return &nf_ct_generic_timeout;
>> +	return &(net->ct.proto.sysctl_generic_timeout);
>>  }
>>  
>>  /* Returns verdict for packet, or -1 for invalid. */
>> @@ -105,11 +105,10 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
>>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>>  
>>  #ifdef CONFIG_SYSCTL
>> -static struct ctl_table_header *generic_sysctl_header;
>>  static struct ctl_table generic_sysctl_table[] = {
>>  	{
>>  		.procname	= "nf_conntrack_generic_timeout",
>> -		.data		= &nf_ct_generic_timeout,
>> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
>>  		.maxlen		= sizeof(unsigned int),
>>  		.mode		= 0644,
>>  		.proc_handler	= proc_dointvec_jiffies,
>> @@ -120,7 +119,7 @@ static struct ctl_table generic_sysctl_table[] = {
>>  static struct ctl_table generic_compat_sysctl_table[] = {
>>  	{
>>  		.procname	= "ip_conntrack_generic_timeout",
>> -		.data		= &nf_ct_generic_timeout,
>> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
>>  		.maxlen		= sizeof(unsigned int),
>>  		.mode		= 0644,
>>  		.proc_handler	= proc_dointvec_jiffies,
>> @@ -150,11 +149,89 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
>>  		.nla_policy	= generic_timeout_nla_policy,
>>  	},
>>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>> +};
>> +
>> +int nf_conntrack_proto_generic_net_init(struct net *net)
> 
> Please, check int nf_conntrack_ecache_init(struct net *net) for
> instance on how we're doing the per-net registration of netfilter
> modules.


nf_conntrack_l4proto_generic is registered when loading the nf_conntrack module,
so we should register the sysctl in nf_conntrack_init_net.

I don't know what's wrong here...

> 
> Basically, we register the module only once for the init_net case.
> Then, we register one sysctl per-net.
> 
>> +{
>> +	struct ctl_table *table;
>> +	int ret = 0;
>>  #ifdef CONFIG_SYSCTL
>> -	.ctl_table_header	= &generic_sysctl_header,
>> -	.ctl_table		= generic_sysctl_table,
>>  #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> -	.ctl_compat_table	= generic_compat_sysctl_table,
>> +	struct ctl_table *compat_table;
>>  #endif
>>  #endif
>> -};
>> +	net->ct.proto.sysctl_generic_timeout = nf_ct_generic_timeout;
>> +#ifdef CONFIG_SYSCTL
>> +	table = kmemdup(generic_sysctl_table,
>> +			sizeof(generic_sysctl_table),
>> +			GFP_KERNEL);
>> +	if (!table)
>> +		return -ENOMEM;
>> +	
>> +	table[0].data = &net->ct.proto.sysctl_generic_timeout;
>> +
>> +	ret = nf_ct_register_net_sysctl(net,
>> +					&net->ct.proto.generic_sysctl_header,
>> +					nf_net_netfilter_sysctl_path,
>> +					table,
>> +					NULL);
>> +	if (ret < 0) {
>> +		printk(KERN_ERR 
>> +			"nf_conntrack_proto_generic:"
>> +			" can't register to sysctl.\n");
>> +		kfree(table);
>> +		return ret;
>> +	}
>> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> +	compat_table = kmemdup(generic_compat_sysctl_table,
>> +			       sizeof(generic_compat_sysctl_table),
>> +			       GFP_KERNEL);
>> +	if (!compat_table) {
>> +		ret = -ENOMEM;
>> +		goto out_compat;
>> +	}
>> +	compat_table[0].data = &net->ct.proto.sysctl_generic_timeout;
>> +	ret = nf_ct_register_net_sysctl(net,
>> +					&net->ct.proto.generic_compat_header,
>> +					nf_net_ipv4_netfilter_sysctl_path,
>> +					compat_table,
>> +					NULL);
>> +	if (ret < 0) {
>> +		printk(KERN_ERR 
>> +			"nf_conntrack_proto_generic:"
>> +			" can't register to compat sysctl.\n");
>> +		goto out_compat_register;
>> +	}
>> +#endif
>> +	return 0;
>> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> +out_compat_register:
>> +	kfree(compat_table);
>> +out_compat:
>> +	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
>> +				    table,
>> +				    NULL);
>> +#endif
>> +#endif
>> +	return ret;
>> +}
>> +
>> +void nf_conntrack_proto_generic_net_fini(struct net *net)
>> +{
>> +#ifdef CONFIG_SYSCTL
>> +	struct ctl_table *table;
>> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> +	struct ctl_table *compat_table;
>> +#endif
>> +	table = net->ct.proto.generic_sysctl_header->ctl_table_arg;
>> +	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
>> +				    table,
>> +				    NULL);
>> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> +	compat_table = net->ct.proto.generic_compat_header->ctl_table_arg;
>> +	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_compat_header,
>> +				    compat_table,
>> +				    NULL);
>> +#endif
>> +#endif
>> +}
>> -- 
>> 1.7.7.6
>>
> 


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 02/12] netfilter: don't register sysctl when register proto
  2012-04-17  8:56   ` Pablo Neira Ayuso
@ 2012-04-17 10:25     ` Gao feng
  2012-04-17 11:26       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 29+ messages in thread
From: Gao feng @ 2012-04-17 10:25 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On 2012-04-17 16:56, Pablo Neira Ayuso wrote:
> On Tue, Apr 17, 2012 at 10:56:13AM +0800, Gao feng wrote:
>> Delete nf_ct_l[3,4]proto_register_sysctl when registering l[3,4]proto,
>> and add nf_ct_register_net_sysctl and nf_ct_unregister_net_sysctl to
>> register the sysctl for the net namespace.
>>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>> ---
>>  net/netfilter/nf_conntrack_proto.c |  109 +++++-------------------------------
>>  1 files changed, 15 insertions(+), 94 deletions(-)
>>
>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
>> index be3da2c..207cdd8 100644
>> --- a/net/netfilter/nf_conntrack_proto.c
>> +++ b/net/netfilter/nf_conntrack_proto.c
>> @@ -35,12 +35,15 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
>>  static DEFINE_MUTEX(nf_ct_proto_mutex);
>>  
>>  #ifdef CONFIG_SYSCTL
>> -static int
>> -nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
>> -		      struct ctl_table *table, unsigned int *users)
>> +int
>> +nf_ct_register_net_sysctl(struct net *net, 
>> +			  struct ctl_table_header **header,
>> +			  struct ctl_path *path,
>> +			  struct ctl_table *table,
>> +			  unsigned int *users)
> 
> Please, don't rename this function. Just add the *net parameter
> instead.
> 

OK, I will modify it.

>>  {
>>  	if (*header == NULL) {
>> -		*header = register_sysctl_paths(path, table);
>> +		*header = register_net_sysctl_table(net, path, table);
>>  		if (*header == NULL)
>>  			return -ENOMEM;
>>  	}
>> @@ -48,17 +51,21 @@ nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
>>  		(*users)++;
>>  	return 0;
>>  }
>> +EXPORT_SYMBOL_GPL(nf_ct_register_net_sysctl);
>>  
>> -static void
>> -nf_ct_unregister_sysctl(struct ctl_table_header **header,
>> -			struct ctl_table *table, unsigned int *users)
>> +void
>> +nf_ct_unregister_net_sysctl(struct ctl_table_header **header,
>> +			    struct ctl_table *table,
>> +			    unsigned int *users)
>>  {
>>  	if (users != NULL && --*users > 0)
>>  		return;
>>  
>>  	unregister_sysctl_table(*header);
>> +	kfree(table);
>>  	*header = NULL;
>>  }
>> +EXPORT_SYMBOL_GPL(nf_ct_unregister_net_sysctl);
>>  #endif
>>  
>>  struct nf_conntrack_l4proto *
>> @@ -161,29 +168,6 @@ static int kill_l4proto(struct nf_conn *i, void *data)
>>  	       nf_ct_l3num(i) == l4proto->l3proto;
>>  }
>>  
>> -static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
>> -{
>> -	int err = 0;
>> -
>> -#ifdef CONFIG_SYSCTL
>> -	if (l3proto->ctl_table != NULL) {
>> -		err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
>> -					    l3proto->ctl_table_path,
>> -					    l3proto->ctl_table, NULL);
>> -	}
>> -#endif
>> -	return err;
>> -}
>> -
>> -static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
>> -{
>> -#ifdef CONFIG_SYSCTL
>> -	if (l3proto->ctl_table_header != NULL)
>> -		nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
>> -					l3proto->ctl_table, NULL);
>> -#endif
>> -}
>> -
>>  int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
>>  {
>>  	int ret = 0;
>> @@ -203,10 +187,6 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
>>  		goto out_unlock;
>>  	}
>>  
>> -	ret = nf_ct_l3proto_register_sysctl(proto);
>> -	if (ret < 0)
>> -		goto out_unlock;
>> -
>>  	if (proto->nlattr_tuple_size)
>>  		proto->nla_size = 3 * proto->nlattr_tuple_size();
>>  
>> @@ -230,7 +210,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
>>  					 ) != proto);
>>  	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
>>  			   &nf_conntrack_l3proto_generic);
>> -	nf_ct_l3proto_unregister_sysctl(proto);
>>  	mutex_unlock(&nf_ct_proto_mutex);
>>  
>>  	synchronize_rcu();
>> @@ -243,52 +222,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
>>  }
>>  EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
>>  
>> -static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
>> -{
>> -	int err = 0;
>> -
>> -#ifdef CONFIG_SYSCTL
>> -	if (l4proto->ctl_table != NULL) {
>> -		err = nf_ct_register_sysctl(l4proto->ctl_table_header,
>> -					    nf_net_netfilter_sysctl_path,
>> -					    l4proto->ctl_table,
>> -					    l4proto->ctl_table_users);
>> -		if (err < 0)
>> -			goto out;
>> -	}
>> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> -	if (l4proto->ctl_compat_table != NULL) {
>> -		err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
>> -					    nf_net_ipv4_netfilter_sysctl_path,
>> -					    l4proto->ctl_compat_table, NULL);
>> -		if (err == 0)
>> -			goto out;
>> -		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
>> -					l4proto->ctl_table,
>> -					l4proto->ctl_table_users);
>> -	}
>> -#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
>> -out:
>> -#endif /* CONFIG_SYSCTL */
>> -	return err;
>> -}
>> -
>> -static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
>> -{
>> -#ifdef CONFIG_SYSCTL
>> -	if (l4proto->ctl_table_header != NULL &&
>> -	    *l4proto->ctl_table_header != NULL)
>> -		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
>> -					l4proto->ctl_table,
>> -					l4proto->ctl_table_users);
>> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> -	if (l4proto->ctl_compat_table_header != NULL)
>> -		nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
>> -					l4proto->ctl_compat_table, NULL);
>> -#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
>> -#endif /* CONFIG_SYSCTL */
>> -}
>> -
> 
> Where did this function go?


nf_ct_l4proto_unregister_sysctl just registers sysctl, and we move this logic
to pernet_operations.init, so this function has no use.

> 
>>  /* FIXME: Allow NULL functions and sub in pointers to generic for
>>     them. --RR */
>>  int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
>> @@ -333,10 +266,6 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
>>  		goto out_unlock;
>>  	}
>>  
>> -	ret = nf_ct_l4proto_register_sysctl(l4proto);
>> -	if (ret < 0)
>> -		goto out_unlock;
>> -
>>  	l4proto->nla_size = 0;
>>  	if (l4proto->nlattr_size)
>>  		l4proto->nla_size += l4proto->nlattr_size();
>> @@ -365,7 +294,6 @@ void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
>>  			) != l4proto);
>>  	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
>>  			   &nf_conntrack_l4proto_generic);
>> -	nf_ct_l4proto_unregister_sysctl(l4proto);
>>  	mutex_unlock(&nf_ct_proto_mutex);
>>  
>>  	synchronize_rcu();
>> @@ -380,12 +308,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
>>  
>>  int nf_conntrack_proto_init(void)
>>  {
>> -	unsigned int i;
>> -	int err;
>> -
>> -	err = nf_ct_l4proto_register_sysctl(&nf_conntrack_l4proto_generic);
>> -	if (err < 0)
>> -		return err;
>> +	unsigned int i;	
>>  
>>  	for (i = 0; i < AF_MAX; i++)
>>  		rcu_assign_pointer(nf_ct_l3protos[i],
>> @@ -397,8 +320,6 @@ void nf_conntrack_proto_fini(void)
>>  {
>>  	unsigned int i;
>>  
>> -	nf_ct_l4proto_unregister_sysctl(&nf_conntrack_l4proto_generic);
>> -
>>  	/* free l3proto protocol tables */
>>  	for (i = 0; i < PF_MAX; i++)
>>  		kfree(nf_ct_protos[i]);
>> -- 
>> 1.7.7.6
>>
> 


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 10/12] netfilter: sctp proto sysctl support for net namespace
  2012-04-17  2:56 ` [PATCH 10/12] netfilter: sctp proto " Gao feng
@ 2012-04-17 10:30   ` Gao feng
  2012-04-17 11:29     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 29+ messages in thread
From: Gao feng @ 2012-04-17 10:30 UTC (permalink / raw)
  To: Gao feng; +Cc: pablo, netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On 2012-04-17 10:56, Gao feng wrote:
> Register pernet_operations nf_conntrack_net_proto_sctp_ops
> when loading the nf_conntrack_proto_sctp module, and unregister
> it when removing the module.
> 
> It makes no sense to register a subsys for sctp and sctp6, because
> nf_conntrack_l4proto_sctp4 and nf_conntrack_l4proto_sctp6 are
> registered or unregistered together.
> 
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>


I think it's better to implement this as dccp does;
dccp stores the timeouts and ctl_table in net_generic.

This will not cause waste when the sctp module is not loaded.

> ---
>  net/netfilter/nf_conntrack_proto_sctp.c |  205 ++++++++++++++++++++++++++-----
>  1 files changed, 175 insertions(+), 30 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
> index 72b5088..866d151 100644
> --- a/net/netfilter/nf_conntrack_proto_sctp.c
> +++ b/net/netfilter/nf_conntrack_proto_sctp.c
> @@ -281,7 +281,7 @@ static int sctp_new_state(enum ip_conntrack_dir dir,
>  
>  static unsigned int *sctp_get_timeouts(struct net *net)
>  {
> -	return sctp_timeouts;
> +	return net->ct.proto.sysctl_sctp_timeouts;
>  }
>  
>  /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
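
Review bot: sctp_get_timeouts() now returns `net->ct.proto.sysctl_sctp_timeouts`, so the SCTP timeout array occupies struct netns_ct in every network namespace whether or not nf_conntrack_proto_sctp is loaded, and a loadable module's state is hard-wired into the core per-net struct. The follow-up in this thread already proposes the dccp layout (timeouts and ctl_table in net_generic); that keeps the core struct independent of the module and costs nothing when sctp is not loaded.
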
> @@ -599,56 +599,60 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
>  };
>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>  
> -
>  #ifdef CONFIG_SYSCTL
> -static unsigned int sctp_sysctl_table_users;
> -static struct ctl_table_header *sctp_sysctl_header;
>  static struct ctl_table sctp_sysctl_table[] = {
>  	{
>  		.procname	= "nf_conntrack_sctp_timeout_closed",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "nf_conntrack_sctp_timeout_cookie_wait",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "nf_conntrack_sctp_timeout_cookie_echoed",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "nf_conntrack_sctp_timeout_established",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "nf_conntrack_sctp_timeout_shutdown_sent",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "nf_conntrack_sctp_timeout_shutdown_recd",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "nf_conntrack_sctp_timeout_shutdown_ack_sent",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
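Review bot: every `.data` in sctp_sysctl_table is rebound to the per-namespace array by the net_init code later in this patch, so the static initializers pointing at `init_net.ct.proto.sysctl_sctp_timeouts` are only a template, and a reader could take them for an init_net special case; either leave `.data` unset in the static table or add a one-line comment saying the table is kmemdup'ed and rebound per net. Splitting `&init_net.ct.proto.` and `sysctl_sctp_timeouts[...]` across a member access is also hard to read; wrapping once before the whole expression would be clearer.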
> @@ -660,49 +664,56 @@ static struct ctl_table sctp_sysctl_table[] = {
>  static struct ctl_table sctp_compat_sysctl_table[] = {
>  	{
>  		.procname	= "ip_conntrack_sctp_timeout_closed",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "ip_conntrack_sctp_timeout_cookie_wait",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "ip_conntrack_sctp_timeout_cookie_echoed",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "ip_conntrack_sctp_timeout_established",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "ip_conntrack_sctp_timeout_shutdown_sent",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "ip_conntrack_sctp_timeout_shutdown_recd",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
>  	},
>  	{
>  		.procname	= "ip_conntrack_sctp_timeout_shutdown_ack_sent",
> -		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
> +		.data		= &init_net.ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
>  		.maxlen		= sizeof(unsigned int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec_jiffies,
> @@ -742,14 +753,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
>  		.nla_policy	= sctp_timeout_nla_policy,
>  	},
>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> -	.ctl_table_users	= &sctp_sysctl_table_users,
> -	.ctl_table_header	= &sctp_sysctl_header,
> -	.ctl_table		= sctp_sysctl_table,
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> -	.ctl_compat_table	= sctp_compat_sysctl_table,
> -#endif
> -#endif
>  };
>  
>  static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
> @@ -782,11 +785,146 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
>  	},
>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>  #endif
> +};
> +
> +static int nf_conntrack_proto_sctp_net_init(struct net *net)
> +{
> +	struct ctl_table *table;
> +	int i, ret = 0;
> +	for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
> +		net->ct.proto.sysctl_sctp_timeouts[i] = sctp_timeouts[i];
> +
>  #ifdef CONFIG_SYSCTL
> -	.ctl_table_users	= &sctp_sysctl_table_users,
> -	.ctl_table_header	= &sctp_sysctl_header,
> -	.ctl_table		= sctp_sysctl_table,
> +	table = kmemdup(sctp_sysctl_table,
> +			sizeof(sctp_sysctl_table),
> +			GFP_KERNEL);
> +	if (!table)
> +		return -ENOMEM;
> +	table[0].data = &net->ct.proto.
> +			sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED];
> +	table[1].data = &net->ct.proto.
> +			sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
> +	table[2].data = &net->ct.proto.
> +			sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
> +	table[3].data = &net->ct.proto.
> +			sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED];
> +	table[4].data = &net->ct.proto.
> +			sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
> +	table[5].data = &net->ct.proto.
> +			sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
> +	table[6].data = &net->ct.proto.
> +			sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
> +
> +	ret = nf_ct_register_net_sysctl(net,
> +					&net->ct.proto.sctp_sysctl_header,
> +					nf_net_netfilter_sysctl_path,
> +					table,
> +					NULL);
> +	if (ret < 0) {
> +		printk(KERN_ERR
> +			"nf_conntrack_proto_sctp:"
> +			" can't register to sysctl.\n");
> +		goto out_register;
> +	}
> +	return 0;
> +out_register:
> +	kfree(table);
>  #endif
> +	return ret;
> +}
> +
> +static void nf_conntrack_proto_sctp_net_fini(struct net *net)
> +{
> +#ifdef CONFIG_SYSCTL
> +	struct ctl_table *table;
> +	table = net->ct.proto.sctp_sysctl_header->ctl_table_arg;
> +
> +	nf_ct_unregister_net_sysctl(&net->ct.proto.sctp_sysctl_header,
> +				    table,
> +				    NULL);
> +#endif
> +}
> +
> +static int nf_conntrack_proto_sctp_compat_init(struct net *net)
> +{
> +	int ret = 0;
> +#ifdef CONFIG_SYSCTL
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> +	struct ctl_table *compat_table;
> +	compat_table = kmemdup(sctp_compat_sysctl_table,
> +			       sizeof(sctp_compat_sysctl_table),
> +			       GFP_KERNEL);
> +	if (!compat_table)
> +		return -ENOMEM;
> +
> +	compat_table[0].data = &net->ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_CLOSED];
> +	compat_table[1].data = &net->ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
> +	compat_table[2].data = &net->ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
> +	compat_table[3].data = &net->ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED];
> +	compat_table[4].data = &net->ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
> +	compat_table[5].data = &net->ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
> +	compat_table[6].data = &net->ct.proto.
> +				sysctl_sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
> +
> +	ret = nf_ct_register_net_sysctl(net,
> +					&net->ct.proto.sctp_compat_header,
> +					nf_net_ipv4_netfilter_sysctl_path,
> +					compat_table,
> +					NULL);
> +	if (ret < 0) {
> +		printk(KERN_ERR
> +			"nf_conntrack_proto_sctp:"
> +			" can't register to compat sysctl.\n");
> +		goto out_register;
> +	}
> +	return 0;
> +out_register:
> +	kfree(compat_table);
> +#endif
> +#endif
> +	return ret;
> +}
> +
> +static void nf_conntrack_proto_sctp_compat_fini(struct net *net)
> +{
> +#ifdef CONFIG_SYSCTL
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> +	struct ctl_table *compat_table;
> +	compat_table = net->ct.proto.sctp_compat_header->ctl_table_arg;
> +	nf_ct_unregister_net_sysctl(&net->ct.proto.sctp_compat_header,
> +				    compat_table,
> +				    NULL);
> +#endif
> +#endif
> +}
> +
> +static int nf_conntrack_net_proto_sctp_init(struct net *net)
> +{
> +	int ret;
> +	ret = nf_conntrack_proto_sctp_net_init(net);
> +	if (ret < 0)
> +		return ret;
> +	ret = nf_conntrack_proto_sctp_compat_init(net);
> +	if (ret < 0)
> +		nf_conntrack_proto_sctp_net_fini(net);
> +	return ret;
> +}
> +
> +static void nf_conntrack_net_proto_sctp_fini(struct net *net)
> +{
> +	nf_conntrack_proto_sctp_compat_fini(net);
> +	nf_conntrack_proto_sctp_net_fini(net);
> +}
> +
> +static struct pernet_operations nf_conntrack_net_proto_sctp_ops = {
> +	.init = nf_conntrack_net_proto_sctp_init,
> +	.exit = nf_conntrack_net_proto_sctp_fini,
>  };
>  
>  static int __init nf_conntrack_proto_sctp_init(void)
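Review bot: in nf_conntrack_proto_sctp_net_init the `struct ctl_table *table;` declaration sits outside the `#ifdef CONFIG_SYSCTL` block while every use of it is inside, so a !CONFIG_SYSCTL build gets an unused-variable warning; move the declaration under the ifdef as nf_conntrack_proto_sctp_net_fini already does. The seven hand-written `table[N].data = ...` assignments, repeated again in nf_conntrack_proto_sctp_compat_init, duplicate the entry order of the static tables, so reordering either array silently binds a sysctl to the wrong state; a loop that derives each entry's state from its original `.data` offset into sctp_timeouts, or one shared helper used by both init functions, would remove the duplication. Also, these error paths use `printk(KERN_ERR ...)` while the module init path in this file uses `pr_err()`.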
> @@ -803,9 +941,15 @@ static int __init nf_conntrack_proto_sctp_init(void)
>  		pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
>  		goto cleanup_sctp4;
>  	}
> -
> +	ret = register_pernet_subsys(&nf_conntrack_net_proto_sctp_ops);
> +	if (ret) {
> +		pr_err("nf_conntrack: sctp pernet subsys register failed\n");
> +		goto cleanup_sctp6;
> +	}
>  	return ret;
>  
> + cleanup_sctp6:
> +	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
>   cleanup_sctp4:
>  	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
>   out:
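Review bot: register_pernet_subsys() is called only after both l4protos are registered, so between nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6) succeeding and the pernet init copying sctp_timeouts into net->ct.proto.sysctl_sctp_timeouts, sctp_get_timeouts() (first hunk) hands out an array that has not yet been initialised for any existing namespace, and conntrack entries created in that window get the wrong timeouts. Registering nf_conntrack_net_proto_sctp_ops before the two l4protos, with a matching `unregister_pernet_subsys()` on the sctp4/sctp6 error labels, closes the window.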
> @@ -814,6 +958,7 @@ static int __init nf_conntrack_proto_sctp_init(void)
>  
>  static void __exit nf_conntrack_proto_sctp_fini(void)
>  {
> +	unregister_pernet_subsys(&nf_conntrack_net_proto_sctp_ops);
>  	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
>  	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
>  }
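Review bot: teardown here does not mirror setup: the pernet subsys is unregistered first while both l4protos are still registered, the reverse of the order used in nf_conntrack_proto_sctp_init. Unregistering in the reverse order of registration (both l4protos, then the pernet subsys) keeps the per-net state alive for as long as the protocol can still be reached.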

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [PATCH 00/12] add namespace support for netfilter protos
From: Jan Engelhardt @ 2012-04-17 10:34 UTC (permalink / raw)
  To: Gao feng; +Cc: pablo, netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano


On Tuesday 2012-04-17 04:56, Gao feng wrote:

>Currently the sysctl of netfilter proto is not isolated, so changing a
>proto's sysctl in a container will cause the host's sysctl to be changed
>too. It's not expected.

I wonder if it made sense to do the configuration of NFCT via
netlink as well, and deprecate the sysctl interface.


* Re: [PATCH 00/12] add namespace support for netfilter protos
From: Pablo Neira Ayuso @ 2012-04-17 10:59 UTC (permalink / raw)
  To: Jan Engelhardt
  Cc: Gao feng, netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 12:34:48PM +0200, Jan Engelhardt wrote:
> 
> On Tuesday 2012-04-17 04:56, Gao feng wrote:
> 
> >Currently the sysctl of netfilter proto is not isolated, so changing a
> >proto's sysctl in a container will cause the host's sysctl to be changed
> >too. It's not expected.
> 
> I wonder if it made sense to do the configuration of NFCT via
> netlink as well, and deprecate the sysctl interface.

Good point, Jan.

However, we're in an inconsistent state now and removing interfaces is
not easy / fast.

So I think we have to fix it first and then, if we decide to do so,
deprecate them.

It seems to me like a good idea to target providing netlink
interfaces for all netfilter tweaks and use iptables (or whatsoever
command line tool we'll have in the future) to attach specific
configurations to flows.

Thus, having no more sysctl stuff and module parameter tweaks.


* Re: [PATCH 02/12] netfilter: don't register sysctl when register proto
From: Pablo Neira Ayuso @ 2012-04-17 11:26 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 06:25:57PM +0800, Gao feng wrote:
> On 2012-04-17 16:56, Pablo Neira Ayuso wrote:
> > On Tue, Apr 17, 2012 at 10:56:13AM +0800, Gao feng wrote:
> >> Delete nf_ct_l[3,4]proto_register_sysctl when registering l[3,4]proto,
> >> and add nf_ct_register_net_sysctl and nf_ct_unregister_net_sysctl to
> >> register the sysctl for the net namespace.
> >>
> >> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> >> ---
> >>  net/netfilter/nf_conntrack_proto.c |  109 +++++-------------------------------
> >>  1 files changed, 15 insertions(+), 94 deletions(-)
> >>
> >> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> >> index be3da2c..207cdd8 100644
> >> --- a/net/netfilter/nf_conntrack_proto.c
> >> +++ b/net/netfilter/nf_conntrack_proto.c
> >> @@ -35,12 +35,15 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
> >>  static DEFINE_MUTEX(nf_ct_proto_mutex);
> >>  
> >>  #ifdef CONFIG_SYSCTL
> >> -static int
> >> -nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
> >> -		      struct ctl_table *table, unsigned int *users)
> >> +int
> >> +nf_ct_register_net_sysctl(struct net *net, 
> >> +			  struct ctl_table_header **header,
> >> +			  struct ctl_path *path,
> >> +			  struct ctl_table *table,
> >> +			  unsigned int *users)
> > 
> > Please, don't rename this function. Just add the *net parameter
> > instead.
> > 
> 
> OK, I will modify it.
> 
> >>  {
> >>  	if (*header == NULL) {
> >> -		*header = register_sysctl_paths(path, table);
> >> +		*header = register_net_sysctl_table(net, path, table);
> >>  		if (*header == NULL)
> >>  			return -ENOMEM;
> >>  	}
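Review bot: the `users` refcount no longer matches the object it guards: `header` is now per-namespace (the per-proto callers in this series pass a field of net->ct.proto), but `users` is still a single module-wide counter, so with a non-NULL users pointer the first namespace would bump the count and every later namespace would be counted against the same shared value while holding its own header. Since the per-net callers pass NULL, either drop the users parameter from the per-net API or state in a comment that it must be NULL.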
> >> @@ -48,17 +51,21 @@ nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_path *path,
> >>  		(*users)++;
> >>  	return 0;
> >>  }
> >> +EXPORT_SYMBOL_GPL(nf_ct_register_net_sysctl);
> >>  
> >> -static void
> >> -nf_ct_unregister_sysctl(struct ctl_table_header **header,
> >> -			struct ctl_table *table, unsigned int *users)
> >> +void
> >> +nf_ct_unregister_net_sysctl(struct ctl_table_header **header,
> >> +			    struct ctl_table *table,
> >> +			    unsigned int *users)
> >>  {
> >>  	if (users != NULL && --*users > 0)
> >>  		return;
> >>  
> >>  	unregister_sysctl_table(*header);
> >> +	kfree(table);
> >>  	*header = NULL;
> >>  }
> >> +EXPORT_SYMBOL_GPL(nf_ct_unregister_net_sysctl);
> >>  #endif
> >>  
> >>  struct nf_conntrack_l4proto *
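Review bot: adding `kfree(table)` makes nf_ct_unregister_net_sysctl take ownership of the table, so every caller must now pass heap memory (the kmemdup'ed copies in the per-net init functions do), and a caller that still hands in a static ctl_table array would free memory that was never allocated. That contract deserves a comment above the function, and `*header = NULL` after the free should be kept as the only thing a later caller can safely observe.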
> >> @@ -161,29 +168,6 @@ static int kill_l4proto(struct nf_conn *i, void *data)
> >>  	       nf_ct_l3num(i) == l4proto->l3proto;
> >>  }
> >>  
> >> -static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
> >> -{
> >> -	int err = 0;
> >> -
> >> -#ifdef CONFIG_SYSCTL
> >> -	if (l3proto->ctl_table != NULL) {
> >> -		err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
> >> -					    l3proto->ctl_table_path,
> >> -					    l3proto->ctl_table, NULL);
> >> -	}
> >> -#endif
> >> -	return err;
> >> -}
> >> -
> >> -static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
> >> -{
> >> -#ifdef CONFIG_SYSCTL
> >> -	if (l3proto->ctl_table_header != NULL)
> >> -		nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
> >> -					l3proto->ctl_table, NULL);
> >> -#endif
> >> -}
> >> -
> >>  int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
> >>  {
> >>  	int ret = 0;
> >> @@ -203,10 +187,6 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
> >>  		goto out_unlock;
> >>  	}
> >>  
> >> -	ret = nf_ct_l3proto_register_sysctl(proto);
> >> -	if (ret < 0)
> >> -		goto out_unlock;
> >> -
> >>  	if (proto->nlattr_tuple_size)
> >>  		proto->nla_size = 3 * proto->nlattr_tuple_size();
> >>  
> >> @@ -230,7 +210,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
> >>  					 ) != proto);
> >>  	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
> >>  			   &nf_conntrack_l3proto_generic);
> >> -	nf_ct_l3proto_unregister_sysctl(proto);
> >>  	mutex_unlock(&nf_ct_proto_mutex);
> >>  
> >>  	synchronize_rcu();
> >> @@ -243,52 +222,6 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
> >>  }
> >>  EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
> >>  
> >> -static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
> >> -{
> >> -	int err = 0;
> >> -
> >> -#ifdef CONFIG_SYSCTL
> >> -	if (l4proto->ctl_table != NULL) {
> >> -		err = nf_ct_register_sysctl(l4proto->ctl_table_header,
> >> -					    nf_net_netfilter_sysctl_path,
> >> -					    l4proto->ctl_table,
> >> -					    l4proto->ctl_table_users);
> >> -		if (err < 0)
> >> -			goto out;
> >> -	}
> >> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> >> -	if (l4proto->ctl_compat_table != NULL) {
> >> -		err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
> >> -					    nf_net_ipv4_netfilter_sysctl_path,
> >> -					    l4proto->ctl_compat_table, NULL);
> >> -		if (err == 0)
> >> -			goto out;
> >> -		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
> >> -					l4proto->ctl_table,
> >> -					l4proto->ctl_table_users);
> >> -	}
> >> -#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> >> -out:
> >> -#endif /* CONFIG_SYSCTL */
> >> -	return err;
> >> -}
> >> -
> >> -static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
> >> -{
> >> -#ifdef CONFIG_SYSCTL
> >> -	if (l4proto->ctl_table_header != NULL &&
> >> -	    *l4proto->ctl_table_header != NULL)
> >> -		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
> >> -					l4proto->ctl_table,
> >> -					l4proto->ctl_table_users);
> >> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> >> -	if (l4proto->ctl_compat_table_header != NULL)
> >> -		nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
> >> -					l4proto->ctl_compat_table, NULL);
> >> -#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> >> -#endif /* CONFIG_SYSCTL */
> >> -}
> >> -
> > 
> > Where did this function go?
> 
> 
> nf_ct_l4proto_unregister_sysctl just registers sysctl, and we move this logic
> to pernet_operations.init, so this function has no use.

I think I prefer if you add struct net *net to all those functions to
reduce the amount of changes in the patch.

Have a look at the per-net helper registration in this patch:

http://patchwork.ozlabs.org/patch/152096/

We needed to add a new sysctl to disable helper assignment. I made it
in a way that it supports per-net.

I'm pointing to that patch as an example because I think it's similar to the
protocol registration. Before, the helper registration was not made
per-net at all.


* Re: [PATCH 10/12] netfilter: sctp proto sysctl support for net namespace
From: Pablo Neira Ayuso @ 2012-04-17 11:29 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 06:30:14PM +0800, Gao feng wrote:
> On 2012-04-17 10:56, Gao feng wrote:
> > Register pernet_operations nf_conntrack_net_proto_sctp_ops
> > when loading the nf_conntrack_proto_sctp module, and unregister
> > it when removing it.
> > 
> > It makes no sense to register subsys for sctp and sctp6, because
> > nf_conntrack_l4proto_sctp4 and nf_conntrack_l4proto_sctp6 are
> > registered or unregistered together.
> > 
> > Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> 
> 
> I think it's better to implement this as dccp does;
> dccp stores the timeouts and ctl_table in net_generic.
> 
> This will not cause waste when the sctp module is not loaded.

Agreed.


* Re: [PATCH 03/12] netfilter: generic proto sysctl support for net namespace
From: Pablo Neira Ayuso @ 2012-04-17 11:35 UTC (permalink / raw)
  To: Gao feng; +Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On Tue, Apr 17, 2012 at 06:22:42PM +0800, Gao feng wrote:
> On 2012-04-17 16:58, Pablo Neira Ayuso wrote:
> > On Tue, Apr 17, 2012 at 10:56:14AM +0800, Gao feng wrote:
> >> Register the generic proto's sysctl in pernet_operations.init,
> >> and use net->ct.proto.sysctl_generic_timeout to replace nf_ct_generic_timeout.
> >>
> >> In the following patch, timeout_nlattr_to_obj will be modified too.
> >>
> >> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> >> ---
> >>  net/netfilter/nf_conntrack_core.c          |    6 ++
> >>  net/netfilter/nf_conntrack_proto_generic.c |   93 +++++++++++++++++++++++++---
> >>  2 files changed, 91 insertions(+), 8 deletions(-)
> >>
> >> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> >> index 729f157..bf11dd6 100644
> >> --- a/net/netfilter/nf_conntrack_core.c
> >> +++ b/net/netfilter/nf_conntrack_core.c
> >> @@ -1358,6 +1358,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
> >>  	nf_conntrack_tstamp_fini(net);
> >>  	nf_conntrack_acct_fini(net);
> >>  	nf_conntrack_expect_fini(net);
> >> +	nf_conntrack_proto_generic_net_fini(net);
> >>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
> >>  	kfree(net->ct.slabname);
> >>  	free_percpu(net->ct.stat);
> >> @@ -1573,6 +1574,9 @@ static int nf_conntrack_init_net(struct net *net)
> >>  		printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
> >>  		goto err_hash;
> >>  	}
> >> +	ret = nf_conntrack_proto_generic_net_init(net);
> >> +	if (ret < 0)
> >> +		goto err_generic;
> >>  	ret = nf_conntrack_expect_init(net);
> >>  	if (ret < 0)
> >>  		goto err_expect;
> >> @@ -1600,6 +1604,8 @@ err_tstamp:
> >>  err_acct:
> >>  	nf_conntrack_expect_fini(net);
> >>  err_expect:
> >> +	nf_conntrack_proto_generic_net_fini(net);
> >> +err_generic:
> >>  	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
> >>  err_hash:
> >>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
> >> diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
> >> index 835e24c..0d4545b 100644
> >> --- a/net/netfilter/nf_conntrack_proto_generic.c
> >> +++ b/net/netfilter/nf_conntrack_proto_generic.c
> >> @@ -42,7 +42,7 @@ static int generic_print_tuple(struct seq_file *s,
> >>  
> >>  static unsigned int *generic_get_timeouts(struct net *net)
> >>  {
> >> -	return &nf_ct_generic_timeout;
> >> +	return &(net->ct.proto.sysctl_generic_timeout);
> >>  }
> >>  
> >>  /* Returns verdict for packet, or -1 for invalid. */
> >> @@ -105,11 +105,10 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
> >>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> >>  
> >>  #ifdef CONFIG_SYSCTL
> >> -static struct ctl_table_header *generic_sysctl_header;
> >>  static struct ctl_table generic_sysctl_table[] = {
> >>  	{
> >>  		.procname	= "nf_conntrack_generic_timeout",
> >> -		.data		= &nf_ct_generic_timeout,
> >> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
> >>  		.maxlen		= sizeof(unsigned int),
> >>  		.mode		= 0644,
> >>  		.proc_handler	= proc_dointvec_jiffies,
> >> @@ -120,7 +119,7 @@ static struct ctl_table generic_sysctl_table[] = {
> >>  static struct ctl_table generic_compat_sysctl_table[] = {
> >>  	{
> >>  		.procname	= "ip_conntrack_generic_timeout",
> >> -		.data		= &nf_ct_generic_timeout,
> >> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
> >>  		.maxlen		= sizeof(unsigned int),
> >>  		.mode		= 0644,
> >>  		.proc_handler	= proc_dointvec_jiffies,
> >> @@ -150,11 +149,89 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
> >>  		.nla_policy	= generic_timeout_nla_policy,
> >>  	},
> >>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> >> +};
> >> +
> >> +int nf_conntrack_proto_generic_net_init(struct net *net)
> > 
> > Please, check int nf_conntrack_ecache_init(struct net *net) for
> > instance on how we're doing the per-net registration of netfilter
> > modules.
> 
> nf_conntrack_l4proto_generic is registered when loading the nf_conntrack module,
> so we should register the sysctl in nf_conntrack_init_net.
> 
> I don't know what's wrong here...

Nothing wrong, just a cosmetic change.

I'd like the protocol and sysctl registration to happen in the same
function, like in other parts of the code, for consistency.

Probably, you can use http://patchwork.ozlabs.org/patch/152096/ as
reference.


* Re: [PATCH 00/12] add namespace support for netfilter protos
From: Serge Hallyn @ 2012-04-17 14:35 UTC (permalink / raw)
  To: Gao feng; +Cc: pablo, netfilter-devel, netdev, ebiederm, dlezcano

Quoting Gao feng (gaofeng@cn.fujitsu.com):
> Currently the sysctl of netfilter proto is not isolated, so changing a
> proto's sysctl in a container will cause the host's sysctl to be changed
> too. It's not expected.
> 
> This patch set adds the namespace support for netfilter protos.

Thanks for doing this, Gao, sounds good.

(The set has gotten better scrutiny than I could give it, so I'll
wait until at least the next submission to attempt a review)

-serge


* Re: [PATCH 03/12] netfilter: generic proto sysctl support for net namespace
From: Gao feng @ 2012-04-18  0:20 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: netfilter-devel, netdev, ebiederm, serge.hallyn, dlezcano

On 2012-04-17 19:35, Pablo Neira Ayuso wrote:
> On Tue, Apr 17, 2012 at 06:22:42PM +0800, Gao feng wrote:
>> On 2012-04-17 16:58, Pablo Neira Ayuso wrote:
>>> On Tue, Apr 17, 2012 at 10:56:14AM +0800, Gao feng wrote:
>>>> Register the generic proto's sysctl in pernet_operations.init,
>>>> and use net->ct.proto.sysctl_generic_timeout to replace nf_ct_generic_timeout.
>>>>
>>>> In the following patch, timeout_nlattr_to_obj will be modified too.
>>>>
>>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>>>> ---
>>>>  net/netfilter/nf_conntrack_core.c          |    6 ++
>>>>  net/netfilter/nf_conntrack_proto_generic.c |   93 +++++++++++++++++++++++++---
>>>>  2 files changed, 91 insertions(+), 8 deletions(-)
>>>>
>>>> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>>>> index 729f157..bf11dd6 100644
>>>> --- a/net/netfilter/nf_conntrack_core.c
>>>> +++ b/net/netfilter/nf_conntrack_core.c
>>>> @@ -1358,6 +1358,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
>>>>  	nf_conntrack_tstamp_fini(net);
>>>>  	nf_conntrack_acct_fini(net);
>>>>  	nf_conntrack_expect_fini(net);
>>>> +	nf_conntrack_proto_generic_net_fini(net);
>>>>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
>>>>  	kfree(net->ct.slabname);
>>>>  	free_percpu(net->ct.stat);
>>>> @@ -1573,6 +1574,9 @@ static int nf_conntrack_init_net(struct net *net)
>>>>  		printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
>>>>  		goto err_hash;
>>>>  	}
>>>> +	ret = nf_conntrack_proto_generic_net_init(net);
>>>> +	if (ret < 0)
>>>> +		goto err_generic;
>>>>  	ret = nf_conntrack_expect_init(net);
>>>>  	if (ret < 0)
>>>>  		goto err_expect;
>>>> @@ -1600,6 +1604,8 @@ err_tstamp:
>>>>  err_acct:
>>>>  	nf_conntrack_expect_fini(net);
>>>>  err_expect:
>>>> +	nf_conntrack_proto_generic_net_fini(net);
>>>> +err_generic:
>>>>  	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
>>>>  err_hash:
>>>>  	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
>>>> diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
>>>> index 835e24c..0d4545b 100644
>>>> --- a/net/netfilter/nf_conntrack_proto_generic.c
>>>> +++ b/net/netfilter/nf_conntrack_proto_generic.c
>>>> @@ -42,7 +42,7 @@ static int generic_print_tuple(struct seq_file *s,
>>>>  
>>>>  static unsigned int *generic_get_timeouts(struct net *net)
>>>>  {
>>>> -	return &nf_ct_generic_timeout;
>>>> +	return &(net->ct.proto.sysctl_generic_timeout);
>>>>  }
>>>>  
>>>>  /* Returns verdict for packet, or -1 for invalid. */
>>>> @@ -105,11 +105,10 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
>>>>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>>>>  
>>>>  #ifdef CONFIG_SYSCTL
>>>> -static struct ctl_table_header *generic_sysctl_header;
>>>>  static struct ctl_table generic_sysctl_table[] = {
>>>>  	{
>>>>  		.procname	= "nf_conntrack_generic_timeout",
>>>> -		.data		= &nf_ct_generic_timeout,
>>>> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
>>>>  		.maxlen		= sizeof(unsigned int),
>>>>  		.mode		= 0644,
>>>>  		.proc_handler	= proc_dointvec_jiffies,
>>>> @@ -120,7 +119,7 @@ static struct ctl_table generic_sysctl_table[] = {
>>>>  static struct ctl_table generic_compat_sysctl_table[] = {
>>>>  	{
>>>>  		.procname	= "ip_conntrack_generic_timeout",
>>>> -		.data		= &nf_ct_generic_timeout,
>>>> +		.data		= &init_net.ct.proto.sysctl_generic_timeout,
>>>>  		.maxlen		= sizeof(unsigned int),
>>>>  		.mode		= 0644,
>>>>  		.proc_handler	= proc_dointvec_jiffies,
>>>> @@ -150,11 +149,89 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
>>>>  		.nla_policy	= generic_timeout_nla_policy,
>>>>  	},
>>>>  #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>>>> +};
>>>> +
>>>> +int nf_conntrack_proto_generic_net_init(struct net *net)
>>>
>>> Please, check int nf_conntrack_ecache_init(struct net *net) for
>>> instance on how we're doing the per-net registration of netfilter
>>> modules.
>>
>> nf_conntrack_l4proto_generic is registered when loading the nf_conntrack module,
>> so we should register the sysctl in nf_conntrack_init_net.
>>
>> I don't know what's wrong here...
> 
> Nothing wrong, just a cosmetic change.
> 
> I'd like the protocol and sysctl registration to happen in the same
> function, like in other parts of the code, for consistency.

I got it, maybe we can add a pernet_operations field to nf_conntrack_l[3,4]proto,
and change nf_ct_l[3,4]proto_register_sysctl to register the pernet_operations.

I think it will work well. ;)
> 
> Probably, you can use http://patchwork.ozlabs.org/patch/152096/ as
> reference.


