* [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-23 10:12 ` Pablo Neira Ayuso
2012-05-14 8:52 ` [PATCH 02/17] netfilter: add namespace support for l4proto Gao feng
` (17 subsequent siblings)
18 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
From: Gao feng <gaofeng@cn.fujitus.com>
The struct nf_proto_net stores the proto's ctl_table_header and ctl_table;
nf_ct_l4proto_(un)register_sysctl uses it to register the sysctl.
There are some changes to struct nf_conntrack_l4proto:
- add a compat field to identify whether this proto should do compat.
- the net_id field is used to store the pernet_operations id
that belongs to the l4proto.
- init_net will be used to initialise the proto's pernet data
and add init_net to struct nf_conntrack_l3proto too.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
---
include/net/netfilter/nf_conntrack_l3proto.h | 3 +++
include/net/netfilter/nf_conntrack_l4proto.h | 6 ++++++
include/net/netns/conntrack.h | 12 ++++++++++++
3 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index 9699c02..9766005 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -69,6 +69,9 @@ struct nf_conntrack_l3proto {
struct ctl_table *ctl_table;
#endif /* CONFIG_SYSCTL */
+ /* Init l3proto pernet data */
+ int (*init_net)(struct net *net);
+
/* Module (if any) which this is connected to. */
struct module *me;
};
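Review bot: the new `init_net` callback in struct nf_conntrack_l3proto has no stated contract. The comment "Init l3proto pernet data" doesn't say what the int return means (0 on success and a negative errno on failure, presumably), whether a tracker may leave it NULL, or how per-net data set up here is torn down when the namespace goes away; say so in the comment, and since nothing in this patch calls it, land the hunk together with the l3proto code that does.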
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 3b572bb..a90eab5 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -22,6 +22,8 @@ struct nf_conntrack_l4proto {
/* L4 Protocol number. */
u_int8_t l4proto;
+ u_int8_t compat;
+
/* Try to fill in the third arg: dataoff is offset past network protocol
hdr. Return true if possible. */
bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
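Review bot: `u_int8_t compat;` is added with no comment, so a reader of the header can't tell it means "this tracker owns the legacy compat sysctl table" rather than anything else called compat in the kernel. If the field survives review, comment it and consider `bool`; if it is only ever set where `.ctl_compat_table` is non-NULL, it repeats information the tracker already carries and can go.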
@@ -103,6 +105,10 @@ struct nf_conntrack_l4proto {
struct ctl_table *ctl_compat_table;
#endif
#endif
+ int *net_id;
+ /* Init l4proto pernet data */
+ int (*init_net)(struct net *net, u_int8_t compat);
+
/* Protocol name */
const char *name;
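Review bot: `int (*init_net)(struct net *net, u_int8_t compat);` takes a value that lives in the same struct the callback belongs to, so every caller must pass `l4proto->compat` by hand and a mismatch is silent; passing the `struct nf_conntrack_l4proto *` itself (or just `net`) and reading the flag inside removes that. `int *net_id;` also needs a comment: it holds a pointer to the pernet_operations id the commit message mentions, and the header should say who owns that storage, since a bare `int *` between a ctl table and a function pointer reads like an output parameter.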
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index a053a19..1f53038 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -8,6 +8,18 @@
struct ctl_table_header;
struct nf_conntrack_ecache;
+struct nf_proto_net {
+#ifdef CONFIG_SYSCTL
+ struct ctl_table_header *ctl_table_header;
+ struct ctl_table *ctl_table;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ struct ctl_table_header *ctl_compat_header;
+ struct ctl_table *ctl_compat_table;
+#endif
+#endif
+ unsigned int users;
+};
+
struct netns_ct {
atomic_t count;
unsigned int expect_count;
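Review bot: `unsigned int users;` carries no comment saying what it counts (trackers registered against this per-net instance, going by the discussion below) or what serialises its increments and decrements, and nothing in this patch touches it, so a reader can't check that register and unregister keep it balanced; comment it here and add the struct in the same patch as nf_ct_l4proto_(un)register_sysctl, as the maintainer asks below.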
--
1.7.7.6
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Pablo Neira Ayuso @ 2012-05-23 10:12 UTC
To: Gao feng
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On Mon, May 14, 2012 at 04:52:11PM +0800, Gao feng wrote:
> From: Gao feng <gaofeng@cn.fujitus.com>
>
> The struct nf_proto_net stores the proto's ctl_table_header and ctl_table;
> nf_ct_l4proto_(un)register_sysctl uses it to register the sysctl.
>
> There are some changes to struct nf_conntrack_l4proto:
> - add a compat field to identify whether this proto should do compat.
> - the net_id field is used to store the pernet_operations id
> that belongs to the l4proto.
> - init_net will be used to initialise the proto's pernet data
>
> and add init_net to struct nf_conntrack_l3proto too.
This patchset looks better but there are still things that we have to
resolve.
The first one (regarding this patch 1/17) changes in:
* include/net/netfilter/nf_conntrack_l4proto.h
* include/net/netns/conntrack.h
should be included in:
[PATCH] netfilter: add namespace support for l4proto
And changes in:
* include/net/netfilter/nf_conntrack_l3proto.h
should be included in:
[PATCH] netfilter: add namespace support for l3proto
I already told you. A patch that adds a structure without using it
is not good. The structure has to go together with the code that uses it.
More comments below.
> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
> ---
> include/net/netfilter/nf_conntrack_l3proto.h | 3 +++
> include/net/netfilter/nf_conntrack_l4proto.h | 6 ++++++
> include/net/netns/conntrack.h | 12 ++++++++++++
> 3 files changed, 21 insertions(+), 0 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
> index 9699c02..9766005 100644
> --- a/include/net/netfilter/nf_conntrack_l3proto.h
> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
> @@ -69,6 +69,9 @@ struct nf_conntrack_l3proto {
> struct ctl_table *ctl_table;
> #endif /* CONFIG_SYSCTL */
>
> + /* Init l3proto pernet data */
> + int (*init_net)(struct net *net);
> +
> /* Module (if any) which this is connected to. */
> struct module *me;
> };
> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> index 3b572bb..a90eab5 100644
> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> @@ -22,6 +22,8 @@ struct nf_conntrack_l4proto {
> /* L4 Protocol number. */
> u_int8_t l4proto;
>
> + u_int8_t compat;
I don't see why we need this new field.
It seems to be set to 1 in each structure that has set:
.ctl_compat_table
to non-NULL. So, it's redundant.
Moreover, you already know from the protocol tracker itself if you
have to allocate the compat ctl table or not.
In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
Then, you pass that compat value to generic_init_net via ->init_net
again, but this information (that determines if the compat has to be
done or not) is already in the scope of the protocol tracker.
You have to fix this.
> +
> /* Try to fill in the third arg: dataoff is offset past network protocol
> hdr. Return true if possible. */
> bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
> @@ -103,6 +105,10 @@ struct nf_conntrack_l4proto {
> struct ctl_table *ctl_compat_table;
> #endif
> #endif
> + int *net_id;
> + /* Init l4proto pernet data */
> + int (*init_net)(struct net *net, u_int8_t compat);
> +
> /* Protocol name */
> const char *name;
>
> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> index a053a19..1f53038 100644
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -8,6 +8,18 @@
> struct ctl_table_header;
> struct nf_conntrack_ecache;
>
> +struct nf_proto_net {
> +#ifdef CONFIG_SYSCTL
> + struct ctl_table_header *ctl_table_header;
> + struct ctl_table *ctl_table;
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> + struct ctl_table_header *ctl_compat_header;
> + struct ctl_table *ctl_compat_table;
> +#endif
> +#endif
> + unsigned int users;
> +};
> +
> struct netns_ct {
> atomic_t count;
> unsigned int expect_count;
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Gao feng @ 2012-05-24 1:35 UTC
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Hi Pablo,
On 2012-05-23 18:12, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2012 at 04:52:11PM +0800, Gao feng wrote:
>> From: Gao feng <gaofeng@cn.fujitus.com>
>>
>> The struct nf_proto_net stores the proto's ctl_table_header and ctl_table;
>> nf_ct_l4proto_(un)register_sysctl uses it to register the sysctl.
>>
>> There are some changes to struct nf_conntrack_l4proto:
>> - add a compat field to identify whether this proto should do compat.
>> - the net_id field is used to store the pernet_operations id
>> that belongs to the l4proto.
>> - init_net will be used to initialise the proto's pernet data
>>
>> and add init_net to struct nf_conntrack_l3proto too.
>
> This patchset looks better but there are still things that we have to
> resolve.
>
> The first one (regarding this patch 1/17) changes in:
> * include/net/netfilter/nf_conntrack_l4proto.h
> * include/net/netns/conntrack.h
>
> should be included in:
> [PATCH] netfilter: add namespace support for l4proto
>
> And changes in:
> * include/net/netfilter/nf_conntrack_l3proto.h
>
> should be included in:
> [PATCH] netfilter: add namespace support for l3proto
>
> I already told you. A patch that adds a structure without using it
> is not good. The structure has to go together with the code that uses it.
>
It seems this patch should be merged into "netfilter: add namespace support for l4proto";
the struct nf_proto_net is first used there.
> More comments below.
>
>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
>> ---
>> include/net/netfilter/nf_conntrack_l3proto.h | 3 +++
>> include/net/netfilter/nf_conntrack_l4proto.h | 6 ++++++
>> include/net/netns/conntrack.h | 12 ++++++++++++
>> 3 files changed, 21 insertions(+), 0 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
>> index 9699c02..9766005 100644
>> --- a/include/net/netfilter/nf_conntrack_l3proto.h
>> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
>> @@ -69,6 +69,9 @@ struct nf_conntrack_l3proto {
>> struct ctl_table *ctl_table;
>> #endif /* CONFIG_SYSCTL */
>>
>> + /* Init l3proto pernet data */
>> + int (*init_net)(struct net *net);
>> +
>> /* Module (if any) which this is connected to. */
>> struct module *me;
>> };
>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
>> index 3b572bb..a90eab5 100644
>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
>> @@ -22,6 +22,8 @@ struct nf_conntrack_l4proto {
>> /* L4 Protocol number. */
>> u_int8_t l4proto;
>>
>> + u_int8_t compat;
>
> I don't see why we need this new field.
>
> It seems to be set to 1 in each structure that has set:
>
> .ctl_compat_table
>
> to non-NULL. So, it's redundant.
>
> Moreover, you already know from the protocol tracker itself if you
> have to allocate the compat ctl table or not.
>
> In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
> Then, you pass that compat value to generic_init_net via ->init_net
> again, but this information (that determines if the compat has to be
> done or not) is already in the scope of the protocol tracker.
>
Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
field to identify whether we should kmemdup compat_sysctl_table.
And because protocols will have pernet ctl_compat_table and ctl_table, the .ctl_compat_table
field will be deleted in patch 15/17. So we need the new field compat.
Actually, we don't need to pass the compat value to generic_init_net, because
we know l4proto_generic needs compat. But considering there are l4proto_tcp(6), and in order to keep
the code readable, I prefer to add the compat field and pass it to init_net.
> You have to fix this.
>
>> +
>> /* Try to fill in the third arg: dataoff is offset past network protocol
>> hdr. Return true if possible. */
>> bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
>> @@ -103,6 +105,10 @@ struct nf_conntrack_l4proto {
>> struct ctl_table *ctl_compat_table;
>> #endif
>> #endif
>> + int *net_id;
>> + /* Init l4proto pernet data */
>> + int (*init_net)(struct net *net, u_int8_t compat);
>> +
>> /* Protocol name */
>> const char *name;
>>
>> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
>> index a053a19..1f53038 100644
>> --- a/include/net/netns/conntrack.h
>> +++ b/include/net/netns/conntrack.h
>> @@ -8,6 +8,18 @@
>> struct ctl_table_header;
>> struct nf_conntrack_ecache;
>>
>> +struct nf_proto_net {
>> +#ifdef CONFIG_SYSCTL
>> + struct ctl_table_header *ctl_table_header;
>> + struct ctl_table *ctl_table;
>> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> + struct ctl_table_header *ctl_compat_header;
>> + struct ctl_table *ctl_compat_table;
>> +#endif
>> +#endif
>> + unsigned int users;
>> +};
>> +
>> struct netns_ct {
>> atomic_t count;
>> unsigned int expect_count;
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Pablo Neira Ayuso @ 2012-05-24 9:58 UTC
To: Gao feng
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On Thu, May 24, 2012 at 09:35:50AM +0800, Gao feng wrote:
> Hi Pablo,
>
> On 2012-05-23 18:12, Pablo Neira Ayuso wrote:
> > On Mon, May 14, 2012 at 04:52:11PM +0800, Gao feng wrote:
> >> From: Gao feng <gaofeng@cn.fujitus.com>
> >>
> >> The struct nf_proto_net stores the proto's ctl_table_header and ctl_table;
> >> nf_ct_l4proto_(un)register_sysctl uses it to register the sysctl.
> >>
> >> There are some changes to struct nf_conntrack_l4proto:
> >> - add a compat field to identify whether this proto should do compat.
> >> - the net_id field is used to store the pernet_operations id
> >> that belongs to the l4proto.
> >> - init_net will be used to initialise the proto's pernet data
> >>
> >> and add init_net to struct nf_conntrack_l3proto too.
> >
> > This patchset looks better but there are still things that we have to
> > resolve.
> >
> > The first one (regarding this patch 1/17) changes in:
> > * include/net/netfilter/nf_conntrack_l4proto.h
> > * include/net/netns/conntrack.h
> >
> > should be included in:
> > [PATCH] netfilter: add namespace support for l4proto
> >
> > And changes in:
> > * include/net/netfilter/nf_conntrack_l3proto.h
> >
> > should be included in:
> > [PATCH] netfilter: add namespace support for l3proto
> >
> > I already told you. A patch that adds a structure without using it
> > is not good. The structure has to go together with the code that uses it.
> >
>
> It seems this patch should be merged into "netfilter: add namespace support for l4proto";
> the struct nf_proto_net is first used there.
>
> > More comments below.
> >
> >> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> >> Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
> >> ---
> >> include/net/netfilter/nf_conntrack_l3proto.h | 3 +++
> >> include/net/netfilter/nf_conntrack_l4proto.h | 6 ++++++
> >> include/net/netns/conntrack.h | 12 ++++++++++++
> >> 3 files changed, 21 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
> >> index 9699c02..9766005 100644
> >> --- a/include/net/netfilter/nf_conntrack_l3proto.h
> >> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
> >> @@ -69,6 +69,9 @@ struct nf_conntrack_l3proto {
> >> struct ctl_table *ctl_table;
> >> #endif /* CONFIG_SYSCTL */
> >>
> >> + /* Init l3proto pernet data */
> >> + int (*init_net)(struct net *net);
> >> +
> >> /* Module (if any) which this is connected to. */
> >> struct module *me;
> >> };
> >> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> >> index 3b572bb..a90eab5 100644
> >> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> >> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> >> @@ -22,6 +22,8 @@ struct nf_conntrack_l4proto {
> >> /* L4 Protocol number. */
> >> u_int8_t l4proto;
> >>
> >> + u_int8_t compat;
> >
> > I don't see why we need this new field.
> >
> > It seems to be set to 1 in each structure that has set:
> >
> > .ctl_compat_table
> >
> > to non-NULL. So, it's redundant.
> >
> > Moreover, you already know from the protocol tracker itself if you
> > have to allocate the compat ctl table or not.
> >
> > In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
> > Then, you pass that compat value to generic_init_net via ->init_net
> > again, but this information (that determines if the compat has to be
> > done or not) is already in the scope of the protocol tracker.
> >
>
> Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
> function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
> field to identify whether we should kmemdup compat_sysctl_table.
Then, could you use two init_net functions, one for TCP over IPv4 and another
for TCP over IPv6?
> And because protocols will have pernet ctl_compat_table and ctl_table, the .ctl_compat_table
> field will be deleted in patch 15/17. So we need the new field compat.
>
> Actually, we don't need to pass the compat value to generic_init_net, because
> we know l4proto_generic needs compat. But considering there are l4proto_tcp(6), and in order to keep
> the code readable, I prefer to add the compat field and pass it to init_net.
>
> > You have to fix this.
> >
> >> +
> >> /* Try to fill in the third arg: dataoff is offset past network protocol
> >> hdr. Return true if possible. */
> >> bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
> >> @@ -103,6 +105,10 @@ struct nf_conntrack_l4proto {
> >> struct ctl_table *ctl_compat_table;
> >> #endif
> >> #endif
> >> + int *net_id;
> >> + /* Init l4proto pernet data */
> >> + int (*init_net)(struct net *net, u_int8_t compat);
> >> +
> >> /* Protocol name */
> >> const char *name;
> >>
> >> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> >> index a053a19..1f53038 100644
> >> --- a/include/net/netns/conntrack.h
> >> +++ b/include/net/netns/conntrack.h
> >> @@ -8,6 +8,18 @@
> >> struct ctl_table_header;
> >> struct nf_conntrack_ecache;
> >>
> >> +struct nf_proto_net {
> >> +#ifdef CONFIG_SYSCTL
> >> + struct ctl_table_header *ctl_table_header;
> >> + struct ctl_table *ctl_table;
> >> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> >> + struct ctl_table_header *ctl_compat_header;
> >> + struct ctl_table *ctl_compat_table;
> >> +#endif
> >> +#endif
> >> + unsigned int users;
> >> +};
> >> +
> >> struct netns_ct {
> >> atomic_t count;
> >> unsigned int expect_count;
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Gao feng @ 2012-05-24 10:54 UTC
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On 2012-05-24 17:58, Pablo Neira Ayuso wrote:
> On Thu, May 24, 2012 at 09:35:50AM +0800, Gao feng wrote:
>> Hi Pablo,
>>
>> On 2012-05-23 18:12, Pablo Neira Ayuso wrote:
>>> On Mon, May 14, 2012 at 04:52:11PM +0800, Gao feng wrote:
>>>> From: Gao feng <gaofeng@cn.fujitus.com>
>>>>
>>>> The struct nf_proto_net stores the proto's ctl_table_header and ctl_table;
>>>> nf_ct_l4proto_(un)register_sysctl uses it to register the sysctl.
>>>>
>>>> There are some changes to struct nf_conntrack_l4proto:
>>>> - add a compat field to identify whether this proto should do compat.
>>>> - the net_id field is used to store the pernet_operations id
>>>> that belongs to the l4proto.
>>>> - init_net will be used to initialise the proto's pernet data
>>>>
>>>> and add init_net to struct nf_conntrack_l3proto too.
>>>
>>> This patchset looks better but there are still things that we have to
>>> resolve.
>>>
>>> The first one (regarding this patch 1/17) changes in:
>>> * include/net/netfilter/nf_conntrack_l4proto.h
>>> * include/net/netns/conntrack.h
>>>
>>> should be included in:
>>> [PATCH] netfilter: add namespace support for l4proto
>>>
>>> And changes in:
>>> * include/net/netfilter/nf_conntrack_l3proto.h
>>>
>>> should be included in:
>>> [PATCH] netfilter: add namespace support for l3proto
>>>
>>> I already told you. A patch that adds a structure without using it
>>> is not good. The structure has to go together with the code that uses it.
>>>
>>
>> It seems this patch should be merged into "netfilter: add namespace support for l4proto";
>> the struct nf_proto_net is first used there.
>>
>>> More comments below.
>>>
>>>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>>>> Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
>>>> ---
>>>> include/net/netfilter/nf_conntrack_l3proto.h | 3 +++
>>>> include/net/netfilter/nf_conntrack_l4proto.h | 6 ++++++
>>>> include/net/netns/conntrack.h | 12 ++++++++++++
>>>> 3 files changed, 21 insertions(+), 0 deletions(-)
>>>>
>>>> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
>>>> index 9699c02..9766005 100644
>>>> --- a/include/net/netfilter/nf_conntrack_l3proto.h
>>>> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
>>>> @@ -69,6 +69,9 @@ struct nf_conntrack_l3proto {
>>>> struct ctl_table *ctl_table;
>>>> #endif /* CONFIG_SYSCTL */
>>>>
>>>> + /* Init l3proto pernet data */
>>>> + int (*init_net)(struct net *net);
>>>> +
>>>> /* Module (if any) which this is connected to. */
>>>> struct module *me;
>>>> };
>>>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
>>>> index 3b572bb..a90eab5 100644
>>>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
>>>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
>>>> @@ -22,6 +22,8 @@ struct nf_conntrack_l4proto {
>>>> /* L4 Protocol number. */
>>>> u_int8_t l4proto;
>>>>
>>>> + u_int8_t compat;
>>>
>>> I don't see why we need this new field.
>>>
>>> It seems to be set to 1 in each structure that has set:
>>>
>>> .ctl_compat_table
>>>
>>> to non-NULL. So, it's redundant.
>>>
>>> Moreover, you already know from the protocol tracker itself if you
>>> have to allocate the compat ctl table or not.
>>>
>>> In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
>>> Then, you pass that compat value to generic_init_net via ->init_net
>>> again, but this information (that determines if the compat has to be
>>> done or not) is already in the scope of the protocol tracker.
>>>
>>
>> Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
>> function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
>> field to identify whether we should kmemdup compat_sysctl_table.
>
> Then, could you use two init_net functions, one for TCP over IPv4 and another
> for TCP over IPv6?
Of course, if you prefer to implement it in this way.
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Pablo Neira Ayuso @ 2012-05-24 14:38 UTC
To: Gao feng
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On Thu, May 24, 2012 at 06:54:42PM +0800, Gao feng wrote:
[...]
> >>> I don't see why we need this new field.
> >>>
> >>> It seems to be set to 1 in each structure that has set:
> >>>
> >>> .ctl_compat_table
> >>>
> >>> to non-NULL. So, it's redundant.
> >>>
> >>> Moreover, you already know from the protocol tracker itself if you
> >>> have to allocate the compat ctl table or not.
> >>>
> >>> In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
> >>> Then, you pass that compat value to generic_init_net via ->init_net
> >>> again, but this information (that determines if the compat has to be
> >>> done or not) is already in the scope of the protocol tracker.
> >>>
> >>
> >> Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
> >> function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
> >> field to identify whether we should kmemdup compat_sysctl_table.
> >
> > Then, could you use two init_net functions, one for TCP over IPv4 and another
> > for TCP over IPv6?
>
> Of course, if you prefer to implement it in this way.
If this removes the .compat field that you added, then use two
init_net functions, yes.
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Gao feng @ 2012-05-25 1:05 UTC
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On 2012-05-24 22:38, Pablo Neira Ayuso wrote:
> On Thu, May 24, 2012 at 06:54:42PM +0800, Gao feng wrote:
> [...]
>>>>> I don't see why we need this new field.
>>>>>
>>>>> It seems to be set to 1 in each structure that has set:
>>>>>
>>>>> .ctl_compat_table
>>>>>
>>>>> to non-NULL. So, it's redundant.
>>>>>
>>>>> Moreover, you already know from the protocol tracker itself if you
>>>>> have to allocate the compat ctl table or not.
>>>>>
>>>>> In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
>>>>> Then, you pass that compat value to generic_init_net via ->init_net
>>>>> again, but this information (that determines if the compat has to be
>>>>> done or not) is already in the scope of the protocol tracker.
>>>>>
>>>>
>>>> Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
>>>> function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
>>>> field to identify whether we should kmemdup compat_sysctl_table.
>>>
>>> Then, could you use two init_net functions, one for TCP over IPv4 and another
>>> for TCP over IPv6?
>>
>> Of course, if you prefer to implement it in this way.
>
> If this removes the .compat field that you added, then use two
> init_net functions, yes.
Sorry, I missed something.
nf_ct_l4proto_unregister_sysctl also uses .compat to identify whether we
can unregister the compat sysctl.
If we register both l4proto_tcp and l4proto_tcp6, then without .compat,
when unregistering l4proto_tcp6 the compat sysctl will be unregistered too.
So maybe we have to use .compat.
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Pablo Neira Ayuso @ 2012-05-25 2:54 UTC
To: Gao feng
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On Fri, May 25, 2012 at 09:05:34AM +0800, Gao feng wrote:
> On 2012-05-24 22:38, Pablo Neira Ayuso wrote:
> > On Thu, May 24, 2012 at 06:54:42PM +0800, Gao feng wrote:
> > [...]
> >>>>> I don't see why we need this new field.
> >>>>>
> >>>>> It seems to be set to 1 in each structure that has set:
> >>>>>
> >>>>> .ctl_compat_table
> >>>>>
> >>>>> to non-NULL. So, it's redundant.
> >>>>>
> >>>>> Moreover, you already know from the protocol tracker itself if you
> >>>>> have to allocate the compat ctl table or not.
> >>>>>
> >>>>> In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
> >>>>> Then, you pass that compat value to generic_init_net via ->init_net
> >>>>> again, but this information (that determines if the compat has to be
> >>>>> done or not) is already in the scope of the protocol tracker.
> >>>>>
> >>>>
> >>>> Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
> >>>> function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
> >>>> field to identify whether we should kmemdup compat_sysctl_table.
> >>>
> >>> Then, could you use two init_net functions, one for TCP over IPv4 and another
> >>> for TCP over IPv6?
> >>
> >> Of course, if you prefer to implement it in this way.
> >
> > If this removes the .compat field that you added, then use two
> > init_net functions, yes.
>
> Sorry, I missed something.
>
> nf_ct_l4proto_unregister_sysctl also uses .compat to identify whether we
> can unregister the compat sysctl.
>
> If we register both l4proto_tcp and l4proto_tcp6, then without .compat,
> when unregistering l4proto_tcp6 the compat sysctl will be unregistered too.
>
> So maybe we have to use .compat.
Could you resolve this by checking pn->ctl_compat_header != NULL ?
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
From: Gao feng @ 2012-05-25 6:02 UTC
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On 2012-05-25 10:54, Pablo Neira Ayuso wrote:
> On Fri, May 25, 2012 at 09:05:34AM +0800, Gao feng wrote:
>> On 2012-05-24 22:38, Pablo Neira Ayuso wrote:
>>> On Thu, May 24, 2012 at 06:54:42PM +0800, Gao feng wrote:
>>> [...]
>>>>>>> I don't see why we need this new field.
>>>>>>>
>>>>>>> It seems to be set to 1 in each structure that has set:
>>>>>>>
>>>>>>> .ctl_compat_table
>>>>>>>
>>>>>>> to non-NULL. So, it's redundant.
>>>>>>>
>>>>>>> Moreover, you already know from the protocol tracker itself if you
>>>>>>> have to allocate the compat ctl table or not.
>>>>>>>
>>>>>>> In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
>>>>>>> Then, you pass that compat value to generic_init_net via ->init_net
>>>>>>> again, but this information (that determines if the compat has to be
>>>>>>> done or not) is already in the scope of the protocol tracker.
>>>>>>>
>>>>>>
>>>>>> Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
>>>>>> function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
>>>>>> field to identify whether we should kmemdup compat_sysctl_table.
>>>>>
>>>>> Then, could you use two init_net functions, one for TCP over IPv4 and another
>>>>> for TCP over IPv6?
>>>>
>>>> Of course, if you prefer to implement it in this way.
>>>
>>> If this removes the .compat field that you added, then use two
>>> init_net functions, yes.
>>
>> Sorry, I missed something.
>>
>> nf_ct_l4proto_unregister_sysctl also uses .compat to identify whether we
>> can unregister the compat sysctl.
>>
>> If we register both l4proto_tcp and l4proto_tcp6, then without .compat,
>> when l4proto_tcp6 is unregistered, the compat sysctl will be unregistered too.
>>
>> So maybe we have to use .compat.
>
> Could you resolve this by checking pn->ctl_compat_header != NULL ?
pn->ctl_table_header and ctl_compat_header are shared by l4proto_tcp and l4proto_tcp6.
If we register both l4proto_tcp and l4proto_tcp6, then when l4proto_tcp6 is unregistered,
pn->ctl_compat_header cannot be NULL.
--
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
2012-05-25 6:02 ` Gao feng
@ 2012-05-26 2:28 ` Gao feng
2012-05-28 9:53 ` Pablo Neira Ayuso
0 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-26 2:28 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On 2012-05-25 14:02, Gao feng wrote:
> On 2012-05-25 10:54, Pablo Neira Ayuso wrote:
>> On Fri, May 25, 2012 at 09:05:34AM +0800, Gao feng wrote:
>>> On 2012-05-24 22:38, Pablo Neira Ayuso wrote:
>>>> On Thu, May 24, 2012 at 06:54:42PM +0800, Gao feng wrote:
>>>> [...]
>>>>>>>> I don't see why we need this new field.
>>>>>>>>
>>>>>>>> It seems to be set to 1 in each structure that has set:
>>>>>>>>
>>>>>>>> .ctl_compat_table
>>>>>>>>
>>>>>>>> to non-NULL. So, it's redundant.
>>>>>>>>
>>>>>>>> Moreover, you already know from the protocol tracker itself if you
>>>>>>>> have to allocate the compat ctl table or not.
>>>>>>>>
>>>>>>>> In other words: You set compat to 1 for nf_conntrack_l4proto_generic.
>>>>>>>> Then, you pass that compat value to generic_init_net via ->inet_net
>>>>>>>> again, but this information (that determines if the compat has to be
>>>>>>>> done or not) is already in the scope of the protocol tracker.
>>>>>>>>
>>>>>>>
>>>>>>> Because some protocols, such as l4proto_tcp6 and l4proto_tcp, use the same init_net
>>>>>>> function. l4proto_tcp6 doesn't need the compat sysctl, so we should use this new
>>>>>>> field to identify whether we should kmemdup compat_sysctl_table.
>>>>>>
>>>>>> Then, could you use two init_net functions? one for TCP for IPv4 and another
>>>>>> for TCP for IPv6?
>>>>>
>>>>> Of course, if you prefer to implement it in this way.
>>>>
>>>> If this removes the .compat field that you added, then use two
>>>> init_net functions, yes.
>>>
>>> Sorry, I missed something.
>>>
>>> nf_ct_l4proto_unregister_sysctl also uses .compat to identify whether we
>>> can unregister the compat sysctl.
>>>
>>> If we register both l4proto_tcp and l4proto_tcp6, then without .compat,
>>> when l4proto_tcp6 is unregistered, the compat sysctl will be unregistered too.
>>>
>>> So maybe we have to use .compat.
>>
>> Could you resolve this by checking pn->ctl_compat_header != NULL ?
>
> pn->ctl_table_header and ctl_compat_header are shared by l4proto_tcp and l4proto_tcp6.
> If we register both l4proto_tcp and l4proto_tcp6, then when l4proto_tcp6 is unregistered,
> pn->ctl_compat_header cannot be NULL.
>
Maybe we can resolve this by checking nf_conntrack_l4proto.l3proto == AF_INET && pn->ctl_compat_header != NULL,
because the compat sysctl is registered by AF_INET's protos only.
--
* Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl
2012-05-26 2:28 ` Gao feng
@ 2012-05-28 9:53 ` Pablo Neira Ayuso
0 siblings, 0 replies; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-28 9:53 UTC (permalink / raw)
To: Gao feng
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On Sat, May 26, 2012 at 10:28:33AM +0800, Gao feng wrote:
> On 2012-05-25 14:02, Gao feng wrote:
> > On 2012-05-25 10:54, Pablo Neira Ayuso wrote:
[...]
> >> Could you resolve this by checking pn->ctl_compat_header != NULL ?
> >
> > pn->ctl_table_header and ctl_compat_header are shared by l4proto_tcp and l4proto_tcp6.
> > If we register both l4proto_tcp and l4proto_tcp6, then when l4proto_tcp6 is unregistered,
> > pn->ctl_compat_header cannot be NULL.
> >
>
> Maybe we can resolve this by checking nf_conntrack_l4proto.l3proto == AF_INET && pn->ctl_compat_header != NULL,
> because the compat sysctl is registered by AF_INET's protos only.
OK, as long as it removes the compat field, I prefer it.
--
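The situation argued over in the messages above (tcp4 and tcp6 sharing one nf_proto_net, so that a plain `ctl_compat_header != NULL` test tears the compat sysctl down when tcp6 is unregistered, while the `l3proto == AF_INET` check keeps it) can be replayed in user space. The block below is an added example, not code from the patch series or from the kernel: the struct and function names follow the thread, register_net_sysctl() and kfree() are replaced by calloc()/free() stand-ins, the AF_INET/AF_INET6 constants are assumed values used only for comparison, and the `check_l3proto` switch is an assumption introduced so both unregister rules can be run side by side.

```c
/* Added example, not code from the patch series: a user-space model of the
 * per-netns sysctl registration shared by tcp4 and tcp6 as discussed above.
 * Names follow the thread; register_net_sysctl()/kfree() are replaced by
 * calloc()/free() stand-ins, and the check_l3proto switch is an assumption
 * added so both unregister rules can be compared. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define MODEL_AF_INET  2	/* assumed values, only ever compared */
#define MODEL_AF_INET6 10

struct ctl_table { const char *procname; };
struct ctl_table_header { int live; };

/* Model of struct nf_proto_net: one instance is shared by tcp4 and tcp6. */
struct nf_proto_net {
	struct ctl_table_header *ctl_table_header;
	struct ctl_table *ctl_table;
	struct ctl_table_header *ctl_compat_header;
	struct ctl_table *ctl_compat_table;
	unsigned int users;
};

struct nf_conntrack_l4proto {
	unsigned short l3proto;
	struct nf_proto_net *pn;	/* stands in for net_generic(net, *net_id) */
};

/* Same shape as the patch: register once, count users. */
static int nf_ct_register_sysctl(struct ctl_table_header **header, unsigned int *users)
{
	if (*header == NULL) {
		*header = calloc(1, sizeof(**header));	/* register_net_sysctl() stand-in */
		if (*header == NULL)
			return -ENOMEM;
	}
	if (users != NULL)
		(*users)++;
	return 0;
}

/* Same shape as the patch: header and table go away with the last user. */
static void nf_ct_unregister_sysctl(struct ctl_table_header **header,
				    struct ctl_table **table, unsigned int *users)
{
	if (users != NULL && --*users > 0)
		return;
	free(*header);
	free(*table);
	*header = NULL;
	*table = NULL;
}

/* The compat sysctl is registered by the AF_INET tracker only. */
static int l4proto_register_sysctl(struct nf_conntrack_l4proto *p)
{
	struct nf_proto_net *pn = p->pn;
	int err = 0;

	if (pn->ctl_table != NULL) {
		err = nf_ct_register_sysctl(&pn->ctl_table_header, &pn->users);
		if (err < 0)
			return err;
	}
	if (p->l3proto == MODEL_AF_INET && pn->ctl_compat_table != NULL) {
		err = nf_ct_register_sysctl(&pn->ctl_compat_header, NULL);
		if (err < 0)
			nf_ct_unregister_sysctl(&pn->ctl_table_header, &pn->ctl_table, &pn->users);
	}
	return err;
}

/* check_l3proto == 0: tear down compat whenever ctl_compat_header != NULL.
 * check_l3proto == 1: additionally require l3proto == AF_INET, as proposed. */
static void l4proto_unregister_sysctl(struct nf_conntrack_l4proto *p, int check_l3proto)
{
	struct nf_proto_net *pn = p->pn;

	if (pn->ctl_table_header != NULL)
		nf_ct_unregister_sysctl(&pn->ctl_table_header, &pn->ctl_table, &pn->users);
	if (pn->ctl_compat_header != NULL && (!check_l3proto || p->l3proto == MODEL_AF_INET))
		nf_ct_unregister_sysctl(&pn->ctl_compat_header, &pn->ctl_compat_table, NULL);
}

/* Register tcp4 and tcp6 on one shared pn (tables heap-allocated, as the
 * kmemdup in a real init_net hook would), unregister tcp6, and report whether
 * tcp4's compat header is still registered: 1 if it survived, 0 if tcp6's
 * unregister tore it down, -ENOMEM on allocation failure. */
int compat_survives_tcp6_unregister(int check_l3proto)
{
	struct nf_proto_net pn = { NULL, NULL, NULL, NULL, 0 };
	struct nf_conntrack_l4proto tcp4 = { MODEL_AF_INET, &pn };
	struct nf_conntrack_l4proto tcp6 = { MODEL_AF_INET6, &pn };
	int survived;

	pn.ctl_table = calloc(1, sizeof(*pn.ctl_table));
	pn.ctl_compat_table = calloc(1, sizeof(*pn.ctl_compat_table));
	if (pn.ctl_table == NULL || pn.ctl_compat_table == NULL ||
	    l4proto_register_sysctl(&tcp4) < 0 || l4proto_register_sysctl(&tcp6) < 0) {
		free(pn.ctl_table);
		free(pn.ctl_compat_table);
		return -ENOMEM;
	}
	/* Both trackers now share one header; pn.users is 2. */
	l4proto_unregister_sysctl(&tcp6, check_l3proto);
	survived = pn.ctl_compat_header != NULL;
	l4proto_unregister_sysctl(&tcp4, check_l3proto);
	return survived;
}
```

Running `compat_survives_tcp6_unregister(0)` returns 0: with the header-only test, unregistering tcp6 frees the compat table that tcp4 still needs, which is exactly the problem described above. With `check_l3proto` set it returns 1, and the last unregister (tcp4, users dropping to 0) is the one that frees both tables, so nothing leaks in either variant.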
* [PATCH 02/17] netfilter: add namespace support for l4proto
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-14 8:52 ` [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-23 10:25 ` Pablo Neira Ayuso
2012-05-14 8:52 ` [PATCH 03/17] netfilter: add namespace support for l3proto Gao feng
` (16 subsequent siblings)
18 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
From: Gao feng <gaofeng@cn.fujitus.com>
-nf_ct_(un)register_sysctl are changed to support net namespaces;
(un)register_net_sysctl_table replaces (un)register_sysctl_paths,
and nf_ct_unregister_sysctl kfrees the table only when users is 0.
-Add struct net as a param of nf_conntrack_l4proto_(un)register;
register or unregister the l4proto only when the net is init_net.
-nf_conntrack_l4proto_register calls init_net to initialize the pernet
data of the l4proto.
-nf_ct_l4proto_net is used to get the pernet data of the l4proto.
-Use init_net as a param of nf_conntrack_l4proto_(un)register.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
---
include/net/netfilter/nf_conntrack_l4proto.h | 13 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 18 +-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 +-
net/netfilter/nf_conntrack_proto.c | 245 ++++++++++++++----------
net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
net/netfilter/nf_conntrack_proto_gre.c | 6 +-
net/netfilter/nf_conntrack_proto_sctp.c | 10 +-
net/netfilter/nf_conntrack_proto_udplite.c | 10 +-
8 files changed, 191 insertions(+), 139 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index a90eab5..a93dcd5 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -12,7 +12,7 @@
#include <linux/netlink.h>
#include <net/netlink.h>
#include <net/netfilter/nf_conntrack.h>
-
+#include <net/netns/generic.h>
struct seq_file;
struct nf_conntrack_l4proto {
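Review bot: the blank line separating the include block from `struct seq_file;` is dropped by this hunk (the removed empty line is replaced by `+#include <net/netns/generic.h>`); keep one blank line after the new include so the header layout stays as it was.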
@@ -129,8 +129,15 @@ nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto);
extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p);
/* Protocol registration. */
-extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto);
-extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
+extern int nf_conntrack_l4proto_register(struct net *net,
+ struct nf_conntrack_l4proto *proto);
+extern void nf_conntrack_l4proto_unregister(struct net *net,
+ struct nf_conntrack_l4proto *proto);
+
+extern int nf_ct_l4proto_register_sysctl(struct net *net,
+ struct nf_conntrack_l4proto *l4proto);
+extern void nf_ct_l4proto_unregister_sysctl(struct net *net,
+ struct nf_conntrack_l4proto *l4proto);
/* Generic netlink helpers */
extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
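Review bot: nf_ct_l4proto_register_sysctl() and nf_ct_l4proto_unregister_sysctl() are exported through the header without any comment on when a caller should use them directly, given that nf_conntrack_l4proto_register() already calls nf_ct_l4proto_register_sysctl() itself. A two-line comment saying that they are for a tracker's own pernet init/exit in non-init namespaces, and that every register must be paired with an unregister because the shared `users` count is what keeps the table alive, would save the next reader a trip into nf_conntrack_proto.c.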
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 91747d4..46ec515 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -391,19 +391,19 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
return ret;
}
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp4);
if (ret < 0) {
pr_err("nf_conntrack_ipv4: can't register tcp.\n");
goto cleanup_sockopt;
}
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp4);
if (ret < 0) {
pr_err("nf_conntrack_ipv4: can't register udp.\n");
goto cleanup_tcp;
}
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmp);
if (ret < 0) {
pr_err("nf_conntrack_ipv4: can't register icmp.\n");
goto cleanup_udp;
@@ -434,11 +434,11 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
cleanup_ipv4:
nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
cleanup_icmp:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
cleanup_udp:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
cleanup_tcp:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
cleanup_sockopt:
nf_unregister_sockopt(&so_getorigdst);
return ret;
@@ -452,9 +452,9 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
#endif
nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
nf_unregister_sockopt(&so_getorigdst);
}
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index fe925e4..55f379f 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -341,19 +341,19 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
need_conntrack();
nf_defrag_ipv6_enable();
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp6);
if (ret < 0) {
pr_err("nf_conntrack_ipv6: can't register tcp.\n");
return ret;
}
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp6);
if (ret < 0) {
pr_err("nf_conntrack_ipv6: can't register udp.\n");
goto cleanup_tcp;
}
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmpv6);
if (ret < 0) {
pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
goto cleanup_udp;
@@ -377,11 +377,11 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
cleanup_ipv6:
nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
cleanup_icmpv6:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
cleanup_udp:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
cleanup_tcp:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
return ret;
}
@@ -390,9 +390,9 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
synchronize_net();
nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
}
module_init(nf_conntrack_l3proto_ipv6_init);
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 8b631b0..6d68727 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -35,30 +35,39 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
static DEFINE_MUTEX(nf_ct_proto_mutex);
#ifdef CONFIG_SYSCTL
-static int
-nf_ct_register_sysctl(struct ctl_table_header **header, const char *path,
- struct ctl_table *table, unsigned int *users)
+int
+nf_ct_register_sysctl(struct net *net,
+ struct ctl_table_header **header,
+ const char *path,
+ struct ctl_table *table,
+ unsigned int *users)
{
if (*header == NULL) {
- *header = register_net_sysctl(&init_net, path, table);
+ *header = register_net_sysctl(net, path, table);
if (*header == NULL)
return -ENOMEM;
}
if (users != NULL)
(*users)++;
+
return 0;
}
+EXPORT_SYMBOL_GPL(nf_ct_register_sysctl);
-static void
+void
nf_ct_unregister_sysctl(struct ctl_table_header **header,
- struct ctl_table *table, unsigned int *users)
+ struct ctl_table **table,
+ unsigned int *users)
{
if (users != NULL && --*users > 0)
return;
unregister_net_sysctl_table(*header);
+ kfree(*table);
*header = NULL;
+ *table = NULL;
}
+EXPORT_SYMBOL_GPL(nf_ct_unregister_sysctl);
#endif
struct nf_conntrack_l4proto *
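Review bot: nf_ct_unregister_sysctl() now kfree()s `*table` unconditionally once the last user is gone, so every table handed to it must be heap-allocated; the l3proto path in this same patch passes `&l3proto->ctl_table`, so please confirm that the l3proto tables are already kmemdup'ed at this point in the series, otherwise that call frees a static array. Related: nf_ct_register_sysctl() bumps `*users` even when `*header` was already set, which is what lets tcp4 and tcp6 share one header, but it means the table pointer is owned by the shared pn rather than by either tracker; a comment above the function stating that ownership rule would make the kfree() safe to reason about.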
@@ -167,7 +176,8 @@ static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
#ifdef CONFIG_SYSCTL
if (l3proto->ctl_table != NULL) {
- err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
+ err = nf_ct_register_sysctl(&init_net,
+ &l3proto->ctl_table_header,
l3proto->ctl_table_path,
l3proto->ctl_table, NULL);
}
@@ -180,7 +190,7 @@ static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto
#ifdef CONFIG_SYSCTL
if (l3proto->ctl_table_header != NULL)
nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
- l3proto->ctl_table, NULL);
+ &l3proto->ctl_table, NULL);
#endif
}
@@ -243,137 +253,172 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
}
EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
-static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
+static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
+ struct nf_conntrack_l4proto *l4proto)
{
- int err = 0;
+ if (l4proto->net_id)
+ return net_generic(net, *l4proto->net_id);
+ else
+ return NULL;
+}
+int nf_ct_l4proto_register_sysctl(struct net *net,
+ struct nf_conntrack_l4proto *l4proto)
+{
+ int err = 0;
+ struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
+ if (pn == NULL)
+ return 0;
#ifdef CONFIG_SYSCTL
- if (l4proto->ctl_table != NULL) {
- err = nf_ct_register_sysctl(l4proto->ctl_table_header,
+ if (pn->ctl_table != NULL) {
+ err = nf_ct_register_sysctl(net,
+ &pn->ctl_table_header,
"net/netfilter",
- l4proto->ctl_table,
- l4proto->ctl_table_users);
- if (err < 0)
+ pn->ctl_table,
+ &pn->users);
+ if (err < 0) {
+ kfree(pn->ctl_table);
+ pn->ctl_table = NULL;
goto out;
+ }
}
#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- if (l4proto->ctl_compat_table != NULL) {
- err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
+ if (l4proto->compat && pn->ctl_compat_table != NULL) {
+ err = nf_ct_register_sysctl(net,
+ &pn->ctl_compat_header,
"net/ipv4/netfilter",
- l4proto->ctl_compat_table, NULL);
+ pn->ctl_compat_table,
+ NULL);
if (err == 0)
goto out;
- nf_ct_unregister_sysctl(l4proto->ctl_table_header,
- l4proto->ctl_table,
- l4proto->ctl_table_users);
+
+ kfree(pn->ctl_compat_table);
+ pn->ctl_compat_table = NULL;
+ nf_ct_unregister_sysctl(&pn->ctl_table_header,
+ &pn->ctl_table,
+ &pn->users);
}
#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
out:
#endif /* CONFIG_SYSCTL */
return err;
}
+EXPORT_SYMBOL_GPL(nf_ct_l4proto_register_sysctl);
-static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
+void nf_ct_l4proto_unregister_sysctl(struct net *net,
+ struct nf_conntrack_l4proto *l4proto)
{
+ struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
+ if (pn == NULL)
+ return;
#ifdef CONFIG_SYSCTL
- if (l4proto->ctl_table_header != NULL &&
- *l4proto->ctl_table_header != NULL)
- nf_ct_unregister_sysctl(l4proto->ctl_table_header,
- l4proto->ctl_table,
- l4proto->ctl_table_users);
+ if (pn->ctl_table_header != NULL)
+ nf_ct_unregister_sysctl(&pn->ctl_table_header,
+ &pn->ctl_table,
+ &pn->users);
+
#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- if (l4proto->ctl_compat_table_header != NULL)
- nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
- l4proto->ctl_compat_table, NULL);
+ if (l4proto->compat && pn->ctl_compat_header != NULL)
+ nf_ct_unregister_sysctl(&pn->ctl_compat_header,
+ &pn->ctl_compat_table,
+ NULL);
#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
+#else
+ pn->users--;
#endif /* CONFIG_SYSCTL */
}
+EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister_sysctl);
/* FIXME: Allow NULL functions and sub in pointers to generic for
them. --RR */
-int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
+int nf_conntrack_l4proto_register(struct net *net,
+ struct nf_conntrack_l4proto *l4proto)
{
int ret = 0;
- if (l4proto->l3proto >= PF_MAX)
- return -EBUSY;
-
- if ((l4proto->to_nlattr && !l4proto->nlattr_size)
- || (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
- return -EINVAL;
-
- mutex_lock(&nf_ct_proto_mutex);
- if (!nf_ct_protos[l4proto->l3proto]) {
- /* l3proto may be loaded latter. */
- struct nf_conntrack_l4proto __rcu **proto_array;
- int i;
-
- proto_array = kmalloc(MAX_NF_CT_PROTO *
- sizeof(struct nf_conntrack_l4proto *),
- GFP_KERNEL);
- if (proto_array == NULL) {
- ret = -ENOMEM;
+ if (net == &init_net) {
+ if (l4proto->l3proto >= PF_MAX)
+ return -EBUSY;
+
+ if ((l4proto->to_nlattr && !l4proto->nlattr_size)
+ || (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
+ return -EINVAL;
+
+ mutex_lock(&nf_ct_proto_mutex);
+ if (!nf_ct_protos[l4proto->l3proto]) {
+ /* l3proto may be loaded latter. */
+ struct nf_conntrack_l4proto __rcu **proto_array;
+ int i;
+
+ proto_array = kmalloc(MAX_NF_CT_PROTO *
+ sizeof(struct nf_conntrack_l4proto *),
+ GFP_KERNEL);
+ if (proto_array == NULL) {
+ ret = -ENOMEM;
+ goto out_unlock;
+ }
+
+ for (i = 0; i < MAX_NF_CT_PROTO; i++)
+ RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
+
+ /* Before making proto_array visible to lockless readers,
+ * we must make sure its content is committed to memory.
+ */
+ smp_wmb();
+
+ nf_ct_protos[l4proto->l3proto] = proto_array;
+ } else if (rcu_dereference_protected(
+ nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+ lockdep_is_held(&nf_ct_proto_mutex)
+ ) != &nf_conntrack_l4proto_generic) {
+ ret = -EBUSY;
goto out_unlock;
}
- for (i = 0; i < MAX_NF_CT_PROTO; i++)
- RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
-
- /* Before making proto_array visible to lockless readers,
- * we must make sure its content is committed to memory.
- */
- smp_wmb();
-
- nf_ct_protos[l4proto->l3proto] = proto_array;
- } else if (rcu_dereference_protected(
- nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
- lockdep_is_held(&nf_ct_proto_mutex)
- ) != &nf_conntrack_l4proto_generic) {
- ret = -EBUSY;
- goto out_unlock;
- }
-
- ret = nf_ct_l4proto_register_sysctl(l4proto);
- if (ret < 0)
- goto out_unlock;
-
- l4proto->nla_size = 0;
- if (l4proto->nlattr_size)
- l4proto->nla_size += l4proto->nlattr_size();
- if (l4proto->nlattr_tuple_size)
- l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();
-
- rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
- l4proto);
+ l4proto->nla_size = 0;
+ if (l4proto->nlattr_size)
+ l4proto->nla_size += l4proto->nlattr_size();
+ if (l4proto->nlattr_tuple_size)
+ l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();
+ rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+ l4proto);
out_unlock:
- mutex_unlock(&nf_ct_proto_mutex);
- return ret;
+ mutex_unlock(&nf_ct_proto_mutex);
+ if (ret < 0)
+ return ret;
+ }
+ if (l4proto->init_net) {
+ ret = l4proto->init_net(net, l4proto->compat);
+ if (ret < 0)
+ return ret;
+ }
+ return nf_ct_l4proto_register_sysctl(net, l4proto);
}
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register);
-void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
+void nf_conntrack_l4proto_unregister(struct net *net,
+ struct nf_conntrack_l4proto *l4proto)
{
- struct net *net;
-
- BUG_ON(l4proto->l3proto >= PF_MAX);
-
- mutex_lock(&nf_ct_proto_mutex);
- BUG_ON(rcu_dereference_protected(
- nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
- lockdep_is_held(&nf_ct_proto_mutex)
- ) != l4proto);
- rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
- &nf_conntrack_l4proto_generic);
- nf_ct_l4proto_unregister_sysctl(l4proto);
- mutex_unlock(&nf_ct_proto_mutex);
-
- synchronize_rcu();
+ if (net == &init_net) {
+ BUG_ON(l4proto->l3proto >= PF_MAX);
+ mutex_lock(&nf_ct_proto_mutex);
+
+ BUG_ON(rcu_dereference_protected(
+ nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+ lockdep_is_held(&nf_ct_proto_mutex)
+ ) != l4proto);
+ rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+ &nf_conntrack_l4proto_generic);
+ mutex_unlock(&nf_ct_proto_mutex);
+
+ synchronize_rcu();
+ }
+ nf_ct_l4proto_unregister_sysctl(net, l4proto);
/* Remove all contrack entries for this protocol */
rtnl_lock();
- for_each_net(net)
- nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
+ nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
rtnl_unlock();
}
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
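Review bot: error handling in nf_conntrack_l4proto_register() regresses: `rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto], l4proto)` now runs before `l4proto->init_net()` and `nf_ct_l4proto_register_sysctl()`, so if either fails for init_net the tracker stays published in nf_ct_protos while the caller sees an error and unloads the module; before this hunk nf_ct_l4proto_register_sysctl() ran before the publish and failure unwound cleanly. Either keep the pernet/sysctl setup ahead of the rcu_assign_pointer(), or reset the slot to &nf_conntrack_l4proto_generic on failure. Two smaller points in the same hunk: the `#else pn->users--;` branch of nf_ct_l4proto_unregister_sysctl() has no matching increment when CONFIG_SYSCTL is off (the only `(*users)++` is inside nf_ct_register_sysctl(), which is itself under CONFIG_SYSCTL), and replacing `for_each_net(net)` with a single `nf_ct_iterate_cleanup(net, kill_l4proto, l4proto)` means the init_net unregister on module unload no longer kills this protocol's entries in other namespaces; the commit message should say why that is safe.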
@@ -383,7 +428,7 @@ int nf_conntrack_proto_init(void)
unsigned int i;
int err;
- err = nf_ct_l4proto_register_sysctl(&nf_conntrack_l4proto_generic);
+ err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
if (err < 0)
return err;
@@ -397,7 +442,7 @@ void nf_conntrack_proto_fini(void)
{
unsigned int i;
- nf_ct_l4proto_unregister_sysctl(&nf_conntrack_l4proto_generic);
+ nf_ct_l4proto_unregister_sysctl(&init_net, &nf_conntrack_l4proto_generic);
/* free l3proto protocol tables */
for (i = 0; i < PF_MAX; i++)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index ef706a4..5a8e037 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -945,17 +945,17 @@ static int __init nf_conntrack_proto_dccp_init(void)
if (err < 0)
goto err1;
- err = nf_conntrack_l4proto_register(&dccp_proto4);
+ err = nf_conntrack_l4proto_register(&init_net, &dccp_proto4);
if (err < 0)
goto err2;
- err = nf_conntrack_l4proto_register(&dccp_proto6);
+ err = nf_conntrack_l4proto_register(&init_net, &dccp_proto6);
if (err < 0)
goto err3;
return 0;
err3:
- nf_conntrack_l4proto_unregister(&dccp_proto4);
+ nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
err2:
unregister_pernet_subsys(&dccp_net_ops);
err1:
@@ -965,8 +965,8 @@ err1:
static void __exit nf_conntrack_proto_dccp_fini(void)
{
unregister_pernet_subsys(&dccp_net_ops);
- nf_conntrack_l4proto_unregister(&dccp_proto6);
- nf_conntrack_l4proto_unregister(&dccp_proto4);
+ nf_conntrack_l4proto_unregister(&init_net, &dccp_proto6);
+ nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
}
module_init(nf_conntrack_proto_dccp_init);
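Review bot: teardown order in nf_conntrack_proto_dccp_fini() is not the reverse of init: `unregister_pernet_subsys(&dccp_net_ops)` runs before the two nf_conntrack_l4proto_unregister() calls, while init registers the pernet subsys first (the err2/err3 unwind shows that). Once nf_conntrack_l4proto_unregister() reaches per-net data through nf_ct_l4proto_net()/net_generic(), unregistering the subsys first hands it freed pernet memory; unregister the l4protos first, then the subsys.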
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 4bf6b4e..132f0d2 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -396,18 +396,18 @@ static int __init nf_ct_proto_gre_init(void)
{
int rv;
- rv = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_gre4);
+ rv = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_gre4);
if (rv < 0)
return rv;
rv = register_pernet_subsys(&proto_gre_net_ops);
if (rv < 0)
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
return rv;
}
static void __exit nf_ct_proto_gre_fini(void)
{
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
unregister_pernet_subsys(&proto_gre_net_ops);
}
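Review bot: nf_ct_proto_gre_init() calls nf_conntrack_l4proto_register(&init_net, ...) before register_pernet_subsys(&proto_gre_net_ops), so as soon as the gre tracker gets a net_id and an init_net hook, the registration path will look for pernet data that has not been allocated yet; register the subsys first and unregister it last, which also matches the order dccp uses in init.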
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 996db2f..97bbc20 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -791,12 +791,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
{
int ret;
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp4);
if (ret) {
pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n");
goto out;
}
- ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6);
+ ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp6);
if (ret) {
pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
goto cleanup_sctp4;
@@ -805,15 +805,15 @@ static int __init nf_conntrack_proto_sctp_init(void)
return ret;
cleanup_sctp4:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
out:
return ret;
}
static void __exit nf_conntrack_proto_sctp_fini(void)
{
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
}
module_init(nf_conntrack_proto_sctp_init);
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 4d60a53..fa142a8 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -299,23 +299,23 @@ static int __init nf_conntrack_proto_udplite_init(void)
{
int err;
- err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite4);
+ err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite4);
if (err < 0)
goto err1;
- err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite6);
+ err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite6);
if (err < 0)
goto err2;
return 0;
err2:
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
err1:
return err;
}
static void __exit nf_conntrack_proto_udplite_exit(void)
{
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
- nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite6);
+ nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
}
module_init(nf_conntrack_proto_udplite_init);
--
1.7.7.6
* Re: [PATCH 02/17] netfilter: add namespace support for l4proto
2012-05-14 8:52 ` [PATCH 02/17] netfilter: add namespace support for l4proto Gao feng
@ 2012-05-23 10:25 ` Pablo Neira Ayuso
2012-05-24 1:52 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-23 10:25 UTC (permalink / raw)
To: Gao feng
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On Mon, May 14, 2012 at 04:52:12PM +0800, Gao feng wrote:
> From: Gao feng <gaofeng@cn.fujitus.com>
>
> -nf_ct_(un)register_sysctl are changed to support net namespaces;
> (un)register_net_sysctl_table replaces (un)register_sysctl_paths,
> and nf_ct_unregister_sysctl kfrees the table only when users is 0.
>
> -Add struct net as a param of nf_conntrack_l4proto_(un)register;
> register or unregister the l4proto only when the net is init_net.
>
> -nf_conntrack_l4proto_register calls init_net to initialize the pernet
> data of the l4proto.
>
> -nf_ct_l4proto_net is used to get the pernet data of the l4proto.
>
> -Use init_net as a param of nf_conntrack_l4proto_(un)register.
>
> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
> ---
> include/net/netfilter/nf_conntrack_l4proto.h | 13 +-
> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 18 +-
> net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 +-
> net/netfilter/nf_conntrack_proto.c | 245 ++++++++++++++----------
> net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
> net/netfilter/nf_conntrack_proto_gre.c | 6 +-
> net/netfilter/nf_conntrack_proto_sctp.c | 10 +-
> net/netfilter/nf_conntrack_proto_udplite.c | 10 +-
> 8 files changed, 191 insertions(+), 139 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> index a90eab5..a93dcd5 100644
> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> @@ -12,7 +12,7 @@
> #include <linux/netlink.h>
> #include <net/netlink.h>
> #include <net/netfilter/nf_conntrack.h>
> -
> +#include <net/netns/generic.h>
Minor nitpick: make sure there's still one line between this structure
below and the include headers.
> struct seq_file;
>
> struct nf_conntrack_l4proto {
> @@ -129,8 +129,15 @@ nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto);
> extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p);
>
> /* Protocol registration. */
> -extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto);
> -extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
> +extern int nf_conntrack_l4proto_register(struct net *net,
> + struct nf_conntrack_l4proto *proto);
> +extern void nf_conntrack_l4proto_unregister(struct net *net,
> + struct nf_conntrack_l4proto *proto);
> +
> +extern int nf_ct_l4proto_register_sysctl(struct net *net,
> + struct nf_conntrack_l4proto *l4proto);
> +extern void nf_ct_l4proto_unregister_sysctl(struct net *net,
> + struct nf_conntrack_l4proto *l4proto);
>
> /* Generic netlink helpers */
> extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> index 91747d4..46ec515 100644
> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> @@ -391,19 +391,19 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
> return ret;
> }
>
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp4);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv4: can't register tcp.\n");
> goto cleanup_sockopt;
> }
>
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp4);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv4: can't register udp.\n");
> goto cleanup_tcp;
> }
>
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmp);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv4: can't register icmp.\n");
> goto cleanup_udp;
> @@ -434,11 +434,11 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
> cleanup_ipv4:
> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
> cleanup_icmp:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
> cleanup_udp:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
> cleanup_tcp:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
> cleanup_sockopt:
> nf_unregister_sockopt(&so_getorigdst);
> return ret;
> @@ -452,9 +452,9 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
> #endif
> nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
> nf_unregister_sockopt(&so_getorigdst);
> }
>
> diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
> index fe925e4..55f379f 100644
> --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
> +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
> @@ -341,19 +341,19 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
> need_conntrack();
> nf_defrag_ipv6_enable();
>
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp6);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv6: can't register tcp.\n");
> return ret;
> }
>
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp6);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv6: can't register udp.\n");
> goto cleanup_tcp;
> }
>
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmpv6);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
> goto cleanup_udp;
> @@ -377,11 +377,11 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
> cleanup_ipv6:
> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
> cleanup_icmpv6:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
> cleanup_udp:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
> cleanup_tcp:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
> return ret;
> }
>
> @@ -390,9 +390,9 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
> synchronize_net();
> nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
> }
>
> module_init(nf_conntrack_l3proto_ipv6_init);
> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> index 8b631b0..6d68727 100644
> --- a/net/netfilter/nf_conntrack_proto.c
> +++ b/net/netfilter/nf_conntrack_proto.c
> @@ -35,30 +35,39 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
> static DEFINE_MUTEX(nf_ct_proto_mutex);
>
> #ifdef CONFIG_SYSCTL
> -static int
> -nf_ct_register_sysctl(struct ctl_table_header **header, const char *path,
> - struct ctl_table *table, unsigned int *users)
> +int
> +nf_ct_register_sysctl(struct net *net,
> + struct ctl_table_header **header,
> + const char *path,
> + struct ctl_table *table,
> + unsigned int *users)
> {
> if (*header == NULL) {
> - *header = register_net_sysctl(&init_net, path, table);
> + *header = register_net_sysctl(net, path, table);
> if (*header == NULL)
> return -ENOMEM;
> }
> if (users != NULL)
> (*users)++;
> +
> return 0;
> }
> +EXPORT_SYMBOL_GPL(nf_ct_register_sysctl);
I don't see why we need to export nf_ct_register_sysctl. I think this
is a left-over from the previous patchset.
> -static void
> +void
> nf_ct_unregister_sysctl(struct ctl_table_header **header,
> - struct ctl_table *table, unsigned int *users)
> + struct ctl_table **table,
> + unsigned int *users)
> {
> if (users != NULL && --*users > 0)
> return;
>
> unregister_net_sysctl_table(*header);
> + kfree(*table);
> *header = NULL;
> + *table = NULL;
> }
> +EXPORT_SYMBOL_GPL(nf_ct_unregister_sysctl);
Same thing. I don't find any external user of this new exported
function in your entire patchset.
You have to fix this.
> #endif
>
> struct nf_conntrack_l4proto *
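Review bot: nf_ct_unregister_sysctl now does kfree(*table) unconditionally once the user count drops to zero, which assumes every caller hands it a table obtained from kmalloc; the l3proto path in this same patch (nf_ct_l3proto_unregister_sysctl, in the @@ -180 hunk) now passes &l3proto->ctl_table, and nothing in this patch allocates that table, so either move the kfree into the l4proto callers that own a heap-allocated table or make the l3proto table heap-allocated before this lands. Two smaller things: nf_ct_register_sysctl is made non-static and exported but no header declares it, so sparse will warn about a symbol without a declaration (dropping the export, as already requested, also fixes that); and the commit message says (un)register_net_sysctl_table replaces (un)register_sysctl_paths, while this hunk calls register_net_sysctl() for the registration side, so update the message to match the code.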
> @@ -167,7 +176,8 @@ static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
>
> #ifdef CONFIG_SYSCTL
> if (l3proto->ctl_table != NULL) {
> - err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
> + err = nf_ct_register_sysctl(&init_net,
> + &l3proto->ctl_table_header,
> l3proto->ctl_table_path,
> l3proto->ctl_table, NULL);
> }
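Review bot: nf_ct_l3proto_register_sysctl still hardcodes &init_net here while every l4proto path now takes the net from its caller; if l3proto sysctls are intentionally left init_net-only for this patch, say so in the commit message, otherwise thread a net argument through nf_conntrack_l3proto_register as well so the two layers are converted the same way.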
> @@ -180,7 +190,7 @@ static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto
> #ifdef CONFIG_SYSCTL
> if (l3proto->ctl_table_header != NULL)
> nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
> - l3proto->ctl_table, NULL);
> + &l3proto->ctl_table, NULL);
> #endif
> }
>
> @@ -243,137 +253,172 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
>
> -static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
> +static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
> + struct nf_conntrack_l4proto *l4proto)
> {
> - int err = 0;
> + if (l4proto->net_id)
> + return net_generic(net, *l4proto->net_id);
> + else
> + return NULL;
> +}
>
> +int nf_ct_l4proto_register_sysctl(struct net *net,
> + struct nf_conntrack_l4proto *l4proto)
> +{
> + int err = 0;
> + struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
> + if (pn == NULL)
> + return 0;
> #ifdef CONFIG_SYSCTL
> - if (l4proto->ctl_table != NULL) {
> - err = nf_ct_register_sysctl(l4proto->ctl_table_header,
> + if (pn->ctl_table != NULL) {
> + err = nf_ct_register_sysctl(net,
> + &pn->ctl_table_header,
> "net/netfilter",
> - l4proto->ctl_table,
> - l4proto->ctl_table_users);
> - if (err < 0)
> + pn->ctl_table,
> + &pn->users);
> + if (err < 0) {
> + kfree(pn->ctl_table);
> + pn->ctl_table = NULL;
^^^^^^^^^^^
Do you really need to set this above to NULL? Is there any existing
bug trap? If not, it's superfluous, please, remove it.
> goto out;
> + }
> }
> #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - if (l4proto->ctl_compat_table != NULL) {
> - err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
> + if (l4proto->compat && pn->ctl_compat_table != NULL) {
> + err = nf_ct_register_sysctl(net,
> + &pn->ctl_compat_header,
> "net/ipv4/netfilter",
> - l4proto->ctl_compat_table, NULL);
> + pn->ctl_compat_table,
> + NULL);
> if (err == 0)
> goto out;
> - nf_ct_unregister_sysctl(l4proto->ctl_table_header,
> - l4proto->ctl_table,
> - l4proto->ctl_table_users);
> +
> + kfree(pn->ctl_compat_table);
> + pn->ctl_compat_table = NULL;
> + nf_ct_unregister_sysctl(&pn->ctl_table_header,
> + &pn->ctl_table,
> + &pn->users);
> }
> #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> out:
> #endif /* CONFIG_SYSCTL */
> return err;
> }
> +EXPORT_SYMBOL_GPL(nf_ct_l4proto_register_sysctl);
>
> -static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
> +void nf_ct_l4proto_unregister_sysctl(struct net *net,
> + struct nf_conntrack_l4proto *l4proto)
> {
> + struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
> + if (pn == NULL)
> + return;
> #ifdef CONFIG_SYSCTL
> - if (l4proto->ctl_table_header != NULL &&
> - *l4proto->ctl_table_header != NULL)
> - nf_ct_unregister_sysctl(l4proto->ctl_table_header,
> - l4proto->ctl_table,
> - l4proto->ctl_table_users);
> + if (pn->ctl_table_header != NULL)
> + nf_ct_unregister_sysctl(&pn->ctl_table_header,
> + &pn->ctl_table,
> + &pn->users);
> +
> #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - if (l4proto->ctl_compat_table_header != NULL)
> - nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
> - l4proto->ctl_compat_table, NULL);
> + if (l4proto->compat && pn->ctl_compat_header != NULL)
> + nf_ct_unregister_sysctl(&pn->ctl_compat_header,
> + &pn->ctl_compat_table,
> + NULL);
> #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> +#else
> + pn->users--;
> #endif /* CONFIG_SYSCTL */
> }
> +EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister_sysctl);
>
> /* FIXME: Allow NULL functions and sub in pointers to generic for
> them. --RR */
> -int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
> +int nf_conntrack_l4proto_register(struct net *net,
> + struct nf_conntrack_l4proto *l4proto)
> {
> int ret = 0;
Minor nitpick: you can save the amount of edits in this function that
result from the extra tabbing by moving all ...
if (net == &init_net) {
... this code ...
}
into some new static int nf_conntrack_l4proto_register_net(...) that
will be called by nf_conntrack_l4proto_register.
It will result in more maintainable code. We still stick to 80-char
columns; saving that extra tabbing makes the code more readable.
>
> - if (l4proto->l3proto >= PF_MAX)
> - return -EBUSY;
> -
> - if ((l4proto->to_nlattr && !l4proto->nlattr_size)
> - || (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
> - return -EINVAL;
> -
> - mutex_lock(&nf_ct_proto_mutex);
> - if (!nf_ct_protos[l4proto->l3proto]) {
> - /* l3proto may be loaded latter. */
> - struct nf_conntrack_l4proto __rcu **proto_array;
> - int i;
> -
> - proto_array = kmalloc(MAX_NF_CT_PROTO *
> - sizeof(struct nf_conntrack_l4proto *),
> - GFP_KERNEL);
> - if (proto_array == NULL) {
> - ret = -ENOMEM;
> + if (net == &init_net) {
> + if (l4proto->l3proto >= PF_MAX)
> + return -EBUSY;
> +
> + if ((l4proto->to_nlattr && !l4proto->nlattr_size)
> + || (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
> + return -EINVAL;
> +
> + mutex_lock(&nf_ct_proto_mutex);
> + if (!nf_ct_protos[l4proto->l3proto]) {
> + /* l3proto may be loaded latter. */
> + struct nf_conntrack_l4proto __rcu **proto_array;
> + int i;
> +
> + proto_array = kmalloc(MAX_NF_CT_PROTO *
> + sizeof(struct nf_conntrack_l4proto *),
> + GFP_KERNEL);
> + if (proto_array == NULL) {
> + ret = -ENOMEM;
> + goto out_unlock;
> + }
> +
> + for (i = 0; i < MAX_NF_CT_PROTO; i++)
> + RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
> +
> + /* Before making proto_array visible to lockless readers,
> + * we must make sure its content is committed to memory.
> + */
> + smp_wmb();
> +
> + nf_ct_protos[l4proto->l3proto] = proto_array;
> + } else if (rcu_dereference_protected(
> + nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> + lockdep_is_held(&nf_ct_proto_mutex)
> + ) != &nf_conntrack_l4proto_generic) {
> + ret = -EBUSY;
> goto out_unlock;
> }
>
> - for (i = 0; i < MAX_NF_CT_PROTO; i++)
> - RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
> -
> - /* Before making proto_array visible to lockless readers,
> - * we must make sure its content is committed to memory.
> - */
> - smp_wmb();
> -
> - nf_ct_protos[l4proto->l3proto] = proto_array;
> - } else if (rcu_dereference_protected(
> - nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> - lockdep_is_held(&nf_ct_proto_mutex)
> - ) != &nf_conntrack_l4proto_generic) {
> - ret = -EBUSY;
> - goto out_unlock;
> - }
> -
> - ret = nf_ct_l4proto_register_sysctl(l4proto);
> - if (ret < 0)
> - goto out_unlock;
> -
> - l4proto->nla_size = 0;
> - if (l4proto->nlattr_size)
> - l4proto->nla_size += l4proto->nlattr_size();
> - if (l4proto->nlattr_tuple_size)
> - l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();
> -
> - rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> - l4proto);
> + l4proto->nla_size = 0;
> + if (l4proto->nlattr_size)
> + l4proto->nla_size += l4proto->nlattr_size();
> + if (l4proto->nlattr_tuple_size)
> + l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();
>
> + rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> + l4proto);
> out_unlock:
> - mutex_unlock(&nf_ct_proto_mutex);
> - return ret;
> + mutex_unlock(&nf_ct_proto_mutex);
> + if (ret < 0)
> + return ret;
> + }
> + if (l4proto->init_net) {
> + ret = l4proto->init_net(net, l4proto->compat);
> + if (ret < 0)
> + return ret;
> + }
> + return nf_ct_l4proto_register_sysctl(net, l4proto);
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register);
>
> -void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
> +void nf_conntrack_l4proto_unregister(struct net *net,
> + struct nf_conntrack_l4proto *l4proto)
> {
> - struct net *net;
> -
> - BUG_ON(l4proto->l3proto >= PF_MAX);
> -
> - mutex_lock(&nf_ct_proto_mutex);
> - BUG_ON(rcu_dereference_protected(
> - nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> - lockdep_is_held(&nf_ct_proto_mutex)
> - ) != l4proto);
> - rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> - &nf_conntrack_l4proto_generic);
> - nf_ct_l4proto_unregister_sysctl(l4proto);
> - mutex_unlock(&nf_ct_proto_mutex);
> -
> - synchronize_rcu();
> + if (net == &init_net) {
Same thing as above here.
> + BUG_ON(l4proto->l3proto >= PF_MAX);
> + mutex_lock(&nf_ct_proto_mutex);
> +
> + BUG_ON(rcu_dereference_protected(
> + nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> + lockdep_is_held(&nf_ct_proto_mutex)
> + ) != l4proto);
> + rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
> + &nf_conntrack_l4proto_generic);
> + mutex_unlock(&nf_ct_proto_mutex);
> +
> + synchronize_rcu();
> + }
> + nf_ct_l4proto_unregister_sysctl(net, l4proto);
>
> /* Remove all contrack entries for this protocol */
> rtnl_lock();
> - for_each_net(net)
> - nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
> + nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
> rtnl_unlock();
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
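Review bot: in nf_conntrack_l4proto_register the &init_net branch now publishes the protocol with rcu_assign_pointer() into nf_ct_protos before l4proto->init_net() and nf_ct_l4proto_register_sysctl() run, and both of those can fail with a plain `return ret;` that leaves the pointer in the table; before this patch nf_ct_l4proto_register_sysctl() was called ahead of the assignment, so a failure left nothing registered. A caller that gets an error will not call nf_conntrack_l4proto_unregister, so the table keeps pointing at a protocol whose module is typically unloaded right after the failed init. Either run init_net() and the sysctl registration before rcu_assign_pointer(), still under nf_ct_proto_mutex as the old code did, or on failure reset the slot to &nf_conntrack_l4proto_generic and synchronize_rcu() before returning.

Two more things in the same hunk. nf_conntrack_l4proto_unregister drops the for_each_net() loop around nf_ct_iterate_cleanup(), so the module-exit call with &init_net no longer kills this protocol's conntracks in other namespaces; unless a later patch guarantees that the pernet exit path calls it for every net, keep the loop when net == &init_net. And in nf_ct_l4proto_unregister_sysctl the `#else pn->users--;` branch for !CONFIG_SYSCTL decrements a counter that the !CONFIG_SYSCTL build of nf_ct_l4proto_register_sysctl never increments (the only increment lives inside nf_ct_register_sysctl, which is under #ifdef CONFIG_SYSCTL), so the unsigned counter underflows; drop that branch or make the increment unconditional.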
> @@ -383,7 +428,7 @@ int nf_conntrack_proto_init(void)
> unsigned int i;
> int err;
>
> - err = nf_ct_l4proto_register_sysctl(&nf_conntrack_l4proto_generic);
> + err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
> if (err < 0)
> return err;
>
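Review bot: nf_ct_l4proto_register_sysctl() now returns 0 without doing anything when l4proto->net_id is NULL (see nf_ct_l4proto_net in the previous hunk), and nothing in this patch sets net_id for nf_conntrack_l4proto_generic, so after this patch the generic protocol's sysctl table is silently not registered until whichever later patch wires net_id up; either fold that change into this patch so the series bisects cleanly, or have nf_conntrack_proto_init fail or WARN when the generic protocol has no net_id. The new line is also over 80 columns; wrap the second argument.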
> @@ -397,7 +442,7 @@ void nf_conntrack_proto_fini(void)
> {
> unsigned int i;
>
> - nf_ct_l4proto_unregister_sysctl(&nf_conntrack_l4proto_generic);
> + nf_ct_l4proto_unregister_sysctl(&init_net, &nf_conntrack_l4proto_generic);
>
> /* free l3proto protocol tables */
> for (i = 0; i < PF_MAX; i++)
> diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
> index ef706a4..5a8e037 100644
> --- a/net/netfilter/nf_conntrack_proto_dccp.c
> +++ b/net/netfilter/nf_conntrack_proto_dccp.c
> @@ -945,17 +945,17 @@ static int __init nf_conntrack_proto_dccp_init(void)
> if (err < 0)
> goto err1;
>
> - err = nf_conntrack_l4proto_register(&dccp_proto4);
> + err = nf_conntrack_l4proto_register(&init_net, &dccp_proto4);
> if (err < 0)
> goto err2;
>
> - err = nf_conntrack_l4proto_register(&dccp_proto6);
> + err = nf_conntrack_l4proto_register(&init_net, &dccp_proto6);
> if (err < 0)
> goto err3;
> return 0;
>
> err3:
> - nf_conntrack_l4proto_unregister(&dccp_proto4);
> + nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
> err2:
> unregister_pernet_subsys(&dccp_net_ops);
> err1:
> @@ -965,8 +965,8 @@ err1:
> static void __exit nf_conntrack_proto_dccp_fini(void)
> {
> unregister_pernet_subsys(&dccp_net_ops);
> - nf_conntrack_l4proto_unregister(&dccp_proto6);
> - nf_conntrack_l4proto_unregister(&dccp_proto4);
> + nf_conntrack_l4proto_unregister(&init_net, &dccp_proto6);
> + nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
> }
>
> module_init(nf_conntrack_proto_dccp_init);
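Review bot: the teardown order in nf_conntrack_proto_dccp_fini is the reverse of the init error path: err3/err2 in the previous hunk unregister the l4proto before unregister_pernet_subsys(&dccp_net_ops), but fini calls unregister_pernet_subsys() first and only then nf_conntrack_l4proto_unregister(&init_net, ...). Once dccp's net_id points at its pernet id (not shown in this patch), nf_ct_l4proto_unregister_sysctl() will call net_generic() on per-net data the pernet subsys has already torn down; swap the two calls so the l4protos are unregistered first, matching the error path.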
> diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
> index 4bf6b4e..132f0d2 100644
> --- a/net/netfilter/nf_conntrack_proto_gre.c
> +++ b/net/netfilter/nf_conntrack_proto_gre.c
> @@ -396,18 +396,18 @@ static int __init nf_ct_proto_gre_init(void)
> {
> int rv;
>
> - rv = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_gre4);
> + rv = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_gre4);
> if (rv < 0)
> return rv;
> rv = register_pernet_subsys(&proto_gre_net_ops);
> if (rv < 0)
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
> return rv;
> }
>
> static void __exit nf_ct_proto_gre_fini(void)
> {
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
> unregister_pernet_subsys(&proto_gre_net_ops);
> }
>
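Review bot: nf_ct_proto_gre_init registers the l4proto into &init_net before register_pernet_subsys(&proto_gre_net_ops) has run; that only works while gre's net_id is NULL, because nf_ct_l4proto_net() then returns NULL and the per-net and sysctl steps are skipped. As soon as the per-net data is hooked up, the register call will net_generic() an id that is not registered yet, so register the pernet subsys first and unregister the l4proto on its failure; nf_ct_proto_gre_fini already has the matching order (l4proto first, pernet subsys last), so only init needs changing.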
> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
> index 996db2f..97bbc20 100644
> --- a/net/netfilter/nf_conntrack_proto_sctp.c
> +++ b/net/netfilter/nf_conntrack_proto_sctp.c
> @@ -791,12 +791,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
> {
> int ret;
>
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp4);
> if (ret) {
> pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n");
> goto out;
> }
> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6);
> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp6);
> if (ret) {
> pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
> goto cleanup_sctp4;
> @@ -805,15 +805,15 @@ static int __init nf_conntrack_proto_sctp_init(void)
> return ret;
>
> cleanup_sctp4:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
> out:
> return ret;
> }
>
> static void __exit nf_conntrack_proto_sctp_fini(void)
> {
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
> }
>
> module_init(nf_conntrack_proto_sctp_init);
> diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
> index 4d60a53..fa142a8 100644
> --- a/net/netfilter/nf_conntrack_proto_udplite.c
> +++ b/net/netfilter/nf_conntrack_proto_udplite.c
> @@ -299,23 +299,23 @@ static int __init nf_conntrack_proto_udplite_init(void)
> {
> int err;
>
> - err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite4);
> + err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite4);
> if (err < 0)
> goto err1;
> - err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite6);
> + err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite6);
> if (err < 0)
> goto err2;
> return 0;
> err2:
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
> err1:
> return err;
> }
>
> static void __exit nf_conntrack_proto_udplite_exit(void)
> {
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite6);
> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
> }
>
> module_init(nf_conntrack_proto_udplite_init);
> --
> 1.7.7.6
>
* Re: [PATCH 02/17] netfilter: add namespace support for l4proto
2012-05-23 10:25 ` Pablo Neira Ayuso
@ 2012-05-24 1:52 ` Gao feng
2012-05-24 10:00 ` Pablo Neira Ayuso
0 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-24 1:52 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On 2012-05-23 18:25, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2012 at 04:52:12PM +0800, Gao feng wrote:
>> From: Gao feng <gaofeng@cn.fujitus.com>
>>
>> -nf_ct_(un)register_sysctl are changed to support net namespaces;
>> use (un)register_net_sysctl_table to replace (un)register_sysctl_paths,
>> and in nf_ct_unregister_sysctl, kfree the table only when users is 0.
>>
>> -Add the struct net as param of nf_conntrack_l4proto_(un)register.
>> register or unregister the l4proto only when the net is init_net.
>>
>> -nf_conntrack_l4proto_register calls init_net to initialize the pernet
>> data of l4proto.
>>
>> -nf_ct_l4proto_net is used to get the pernet data of l4proto.
>>
>> -use init_net as a param of nf_conntrack_l4proto_(un)register.
>>
>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
>> ---
>> include/net/netfilter/nf_conntrack_l4proto.h | 13 +-
>> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 18 +-
>> net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 +-
>> net/netfilter/nf_conntrack_proto.c | 245 ++++++++++++++----------
>> net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
>> net/netfilter/nf_conntrack_proto_gre.c | 6 +-
>> net/netfilter/nf_conntrack_proto_sctp.c | 10 +-
>> net/netfilter/nf_conntrack_proto_udplite.c | 10 +-
>> 8 files changed, 191 insertions(+), 139 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
>> index a90eab5..a93dcd5 100644
>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
>> @@ -12,7 +12,7 @@
>> #include <linux/netlink.h>
>> #include <net/netlink.h>
>> #include <net/netfilter/nf_conntrack.h>
>> -
>> +#include <net/netns/generic.h>
>
> Minor nitpick: make sure there's still one line between this structure
> below and the include headers.
Thanks! I will fix it.
>
>> struct seq_file;
>>
>> struct nf_conntrack_l4proto {
>> @@ -129,8 +129,15 @@ nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto);
>> extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p);
>>
>> /* Protocol registration. */
>> -extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto);
>> -extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
>> +extern int nf_conntrack_l4proto_register(struct net *net,
>> + struct nf_conntrack_l4proto *proto);
>> +extern void nf_conntrack_l4proto_unregister(struct net *net,
>> + struct nf_conntrack_l4proto *proto);
>> +
>> +extern int nf_ct_l4proto_register_sysctl(struct net *net,
>> + struct nf_conntrack_l4proto *l4proto);
>> +extern void nf_ct_l4proto_unregister_sysctl(struct net *net,
>> + struct nf_conntrack_l4proto *l4proto);
>>
>> /* Generic netlink helpers */
>> extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
>> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
>> index 91747d4..46ec515 100644
>> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
>> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
>> @@ -391,19 +391,19 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
>> return ret;
>> }
>>
>> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4);
>> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp4);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv4: can't register tcp.\n");
>> goto cleanup_sockopt;
>> }
>>
>> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4);
>> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp4);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv4: can't register udp.\n");
>> goto cleanup_tcp;
>> }
>>
>> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp);
>> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmp);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv4: can't register icmp.\n");
>> goto cleanup_udp;
>> @@ -434,11 +434,11 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
>> cleanup_ipv4:
>> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
>> cleanup_icmp:
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
>> cleanup_udp:
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
>> cleanup_tcp:
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
>> cleanup_sockopt:
>> nf_unregister_sockopt(&so_getorigdst);
>> return ret;
>> @@ -452,9 +452,9 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
>> #endif
>> nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
>> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
>> nf_unregister_sockopt(&so_getorigdst);
>> }
>>
>> diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
>> index fe925e4..55f379f 100644
>> --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
>> +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
>> @@ -341,19 +341,19 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
>> need_conntrack();
>> nf_defrag_ipv6_enable();
>>
>> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6);
>> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp6);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv6: can't register tcp.\n");
>> return ret;
>> }
>>
>> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6);
>> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp6);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv6: can't register udp.\n");
>> goto cleanup_tcp;
>> }
>>
>> - ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6);
>> + ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmpv6);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
>> goto cleanup_udp;
>> @@ -377,11 +377,11 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
>> cleanup_ipv6:
>> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
>> cleanup_icmpv6:
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
>> cleanup_udp:
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
>> cleanup_tcp:
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
>> return ret;
>> }
>>
>> @@ -390,9 +390,9 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
>> synchronize_net();
>> nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
>> nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
>> - nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
>> + nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
>> }
>>
>> module_init(nf_conntrack_l3proto_ipv6_init);
>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
>> index 8b631b0..6d68727 100644
>> --- a/net/netfilter/nf_conntrack_proto.c
>> +++ b/net/netfilter/nf_conntrack_proto.c
>> @@ -35,30 +35,39 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
>> static DEFINE_MUTEX(nf_ct_proto_mutex);
>>
>> #ifdef CONFIG_SYSCTL
>> -static int
>> -nf_ct_register_sysctl(struct ctl_table_header **header, const char *path,
>> - struct ctl_table *table, unsigned int *users)
>> +int
>> +nf_ct_register_sysctl(struct net *net,
>> + struct ctl_table_header **header,
>> + const char *path,
>> + struct ctl_table *table,
>> + unsigned int *users)
>> {
>> if (*header == NULL) {
>> - *header = register_net_sysctl(&init_net, path, table);
>> + *header = register_net_sysctl(net, path, table);
>> if (*header == NULL)
>> return -ENOMEM;
>> }
>> if (users != NULL)
>> (*users)++;
>> +
>> return 0;
>> }
>> +EXPORT_SYMBOL_GPL(nf_ct_register_sysctl);
>
> I don't see why we need to export nf_ct_register_sysctl. I think this
> is a left-over from the previous patchset.
I missed it...
Thanks.
>
>> -static void
>> +void
>> nf_ct_unregister_sysctl(struct ctl_table_header **header,
>> - struct ctl_table *table, unsigned int *users)
>> + struct ctl_table **table,
>> + unsigned int *users)
>> {
>> if (users != NULL && --*users > 0)
>> return;
>>
>> unregister_net_sysctl_table(*header);
>> + kfree(*table);
>> *header = NULL;
>> + *table = NULL;
>> }
>> +EXPORT_SYMBOL_GPL(nf_ct_unregister_sysctl);
>
> Same thing. I don't find any external user of this new exported
> function in your entire patchset.
>
> You have to fix this.
>
>> #endif
>>
>> struct nf_conntrack_l4proto *
>> @@ -167,7 +176,8 @@ static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
>>
>> #ifdef CONFIG_SYSCTL
>> if (l3proto->ctl_table != NULL) {
>> - err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
>> + err = nf_ct_register_sysctl(&init_net,
>> + &l3proto->ctl_table_header,
>> l3proto->ctl_table_path,
>> l3proto->ctl_table, NULL);
>> }
>> @@ -180,7 +190,7 @@ static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto
>> #ifdef CONFIG_SYSCTL
>> if (l3proto->ctl_table_header != NULL)
>> nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
>> - l3proto->ctl_table, NULL);
>> + &l3proto->ctl_table, NULL);
>> #endif
>> }
>>
>> @@ -243,137 +253,172 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
>> }
>> EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
>>
>> -static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
>> +static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
>> + struct nf_conntrack_l4proto *l4proto)
>> {
>> - int err = 0;
>> + if (l4proto->net_id)
>> + return net_generic(net, *l4proto->net_id);
>> + else
>> + return NULL;
>> +}
>>
>> +int nf_ct_l4proto_register_sysctl(struct net *net,
>> + struct nf_conntrack_l4proto *l4proto)
>> +{
>> + int err = 0;
>> + struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
>> + if (pn == NULL)
>> + return 0;
>> #ifdef CONFIG_SYSCTL
>> - if (l4proto->ctl_table != NULL) {
>> - err = nf_ct_register_sysctl(l4proto->ctl_table_header,
>> + if (pn->ctl_table != NULL) {
>> + err = nf_ct_register_sysctl(net,
>> + &pn->ctl_table_header,
>> "net/netfilter",
>> - l4proto->ctl_table,
>> - l4proto->ctl_table_users);
>> - if (err < 0)
>> + pn->ctl_table,
>> + &pn->users);
>> + if (err < 0) {
>> + kfree(pn->ctl_table);
>> + pn->ctl_table = NULL;
> ^^^^^^^^^^^
> Do you really need to set this above to NULL? Is there any existing
> bug trap? If not, it's superfluous, please, remove it.
>
Yes, l4proto_tcp (udp, icmp)'s ctl_table is stored in netns_ct.proto,
so when registering l4proto_tcp's sysctl fails, ctl_table will still
point to the kfreed memory. This will cause a panic the next
time we register l4proto_tcp's sysctl.
>> goto out;
>> + }
>> }
>> #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> - if (l4proto->ctl_compat_table != NULL) {
>> - err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
>> + if (l4proto->compat && pn->ctl_compat_table != NULL) {
>> + err = nf_ct_register_sysctl(net,
>> + &pn->ctl_compat_header,
>> "net/ipv4/netfilter",
>> - l4proto->ctl_compat_table, NULL);
>> + pn->ctl_compat_table,
>> + NULL);
>> if (err == 0)
>> goto out;
>> - nf_ct_unregister_sysctl(l4proto->ctl_table_header,
>> - l4proto->ctl_table,
>> - l4proto->ctl_table_users);
>> +
>> + kfree(pn->ctl_compat_table);
>> + pn->ctl_compat_table = NULL;
>> + nf_ct_unregister_sysctl(&pn->ctl_table_header,
>> + &pn->ctl_table,
>> + &pn->users);
>> }
>> #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
>> out:
>> #endif /* CONFIG_SYSCTL */
>> return err;
>> }
>> +EXPORT_SYMBOL_GPL(nf_ct_l4proto_register_sysctl);
>>
>> -static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
>> +void nf_ct_l4proto_unregister_sysctl(struct net *net,
>> + struct nf_conntrack_l4proto *l4proto)
>> {
>> + struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
>> + if (pn == NULL)
>> + return;
>> #ifdef CONFIG_SYSCTL
>> - if (l4proto->ctl_table_header != NULL &&
>> - *l4proto->ctl_table_header != NULL)
>> - nf_ct_unregister_sysctl(l4proto->ctl_table_header,
>> - l4proto->ctl_table,
>> - l4proto->ctl_table_users);
>> + if (pn->ctl_table_header != NULL)
>> + nf_ct_unregister_sysctl(&pn->ctl_table_header,
>> + &pn->ctl_table,
>> + &pn->users);
>> +
>> #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> - if (l4proto->ctl_compat_table_header != NULL)
>> - nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
>> - l4proto->ctl_compat_table, NULL);
>> + if (l4proto->compat && pn->ctl_compat_header != NULL)
>> + nf_ct_unregister_sysctl(&pn->ctl_compat_header,
>> + &pn->ctl_compat_table,
>> + NULL);
>> #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
>> +#else
>> + pn->users--;
>> #endif /* CONFIG_SYSCTL */
>> }
>> +EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister_sysctl);
>>
>> /* FIXME: Allow NULL functions and sub in pointers to generic for
>> them. --RR */
>> -int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
>> +int nf_conntrack_l4proto_register(struct net *net,
>> + struct nf_conntrack_l4proto *l4proto)
>> {
>> int ret = 0;
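Review bot: the new "#else pn->users--;" branch in nf_ct_l4proto_unregister_sysctl decrements a counter that nothing increments when CONFIG_SYSCTL is disabled: in that configuration nf_ct_l4proto_register_sysctl does nothing beyond the pn NULL check, so the first unregister wraps pn->users (an unsigned int, per struct nf_proto_net). Drop the #else branch, or increment users in the register path so both sides stay symmetric.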
>
> Minor nitpick: you can save this amount of edits in this function that
> results from the extra tabbing by moving all ...
>
> if (net == &init_net) {
> ... this code ...
> }
>
> into some new static int nf_conntrack_l4proto_register_net(...) that
> will be called by nf_conntrack_l4proto_register.
>
> It will result in more maintainable code. We still stick to 80-char
> columns, and saving that extra tabbing makes the code more readable.
>
Yes, it will be more readable, I will do it.
* Re: [PATCH 02/17] netfilter: add namespace support for l4proto
2012-05-24 1:52 ` Gao feng
@ 2012-05-24 10:00 ` Pablo Neira Ayuso
0 siblings, 0 replies; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-24 10:00 UTC (permalink / raw)
To: Gao feng
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
On Thu, May 24, 2012 at 09:52:51AM +0800, Gao feng wrote:
> On 2012-05-23 18:25, Pablo Neira Ayuso wrote:
> > On Mon, May 14, 2012 at 04:52:12PM +0800, Gao feng wrote:
> >> From: Gao feng <gaofeng@cn.fujitus.com>
[...]
> >> @@ -243,137 +253,172 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
> >> }
> >> EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
> >>
> >> -static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
> >> +static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
> >> + struct nf_conntrack_l4proto *l4proto)
> >> {
> >> - int err = 0;
> >> + if (l4proto->net_id)
> >> + return net_generic(net, *l4proto->net_id);
> >> + else
> >> + return NULL;
> >> +}
> >>
> >> +int nf_ct_l4proto_register_sysctl(struct net *net,
> >> + struct nf_conntrack_l4proto *l4proto)
> >> +{
> >> + int err = 0;
> >> + struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
> >> + if (pn == NULL)
> >> + return 0;
> >> #ifdef CONFIG_SYSCTL
> >> - if (l4proto->ctl_table != NULL) {
> >> - err = nf_ct_register_sysctl(l4proto->ctl_table_header,
> >> + if (pn->ctl_table != NULL) {
> >> + err = nf_ct_register_sysctl(net,
> >> + &pn->ctl_table_header,
> >> "net/netfilter",
> >> - l4proto->ctl_table,
> >> - l4proto->ctl_table_users);
> >> - if (err < 0)
> >> + pn->ctl_table,
> >> + &pn->users);
> >> + if (err < 0) {
> >> + kfree(pn->ctl_table);
> >> + pn->ctl_table = NULL;
> > ^^^^^^^^^^^
> > Do you really need to set this above to NULL? Is there any existing
> > bug trap? If not, it's superfluous, please, remove it.
> >
> Yes, l4proto_tcp (udp, icmp)'s ctl_table is stored in netns_ct.proto,
> so when registering l4proto_tcp's sysctl fails, ctl_table will still
> point to the kfreed memory. This will cause a panic the next
> time we register l4proto_tcp's sysctl.
I see, thanks for the clarification.
* [PATCH 03/17] netfilter: add namespace support for l3proto
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-14 8:52 ` [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl Gao feng
2012-05-14 8:52 ` [PATCH 02/17] netfilter: add namespace support for l4proto Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-23 10:29 ` Pablo Neira Ayuso
2012-05-14 8:52 ` [PATCH 04/17] netfilter: add namespace support for l4proto_generic Gao feng
` (15 subsequent siblings)
18 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
-Add struct net as a param of nf_conntrack_l3proto_(un)register.
Register or unregister the l3proto only when the net is init_net.
-The new struct nf_ip_net is used to store the sysctl header and data
of l3proto_ipv4, l4proto_tcp(6), l4proto_udp(6), l4proto_icmp(v6).
Because protos such as tcp and tcp6 use the same data, making
nf_ip_net a field of netns_ct is the easiest way to manage it.
-nf_ct_l3proto_register_sysctl calls init_net to initialize the pernet data
of l3proto.
-nf_ct_l3proto_net is used to get the pernet data of l3proto.
-Export nf_conntrack_l3proto_(un)register.
-Use init_net as the param of nf_conntrack_l3proto_(un)register.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netfilter/nf_conntrack_l3proto.h | 6 +-
include/net/netns/conntrack.h | 8 ++
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 +-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 6 +-
net/netfilter/nf_conntrack_proto.c | 127 +++++++++++++++---------
5 files changed, 97 insertions(+), 56 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index 9766005..d6df8c7 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -79,8 +79,10 @@ struct nf_conntrack_l3proto {
extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX];
/* Protocol registration. */
-extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
-extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
+extern int nf_conntrack_l3proto_register(struct net *net,
+ struct nf_conntrack_l3proto *proto);
+extern void nf_conntrack_l3proto_unregister(struct net *net,
+ struct nf_conntrack_l3proto *proto);
extern struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);
extern void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p);
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 1f53038..94992e9 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -20,6 +20,13 @@ struct nf_proto_net {
unsigned int users;
};
+struct nf_ip_net {
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+ struct ctl_table_header *ctl_table_header;
+ struct ctl_table *ctl_table;
+#endif
+};
+
struct netns_ct {
atomic_t count;
unsigned int expect_count;
@@ -40,6 +47,7 @@ struct netns_ct {
unsigned int sysctl_log_invalid; /* Log invalid packets */
int sysctl_auto_assign_helper;
bool auto_assign_helper_warned;
+ struct nf_ip_net proto;
#ifdef CONFIG_SYSCTL
struct ctl_table_header *sysctl_header;
struct ctl_table_header *acct_sysctl_header;
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 46ec515..0c0fb90 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -409,7 +409,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
goto cleanup_udp;
}
- ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4);
+ ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv4);
if (ret < 0) {
pr_err("nf_conntrack_ipv4: can't register ipv4\n");
goto cleanup_icmp;
@@ -432,7 +432,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
#endif
cleanup_ipv4:
- nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
+ nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
cleanup_icmp:
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
cleanup_udp:
@@ -451,7 +451,7 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
nf_conntrack_ipv4_compat_fini();
#endif
nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
- nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
+ nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 55f379f..6cfbe7b 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -359,7 +359,7 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
goto cleanup_udp;
}
- ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6);
+ ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv6);
if (ret < 0) {
pr_err("nf_conntrack_ipv6: can't register ipv6\n");
goto cleanup_icmpv6;
@@ -375,7 +375,7 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
return ret;
cleanup_ipv6:
- nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
+ nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
cleanup_icmpv6:
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
cleanup_udp:
@@ -389,7 +389,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
{
synchronize_net();
nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
- nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
+ nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 6d68727..7ee6653 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -170,85 +170,116 @@ static int kill_l4proto(struct nf_conn *i, void *data)
nf_ct_l3num(i) == l4proto->l3proto;
}
-static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
+static struct nf_ip_net *nf_ct_l3proto_net(struct net *net,
+ struct nf_conntrack_l3proto *l3proto)
+{
+ if (l3proto->l3proto == PF_INET)
+ return &net->ct.proto;
+ else
+ return NULL;
+}
+
+static int nf_ct_l3proto_register_sysctl(struct net *net,
+ struct nf_conntrack_l3proto *l3proto)
{
int err = 0;
+ struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
-#ifdef CONFIG_SYSCTL
- if (l3proto->ctl_table != NULL) {
- err = nf_ct_register_sysctl(&init_net,
- &l3proto->ctl_table_header,
+ if (in == NULL)
+ return 0;
+
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+ if (in->ctl_table != NULL) {
+ err = nf_ct_register_sysctl(net,
+ &in->ctl_table_header,
l3proto->ctl_table_path,
- l3proto->ctl_table, NULL);
+ in->ctl_table,
+ NULL);
+ if (err < 0) {
+ kfree(in->ctl_table);
+ in->ctl_table = NULL;
+ }
}
#endif
return err;
}
-static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
+static void nf_ct_l3proto_unregister_sysctl(struct net *net,
+ struct nf_conntrack_l3proto *l3proto)
{
-#ifdef CONFIG_SYSCTL
- if (l3proto->ctl_table_header != NULL)
- nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
- &l3proto->ctl_table, NULL);
+ struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
+
+ if (in == NULL)
+ return;
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+ if (in->ctl_table_header != NULL)
+ nf_ct_unregister_sysctl(&in->ctl_table_header,
+ &in->ctl_table,
+ NULL);
#endif
}
-int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
+int nf_conntrack_l3proto_register(struct net *net,
+ struct nf_conntrack_l3proto *proto)
{
int ret = 0;
- struct nf_conntrack_l3proto *old;
-
- if (proto->l3proto >= AF_MAX)
- return -EBUSY;
- if (proto->tuple_to_nlattr && !proto->nlattr_tuple_size)
- return -EINVAL;
+ if (net == &init_net) {
+ struct nf_conntrack_l3proto *old;
- mutex_lock(&nf_ct_proto_mutex);
- old = rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
- lockdep_is_held(&nf_ct_proto_mutex));
- if (old != &nf_conntrack_l3proto_generic) {
- ret = -EBUSY;
- goto out_unlock;
- }
+ if (proto->l3proto >= AF_MAX)
+ return -EBUSY;
- ret = nf_ct_l3proto_register_sysctl(proto);
- if (ret < 0)
- goto out_unlock;
+ if (proto->tuple_to_nlattr && !proto->nlattr_tuple_size)
+ return -EINVAL;
- if (proto->nlattr_tuple_size)
- proto->nla_size = 3 * proto->nlattr_tuple_size();
+ mutex_lock(&nf_ct_proto_mutex);
+ old = rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
+ lockdep_is_held(&nf_ct_proto_mutex));
+ if (old != &nf_conntrack_l3proto_generic) {
+ ret = -EBUSY;
+ goto out_unlock;
+ }
- rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto);
+ if (proto->nlattr_tuple_size)
+ proto->nla_size = 3 * proto->nlattr_tuple_size();
+ rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto);
out_unlock:
- mutex_unlock(&nf_ct_proto_mutex);
- return ret;
+ mutex_unlock(&nf_ct_proto_mutex);
+ if (ret < 0)
+ return ret;
+ }
+ if (proto->init_net) {
+ ret = proto->init_net(net);
+ if (ret < 0)
+ return ret;
+ }
+ return nf_ct_l3proto_register_sysctl(net, proto);
}
EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_register);
-void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
+void nf_conntrack_l3proto_unregister(struct net *net,
+ struct nf_conntrack_l3proto *proto)
{
- struct net *net;
-
- BUG_ON(proto->l3proto >= AF_MAX);
+ if (net == &init_net) {
+ BUG_ON(proto->l3proto >= AF_MAX);
- mutex_lock(&nf_ct_proto_mutex);
- BUG_ON(rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
- lockdep_is_held(&nf_ct_proto_mutex)
- ) != proto);
- rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
- &nf_conntrack_l3proto_generic);
- nf_ct_l3proto_unregister_sysctl(proto);
- mutex_unlock(&nf_ct_proto_mutex);
+ mutex_lock(&nf_ct_proto_mutex);
+ BUG_ON(rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
+ lockdep_is_held(&nf_ct_proto_mutex)
+ ) != proto);
+ rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
+ &nf_conntrack_l3proto_generic);
+ mutex_unlock(&nf_ct_proto_mutex);
- synchronize_rcu();
+ synchronize_rcu();
+ }
+ nf_ct_l3proto_unregister_sysctl(net, proto);
/* Remove all contrack entries for this protocol */
rtnl_lock();
- for_each_net(net)
- nf_ct_iterate_cleanup(net, kill_l3proto, proto);
+ nf_ct_iterate_cleanup(net, kill_l3proto, proto);
rtnl_unlock();
}
EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
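Review bot: nf_conntrack_l3proto_register now publishes proto with rcu_assign_pointer() and releases nf_ct_proto_mutex before proto->init_net() and nf_ct_l3proto_register_sysctl() run, so when either of them fails the function returns an error but leaves proto installed in nf_ct_l3protos; the removed code registered sysctl under the mutex before the assignment and unwound on failure. The callers in this patch (nf_conntrack_l3proto_ipv4_init and the ipv6 equivalent) react to the error with goto cleanup_icmp / cleanup_icmpv6, which skip nf_conntrack_l3proto_unregister(), so the stale pointer survives the module's error path. Run init_net and the sysctl registration before the assignment, or roll the assignment back (with synchronize_rcu()) on failure. Separately, dropping the for_each_net() loop in nf_conntrack_l3proto_unregister() means the init_net caller only purges its own namespace's conntrack entries for this l3proto; entries in other namespaces now survive unless unregister is also invoked for each of them.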
--
1.7.7.6
* Re: [PATCH 03/17] netfilter: add namespace support for l3proto
2012-05-14 8:52 ` [PATCH 03/17] netfilter: add namespace support for l3proto Gao feng
@ 2012-05-23 10:29 ` Pablo Neira Ayuso
2012-05-24 1:58 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-23 10:29 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Mon, May 14, 2012 at 04:52:13PM +0800, Gao feng wrote:
> -Add struct net as a param of nf_conntrack_l3proto_(un)register.
> Register or unregister the l3proto only when the net is init_net.
>
> -The new struct nf_ip_net is used to store the sysctl header and data
> of l3proto_ipv4, l4proto_tcp(6), l4proto_udp(6), l4proto_icmp(v6).
> Because protos such as tcp and tcp6 use the same data, making
> nf_ip_net a field of netns_ct is the easiest way to manage it.
>
> -nf_ct_l3proto_register_sysctl calls init_net to initialize the pernet data
> of l3proto.
>
> -nf_ct_l3proto_net is used to get the pernet data of l3proto.
>
> -Export nf_conntrack_l3proto_(un)register.
>
> -Use init_net as the param of nf_conntrack_l3proto_(un)register.
>
> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
> include/net/netfilter/nf_conntrack_l3proto.h | 6 +-
> include/net/netns/conntrack.h | 8 ++
> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 +-
> net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 6 +-
> net/netfilter/nf_conntrack_proto.c | 127 +++++++++++++++---------
> 5 files changed, 97 insertions(+), 56 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
> index 9766005..d6df8c7 100644
> --- a/include/net/netfilter/nf_conntrack_l3proto.h
> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
> @@ -79,8 +79,10 @@ struct nf_conntrack_l3proto {
> extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX];
>
> /* Protocol registration. */
> -extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
> -extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
> +extern int nf_conntrack_l3proto_register(struct net *net,
> + struct nf_conntrack_l3proto *proto);
> +extern void nf_conntrack_l3proto_unregister(struct net *net,
> + struct nf_conntrack_l3proto *proto);
> extern struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);
> extern void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p);
>
> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> index 1f53038..94992e9 100644
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -20,6 +20,13 @@ struct nf_proto_net {
> unsigned int users;
> };
>
> +struct nf_ip_net {
> +#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
> + struct ctl_table_header *ctl_table_header;
> + struct ctl_table *ctl_table;
> +#endif
> +};
> +
> struct netns_ct {
> atomic_t count;
> unsigned int expect_count;
> @@ -40,6 +47,7 @@ struct netns_ct {
> unsigned int sysctl_log_invalid; /* Log invalid packets */
> int sysctl_auto_assign_helper;
> bool auto_assign_helper_warned;
> + struct nf_ip_net proto;
^^^^^
please, rename this to something like nf_ct_proto.
> #ifdef CONFIG_SYSCTL
> struct ctl_table_header *sysctl_header;
> struct ctl_table_header *acct_sysctl_header;
> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> index 46ec515..0c0fb90 100644
> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> @@ -409,7 +409,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
> goto cleanup_udp;
> }
>
> - ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4);
> + ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv4);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv4: can't register ipv4\n");
> goto cleanup_icmp;
> @@ -432,7 +432,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
> nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
> #endif
> cleanup_ipv4:
> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
> cleanup_icmp:
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
> cleanup_udp:
> @@ -451,7 +451,7 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
> nf_conntrack_ipv4_compat_fini();
> #endif
> nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
> diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
> index 55f379f..6cfbe7b 100644
> --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
> +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
> @@ -359,7 +359,7 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
> goto cleanup_udp;
> }
>
> - ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6);
> + ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv6);
> if (ret < 0) {
> pr_err("nf_conntrack_ipv6: can't register ipv6\n");
> goto cleanup_icmpv6;
> @@ -375,7 +375,7 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
> return ret;
>
> cleanup_ipv6:
> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
> cleanup_icmpv6:
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
> cleanup_udp:
> @@ -389,7 +389,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
> {
> synchronize_net();
> nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> index 6d68727..7ee6653 100644
> --- a/net/netfilter/nf_conntrack_proto.c
> +++ b/net/netfilter/nf_conntrack_proto.c
> @@ -170,85 +170,116 @@ static int kill_l4proto(struct nf_conn *i, void *data)
> nf_ct_l3num(i) == l4proto->l3proto;
> }
>
> -static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
> +static struct nf_ip_net *nf_ct_l3proto_net(struct net *net,
> + struct nf_conntrack_l3proto *l3proto)
> +{
> + if (l3proto->l3proto == PF_INET)
> + return &net->ct.proto;
> + else
> + return NULL;
> +}
> +
> +static int nf_ct_l3proto_register_sysctl(struct net *net,
> + struct nf_conntrack_l3proto *l3proto)
> {
> int err = 0;
> + struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
>
> -#ifdef CONFIG_SYSCTL
> - if (l3proto->ctl_table != NULL) {
> - err = nf_ct_register_sysctl(&init_net,
> - &l3proto->ctl_table_header,
> + if (in == NULL)
> + return 0;
Under what circumstances can in be NULL?
> +
> +#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
> + if (in->ctl_table != NULL) {
> + err = nf_ct_register_sysctl(net,
> + &in->ctl_table_header,
> l3proto->ctl_table_path,
> - l3proto->ctl_table, NULL);
> + in->ctl_table,
> + NULL);
> + if (err < 0) {
> + kfree(in->ctl_table);
> + in->ctl_table = NULL;
do we need this extra NULL assignment?
> + }
> }
> #endif
> return err;
> }
>
> -static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
> +static void nf_ct_l3proto_unregister_sysctl(struct net *net,
> + struct nf_conntrack_l3proto *l3proto)
> {
> -#ifdef CONFIG_SYSCTL
> - if (l3proto->ctl_table_header != NULL)
> - nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
> - &l3proto->ctl_table, NULL);
> + struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
> +
> + if (in == NULL)
> + return;
> +#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
> + if (in->ctl_table_header != NULL)
> + nf_ct_unregister_sysctl(&in->ctl_table_header,
> + &in->ctl_table,
> + NULL);
> #endif
> }
>
> -int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
> +int nf_conntrack_l3proto_register(struct net *net,
> + struct nf_conntrack_l3proto *proto)
> {
> int ret = 0;
> - struct nf_conntrack_l3proto *old;
> -
> - if (proto->l3proto >= AF_MAX)
> - return -EBUSY;
>
> - if (proto->tuple_to_nlattr && !proto->nlattr_tuple_size)
> - return -EINVAL;
> + if (net == &init_net) {
Same things as in previous patch. Move...
if (net == &init_net) {
... this code ...
}
into some static int nf_conntrack_l3proto_register_net function.
> + struct nf_conntrack_l3proto *old;
>
> - mutex_lock(&nf_ct_proto_mutex);
> - old = rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
> - lockdep_is_held(&nf_ct_proto_mutex));
> - if (old != &nf_conntrack_l3proto_generic) {
> - ret = -EBUSY;
> - goto out_unlock;
> - }
> + if (proto->l3proto >= AF_MAX)
> + return -EBUSY;
>
> - ret = nf_ct_l3proto_register_sysctl(proto);
> - if (ret < 0)
> - goto out_unlock;
> + if (proto->tuple_to_nlattr && !proto->nlattr_tuple_size)
> + return -EINVAL;
>
> - if (proto->nlattr_tuple_size)
> - proto->nla_size = 3 * proto->nlattr_tuple_size();
> + mutex_lock(&nf_ct_proto_mutex);
> + old = rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
> + lockdep_is_held(&nf_ct_proto_mutex));
> + if (old != &nf_conntrack_l3proto_generic) {
> + ret = -EBUSY;
> + goto out_unlock;
> + }
>
> - rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto);
> + if (proto->nlattr_tuple_size)
> + proto->nla_size = 3 * proto->nlattr_tuple_size();
>
> + rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto);
> out_unlock:
> - mutex_unlock(&nf_ct_proto_mutex);
> - return ret;
> + mutex_unlock(&nf_ct_proto_mutex);
> + if (ret < 0)
> + return ret;
> + }
> + if (proto->init_net) {
> + ret = proto->init_net(net);
> + if (ret < 0)
> + return ret;
> + }
> + return nf_ct_l3proto_register_sysctl(net, proto);
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_register);
>
> -void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
> +void nf_conntrack_l3proto_unregister(struct net *net,
> + struct nf_conntrack_l3proto *proto)
> {
> - struct net *net;
> -
> - BUG_ON(proto->l3proto >= AF_MAX);
> + if (net == &init_net) {
> + BUG_ON(proto->l3proto >= AF_MAX);
Same thing as above.
>
> - mutex_lock(&nf_ct_proto_mutex);
> - BUG_ON(rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
> - lockdep_is_held(&nf_ct_proto_mutex)
> - ) != proto);
> - rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
> - &nf_conntrack_l3proto_generic);
> - nf_ct_l3proto_unregister_sysctl(proto);
> - mutex_unlock(&nf_ct_proto_mutex);
> + mutex_lock(&nf_ct_proto_mutex);
> + BUG_ON(rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
> + lockdep_is_held(&nf_ct_proto_mutex)
> + ) != proto);
> + rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
> + &nf_conntrack_l3proto_generic);
> + mutex_unlock(&nf_ct_proto_mutex);
>
> - synchronize_rcu();
> + synchronize_rcu();
> + }
> + nf_ct_l3proto_unregister_sysctl(net, proto);
>
> /* Remove all contrack entries for this protocol */
> rtnl_lock();
> - for_each_net(net)
> - nf_ct_iterate_cleanup(net, kill_l3proto, proto);
> + nf_ct_iterate_cleanup(net, kill_l3proto, proto);
> rtnl_unlock();
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
> --
> 1.7.7.6
>
* Re: [PATCH 03/17] netfilter: add namespace support for l3proto
2012-05-23 10:29 ` Pablo Neira Ayuso
@ 2012-05-24 1:58 ` Gao feng
2012-05-24 10:04 ` Pablo Neira Ayuso
0 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-24 1:58 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-23 18:29, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2012 at 04:52:13PM +0800, Gao feng wrote:
>> -Add struct net as a param of nf_conntrack_l3proto_(un)register.
>> Register or unregister the l3proto only when the net is init_net.
>>
>> -The new struct nf_ip_net is used to store the sysctl header and data
>> of l3proto_ipv4, l4proto_tcp(6), l4proto_udp(6), l4proto_icmp(v6).
>> Because protos such as tcp and tcp6 use the same data, making
>> nf_ip_net a field of netns_ct is the easiest way to manage it.
>>
>> -nf_ct_l3proto_register_sysctl calls init_net to initialize the pernet data
>> of l3proto.
>>
>> -nf_ct_l3proto_net is used to get the pernet data of l3proto.
>>
>> -Export nf_conntrack_l3proto_(un)register.
>>
>> -Use init_net as the param of nf_conntrack_l3proto_(un)register.
>>
>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>> ---
>> include/net/netfilter/nf_conntrack_l3proto.h | 6 +-
>> include/net/netns/conntrack.h | 8 ++
>> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 +-
>> net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 6 +-
>> net/netfilter/nf_conntrack_proto.c | 127 +++++++++++++++---------
>> 5 files changed, 97 insertions(+), 56 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
>> index 9766005..d6df8c7 100644
>> --- a/include/net/netfilter/nf_conntrack_l3proto.h
>> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
>> @@ -79,8 +79,10 @@ struct nf_conntrack_l3proto {
>> extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX];
>>
>> /* Protocol registration. */
>> -extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
>> -extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
>> +extern int nf_conntrack_l3proto_register(struct net *net,
>> + struct nf_conntrack_l3proto *proto);
>> +extern void nf_conntrack_l3proto_unregister(struct net *net,
>> + struct nf_conntrack_l3proto *proto);
>> extern struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);
>> extern void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p);
>>
>> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
>> index 1f53038..94992e9 100644
>> --- a/include/net/netns/conntrack.h
>> +++ b/include/net/netns/conntrack.h
>> @@ -20,6 +20,13 @@ struct nf_proto_net {
>> unsigned int users;
>> };
>>
>> +struct nf_ip_net {
>> +#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
>> + struct ctl_table_header *ctl_table_header;
>> + struct ctl_table *ctl_table;
>> +#endif
>> +};
>> +
>> struct netns_ct {
>> atomic_t count;
>> unsigned int expect_count;
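Review bot: `struct nf_ip_net` degenerates to an empty struct when CONFIG_SYSCTL or CONFIG_NF_CONNTRACK_PROC_COMPAT is off, and `nf_ct_l3proto_net()` later in this patch returns it only for PF_INET; a one-line comment on the struct ("per-net l3proto compat sysctl state, IPv4 only") would make that explicit, and the name reads as "IP in general" while it holds only the IPv4 compat tables.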
>> @@ -40,6 +47,7 @@ struct netns_ct {
>> unsigned int sysctl_log_invalid; /* Log invalid packets */
>> int sysctl_auto_assign_helper;
>> bool auto_assign_helper_warned;
>> + struct nf_ip_net proto;
> ^^^^^
> please, rename this to something like nf_ct_proto.
Get it ;)
>
>> #ifdef CONFIG_SYSCTL
>> struct ctl_table_header *sysctl_header;
>> struct ctl_table_header *acct_sysctl_header;
>> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
>> index 46ec515..0c0fb90 100644
>> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
>> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
>> @@ -409,7 +409,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
>> goto cleanup_udp;
>> }
>>
>> - ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4);
>> + ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv4);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv4: can't register ipv4\n");
>> goto cleanup_icmp;
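Review bot: passing `&init_net` from module init means the l3proto's per-net compat sysctl is created only for the initial namespace; namespaces created after module load get no `net->ct.proto` sysctl unless a pernet_operations init/exit pair is added, which this patch does not do. If a later patch in the series adds it, say so in the commit message so the intermediate state is understood.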
>> @@ -432,7 +432,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
>> nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
>> #endif
>> cleanup_ipv4:
>> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
>> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
>> cleanup_icmp:
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
>> cleanup_udp:
>> @@ -451,7 +451,7 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
>> nf_conntrack_ipv4_compat_fini();
>> #endif
>> nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
>> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
>> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
>> diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
>> index 55f379f..6cfbe7b 100644
>> --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
>> +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
>> @@ -359,7 +359,7 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
>> goto cleanup_udp;
>> }
>>
>> - ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6);
>> + ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv6);
>> if (ret < 0) {
>> pr_err("nf_conntrack_ipv6: can't register ipv6\n");
>> goto cleanup_icmpv6;
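Review bot: for PF_INET6 the `net` argument is effectively unused, since `nf_ct_l3proto_net()` returns NULL for anything but PF_INET and both sysctl helpers return early on NULL; worth a short comment here (or next to `nf_ct_l3proto_net()`) so readers don't look for IPv6 per-net sysctl state that does not exist.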
>> @@ -375,7 +375,7 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
>> return ret;
>>
>> cleanup_ipv6:
>> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
>> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
>> cleanup_icmpv6:
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
>> cleanup_udp:
>> @@ -389,7 +389,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
>> {
>> synchronize_net();
>> nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
>> - nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
>> + nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
>> nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
>> index 6d68727..7ee6653 100644
>> --- a/net/netfilter/nf_conntrack_proto.c
>> +++ b/net/netfilter/nf_conntrack_proto.c
>> @@ -170,85 +170,116 @@ static int kill_l4proto(struct nf_conn *i, void *data)
>> nf_ct_l3num(i) == l4proto->l3proto;
>> }
>>
>> -static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
>> +static struct nf_ip_net *nf_ct_l3proto_net(struct net *net,
>> + struct nf_conntrack_l3proto *l3proto)
>> +{
>> + if (l3proto->l3proto == PF_INET)
>> + return &net->ct.proto;
>> + else
>> + return NULL;
>> +}
>> +
>> +static int nf_ct_l3proto_register_sysctl(struct net *net,
>> + struct nf_conntrack_l3proto *l3proto)
>> {
>> int err = 0;
>> + struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
>>
>> -#ifdef CONFIG_SYSCTL
>> - if (l3proto->ctl_table != NULL) {
>> - err = nf_ct_register_sysctl(&init_net,
>> - &l3proto->ctl_table_header,
>> + if (in == NULL)
>> + return 0;
>
> Under what circumstances can in be NULL?
Because l3proto_ipv6 doesn't need sysctl, l3proto_ipv6's nf_ip_net is NULL;
please see the function nf_ct_l3proto_net above.
>
>> +
>> +#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
>> + if (in->ctl_table != NULL) {
>> + err = nf_ct_register_sysctl(net,
>> + &in->ctl_table_header,
>> l3proto->ctl_table_path,
>> - l3proto->ctl_table, NULL);
>> + in->ctl_table,
>> + NULL);
>> + if (err < 0) {
>> + kfree(in->ctl_table);
>> + in->ctl_table = NULL;
>
> do we need this extra NULL assignment?
>
>> + }
>> }
>> #endif
>> return err;
>> }
>>
>> -static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
>> +static void nf_ct_l3proto_unregister_sysctl(struct net *net,
>> + struct nf_conntrack_l3proto *l3proto)
>> {
>> -#ifdef CONFIG_SYSCTL
>> - if (l3proto->ctl_table_header != NULL)
>> - nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
>> - &l3proto->ctl_table, NULL);
>> + struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
>> +
>> + if (in == NULL)
>> + return;
>> +#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
>> + if (in->ctl_table_header != NULL)
>> + nf_ct_unregister_sysctl(&in->ctl_table_header,
>> + &in->ctl_table,
>> + NULL);
>> #endif
>> }
>>
>> -int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
>> +int nf_conntrack_l3proto_register(struct net *net,
>> + struct nf_conntrack_l3proto *proto)
>> {
>> int ret = 0;
>> - struct nf_conntrack_l3proto *old;
>> -
>> - if (proto->l3proto >= AF_MAX)
>> - return -EBUSY;
>>
>> - if (proto->tuple_to_nlattr && !proto->nlattr_tuple_size)
>> - return -EINVAL;
>> + if (net == &init_net) {
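Review bot: `kfree(in->ctl_table)` on the `nf_ct_register_sysctl()` error path frees memory this function never allocated, and nothing in this hunk shows who fills `in->ctl_table` (presumably the l3proto's init_net hook), so please document the ownership rule next to `struct nf_ip_net` and make sure the allocator's own error path cannot free it a second time. On the related question above: the `in->ctl_table = NULL;` assignment is worth keeping, because `in` is per-net state that outlives this call and `nf_ct_l3proto_unregister_sysctl()` only tests `ctl_table_header`, so a stale `ctl_table` pointer would otherwise survive in the namespace.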
>
> Same things as in previous patch. Move...
>
> if (net == &init_net) {
> ... this code ...
> }
>
> into some static int nf_conntrack_l3proto_register_net function.
>
Get it.
thanks
^ permalink raw reply [flat|nested] 52+ messages in thread
* Re: [PATCH 03/17] netfilter: add namespace support for l3proto
2012-05-24 1:58 ` Gao feng
@ 2012-05-24 10:04 ` Pablo Neira Ayuso
2012-05-24 10:57 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-24 10:04 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Thu, May 24, 2012 at 09:58:02AM +0800, Gao feng wrote:
> On 2012-05-23 18:29, Pablo Neira Ayuso wrote:
> > On Mon, May 14, 2012 at 04:52:13PM +0800, Gao feng wrote:
[...]
> >> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> >> index 6d68727..7ee6653 100644
> >> --- a/net/netfilter/nf_conntrack_proto.c
> >> +++ b/net/netfilter/nf_conntrack_proto.c
> >> @@ -170,85 +170,116 @@ static int kill_l4proto(struct nf_conn *i, void *data)
> >> nf_ct_l3num(i) == l4proto->l3proto;
> >> }
> >>
> >> -static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
> >> +static struct nf_ip_net *nf_ct_l3proto_net(struct net *net,
> >> + struct nf_conntrack_l3proto *l3proto)
> >> +{
> >> + if (l3proto->l3proto == PF_INET)
> >> + return &net->ct.proto;
> >> + else
> >> + return NULL;
> >> +}
> >> +
> >> +static int nf_ct_l3proto_register_sysctl(struct net *net,
> >> + struct nf_conntrack_l3proto *l3proto)
> >> {
> >> int err = 0;
> >> + struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
> >>
> >> -#ifdef CONFIG_SYSCTL
> >> - if (l3proto->ctl_table != NULL) {
> >> - err = nf_ct_register_sysctl(&init_net,
> >> - &l3proto->ctl_table_header,
> >> + if (in == NULL)
> >> + return 0;
> >
> > Under what circumstances can in be NULL?
>
> Because l3proto_ipv6 doesn't need sysctl, l3proto_ipv6's nf_ip_net is NULL;
> please see the function nf_ct_l3proto_net above.
Then, please add a comment there to explain that some per-net protocol
information may be missing since no sysctl is supported.
^ permalink raw reply [flat|nested] 52+ messages in thread
* Re: [PATCH 03/17] netfilter: add namespace support for l3proto
2012-05-24 10:04 ` Pablo Neira Ayuso
@ 2012-05-24 10:57 ` Gao feng
0 siblings, 0 replies; 52+ messages in thread
From: Gao feng @ 2012-05-24 10:57 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-24 18:04, Pablo Neira Ayuso wrote:
> On Thu, May 24, 2012 at 09:58:02AM +0800, Gao feng wrote:
>> On 2012-05-23 18:29, Pablo Neira Ayuso wrote:
>>> On Mon, May 14, 2012 at 04:52:13PM +0800, Gao feng wrote:
> [...]
>>>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
>>>> index 6d68727..7ee6653 100644
>>>> --- a/net/netfilter/nf_conntrack_proto.c
>>>> +++ b/net/netfilter/nf_conntrack_proto.c
>>>> @@ -170,85 +170,116 @@ static int kill_l4proto(struct nf_conn *i, void *data)
>>>> nf_ct_l3num(i) == l4proto->l3proto;
>>>> }
>>>>
>>>> -static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
>>>> +static struct nf_ip_net *nf_ct_l3proto_net(struct net *net,
>>>> + struct nf_conntrack_l3proto *l3proto)
>>>> +{
>>>> + if (l3proto->l3proto == PF_INET)
>>>> + return &net->ct.proto;
>>>> + else
>>>> + return NULL;
>>>> +}
>>>> +
>>>> +static int nf_ct_l3proto_register_sysctl(struct net *net,
>>>> + struct nf_conntrack_l3proto *l3proto)
>>>> {
>>>> int err = 0;
>>>> + struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
>>>>
>>>> -#ifdef CONFIG_SYSCTL
>>>> - if (l3proto->ctl_table != NULL) {
>>>> - err = nf_ct_register_sysctl(&init_net,
>>>> - &l3proto->ctl_table_header,
>>>> + if (in == NULL)
>>>> + return 0;
>>>
>>> Under what circumstances can in be NULL?
>>
>> Because l3proto_ipv6 doesn't need sysctl, l3proto_ipv6's nf_ip_net is NULL;
>> please see the function nf_ct_l3proto_net above.
>
> Then, please add a comment there to explain that some per-net protocol
> information may be missing since no sysctl is supported.
Yes, I will add a comment to make it clearer ;)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 52+ messages in thread
* [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
` (2 preceding siblings ...)
2012-05-14 8:52 ` [PATCH 03/17] netfilter: add namespace support for l3proto Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-23 10:32 ` Pablo Neira Ayuso
2012-05-14 8:52 ` [PATCH 05/17] netfilter: add namespace support for l4proto_tcp Gao feng
` (14 subsequent siblings)
18 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Implement and export nf_conntrack_proto_generic_[init,fini];
nf_conntrack_[init,cleanup]_net call them to register or unregister
the sysctl of the generic proto.
Implement generic_net_init, which is used to initialize the pernet
data for the generic proto.
And use nf_generic_net.timeout to replace nf_ct_generic_timeout in
the get_timeouts function.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +
include/net/netns/conntrack.h | 6 +++
net/netfilter/nf_conntrack_core.c | 8 +++-
net/netfilter/nf_conntrack_proto.c | 21 +++++-----
net/netfilter/nf_conntrack_proto_generic.c | 55 ++++++++++++++++++++++++-
5 files changed, 76 insertions(+), 16 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index a93dcd5..0d329b9 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -118,6 +118,8 @@ struct nf_conntrack_l4proto {
/* Existing built-in generic protocol */
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
+extern int nf_conntrack_proto_generic_init(struct net *net);
+extern void nf_conntrack_proto_generic_fini(struct net *net);
#define MAX_NF_CT_PROTO 256
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 94992e9..3381b80 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -20,7 +20,13 @@ struct nf_proto_net {
unsigned int users;
};
+struct nf_generic_net {
+ struct nf_proto_net pn;
+ unsigned int timeout;
+};
+
struct nf_ip_net {
+ struct nf_generic_net generic;
#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
struct ctl_table_header *ctl_table_header;
struct ctl_table *ctl_table;
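Review bot: `struct nf_generic_net` embeds `struct nf_proto_net pn` as its first member and the rest of the patch depends on that with plain casts (`(struct nf_proto_net *)&net->ct.proto.generic` in nf_ct_l4proto_net(), `(struct nf_proto_net *)gn` in generic_init_net()); add a comment that `pn` must stay first, or better take `&gn->pn` directly and use container_of() for the reverse direction so a later field reordering cannot silently break it.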
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 32c5909..fd33e91 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1353,6 +1353,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
}
nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
+ nf_conntrack_proto_generic_fini(net);
nf_conntrack_helper_fini(net);
nf_conntrack_timeout_fini(net);
nf_conntrack_ecache_fini(net);
@@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
ret = nf_conntrack_helper_init(net);
if (ret < 0)
goto err_helper;
-
+ ret = nf_conntrack_proto_generic_init(net);
+ if (ret < 0)
+ goto err_generic;
return 0;
-
+err_generic:
+ nf_conntrack_helper_fini(net);
err_helper:
nf_conntrack_timeout_fini(net);
err_timeout:
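Review bot: the unwind order is right (err_generic undoes helper_init, matching the reverse order used in nf_conntrack_cleanup_net()), but the two removed blank lines before `return 0;` and before the first error label are unrelated whitespace churn; keep them so the hunk is only the functional change.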
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 7ee6653..9b4bf6d 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
struct nf_conntrack_l4proto *l4proto)
{
- if (l4proto->net_id)
- return net_generic(net, *l4proto->net_id);
- else
- return NULL;
+ switch (l4proto->l4proto) {
+ case 255: /* l4proto_generic */
+ return (struct nf_proto_net *)&net->ct.proto.generic;
+ default:
+ if (l4proto->net_id)
+ return net_generic(net, *l4proto->net_id);
+ else
+ return NULL;
+ }
+ return NULL;
}
int nf_ct_l4proto_register_sysctl(struct net *net,
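Review bot: `case 255:` dispatches on the protocol number rather than on identity, so any l4proto registered with `.l4proto = 255` would be handed the generic proto's per-net data; compare `l4proto == &nf_conntrack_l4proto_generic` instead, or at least give 255 a named constant beside `nf_conntrack_l4proto_generic`. The trailing `return NULL;` after the switch is unreachable since both arms return.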
@@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
int nf_conntrack_proto_init(void)
{
unsigned int i;
- int err;
-
- err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
- if (err < 0)
- return err;
for (i = 0; i < AF_MAX; i++)
rcu_assign_pointer(nf_ct_l3protos[i],
@@ -473,8 +474,6 @@ void nf_conntrack_proto_fini(void)
{
unsigned int i;
- nf_ct_l4proto_unregister_sysctl(&init_net, &nf_conntrack_l4proto_generic);
-
/* free l3proto protocol tables */
for (i = 0; i < PF_MAX; i++)
kfree(nf_ct_protos[i]);
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index d8923d5..7976a64 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -14,6 +14,11 @@
static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+static inline struct nf_generic_net *generic_pernet(struct net *net)
+{
+ return &net->ct.proto.generic;
+}
+
static bool generic_pkt_to_tuple(const struct sk_buff *skb,
unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
@@ -42,7 +47,7 @@ static int generic_print_tuple(struct seq_file *s,
static unsigned int *generic_get_timeouts(struct net *net)
{
- return &nf_ct_generic_timeout;
+ return &(generic_pernet(net)->timeout);
}
/* Returns verdict for packet, or -1 for invalid. */
@@ -110,7 +115,6 @@ static struct ctl_table_header *generic_sysctl_header;
static struct ctl_table generic_sysctl_table[] = {
{
.procname = "nf_conntrack_generic_timeout",
- .data = &nf_ct_generic_timeout,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
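Review bot: with `.data` gone from the template and the header now living in the per-net `nf_proto_net`, the file-scope `generic_sysctl_header` shown in the hunk header looks unused; if nothing else references it, remove it in this patch rather than leaving a dangling global (and an unused-variable warning).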
@@ -121,7 +125,6 @@ static struct ctl_table generic_sysctl_table[] = {
static struct ctl_table generic_compat_sysctl_table[] = {
{
.procname = "ip_conntrack_generic_timeout",
- .data = &nf_ct_generic_timeout,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -131,10 +134,39 @@ static struct ctl_table generic_compat_sysctl_table[] = {
#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
#endif /* CONFIG_SYSCTL */
+static int generic_init_net(struct net *net, u_int8_t compat)
+{
+ struct nf_generic_net *gn = generic_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)gn;
+ gn->timeout = nf_ct_generic_timeout;
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(generic_sysctl_table,
+ sizeof(generic_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table)
+ return -ENOMEM;
+ pn->ctl_table[0].data = &gn->timeout;
+
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ pn->ctl_compat_table = kmemdup(generic_compat_sysctl_table,
+ sizeof(generic_compat_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_compat_table) {
+ kfree(pn->ctl_table);
+ pn->ctl_table = NULL;
+ return -ENOMEM;
+ }
+ pn->ctl_compat_table[0].data = &gn->timeout;
+#endif
+#endif
+ return 0;
+}
+
struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
{
.l3proto = PF_UNSPEC,
.l4proto = 255,
+ .compat = 1,
.name = "unknown",
.pkt_to_tuple = generic_pkt_to_tuple,
.invert_tuple = generic_invert_tuple,
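Review bot: the `compat` parameter of `generic_init_net()` is never read; the compat table is duplicated purely on `#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT`, so either drop the parameter or use it to skip the compat kmemdup for protocols with `.compat = 0`. The commit message calls this function generic_net_init while the code says generic_init_net. Also note that kmemdup copies every entry's `.data`, so rebinding only `[0]` is fine for this one-entry table but will not scale to the multi-entry TCP/UDP tables; a loop that rebinds each entry (or a check that no `.data` stays global) would keep a namespace from silently sharing a module-wide variable.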
@@ -158,4 +190,21 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
.ctl_compat_table = generic_compat_sysctl_table,
#endif
#endif
+ .init_net = generic_init_net,
};
+
+int nf_conntrack_proto_generic_init(struct net *net)
+{
+ int ret = 0;
+ ret = generic_init_net(net, nf_conntrack_l4proto_generic.compat);
+ if (ret < 0)
+ return ret;
+ return nf_ct_l4proto_register_sysctl(net,
+ &nf_conntrack_l4proto_generic);
+}
+
+void nf_conntrack_proto_generic_fini(struct net *net)
+{
+ nf_ct_l4proto_unregister_sysctl(net,
+ &nf_conntrack_l4proto_generic);
+}
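Review bot: `nf_conntrack_proto_generic_init()` returns the error from `nf_ct_l4proto_register_sysctl()` without undoing `generic_init_net()`, so the kmemdup'd `ctl_table`/`ctl_compat_table` leak for that namespace unless `nf_ct_l4proto_register_sysctl()` frees them on failure (not visible in this patch); free them here, or call `nf_conntrack_proto_generic_fini()` on that path. Also the commit message says these two functions are exported, but no EXPORT_SYMBOL_GPL appears in this hunk; if the only caller is nf_conntrack_core.c in the same module, adjust the message.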
--
1.7.7.6
^ permalink raw reply related [flat|nested] 52+ messages in thread
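The patch above (and the l3proto one before it) moves the sysctl table from a single global with a fixed `.data` pointer to a per-namespace kmemdup'd copy whose `.data` is rebound to that namespace's own storage. The following is an added example, not code from the patch or from the kernel: a userspace C model of that pattern. `struct ctl_table`, `struct net`, `HZ` and `kmemdup()` are simplified stand-ins (assumptions made for the demo), and the two namespaces and the written value are constructed input. It checks the property a reviewer of this series wants to hold: a privileged writer inside one namespace changing `nf_conntrack_generic_timeout` cannot alter another namespace's timeout, the module-wide default, or the shared template, because the handler only ever writes through the per-net copy's `.data`.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define HZ 100	/* assumed tick rate, only for the arithmetic */

/* Simplified stand-ins for the kernel structures (assumption: demo shapes). */
struct ctl_table {
	const char *procname;
	void *data;		/* NULL in the template, bound per namespace */
	int maxlen;
	int mode;
};

struct nf_proto_net {
	struct ctl_table *ctl_table;	/* this namespace's private copy */
	unsigned int users;
};

struct nf_generic_net {
	struct nf_proto_net pn;		/* first member: the patch casts gn to pn */
	unsigned int timeout;
};

struct net {
	struct nf_generic_net generic;	/* stands in for net->ct.proto.generic */
};

static unsigned int nf_ct_generic_timeout = 600 * HZ;	/* module-wide default */

/* Shared template. .data is deliberately left NULL; the all-zero entry terminates it. */
static const struct ctl_table generic_sysctl_table[] = {
	{ .procname = "nf_conntrack_generic_timeout",
	  .maxlen = sizeof(unsigned int), .mode = 0644 },
	{ NULL },
};

/* malloc-backed stand-in for the kernel's kmemdup(). */
static void *kmemdup(const void *src, size_t len)
{
	void *p = malloc(len);

	if (p)
		memcpy(p, src, len);
	return p;
}

/* Mirrors generic_init_net(): copy the template, then bind .data to this net. */
int generic_init_net(struct net *net)
{
	struct nf_generic_net *gn = &net->generic;
	struct nf_proto_net *pn = &gn->pn;

	gn->timeout = nf_ct_generic_timeout;
	pn->ctl_table = kmemdup(generic_sysctl_table, sizeof(generic_sysctl_table));
	if (!pn->ctl_table)
		return -ENOMEM;
	pn->ctl_table[0].data = &gn->timeout;
	return 0;
}

/* Frees the per-net copy; the template is untouched. */
void generic_fini_net(struct net *net)
{
	free(net->generic.pn.ctl_table);
	net->generic.pn.ctl_table = NULL;
}

/* Stand-in for a sysctl write: the handler only ever sees the entry's .data. */
int sysctl_write_uint(struct net *net, const char *procname, unsigned int val)
{
	struct ctl_table *t;

	for (t = net->generic.pn.ctl_table; t && t->procname; t++) {
		if (strcmp(t->procname, procname) == 0) {
			*(unsigned int *)t->data = val;
			return 0;
		}
	}
	return -ENOENT;
}

/* Mirrors generic_get_timeouts() after the patch. */
unsigned int *generic_get_timeouts(struct net *net)
{
	return &net->generic.timeout;
}

/*
 * Constructed scenario: two namespaces, one write in "a" only. Returns 1 when
 * every isolation property holds, 0 otherwise.
 */
int demo_isolation(void)
{
	struct net a, b;
	int ok;

	memset(&a, 0, sizeof(a));
	memset(&b, 0, sizeof(b));
	ok = generic_init_net(&a) == 0 && generic_init_net(&b) == 0
	  && sysctl_write_uint(&a, "nf_conntrack_generic_timeout", 30 * HZ) == 0
	  && *generic_get_timeouts(&a) == 30 * HZ	/* a sees its own write */
	  && *generic_get_timeouts(&b) == 600 * HZ	/* b untouched */
	  && nf_ct_generic_timeout == 600 * HZ		/* module default untouched */
	  && generic_sysctl_table[0].data == NULL;	/* template never bound */
	generic_fini_net(&a);	/* free(NULL) is safe if an init failed */
	generic_fini_net(&b);
	return ok;
}
```

The model keeps the patch's "first member" trick (`pn` at offset zero of `nf_generic_net`) but reaches it as `&gn->pn` rather than through a cast; in real kernel code `container_of()` is the idiomatic way back from `pn` to `gn`. The same rebinding discipline is what the l3proto patch needs for `nf_ip_net`: any template entry whose `.data` is not rebound after kmemdup still points at a module-wide variable shared by every namespace.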
* Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-14 8:52 ` [PATCH 04/17] netfilter: add namespace support for l4proto_generic Gao feng
@ 2012-05-23 10:32 ` Pablo Neira Ayuso
2012-05-24 1:13 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-23 10:32 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Mon, May 14, 2012 at 04:52:14PM +0800, Gao feng wrote:
> Implement and export nf_conntrack_proto_generic_[init,fini];
> nf_conntrack_[init,cleanup]_net call them to register or unregister
> the sysctl of the generic proto.
>
> Implement generic_net_init, which is used to initialize the pernet
> data for the generic proto.
>
> And use nf_generic_net.timeout to replace nf_ct_generic_timeout in
> the get_timeouts function.
>
> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
> include/net/netfilter/nf_conntrack_l4proto.h | 2 +
> include/net/netns/conntrack.h | 6 +++
> net/netfilter/nf_conntrack_core.c | 8 +++-
> net/netfilter/nf_conntrack_proto.c | 21 +++++-----
> net/netfilter/nf_conntrack_proto_generic.c | 55 ++++++++++++++++++++++++-
> 5 files changed, 76 insertions(+), 16 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> index a93dcd5..0d329b9 100644
> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> @@ -118,6 +118,8 @@ struct nf_conntrack_l4proto {
>
> /* Existing built-in generic protocol */
> extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
> +extern int nf_conntrack_proto_generic_init(struct net *net);
> +extern void nf_conntrack_proto_generic_fini(struct net *net);
>
> #define MAX_NF_CT_PROTO 256
>
> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> index 94992e9..3381b80 100644
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -20,7 +20,13 @@ struct nf_proto_net {
> unsigned int users;
> };
>
> +struct nf_generic_net {
> + struct nf_proto_net pn;
> + unsigned int timeout;
> +};
> +
> struct nf_ip_net {
> + struct nf_generic_net generic;
> #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
> struct ctl_table_header *ctl_table_header;
> struct ctl_table *ctl_table;
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index 32c5909..fd33e91 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -1353,6 +1353,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
> }
>
> nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
> + nf_conntrack_proto_generic_fini(net);
> nf_conntrack_helper_fini(net);
> nf_conntrack_timeout_fini(net);
> nf_conntrack_ecache_fini(net);
> @@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
> ret = nf_conntrack_helper_init(net);
> if (ret < 0)
> goto err_helper;
> -
> + ret = nf_conntrack_proto_generic_init(net);
> + if (ret < 0)
> + goto err_generic;
> return 0;
> -
> +err_generic:
> + nf_conntrack_helper_fini(net);
> err_helper:
> nf_conntrack_timeout_fini(net);
> err_timeout:
> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> index 7ee6653..9b4bf6d 100644
> --- a/net/netfilter/nf_conntrack_proto.c
> +++ b/net/netfilter/nf_conntrack_proto.c
> @@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
> static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
> struct nf_conntrack_l4proto *l4proto)
> {
> - if (l4proto->net_id)
> - return net_generic(net, *l4proto->net_id);
> - else
> - return NULL;
> + switch (l4proto->l4proto) {
> + case 255: /* l4proto_generic */
> + return (struct nf_proto_net *)&net->ct.proto.generic;
> + default:
> + if (l4proto->net_id)
> + return net_generic(net, *l4proto->net_id);
> + else
> + return NULL;
> + }
> + return NULL;
> }
>
> int nf_ct_l4proto_register_sysctl(struct net *net,
> @@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
> int nf_conntrack_proto_init(void)
> {
> unsigned int i;
> - int err;
> -
> - err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
> - if (err < 0)
> - return err;
I like that all protocols' sysctls are registered by
nf_conntrack_proto_init. Can you keep using that?
> for (i = 0; i < AF_MAX; i++)
> rcu_assign_pointer(nf_ct_l3protos[i],
> @@ -473,8 +474,6 @@ void nf_conntrack_proto_fini(void)
> {
> unsigned int i;
>
> - nf_ct_l4proto_unregister_sysctl(&init_net, &nf_conntrack_l4proto_generic);
> -
> /* free l3proto protocol tables */
> for (i = 0; i < PF_MAX; i++)
> kfree(nf_ct_protos[i]);
> diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
> index d8923d5..7976a64 100644
> --- a/net/netfilter/nf_conntrack_proto_generic.c
> +++ b/net/netfilter/nf_conntrack_proto_generic.c
> @@ -14,6 +14,11 @@
>
> static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
>
> +static inline struct nf_generic_net *generic_pernet(struct net *net)
> +{
> + return &net->ct.proto.generic;
> +}
> +
> static bool generic_pkt_to_tuple(const struct sk_buff *skb,
> unsigned int dataoff,
> struct nf_conntrack_tuple *tuple)
> @@ -42,7 +47,7 @@ static int generic_print_tuple(struct seq_file *s,
>
> static unsigned int *generic_get_timeouts(struct net *net)
> {
> - return &nf_ct_generic_timeout;
> + return &(generic_pernet(net)->timeout);
> }
>
> /* Returns verdict for packet, or -1 for invalid. */
> @@ -110,7 +115,6 @@ static struct ctl_table_header *generic_sysctl_header;
> static struct ctl_table generic_sysctl_table[] = {
> {
> .procname = "nf_conntrack_generic_timeout",
> - .data = &nf_ct_generic_timeout,
> .maxlen = sizeof(unsigned int),
> .mode = 0644,
> .proc_handler = proc_dointvec_jiffies,
> @@ -121,7 +125,6 @@ static struct ctl_table generic_sysctl_table[] = {
> static struct ctl_table generic_compat_sysctl_table[] = {
> {
> .procname = "ip_conntrack_generic_timeout",
> - .data = &nf_ct_generic_timeout,
> .maxlen = sizeof(unsigned int),
> .mode = 0644,
> .proc_handler = proc_dointvec_jiffies,
> @@ -131,10 +134,39 @@ static struct ctl_table generic_compat_sysctl_table[] = {
> #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> #endif /* CONFIG_SYSCTL */
>
> +static int generic_init_net(struct net *net, u_int8_t compat)
> +{
> + struct nf_generic_net *gn = generic_pernet(net);
> + struct nf_proto_net *pn = (struct nf_proto_net *)gn;
> + gn->timeout = nf_ct_generic_timeout;
> +#ifdef CONFIG_SYSCTL
> + pn->ctl_table = kmemdup(generic_sysctl_table,
> + sizeof(generic_sysctl_table),
> + GFP_KERNEL);
> + if (!pn->ctl_table)
> + return -ENOMEM;
> + pn->ctl_table[0].data = &gn->timeout;
> +
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> + pn->ctl_compat_table = kmemdup(generic_compat_sysctl_table,
> + sizeof(generic_compat_sysctl_table),
> + GFP_KERNEL);
> + if (!pn->ctl_compat_table) {
> + kfree(pn->ctl_table);
> + pn->ctl_table = NULL;
> + return -ENOMEM;
> + }
> + pn->ctl_compat_table[0].data = &gn->timeout;
> +#endif
> +#endif
> + return 0;
> +}
> +
> struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
> {
> .l3proto = PF_UNSPEC,
> .l4proto = 255,
> + .compat = 1,
> .name = "unknown",
> .pkt_to_tuple = generic_pkt_to_tuple,
> .invert_tuple = generic_invert_tuple,
> @@ -158,4 +190,21 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
> .ctl_compat_table = generic_compat_sysctl_table,
> #endif
> #endif
> + .init_net = generic_init_net,
> };
> +
> +int nf_conntrack_proto_generic_init(struct net *net)
> +{
> + int ret = 0;
> + ret = generic_init_net(net, nf_conntrack_l4proto_generic.compat);
> + if (ret < 0)
> + return ret;
> + return nf_ct_l4proto_register_sysctl(net,
> + &nf_conntrack_l4proto_generic);
> +}
> +
> +void nf_conntrack_proto_generic_fini(struct net *net)
> +{
> + nf_ct_l4proto_unregister_sysctl(net,
> + &nf_conntrack_l4proto_generic);
> +}
> --
> 1.7.7.6
>
^ permalink raw reply [flat|nested] 52+ messages in thread
* Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-23 10:32 ` Pablo Neira Ayuso
@ 2012-05-24 1:13 ` Gao feng
2012-05-24 9:52 ` Pablo Neira Ayuso
0 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-24 1:13 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-23 18:32, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2012 at 04:52:14PM +0800, Gao feng wrote:
>> Implement and export nf_conntrack_proto_generic_[init,fini];
>> nf_conntrack_[init,cleanup]_net call them to register or unregister
>> the sysctl of the generic proto.
>>
>> Implement generic_net_init, which is used to initialize the pernet
>> data for the generic proto.
>>
>> And use nf_generic_net.timeout to replace nf_ct_generic_timeout in
>> the get_timeouts function.
>>
>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>> ---
>> include/net/netfilter/nf_conntrack_l4proto.h | 2 +
>> include/net/netns/conntrack.h | 6 +++
>> net/netfilter/nf_conntrack_core.c | 8 +++-
>> net/netfilter/nf_conntrack_proto.c | 21 +++++-----
>> net/netfilter/nf_conntrack_proto_generic.c | 55 ++++++++++++++++++++++++-
>> 5 files changed, 76 insertions(+), 16 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
>> index a93dcd5..0d329b9 100644
>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
>> @@ -118,6 +118,8 @@ struct nf_conntrack_l4proto {
>>
>> /* Existing built-in generic protocol */
>> extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
>> +extern int nf_conntrack_proto_generic_init(struct net *net);
>> +extern void nf_conntrack_proto_generic_fini(struct net *net);
>>
>> #define MAX_NF_CT_PROTO 256
>>
>> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
>> index 94992e9..3381b80 100644
>> --- a/include/net/netns/conntrack.h
>> +++ b/include/net/netns/conntrack.h
>> @@ -20,7 +20,13 @@ struct nf_proto_net {
>> unsigned int users;
>> };
>>
>> +struct nf_generic_net {
>> + struct nf_proto_net pn;
>> + unsigned int timeout;
>> +};
>> +
>> struct nf_ip_net {
>> + struct nf_generic_net generic;
>> #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
>> struct ctl_table_header *ctl_table_header;
>> struct ctl_table *ctl_table;
>> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>> index 32c5909..fd33e91 100644
>> --- a/net/netfilter/nf_conntrack_core.c
>> +++ b/net/netfilter/nf_conntrack_core.c
>> @@ -1353,6 +1353,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
>> }
>>
>> nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
>> + nf_conntrack_proto_generic_fini(net);
>> nf_conntrack_helper_fini(net);
>> nf_conntrack_timeout_fini(net);
>> nf_conntrack_ecache_fini(net);
>> @@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
>> ret = nf_conntrack_helper_init(net);
>> if (ret < 0)
>> goto err_helper;
>> -
>> + ret = nf_conntrack_proto_generic_init(net);
>> + if (ret < 0)
>> + goto err_generic;
>> return 0;
>> -
>> +err_generic:
>> + nf_conntrack_helper_fini(net);
>> err_helper:
>> nf_conntrack_timeout_fini(net);
>> err_timeout:
>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
>> index 7ee6653..9b4bf6d 100644
>> --- a/net/netfilter/nf_conntrack_proto.c
>> +++ b/net/netfilter/nf_conntrack_proto.c
>> @@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
>> static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
>> struct nf_conntrack_l4proto *l4proto)
>> {
>> - if (l4proto->net_id)
>> - return net_generic(net, *l4proto->net_id);
>> - else
>> - return NULL;
>> + switch (l4proto->l4proto) {
>> + case 255: /* l4proto_generic */
>> + return (struct nf_proto_net *)&net->ct.proto.generic;
>> + default:
>> + if (l4proto->net_id)
>> + return net_generic(net, *l4proto->net_id);
>> + else
>> + return NULL;
>> + }
>> + return NULL;
>> }
>>
>> int nf_ct_l4proto_register_sysctl(struct net *net,
>> @@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
>> int nf_conntrack_proto_init(void)
>> {
>> unsigned int i;
>> - int err;
>> -
>> - err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
>> - if (err < 0)
>> - return err;
>
> I like that all protocols' sysctls are registered by
> nf_conntrack_proto_init. Can you keep using that?
You mean the per-net generic_proto sysctl is registered by
nf_conntrack_proto_init?
Such as
int nf_conntrack_proto_init(struct net *net)
{
...
err = nf_ct_l4proto_register_sysctl(net, &nf_conntrack_l4proto_generic);
...
}
If my understanding is right, my answer is yes, we can ;)
^ permalink raw reply [flat|nested] 52+ messages in thread
* Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-24 1:13 ` Gao feng
@ 2012-05-24 9:52 ` Pablo Neira Ayuso
2012-05-24 11:07 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-24 9:52 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Thu, May 24, 2012 at 09:13:36AM +0800, Gao feng wrote:
> On 2012-05-23 18:32, Pablo Neira Ayuso wrote:
> > On Mon, May 14, 2012 at 04:52:14PM +0800, Gao feng wrote:
> >> Implement and export nf_conntrack_proto_generic_[init,fini];
> >> nf_conntrack_[init,cleanup]_net call them to register or unregister
> >> the sysctl of the generic proto.
> >>
> >> Implement generic_net_init; it is used to initialize the pernet
> >> data for the generic proto.
> >>
> >> And use nf_generic_net.timeout to replace nf_ct_generic_timeout in
> >> the get_timeouts function.
> >>
> >> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> >> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> >> ---
> >> include/net/netfilter/nf_conntrack_l4proto.h | 2 +
> >> include/net/netns/conntrack.h | 6 +++
> >> net/netfilter/nf_conntrack_core.c | 8 +++-
> >> net/netfilter/nf_conntrack_proto.c | 21 +++++-----
> >> net/netfilter/nf_conntrack_proto_generic.c | 55 ++++++++++++++++++++++++-
> >> 5 files changed, 76 insertions(+), 16 deletions(-)
> >>
> >> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> >> index a93dcd5..0d329b9 100644
> >> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> >> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> >> @@ -118,6 +118,8 @@ struct nf_conntrack_l4proto {
> >>
> >> /* Existing built-in generic protocol */
> >> extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
> >> +extern int nf_conntrack_proto_generic_init(struct net *net);
> >> +extern void nf_conntrack_proto_generic_fini(struct net *net);
> >>
> >> #define MAX_NF_CT_PROTO 256
> >>
> >> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> >> index 94992e9..3381b80 100644
> >> --- a/include/net/netns/conntrack.h
> >> +++ b/include/net/netns/conntrack.h
> >> @@ -20,7 +20,13 @@ struct nf_proto_net {
> >> unsigned int users;
> >> };
> >>
> >> +struct nf_generic_net {
> >> + struct nf_proto_net pn;
> >> + unsigned int timeout;
> >> +};
> >> +
> >> struct nf_ip_net {
> >> + struct nf_generic_net generic;
> >> #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
> >> struct ctl_table_header *ctl_table_header;
> >> struct ctl_table *ctl_table;
> >> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> >> index 32c5909..fd33e91 100644
> >> --- a/net/netfilter/nf_conntrack_core.c
> >> +++ b/net/netfilter/nf_conntrack_core.c
> >> @@ -1353,6 +1353,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
> >> }
> >>
> >> nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
> >> + nf_conntrack_proto_generic_fini(net);
> >> nf_conntrack_helper_fini(net);
> >> nf_conntrack_timeout_fini(net);
> >> nf_conntrack_ecache_fini(net);
> >> @@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
> >> ret = nf_conntrack_helper_init(net);
> >> if (ret < 0)
> >> goto err_helper;
> >> -
> >> + ret = nf_conntrack_proto_generic_init(net);
> >> + if (ret < 0)
> >> + goto err_generic;
> >> return 0;
> >> -
> >> +err_generic:
> >> + nf_conntrack_helper_fini(net);
> >> err_helper:
> >> nf_conntrack_timeout_fini(net);
> >> err_timeout:
> >> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> >> index 7ee6653..9b4bf6d 100644
> >> --- a/net/netfilter/nf_conntrack_proto.c
> >> +++ b/net/netfilter/nf_conntrack_proto.c
> >> @@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
> >> static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
> >> struct nf_conntrack_l4proto *l4proto)
> >> {
> >> - if (l4proto->net_id)
> >> - return net_generic(net, *l4proto->net_id);
> >> - else
> >> - return NULL;
> >> + switch (l4proto->l4proto) {
> >> + case 255: /* l4proto_generic */
> >> + return (struct nf_proto_net *)&net->ct.proto.generic;
> >> + default:
> >> + if (l4proto->net_id)
> >> + return net_generic(net, *l4proto->net_id);
> >> + else
> >> + return NULL;
> >> + }
> >> + return NULL;
> >> }
> >>
> >> int nf_ct_l4proto_register_sysctl(struct net *net,
> >> @@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
> >> int nf_conntrack_proto_init(void)
> >> {
> >> unsigned int i;
> >> - int err;
> >> -
> >> - err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
> >> - if (err < 0)
> >> - return err;
> >
> > I like that all protocols' sysctls are registered by
> > nf_conntrack_proto_init. Can you keep using that?
>
> You mean the per-net generic_proto sysctl is registered by
> nf_conntrack_proto_init?
>
> such as
>
> int nf_conntrack_proto_init(struct net *net)
> {
> ...
> err = nf_ct_l4proto_register_sysctl(net, &nf_conntrack_l4proto_generic);
Yes, all protocol trackers included in nf_conntrack_proto_init:
err = nf_conntrack_proto_generic_init(net);
...
err = nf_conntrack_proto_tcp_init(net);
...
and so on.
> ...
> }
>
> If my understanding is right, my answer is yes, we can ;)
>
* Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-24 9:52 ` Pablo Neira Ayuso
@ 2012-05-24 11:07 ` Gao feng
2012-05-24 14:40 ` Pablo Neira Ayuso
0 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-24 11:07 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-24 17:52, Pablo Neira Ayuso wrote:
> On Thu, May 24, 2012 at 09:13:36AM +0800, Gao feng wrote:
>> On 2012-05-23 18:32, Pablo Neira Ayuso wrote:
>>> On Mon, May 14, 2012 at 04:52:14PM +0800, Gao feng wrote:
>>>> Implement and export nf_conntrack_proto_generic_[init,fini];
>>>> nf_conntrack_[init,cleanup]_net call them to register or unregister
>>>> the sysctl of the generic proto.
>>>>
>>>> Implement generic_net_init; it is used to initialize the pernet
>>>> data for the generic proto.
>>>>
>>>> And use nf_generic_net.timeout to replace nf_ct_generic_timeout in
>>>> the get_timeouts function.
>>>>
>>>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>>>> ---
>>>> include/net/netfilter/nf_conntrack_l4proto.h | 2 +
>>>> include/net/netns/conntrack.h | 6 +++
>>>> net/netfilter/nf_conntrack_core.c | 8 +++-
>>>> net/netfilter/nf_conntrack_proto.c | 21 +++++-----
>>>> net/netfilter/nf_conntrack_proto_generic.c | 55 ++++++++++++++++++++++++-
>>>> 5 files changed, 76 insertions(+), 16 deletions(-)
>>>>
>>>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
>>>> index a93dcd5..0d329b9 100644
>>>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
>>>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
>>>> @@ -118,6 +118,8 @@ struct nf_conntrack_l4proto {
>>>>
>>>> /* Existing built-in generic protocol */
>>>> extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
>>>> +extern int nf_conntrack_proto_generic_init(struct net *net);
>>>> +extern void nf_conntrack_proto_generic_fini(struct net *net);
>>>>
>>>> #define MAX_NF_CT_PROTO 256
>>>>
>>>> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
>>>> index 94992e9..3381b80 100644
>>>> --- a/include/net/netns/conntrack.h
>>>> +++ b/include/net/netns/conntrack.h
>>>> @@ -20,7 +20,13 @@ struct nf_proto_net {
>>>> unsigned int users;
>>>> };
>>>>
>>>> +struct nf_generic_net {
>>>> + struct nf_proto_net pn;
>>>> + unsigned int timeout;
>>>> +};
>>>> +
>>>> struct nf_ip_net {
>>>> + struct nf_generic_net generic;
>>>> #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
>>>> struct ctl_table_header *ctl_table_header;
>>>> struct ctl_table *ctl_table;
>>>> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>>>> index 32c5909..fd33e91 100644
>>>> --- a/net/netfilter/nf_conntrack_core.c
>>>> +++ b/net/netfilter/nf_conntrack_core.c
>>>> @@ -1353,6 +1353,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
>>>> }
>>>>
>>>> nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
>>>> + nf_conntrack_proto_generic_fini(net);
>>>> nf_conntrack_helper_fini(net);
>>>> nf_conntrack_timeout_fini(net);
>>>> nf_conntrack_ecache_fini(net);
>>>> @@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
>>>> ret = nf_conntrack_helper_init(net);
>>>> if (ret < 0)
>>>> goto err_helper;
>>>> -
>>>> + ret = nf_conntrack_proto_generic_init(net);
>>>> + if (ret < 0)
>>>> + goto err_generic;
>>>> return 0;
>>>> -
>>>> +err_generic:
>>>> + nf_conntrack_helper_fini(net);
>>>> err_helper:
>>>> nf_conntrack_timeout_fini(net);
>>>> err_timeout:
>>>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
>>>> index 7ee6653..9b4bf6d 100644
>>>> --- a/net/netfilter/nf_conntrack_proto.c
>>>> +++ b/net/netfilter/nf_conntrack_proto.c
>>>> @@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
>>>> static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
>>>> struct nf_conntrack_l4proto *l4proto)
>>>> {
>>>> - if (l4proto->net_id)
>>>> - return net_generic(net, *l4proto->net_id);
>>>> - else
>>>> - return NULL;
>>>> + switch (l4proto->l4proto) {
>>>> + case 255: /* l4proto_generic */
>>>> + return (struct nf_proto_net *)&net->ct.proto.generic;
>>>> + default:
>>>> + if (l4proto->net_id)
>>>> + return net_generic(net, *l4proto->net_id);
>>>> + else
>>>> + return NULL;
>>>> + }
>>>> + return NULL;
>>>> }
>>>>
>>>> int nf_ct_l4proto_register_sysctl(struct net *net,
>>>> @@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
>>>> int nf_conntrack_proto_init(void)
>>>> {
>>>> unsigned int i;
>>>> - int err;
>>>> -
>>>> - err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
>>>> - if (err < 0)
>>>> - return err;
>>>
>>> I like that all protocols' sysctls are registered by
>>> nf_conntrack_proto_init. Can you keep using that?
>>
>> You mean the per-net generic_proto sysctl is registered by
>> nf_conntrack_proto_init?
>>
>> such as
>>
>> int nf_conntrack_proto_init(struct net *net)
>> {
>> ...
>> err = nf_ct_l4proto_register_sysctl(net, &nf_conntrack_l4proto_generic);
>
> Yes, all protocol trackers included in nf_conntrack_proto_init:
>
> err = nf_conntrack_proto_generic_init(net);
> ...
> err = nf_conntrack_proto_tcp_init(net);
> ...
>
> and so on.
Sounds good, but the l4protos except l4proto_generic are enabled by
insmod'ing modules (such as nf_conntrack_ipv4, nf_conntrack_proto_udplite).
So I think it makes no sense to init all protocols here, unless we decide
to put those protos into the module nf_conntrack.
* Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-24 11:07 ` Gao feng
@ 2012-05-24 14:40 ` Pablo Neira Ayuso
2012-05-26 2:36 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-24 14:40 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Thu, May 24, 2012 at 07:07:36PM +0800, Gao feng wrote:
> On 2012-05-24 17:52, Pablo Neira Ayuso wrote:
> > On Thu, May 24, 2012 at 09:13:36AM +0800, Gao feng wrote:
> >> On 2012-05-23 18:32, Pablo Neira Ayuso wrote:
> >>> On Mon, May 14, 2012 at 04:52:14PM +0800, Gao feng wrote:
> >>>> Implement and export nf_conntrack_proto_generic_[init,fini];
> >>>> nf_conntrack_[init,cleanup]_net call them to register or unregister
> >>>> the sysctl of the generic proto.
> >>>>
> >>>> Implement generic_net_init; it is used to initialize the pernet
> >>>> data for the generic proto.
> >>>>
> >>>> And use nf_generic_net.timeout to replace nf_ct_generic_timeout in
> >>>> the get_timeouts function.
> >>>>
> >>>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> >>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> >>>> ---
> >>>> include/net/netfilter/nf_conntrack_l4proto.h | 2 +
> >>>> include/net/netns/conntrack.h | 6 +++
> >>>> net/netfilter/nf_conntrack_core.c | 8 +++-
> >>>> net/netfilter/nf_conntrack_proto.c | 21 +++++-----
> >>>> net/netfilter/nf_conntrack_proto_generic.c | 55 ++++++++++++++++++++++++-
> >>>> 5 files changed, 76 insertions(+), 16 deletions(-)
> >>>>
> >>>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> >>>> index a93dcd5..0d329b9 100644
> >>>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> >>>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> >>>> @@ -118,6 +118,8 @@ struct nf_conntrack_l4proto {
> >>>>
> >>>> /* Existing built-in generic protocol */
> >>>> extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
> >>>> +extern int nf_conntrack_proto_generic_init(struct net *net);
> >>>> +extern void nf_conntrack_proto_generic_fini(struct net *net);
> >>>>
> >>>> #define MAX_NF_CT_PROTO 256
> >>>>
> >>>> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> >>>> index 94992e9..3381b80 100644
> >>>> --- a/include/net/netns/conntrack.h
> >>>> +++ b/include/net/netns/conntrack.h
> >>>> @@ -20,7 +20,13 @@ struct nf_proto_net {
> >>>> unsigned int users;
> >>>> };
> >>>>
> >>>> +struct nf_generic_net {
> >>>> + struct nf_proto_net pn;
> >>>> + unsigned int timeout;
> >>>> +};
> >>>> +
> >>>> struct nf_ip_net {
> >>>> + struct nf_generic_net generic;
> >>>> #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
> >>>> struct ctl_table_header *ctl_table_header;
> >>>> struct ctl_table *ctl_table;
> >>>> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> >>>> index 32c5909..fd33e91 100644
> >>>> --- a/net/netfilter/nf_conntrack_core.c
> >>>> +++ b/net/netfilter/nf_conntrack_core.c
> >>>> @@ -1353,6 +1353,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
> >>>> }
> >>>>
> >>>> nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
> >>>> + nf_conntrack_proto_generic_fini(net);
> >>>> nf_conntrack_helper_fini(net);
> >>>> nf_conntrack_timeout_fini(net);
> >>>> nf_conntrack_ecache_fini(net);
> >>>> @@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
> >>>> ret = nf_conntrack_helper_init(net);
> >>>> if (ret < 0)
> >>>> goto err_helper;
> >>>> -
> >>>> + ret = nf_conntrack_proto_generic_init(net);
> >>>> + if (ret < 0)
> >>>> + goto err_generic;
> >>>> return 0;
> >>>> -
> >>>> +err_generic:
> >>>> + nf_conntrack_helper_fini(net);
> >>>> err_helper:
> >>>> nf_conntrack_timeout_fini(net);
> >>>> err_timeout:
> >>>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> >>>> index 7ee6653..9b4bf6d 100644
> >>>> --- a/net/netfilter/nf_conntrack_proto.c
> >>>> +++ b/net/netfilter/nf_conntrack_proto.c
> >>>> @@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
> >>>> static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
> >>>> struct nf_conntrack_l4proto *l4proto)
> >>>> {
> >>>> - if (l4proto->net_id)
> >>>> - return net_generic(net, *l4proto->net_id);
> >>>> - else
> >>>> - return NULL;
> >>>> + switch (l4proto->l4proto) {
> >>>> + case 255: /* l4proto_generic */
> >>>> + return (struct nf_proto_net *)&net->ct.proto.generic;
> >>>> + default:
> >>>> + if (l4proto->net_id)
> >>>> + return net_generic(net, *l4proto->net_id);
> >>>> + else
> >>>> + return NULL;
> >>>> + }
> >>>> + return NULL;
> >>>> }
> >>>>
> >>>> int nf_ct_l4proto_register_sysctl(struct net *net,
> >>>> @@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
> >>>> int nf_conntrack_proto_init(void)
> >>>> {
> >>>> unsigned int i;
> >>>> - int err;
> >>>> -
> >>>> - err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
> >>>> - if (err < 0)
> >>>> - return err;
> >>>
> >>> I like that all protocols' sysctls are registered by
> >>> nf_conntrack_proto_init. Can you keep using that?
> >>
> >> You mean the per-net generic_proto sysctl is registered by
> >> nf_conntrack_proto_init?
> >>
> >> such as
> >>
> >> int nf_conntrack_proto_init(struct net *net)
> >> {
> >> ...
> >> err = nf_ct_l4proto_register_sysctl(net, &nf_conntrack_l4proto_generic);
> >
> > Yes, all protocol trackers included in nf_conntrack_proto_init:
> >
> > err = nf_conntrack_proto_generic_init(net);
> > ...
> > err = nf_conntrack_proto_tcp_init(net);
> > ...
> >
> > and so on.
>
> Sounds good, but the l4protos except l4proto_generic are enabled by
> insmod'ing modules (such as nf_conntrack_ipv4, nf_conntrack_proto_udplite).
>
> So I think it makes no sense to init all protocols here, unless we decide
> to put those protos into the module nf_conntrack.
Sorry, I meant to say all protocols that are built-in.
So, just put there those that are built-in, like TCP, UDP and generic.
* Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-24 14:40 ` Pablo Neira Ayuso
@ 2012-05-26 2:36 ` Gao feng
2012-05-28 9:54 ` Pablo Neira Ayuso
0 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-26 2:36 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-24 22:40, Pablo Neira Ayuso wrote:
> On Thu, May 24, 2012 at 07:07:36PM +0800, Gao feng wrote:
>> On 2012-05-24 17:52, Pablo Neira Ayuso wrote:
>>> On Thu, May 24, 2012 at 09:13:36AM +0800, Gao feng wrote:
>>>> On 2012-05-23 18:32, Pablo Neira Ayuso wrote:
>>>>> On Mon, May 14, 2012 at 04:52:14PM +0800, Gao feng wrote:
>>>>>> Implement and export nf_conntrack_proto_generic_[init,fini];
>>>>>> nf_conntrack_[init,cleanup]_net call them to register or unregister
>>>>>> the sysctl of the generic proto.
>>>>>>
>>>>>> Implement generic_net_init; it is used to initialize the pernet
>>>>>> data for the generic proto.
>>>>>>
>>>>>> And use nf_generic_net.timeout to replace nf_ct_generic_timeout in
>>>>>> the get_timeouts function.
>>>>>>
>>>>>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>>>>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>>>>>> ---
>>>>>> include/net/netfilter/nf_conntrack_l4proto.h | 2 +
>>>>>> include/net/netns/conntrack.h | 6 +++
>>>>>> net/netfilter/nf_conntrack_core.c | 8 +++-
>>>>>> net/netfilter/nf_conntrack_proto.c | 21 +++++-----
>>>>>> net/netfilter/nf_conntrack_proto_generic.c | 55 ++++++++++++++++++++++++-
>>>>>> 5 files changed, 76 insertions(+), 16 deletions(-)
>>>>>>
>>>>>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
>>>>>> index a93dcd5..0d329b9 100644
>>>>>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
>>>>>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
>>>>>> @@ -118,6 +118,8 @@ struct nf_conntrack_l4proto {
>>>>>>
>>>>>> /* Existing built-in generic protocol */
>>>>>> extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
>>>>>> +extern int nf_conntrack_proto_generic_init(struct net *net);
>>>>>> +extern void nf_conntrack_proto_generic_fini(struct net *net);
>>>>>>
>>>>>> #define MAX_NF_CT_PROTO 256
>>>>>>
>>>>>> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
>>>>>> index 94992e9..3381b80 100644
>>>>>> --- a/include/net/netns/conntrack.h
>>>>>> +++ b/include/net/netns/conntrack.h
>>>>>> @@ -20,7 +20,13 @@ struct nf_proto_net {
>>>>>> unsigned int users;
>>>>>> };
>>>>>>
>>>>>> +struct nf_generic_net {
>>>>>> + struct nf_proto_net pn;
>>>>>> + unsigned int timeout;
>>>>>> +};
>>>>>> +
>>>>>> struct nf_ip_net {
>>>>>> + struct nf_generic_net generic;
>>>>>> #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
>>>>>> struct ctl_table_header *ctl_table_header;
>>>>>> struct ctl_table *ctl_table;
>>>>>> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>>>>>> index 32c5909..fd33e91 100644
>>>>>> --- a/net/netfilter/nf_conntrack_core.c
>>>>>> +++ b/net/netfilter/nf_conntrack_core.c
>>>>>> @@ -1353,6 +1353,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
>>>>>> }
>>>>>>
>>>>>> nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
>>>>>> + nf_conntrack_proto_generic_fini(net);
>>>>>> nf_conntrack_helper_fini(net);
>>>>>> nf_conntrack_timeout_fini(net);
>>>>>> nf_conntrack_ecache_fini(net);
>>>>>> @@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
>>>>>> ret = nf_conntrack_helper_init(net);
>>>>>> if (ret < 0)
>>>>>> goto err_helper;
>>>>>> -
>>>>>> + ret = nf_conntrack_proto_generic_init(net);
>>>>>> + if (ret < 0)
>>>>>> + goto err_generic;
>>>>>> return 0;
>>>>>> -
>>>>>> +err_generic:
>>>>>> + nf_conntrack_helper_fini(net);
>>>>>> err_helper:
>>>>>> nf_conntrack_timeout_fini(net);
>>>>>> err_timeout:
>>>>>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
>>>>>> index 7ee6653..9b4bf6d 100644
>>>>>> --- a/net/netfilter/nf_conntrack_proto.c
>>>>>> +++ b/net/netfilter/nf_conntrack_proto.c
>>>>>> @@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
>>>>>> static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
>>>>>> struct nf_conntrack_l4proto *l4proto)
>>>>>> {
>>>>>> - if (l4proto->net_id)
>>>>>> - return net_generic(net, *l4proto->net_id);
>>>>>> - else
>>>>>> - return NULL;
>>>>>> + switch (l4proto->l4proto) {
>>>>>> + case 255: /* l4proto_generic */
>>>>>> + return (struct nf_proto_net *)&net->ct.proto.generic;
>>>>>> + default:
>>>>>> + if (l4proto->net_id)
>>>>>> + return net_generic(net, *l4proto->net_id);
>>>>>> + else
>>>>>> + return NULL;
>>>>>> + }
>>>>>> + return NULL;
>>>>>> }
>>>>>>
>>>>>> int nf_ct_l4proto_register_sysctl(struct net *net,
>>>>>> @@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
>>>>>> int nf_conntrack_proto_init(void)
>>>>>> {
>>>>>> unsigned int i;
>>>>>> - int err;
>>>>>> -
>>>>>> - err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
>>>>>> - if (err < 0)
>>>>>> - return err;
>>>>>
>>>>> I like that all protocols' sysctls are registered by
>>>>> nf_conntrack_proto_init. Can you keep using that?
>>>>
>>>> You mean the per-net generic_proto sysctl is registered by
>>>> nf_conntrack_proto_init?
>>>>
>>>> such as
>>>>
>>>> int nf_conntrack_proto_init(struct net *net)
>>>> {
>>>> ...
>>>> err = nf_ct_l4proto_register_sysctl(net, &nf_conntrack_l4proto_generic);
>>>
>>> Yes, all protocol trackers included in nf_conntrack_proto_init:
>>>
>>> err = nf_conntrack_proto_generic_init(net);
>>> ...
>>> err = nf_conntrack_proto_tcp_init(net);
>>> ...
>>>
>>> and so on.
>>
>> Sounds good, but the l4protos except l4proto_generic are enabled by
>> insmod'ing modules (such as nf_conntrack_ipv4, nf_conntrack_proto_udplite).
>>
>> So I think it makes no sense to init all protocols here, unless we decide
>> to put those protos into the module nf_conntrack.
>
> Sorry, I meant to say all protocols that are built-in.
>
> So, just put there those that are built-in, like TCP, UDP and generic.
AFAIK l4proto_generic is registered when installing module nf_conntrack,
BUT l4proto_tcp, l4proto_udp, l4proto_icmp are registered when installing module nf_conntrack_ipv4.
So we can only register the generic proto here.
* Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic
2012-05-26 2:36 ` Gao feng
@ 2012-05-28 9:54 ` Pablo Neira Ayuso
0 siblings, 0 replies; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-28 9:54 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Sat, May 26, 2012 at 10:36:36AM +0800, Gao feng wrote:
> >>>>>> @@ -1586,9 +1587,12 @@ static int nf_conntrack_init_net(struct net *net)
> >>>>>> ret = nf_conntrack_helper_init(net);
> >>>>>> if (ret < 0)
> >>>>>> goto err_helper;
> >>>>>> -
> >>>>>> + ret = nf_conntrack_proto_generic_init(net);
> >>>>>> + if (ret < 0)
> >>>>>> + goto err_generic;
> >>>>>> return 0;
> >>>>>> -
> >>>>>> +err_generic:
> >>>>>> + nf_conntrack_helper_fini(net);
> >>>>>> err_helper:
> >>>>>> nf_conntrack_timeout_fini(net);
> >>>>>> err_timeout:
> >>>>>> diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
> >>>>>> index 7ee6653..9b4bf6d 100644
> >>>>>> --- a/net/netfilter/nf_conntrack_proto.c
> >>>>>> +++ b/net/netfilter/nf_conntrack_proto.c
> >>>>>> @@ -287,10 +287,16 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
> >>>>>> static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
> >>>>>> struct nf_conntrack_l4proto *l4proto)
> >>>>>> {
> >>>>>> - if (l4proto->net_id)
> >>>>>> - return net_generic(net, *l4proto->net_id);
> >>>>>> - else
> >>>>>> - return NULL;
> >>>>>> + switch (l4proto->l4proto) {
> >>>>>> + case 255: /* l4proto_generic */
> >>>>>> + return (struct nf_proto_net *)&net->ct.proto.generic;
> >>>>>> + default:
> >>>>>> + if (l4proto->net_id)
> >>>>>> + return net_generic(net, *l4proto->net_id);
> >>>>>> + else
> >>>>>> + return NULL;
> >>>>>> + }
> >>>>>> + return NULL;
> >>>>>> }
> >>>>>>
> >>>>>> int nf_ct_l4proto_register_sysctl(struct net *net,
> >>>>>> @@ -457,11 +463,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
> >>>>>> int nf_conntrack_proto_init(void)
> >>>>>> {
> >>>>>> unsigned int i;
> >>>>>> - int err;
> >>>>>> -
> >>>>>> - err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
> >>>>>> - if (err < 0)
> >>>>>> - return err;
> >>>>>
> >>>>> I like that all protocols' sysctls are registered by
> >>>>> nf_conntrack_proto_init. Can you keep using that?
> >>>>
> >>>> You mean the per-net generic_proto sysctl is registered by
> >>>> nf_conntrack_proto_init?
> >>>>
> >>>> such as
> >>>>
> >>>> int nf_conntrack_proto_init(struct net *net)
> >>>> {
> >>>> ...
> >>>> err = nf_ct_l4proto_register_sysctl(net, &nf_conntrack_l4proto_generic);
> >>>
> >>> Yes, all protocol trackers included in nf_conntrack_proto_init:
> >>>
> >>> err = nf_conntrack_proto_generic_init(net);
> >>> ...
> >>> err = nf_conntrack_proto_tcp_init(net);
> >>> ...
> >>>
> >>> and so on.
> >>
> >> Sounds good, but the l4protos except l4proto_generic are enabled by
> >> insmod'ing modules (such as nf_conntrack_ipv4, nf_conntrack_proto_udplite).
> >>
> >> So I think it makes no sense to init all protocols here, unless we decide
> >> to put those protos into the module nf_conntrack.
> >
> > Sorry, I meant to say all protocols that are built-in.
> >
> > So, just put there those that are built-in, like TCP, UDP and generic.
>
> AFAIK l4proto_generic is registered when installing module nf_conntrack,
> BUT l4proto_tcp, l4proto_udp, l4proto_icmp are registered when installing module nf_conntrack_ipv4.
>
> So we can only register the generic proto here.
You are all right.
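The exchange above settles that only the generic tracker's per-net sysctl can be registered from nf_conntrack_init_net; the mechanism each tracker then relies on in its own init_net hook is the one the TCP patch's sysctl-table hunk points at: the static ctl_table loses its `.data = &tcp_timeouts[...]` initialisers, and each namespace gets its own copy of the table with `.data` bound into that namespace's `struct nf_tcp_net`. The user-space C model below is an added example, not code from the patch series or from the kernel: `struct ctl_table`, `struct net`, `sysctl_write()` and the default timeout values are simplified stand-ins constructed here, and only the struct and function names mirror the kernel's. `namespaces_isolated()` is the check to call; it returns 1 when a write in one namespace leaves the other untouched.

```c
/* Added example, not code from the patch series or the kernel: a user-space
 * model of the per-netns sysctl pattern the thread discusses. Names mirror the
 * kernel's; types, sysctl_write() and default values are constructed stand-ins. */
#include <stdlib.h>
#include <string.h>

enum { TCP_SYN_SENT, TCP_ESTABLISHED, TCP_CLOSE, TCP_CONNTRACK_TIMEOUT_MAX };

struct ctl_table {		/* stand-in: a sysctl name and its data pointer */
	const char *procname;
	unsigned int *data;
};

struct nf_proto_net {		/* common header, kept first in each per-proto struct */
	struct ctl_table *ctl_table;
	unsigned int users;
};

struct nf_tcp_net {
	struct nf_proto_net pn;
	unsigned int timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
	unsigned int tcp_be_liberal;
};

struct net { struct nf_tcp_net tcp; };	/* stands in for net->ct.proto.tcp */

/* Constructed defaults, in seconds (the kernel's are in jiffies). */
static const unsigned int tcp_timeouts_default[] = { 120, 432000, 10 };

/* Template with .data left NULL, as in the hunk that drops the
 * `.data = &tcp_timeouts[...]` initialisers; it is only ever copied. */
static const struct ctl_table tcp_sysctl_table[] = {
	{ "nf_conntrack_tcp_timeout_syn_sent",    NULL },
	{ "nf_conntrack_tcp_timeout_established", NULL },
	{ "nf_conntrack_tcp_timeout_close",       NULL },
	{ "nf_conntrack_tcp_be_liberal",          NULL },
	{ NULL, NULL },
};

/* Per-namespace init: seed the values, duplicate the template and rebind
 * every .data pointer into this namespace's own struct nf_tcp_net. */
static int tcp_init_net(struct net *net)
{
	struct nf_tcp_net *tn = &net->tcp;
	struct ctl_table *t = malloc(sizeof(tcp_sysctl_table));

	if (!t)
		return -1;
	memcpy(tn->timeouts, tcp_timeouts_default, sizeof(tn->timeouts));
	tn->tcp_be_liberal = 0;
	memcpy(t, tcp_sysctl_table, sizeof(tcp_sysctl_table));
	t[0].data = &tn->timeouts[TCP_SYN_SENT];
	t[1].data = &tn->timeouts[TCP_ESTABLISHED];
	t[2].data = &tn->timeouts[TCP_CLOSE];
	t[3].data = &tn->tcp_be_liberal;
	tn->pn.ctl_table = t;
	tn->pn.users = 1;
	return 0;
}

static void tcp_fini_net(struct net *net)
{
	free(net->tcp.pn.ctl_table);
	net->tcp.pn.ctl_table = NULL;
	net->tcp.pn.users = 0;
}

/* Model of a write to /proc/sys/net/netfilter/<name> from inside `net`:
 * walk that namespace's own table and store through its .data pointer. */
static int sysctl_write(struct net *net, const char *name, unsigned int value)
{
	const struct ctl_table *t;

	for (t = net->tcp.pn.ctl_table; t && t->procname; t++) {
		if (strcmp(t->procname, name) == 0 && t->data) {
			*t->data = value;
			return 0;
		}
	}
	return -1;
}

/* Returns 1 when tuning namespace a leaves namespace b untouched, 0 otherwise. */
static int namespaces_isolated(void)
{
	struct net a = { 0 }, b = { 0 };
	int ok = tcp_init_net(&a) == 0 && tcp_init_net(&b) == 0;

	if (ok) {
		sysctl_write(&a, "nf_conntrack_tcp_timeout_established", 60);
		sysctl_write(&a, "nf_conntrack_tcp_be_liberal", 1);
		ok = a.tcp.timeouts[TCP_ESTABLISHED] == 60 && a.tcp.tcp_be_liberal == 1 &&
		     b.tcp.timeouts[TCP_ESTABLISHED] == 432000 && b.tcp.tcp_be_liberal == 0;
	}
	tcp_fini_net(&a);	/* free(NULL) is harmless if init never ran */
	tcp_fini_net(&b);
	return ok;
}
```

Setting `nf_conntrack_tcp_be_liberal` in namespace a leaves b's window checking strict, which is the isolation the series buys. With the pre-series layout, one static table whose `.data` pointed at the module-global `tcp_timeouts` and `nf_ct_tcp_*` variables, the same write would have changed the value every namespace used, which is why the template must be copied and rebound rather than registered as is.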
* [PATCH 05/17] netfilter: add namespace support for l4proto_tcp
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
` (3 preceding siblings ...)
2012-05-14 8:52 ` [PATCH 04/17] netfilter: add namespace support for l4proto_generic Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-25 3:00 ` Pablo Neira Ayuso
2012-05-14 8:52 ` [PATCH 06/17] netfilter: add namespace support for l4proto_udp Gao feng
` (13 subsequent siblings)
18 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Implement tcp_init_net to initialize the pernet sysctl data
for the tcp proto.
Because tcp_init_net is called by l4proto_tcp[4,6], use
nf_proto_net.users to identify whether the pernet data is initialized
when CONFIG_SYSCTL is not configured.
nf_tcp_net is a field of netns_ct; when the proto is tcp,
return net->ct.proto.tcp in the function nf_ct_l4proto_net.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netns/conntrack.h | 10 +++
net/netfilter/nf_conntrack_proto.c | 2 +
net/netfilter/nf_conntrack_proto_tcp.c | 114 ++++++++++++++++++++++++--------
3 files changed, 97 insertions(+), 29 deletions(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 3381b80..d79e627 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -4,6 +4,7 @@
#include <linux/list.h>
#include <linux/list_nulls.h>
#include <linux/atomic.h>
+#include <linux/netfilter/nf_conntrack_tcp.h>
struct ctl_table_header;
struct nf_conntrack_ecache;
@@ -25,8 +26,17 @@ struct nf_generic_net {
unsigned int timeout;
};
+struct nf_tcp_net {
+ struct nf_proto_net pn;
+ unsigned int timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
+ unsigned int tcp_loose;
+ unsigned int tcp_be_liberal;
+ unsigned int tcp_max_retrans;
+};
+
struct nf_ip_net {
struct nf_generic_net generic;
+ struct nf_tcp_net tcp;
#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
struct ctl_table_header *ctl_table_header;
struct ctl_table *ctl_table;
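Review bot: struct nf_tcp_net carries no comment saying that `pn` must remain its first member, yet nf_ct_l4proto_net returns `(struct nf_proto_net *)&net->ct.proto.tcp`, so reordering these fields would silently break the lookup; a one-line comment on `pn` would protect it. The commit message should also spell out that `tcp_loose`, `tcp_be_liberal` and `tcp_max_retrans` now live per namespace in place of the module-wide `nf_ct_tcp_*` variables, since a sysctl write inside a namespace now changes tracking strictness only there.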
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 9b4bf6d..4531d6a 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -288,6 +288,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
struct nf_conntrack_l4proto *l4proto)
{
switch (l4proto->l4proto) {
+ case IPPROTO_TCP:
+ return (struct nf_proto_net *)&net->ct.proto.tcp;
case 255: /* l4proto_generic */
return (struct nf_proto_net *)&net->ct.proto.generic;
default:
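Review bot: `return (struct nf_proto_net *)&net->ct.proto.tcp;` repeats the cast used for the generic case; `return &net->ct.proto.tcp.pn;` yields the same address without a cast, keeps type checking, and with the generic arm written the same way the switch stops depending on member order.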
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 4dfbfa8..dd19350 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -270,6 +270,11 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
}
};
+static inline struct nf_tcp_net *tcp_pernet(struct net *net)
+{
+ return &net->ct.proto.tcp;
+}
+
static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
{
@@ -516,6 +521,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
u_int8_t pf)
{
struct net *net = nf_ct_net(ct);
+ struct nf_tcp_net *tn = tcp_pernet(net);
struct ip_ct_tcp_state *sender = &state->seen[dir];
struct ip_ct_tcp_state *receiver = &state->seen[!dir];
const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
@@ -720,7 +726,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
} else {
res = false;
if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
- nf_ct_tcp_be_liberal)
+ tn->tcp_be_liberal)
res = true;
if (!res && LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
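Review bot: `tn->tcp_be_liberal` is now read from the per-netns struct, and any non-zero value makes tcp_in_window accept every out-of-window segment (`res = true`), so the field must be explicitly initialised in every namespace before the tracker sees traffic; this hunk shows no seeding, so confirm that tcp_init_net sets tcp_be_liberal, tcp_loose (hunk at -1092) and tcp_max_retrans (hunk at -1019) to the previous module defaults for init_net and for each newly created namespace.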
@@ -828,6 +834,7 @@ static int tcp_packet(struct nf_conn *ct,
unsigned int *timeouts)
{
struct net *net = nf_ct_net(ct);
+ struct nf_tcp_net *tn = tcp_pernet(net);
struct nf_conntrack_tuple *tuple;
enum tcp_conntrack new_state, old_state;
enum ip_conntrack_dir dir;
@@ -1019,7 +1026,7 @@ static int tcp_packet(struct nf_conn *ct,
&& new_state == TCP_CONNTRACK_FIN_WAIT)
ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
- if (ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans &&
+ if (ct->proto.tcp.retrans >= tn->tcp_max_retrans &&
timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
timeout = timeouts[TCP_CONNTRACK_RETRANS];
else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
@@ -1064,6 +1071,8 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
enum tcp_conntrack new_state;
const struct tcphdr *th;
struct tcphdr _tcph;
+ struct net *net = nf_ct_net(ct);
+ struct nf_tcp_net *tn = tcp_pernet(net);
const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
@@ -1092,7 +1101,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
ct->proto.tcp.seen[0].td_end;
tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
- } else if (nf_ct_tcp_loose == 0) {
+ } else if (tn->tcp_loose == 0) {
/* Don't try to pick up connections. */
return false;
} else {
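Review bot: `tn->tcp_loose` is now read in `tcp_new()`, i.e. on the first packet of every flow, so `tcp_init_net()` must have populated the per-net data for `net` before conntrack sees any packet in a newly created namespace; otherwise `tn->tcp_loose` is whatever the zeroed `struct net` holds and the namespace silently refuses to pick up mid-stream connections. Please make sure the pernet init ordering guarantees that the `.init_net` hook runs before the conntrack hooks become active for the new net, and say so in a comment above `tcp_pernet()`.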
@@ -1359,91 +1368,78 @@ static struct ctl_table_header *tcp_sysctl_header;
static struct ctl_table tcp_sysctl_table[] = {
{
.procname = "nf_conntrack_tcp_timeout_syn_sent",
- .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_syn_recv",
- .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_established",
- .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_fin_wait",
- .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_close_wait",
- .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_last_ack",
- .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_time_wait",
- .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_close",
- .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_max_retrans",
- .data = &tcp_timeouts[TCP_CONNTRACK_RETRANS],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_unacknowledged",
- .data = &tcp_timeouts[TCP_CONNTRACK_UNACK],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_loose",
- .data = &nf_ct_tcp_loose,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
{
.procname = "nf_conntrack_tcp_be_liberal",
- .data = &nf_ct_tcp_be_liberal,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
{
.procname = "nf_conntrack_tcp_max_retrans",
- .data = &nf_ct_tcp_max_retrans,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec,
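Review bot: dropping `.data` from every entry makes this table meaningful only together with the positional `pn->ctl_table[N].data` assignments in `tcp_init_net()`, and nothing checks that the two stay in step: inserting or reordering a row here would silently point later sysctls at the wrong timeout. A `BUILD_BUG_ON()` on `ARRAY_SIZE(tcp_sysctl_table)` next to the assignments, or at least a comment on each entry stating its index, would catch that at build time.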
@@ -1455,91 +1451,78 @@ static struct ctl_table tcp_sysctl_table[] = {
static struct ctl_table tcp_compat_sysctl_table[] = {
{
.procname = "ip_conntrack_tcp_timeout_syn_sent",
- .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_syn_sent2",
- .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT2],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_syn_recv",
- .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_established",
- .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_fin_wait",
- .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_close_wait",
- .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_last_ack",
- .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_time_wait",
- .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_close",
- .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_max_retrans",
- .data = &tcp_timeouts[TCP_CONNTRACK_RETRANS],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_loose",
- .data = &nf_ct_tcp_loose,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
{
.procname = "ip_conntrack_tcp_be_liberal",
- .data = &nf_ct_tcp_be_liberal,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
{
.procname = "ip_conntrack_tcp_max_retrans",
- .data = &nf_ct_tcp_max_retrans,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec,
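Review bot: the compat table has `ip_conntrack_tcp_timeout_syn_sent2` at index 1 while the non-compat table has no syn_sent2 row and carries `nf_conntrack_tcp_timeout_unacknowledged` at index 9, so the two tables' indices diverge from index 1 onwards and a plain positional copy of `.data` cannot serve both. If a shared fixup helper is wanted, give each table a small index-to-field mapping array and let one loop walk it, rather than duplicating the assignment blocks in `tcp_init_net()`.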
@@ -1549,10 +1532,80 @@ static struct ctl_table tcp_compat_sysctl_table[] = {
#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
#endif /* CONFIG_SYSCTL */
+static int tcp_init_net(struct net *net, u_int8_t compat)
+{
+ int i;
+ struct nf_tcp_net *tn = tcp_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)tn;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ if (compat) {
+ pn->ctl_compat_table = kmemdup(tcp_compat_sysctl_table,
+ sizeof(tcp_compat_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_compat_table)
+ return -ENOMEM;
+
+ pn->ctl_compat_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
+ pn->ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2];
+ pn->ctl_compat_table[2].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
+ pn->ctl_compat_table[3].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
+ pn->ctl_compat_table[4].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
+ pn->ctl_compat_table[5].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
+ pn->ctl_compat_table[6].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
+ pn->ctl_compat_table[7].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
+ pn->ctl_compat_table[8].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
+ pn->ctl_compat_table[9].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
+ pn->ctl_compat_table[10].data = &tn->tcp_loose;
+ pn->ctl_compat_table[11].data = &tn->tcp_be_liberal;
+ pn->ctl_compat_table[12].data = &tn->tcp_max_retrans;
+ }
+#endif
+ if (!pn->ctl_table) {
+#else
+ if (!pn->user++) {
+#endif
+ for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
+ tn->timeouts[i] = tcp_timeouts[i];
+ tn->tcp_loose = nf_ct_tcp_loose;
+ tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
+ tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(tcp_sysctl_table,
+ sizeof(tcp_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table) {
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ if (compat) {
+ kfree(pn->ctl_compat_table);
+ pn->ctl_compat_table = NULL;
+ }
+#endif
+ return -ENOMEM;
+ }
+ pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
+ pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
+ pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
+ pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
+ pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
+ pn->ctl_table[5].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
+ pn->ctl_table[6].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
+ pn->ctl_table[7].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
+ pn->ctl_table[8].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
+ pn->ctl_table[9].data = &tn->timeouts[TCP_CONNTRACK_UNACK];
+ pn->ctl_table[10].data = &tn->tcp_loose;
+ pn->ctl_table[11].data = &tn->tcp_be_liberal;
+ pn->ctl_table[12].data = &tn->tcp_max_retrans;
+#endif
+ }
+ return 0;
+}
+
struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
{
.l3proto = PF_INET,
.l4proto = IPPROTO_TCP,
+ .compat = 1,
.name = "tcp",
.pkt_to_tuple = tcp_pkt_to_tuple,
.invert_tuple = tcp_invert_tuple,
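Review bot: the `{` opened by `if (!pn->ctl_table) {` under `#ifdef CONFIG_SYSCTL` and by `if (!pn->user++) {` under `#else` is closed by one `}` after a second `#ifdef CONFIG_SYSCTL` block, which is very hard to follow and means "first registration for this net" is tracked by different state depending on the config (a NULL `ctl_table` vs the `user` counter). I would split this into an unconditional helper that copies `tcp_timeouts[]`, `nf_ct_tcp_loose`, `nf_ct_tcp_be_liberal` and `nf_ct_tcp_max_retrans` into `tn`, separate `tcp_kmemdup_sysctl_table()` / `tcp_kmemdup_compat_sysctl_table()` helpers under their own `#ifdef`s, and always maintain `pn->user` so the matching teardown has a single rule. Also, the compat table is kmemdup'd before the `!pn->ctl_table` check, so a second caller with `compat` set would leak it; today only `nf_conntrack_l4proto_tcp4` sets `.compat = 1`, so a comment stating that assumption would be enough.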
@@ -1589,6 +1642,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
.ctl_compat_table = tcp_compat_sysctl_table,
#endif
#endif
+ .init_net = tcp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
@@ -1596,6 +1650,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
{
.l3proto = PF_INET6,
.l4proto = IPPROTO_TCP,
+ .compat = 0,
.name = "tcp",
.pkt_to_tuple = tcp_pkt_to_tuple,
.invert_tuple = tcp_invert_tuple,
@@ -1629,5 +1684,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
.ctl_table_header = &tcp_sysctl_header,
.ctl_table = tcp_sysctl_table,
#endif
+ .init_net = tcp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
--
1.7.7.6
* Re: [PATCH 05/17] netfilter: add namespace support for l4proto_tcp
2012-05-14 8:52 ` [PATCH 05/17] netfilter: add namespace support for l4proto_tcp Gao feng
@ 2012-05-25 3:00 ` Pablo Neira Ayuso
2012-05-25 6:05 ` Gao feng
From: Pablo Neira Ayuso @ 2012-05-25 3:00 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
Hi Gao,
While having a look at this again, I have two new requests:
On Mon, May 14, 2012 at 04:52:15PM +0800, Gao feng wrote:
[...]
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index 4dfbfa8..dd19350 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
[...]
> @@ -1549,10 +1532,80 @@ static struct ctl_table tcp_compat_sysctl_table[] = {
> #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
> #endif /* CONFIG_SYSCTL */
>
> +static int tcp_init_net(struct net *net, u_int8_t compat)
> +{
> + int i;
> + struct nf_tcp_net *tn = tcp_pernet(net);
> + struct nf_proto_net *pn = (struct nf_proto_net *)tn;
> +#ifdef CONFIG_SYSCTL
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> + if (compat) {
> + pn->ctl_compat_table = kmemdup(tcp_compat_sysctl_table,
> + sizeof(tcp_compat_sysctl_table),
> + GFP_KERNEL);
> + if (!pn->ctl_compat_table)
> + return -ENOMEM;
> +
> + pn->ctl_compat_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
> + pn->ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2];
> + pn->ctl_compat_table[2].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
> + pn->ctl_compat_table[3].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
> + pn->ctl_compat_table[4].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
> + pn->ctl_compat_table[5].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
> + pn->ctl_compat_table[6].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
> + pn->ctl_compat_table[7].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
> + pn->ctl_compat_table[8].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
> + pn->ctl_compat_table[9].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
> + pn->ctl_compat_table[10].data = &tn->tcp_loose;
> + pn->ctl_compat_table[11].data = &tn->tcp_be_liberal;
> + pn->ctl_compat_table[12].data = &tn->tcp_max_retrans;
You can make a generic function to set the ctl_data that you can
reuse for this code above and the one below.
> + }
> +#endif
> + if (!pn->ctl_table) {
> +#else
> + if (!pn->user++) {
> +#endif
> + for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
> + tn->timeouts[i] = tcp_timeouts[i];
> + tn->tcp_loose = nf_ct_tcp_loose;
> + tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
> + tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
> +#ifdef CONFIG_SYSCTL
> + pn->ctl_table = kmemdup(tcp_sysctl_table,
> + sizeof(tcp_sysctl_table),
> + GFP_KERNEL);
> + if (!pn->ctl_table) {
> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> + if (compat) {
> + kfree(pn->ctl_compat_table);
> + pn->ctl_compat_table = NULL;
> + }
> +#endif
> + return -ENOMEM;
> + }
> + pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
> + pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
> + pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
> + pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
> + pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
> + pn->ctl_table[5].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
> + pn->ctl_table[6].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
> + pn->ctl_table[7].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
> + pn->ctl_table[8].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
> + pn->ctl_table[9].data = &tn->timeouts[TCP_CONNTRACK_UNACK];
> + pn->ctl_table[10].data = &tn->tcp_loose;
> + pn->ctl_table[11].data = &tn->tcp_be_liberal;
> + pn->ctl_table[12].data = &tn->tcp_max_retrans;
> +#endif
I have bad experience with code that has lots of #ifdef's.
Please, split all *_init_net into smaller functions.
* Re: [PATCH 05/17] netfilter: add namespace support for l4proto_tcp
2012-05-25 3:00 ` Pablo Neira Ayuso
@ 2012-05-25 6:05 ` Gao feng
From: Gao feng @ 2012-05-25 6:05 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-25 11:00, Pablo Neira Ayuso wrote:
> Hi Gao,
>
> While having a look at this again, I have two new requests:
>
> On Mon, May 14, 2012 at 04:52:15PM +0800, Gao feng wrote:
> [...]
>> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
>> index 4dfbfa8..dd19350 100644
>> --- a/net/netfilter/nf_conntrack_proto_tcp.c
>> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> [...]
>> @@ -1549,10 +1532,80 @@ static struct ctl_table tcp_compat_sysctl_table[] = {
>> #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
>> #endif /* CONFIG_SYSCTL */
>>
>> +static int tcp_init_net(struct net *net, u_int8_t compat)
>> +{
>> + int i;
>> + struct nf_tcp_net *tn = tcp_pernet(net);
>> + struct nf_proto_net *pn = (struct nf_proto_net *)tn;
>> +#ifdef CONFIG_SYSCTL
>> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> + if (compat) {
>> + pn->ctl_compat_table = kmemdup(tcp_compat_sysctl_table,
>> + sizeof(tcp_compat_sysctl_table),
>> + GFP_KERNEL);
>> + if (!pn->ctl_compat_table)
>> + return -ENOMEM;
>> +
>> + pn->ctl_compat_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
>> + pn->ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2];
>> + pn->ctl_compat_table[2].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
>> + pn->ctl_compat_table[3].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
>> + pn->ctl_compat_table[4].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
>> + pn->ctl_compat_table[5].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
>> + pn->ctl_compat_table[6].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
>> + pn->ctl_compat_table[7].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
>> + pn->ctl_compat_table[8].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
>> + pn->ctl_compat_table[9].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
>> + pn->ctl_compat_table[10].data = &tn->tcp_loose;
>> + pn->ctl_compat_table[11].data = &tn->tcp_be_liberal;
>> + pn->ctl_compat_table[12].data = &tn->tcp_max_retrans;
>
> You can make a generic function to set the ctl_data that you can
> reuse for this code above and the one below.
>
Actually I want to reuse this code too,
but unfortunately the ctl_data has a different order or a different size.
ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2]
but
ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
>> + }
>> +#endif
>> + if (!pn->ctl_table) {
>> +#else
>> + if (!pn->user++) {
>> +#endif
>> + for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
>> + tn->timeouts[i] = tcp_timeouts[i];
>> + tn->tcp_loose = nf_ct_tcp_loose;
>> + tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
>> + tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
>> +#ifdef CONFIG_SYSCTL
>> + pn->ctl_table = kmemdup(tcp_sysctl_table,
>> + sizeof(tcp_sysctl_table),
>> + GFP_KERNEL);
>> + if (!pn->ctl_table) {
>> +#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> + if (compat) {
>> + kfree(pn->ctl_compat_table);
>> + pn->ctl_compat_table = NULL;
>> + }
>> +#endif
>> + return -ENOMEM;
>> + }
>> + pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
>> + pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
>> + pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
>> + pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
>> + pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
>> + pn->ctl_table[5].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
>> + pn->ctl_table[6].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
>> + pn->ctl_table[7].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
>> + pn->ctl_table[8].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
>> + pn->ctl_table[9].data = &tn->timeouts[TCP_CONNTRACK_UNACK];
>> + pn->ctl_table[10].data = &tn->tcp_loose;
>> + pn->ctl_table[11].data = &tn->tcp_be_liberal;
>> + pn->ctl_table[12].data = &tn->tcp_max_retrans;
>> +#endif
>
> I have bad experience with code that has lots of #ifdef's.
>
> Please, split all *_init_net into smaller functions.
It did look ugly, I will try my best to make the code clear. ;)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* [PATCH 06/17] netfilter: add namespace support for l4proto_udp
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-14 8:52 ` [PATCH 05/17] netfilter: add namespace support for l4proto_tcp Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-14 8:52 ` [PATCH 07/17] netfilter: add namespace support for l4proto_icmp Gao feng
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
implement udp_init_net to initialize the pernet sysctl data for
udp protos.
Because udp_init_net is called by l4proto_udp[4,6], use
nf_proto_net.users to identify if the pernet data is initialized
when CONFIG_SYSCTL is not configured.
nf_udp_net is a field of netns_ct, so when proto is udp,
return net->ct.proto.udp in function nf_ct_l4proto_net.
And move enum udp_conntrack to conntrack.h.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netns/conntrack.h | 12 ++++++
net/netfilter/nf_conntrack_proto.c | 2 +
net/netfilter/nf_conntrack_proto_udp.c | 65 ++++++++++++++++++++++++++-----
3 files changed, 68 insertions(+), 11 deletions(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index d79e627..3d1450b 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -34,9 +34,21 @@ struct nf_tcp_net {
unsigned int tcp_max_retrans;
};
+enum udp_conntrack {
+ UDP_CT_UNREPLIED,
+ UDP_CT_REPLIED,
+ UDP_CT_MAX
+};
+
+struct nf_udp_net {
+ struct nf_proto_net pn;
+ unsigned int timeouts[UDP_CT_MAX];
+};
+
struct nf_ip_net {
struct nf_generic_net generic;
struct nf_tcp_net tcp;
+ struct nf_udp_net udp;
#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
struct ctl_table_header *ctl_table_header;
struct ctl_table *ctl_table;
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 4531d6a..ba96447 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -290,6 +290,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
switch (l4proto->l4proto) {
case IPPROTO_TCP:
return (struct nf_proto_net *)&net->ct.proto.tcp;
+ case IPPROTO_UDP:
+ return (struct nf_proto_net *)&net->ct.proto.udp;
case 255: /* l4proto_generic */
return (struct nf_proto_net *)&net->ct.proto.generic;
default:
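Review bot: the cast `(struct nf_proto_net *)&net->ct.proto.udp` only works because `struct nf_proto_net pn` happens to be the first member of `struct nf_udp_net` (and of the tcp and generic structs handled by the neighbouring cases), and nothing enforces that layout. Returning `&net->ct.proto.udp.pn` yields the same pointer with the compiler checking the type, and the same change would let the `(struct nf_proto_net *)un` cast in `udp_init_net()` go away.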
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 7259a6b..072ef9c 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -25,17 +25,16 @@
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
-enum udp_conntrack {
- UDP_CT_UNREPLIED,
- UDP_CT_REPLIED,
- UDP_CT_MAX
-};
-
static unsigned int udp_timeouts[UDP_CT_MAX] = {
[UDP_CT_UNREPLIED] = 30*HZ,
[UDP_CT_REPLIED] = 180*HZ,
};
+static inline struct nf_udp_net *udp_pernet(struct net *net)
+{
+ return &net->ct.proto.udp;
+}
+
static bool udp_pkt_to_tuple(const struct sk_buff *skb,
unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
@@ -73,7 +72,7 @@ static int udp_print_tuple(struct seq_file *s,
static unsigned int *udp_get_timeouts(struct net *net)
{
- return udp_timeouts;
+ return udp_pernet(net)->timeouts;
}
/* Returns verdict for packet, and may modify conntracktype */
@@ -205,14 +204,12 @@ static struct ctl_table_header *udp_sysctl_header;
static struct ctl_table udp_sysctl_table[] = {
{
.procname = "nf_conntrack_udp_timeout",
- .data = &udp_timeouts[UDP_CT_UNREPLIED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_udp_timeout_stream",
- .data = &udp_timeouts[UDP_CT_REPLIED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -223,14 +220,12 @@ static struct ctl_table udp_sysctl_table[] = {
static struct ctl_table udp_compat_sysctl_table[] = {
{
.procname = "ip_conntrack_udp_timeout",
- .data = &udp_timeouts[UDP_CT_UNREPLIED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_udp_timeout_stream",
- .data = &udp_timeouts[UDP_CT_REPLIED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -240,10 +235,55 @@ static struct ctl_table udp_compat_sysctl_table[] = {
#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
#endif /* CONFIG_SYSCTL */
+static int udp_init_net(struct net *net, u_int8_t compat)
+{
+ int i;
+ struct nf_udp_net *un = udp_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)un;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ if (compat) {
+ pn->ctl_compat_table = kmemdup(udp_compat_sysctl_table,
+ sizeof(udp_compat_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_compat_table)
+ return -ENOMEM;
+
+ pn->ctl_compat_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
+ pn->ctl_compat_table[1].data = &un->timeouts[UDP_CT_REPLIED];
+ }
+#endif
+ if (!pn->ctl_table) {
+#else
+ if (!pn->user++) {
+#endif
+ for (i = 0; i < UDP_CT_MAX; i++)
+ un->timeouts[i] = udp_timeouts[i];
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(udp_sysctl_table,
+ sizeof(udp_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table) {
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ if (compat) {
+ kfree(pn->ctl_compat_table);
+ pn->ctl_compat_table = NULL;
+ }
+#endif
+ return -ENOMEM;
+ }
+ pn->ctl_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
+ pn->ctl_table[1].data = &un->timeouts[UDP_CT_REPLIED];
+#endif
+ }
+ return 0;
+}
+
struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
{
.l3proto = PF_INET,
.l4proto = IPPROTO_UDP,
+ .compat = 1,
.name = "udp",
.pkt_to_tuple = udp_pkt_to_tuple,
.invert_tuple = udp_invert_tuple,
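Review bot: this repeats the `tcp_init_net()` structure verbatim (compat kmemdup, the `#ifdef`-selected `if (...) {` line sharing one closing brace, kmemdup of the main table with free-on-failure of the compat table) with `un` in place of `tn`; the only protocol-specific parts are the two table names and the two `.data` assignments, so a helper in nf_conntrack_proto.c taking the source tables and a small fixup callback would remove both copies and the `#ifdef` nesting with them. Also the commit message calls the counter `nf_proto_net.users` while the code increments `pn->user`; please make the name agree in both places.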
@@ -275,6 +315,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
.ctl_compat_table = udp_compat_sysctl_table,
#endif
#endif
+ .init_net = udp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
@@ -282,6 +323,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
{
.l3proto = PF_INET6,
.l4proto = IPPROTO_UDP,
+ .compat = 0,
.name = "udp",
.pkt_to_tuple = udp_pkt_to_tuple,
.invert_tuple = udp_invert_tuple,
@@ -310,5 +352,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
.ctl_table_header = &udp_sysctl_header,
.ctl_table = udp_sysctl_table,
#endif
+ .init_net = udp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
--
1.7.7.6
* [PATCH 07/17] netfilter: add namespace support for l4proto_icmp
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-14 8:52 ` [PATCH 06/17] netfilter: add namespace support for l4proto_udp Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-14 8:52 ` [PATCH 08/17] netfilter: add namespace support for l4proto_icmpv6 Gao feng
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
implement icmp_init_net to initialize the pernet data for the
icmp proto.
because nf_icmp_net is a field of netns_ct, so when proto is icmp,
return net->ct.proto.icmp in function nf_ct_l4proto_net.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netns/conntrack.h | 6 ++++
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 39 ++++++++++++++++++++++++--
net/netfilter/nf_conntrack_proto.c | 2 +
3 files changed, 44 insertions(+), 3 deletions(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 3d1450b..430cc71 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -45,10 +45,16 @@ struct nf_udp_net {
unsigned int timeouts[UDP_CT_MAX];
};
+struct nf_icmp_net {
+ struct nf_proto_net pn;
+ unsigned int timeout;
+};
+
struct nf_ip_net {
struct nf_generic_net generic;
struct nf_tcp_net tcp;
struct nf_udp_net udp;
+ struct nf_icmp_net icmp;
#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
struct ctl_table_header *ctl_table_header;
struct ctl_table *ctl_table;
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 0847e37..f468d10 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -23,6 +23,11 @@
static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;
+static inline struct nf_icmp_net *icmp_pernet(struct net *net)
+{
+ return &net->ct.proto.icmp;
+}
+
static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
{
@@ -77,7 +82,7 @@ static int icmp_print_tuple(struct seq_file *s,
static unsigned int *icmp_get_timeouts(struct net *net)
{
- return &nf_ct_icmp_timeout;
+ return &icmp_pernet(net)->timeout;
}
/* Returns verdict for packet, or -1 for invalid. */
@@ -312,7 +317,6 @@ static struct ctl_table_header *icmp_sysctl_header;
static struct ctl_table icmp_sysctl_table[] = {
{
.procname = "nf_conntrack_icmp_timeout",
- .data = &nf_ct_icmp_timeout,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -323,7 +327,6 @@ static struct ctl_table icmp_sysctl_table[] = {
static struct ctl_table icmp_compat_sysctl_table[] = {
{
.procname = "ip_conntrack_icmp_timeout",
- .data = &nf_ct_icmp_timeout,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -333,10 +336,39 @@ static struct ctl_table icmp_compat_sysctl_table[] = {
#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
#endif /* CONFIG_SYSCTL */
+static int icmp_init_net(struct net *net, u_int8_t compat)
+{
+ struct nf_icmp_net *in = icmp_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)in;
+ in->timeout = nf_ct_icmp_timeout;
+
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(icmp_sysctl_table,
+ sizeof(icmp_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table)
+ return -ENOMEM;
+ pn->ctl_table[0].data = &in->timeout;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ pn->ctl_compat_table = kmemdup(icmp_compat_sysctl_table,
+ sizeof(icmp_compat_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_compat_table) {
+ kfree(pn->ctl_table);
+ pn->ctl_table = NULL;
+ return -ENOMEM;
+ }
+ pn->ctl_compat_table[0].data = &in->timeout;
+#endif
+#endif
+ return 0;
+}
+
struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
{
.l3proto = PF_INET,
.l4proto = IPPROTO_ICMP,
+ .compat = 1,
.name = "icmp",
.pkt_to_tuple = icmp_pkt_to_tuple,
.invert_tuple = icmp_invert_tuple,
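Review bot: the `compat` argument is unused here: under `CONFIG_NF_CONNTRACK_PROC_COMPAT` the compat table is always duplicated, whereas `tcp_init_net()` and `udp_init_net()` only do so when `compat` is set. That is correct today only because `nf_conntrack_l4proto_icmp` is the sole caller and sets `.compat = 1`; either honour the flag for consistency or document why it can be ignored. There is also no `!pn->ctl_table` check or `pn->user` counter in this variant, so a second registration for the same net would overwrite and leak the first `ctl_table` and `ctl_compat_table`; a comment stating the once-per-net assumption would make that explicit.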
@@ -369,4 +401,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
.ctl_compat_table = icmp_compat_sysctl_table,
#endif
#endif
+ .init_net = icmp_init_net,
};
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index ba96447..fc0accd 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -292,6 +292,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
return (struct nf_proto_net *)&net->ct.proto.tcp;
case IPPROTO_UDP:
return (struct nf_proto_net *)&net->ct.proto.udp;
+ case IPPROTO_ICMP:
+ return (struct nf_proto_net *)&net->ct.proto.icmp;
case 255: /* l4proto_generic */
return (struct nf_proto_net *)&net->ct.proto.generic;
default:
--
1.7.7.6
* [PATCH 08/17] netfilter: add namespace support for l4proto_icmpv6
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-14 8:52 ` [PATCH 07/17] netfilter: add namespace support for l4proto_icmp Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-14 8:52 ` [PATCH 09/17] netfilter: add namespace support for l3proto_ipv4 Gao feng
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
implement icmpv6_init_net to initialize the pernet data for the
icmpv6 proto.
because nf_icmp_net is a field of netns_ct, so when proto is icmpv6,
return net->ct.proto.icmpv6 in function nf_ct_l4proto_net.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netns/conntrack.h | 1 +
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 26 ++++++++++++++++++++++-
net/netfilter/nf_conntrack_proto.c | 2 +
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 430cc71..3409b26 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -55,6 +55,7 @@ struct nf_ip_net {
struct nf_tcp_net tcp;
struct nf_udp_net udp;
struct nf_icmp_net icmp;
+ struct nf_icmp_net icmpv6;
#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
struct ctl_table_header *ctl_table_header;
struct ctl_table *ctl_table;
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 3e81904..3cb422e 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -29,6 +29,11 @@
static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
+static inline struct nf_icmp_net *icmpv6_pernet(struct net *net)
+{
+ return &net->ct.proto.icmpv6;
+}
+
static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
@@ -90,7 +95,7 @@ static int icmpv6_print_tuple(struct seq_file *s,
static unsigned int *icmpv6_get_timeouts(struct net *net)
{
- return &nf_ct_icmpv6_timeout;
+ return &icmpv6_pernet(net)->timeout;
}
/* Returns verdict for packet, or -1 for invalid. */
@@ -319,7 +324,6 @@ static struct ctl_table_header *icmpv6_sysctl_header;
static struct ctl_table icmpv6_sysctl_table[] = {
{
.procname = "nf_conntrack_icmpv6_timeout",
- .data = &nf_ct_icmpv6_timeout,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -328,10 +332,27 @@ static struct ctl_table icmpv6_sysctl_table[] = {
};
#endif /* CONFIG_SYSCTL */
+static int icmpv6_init_net(struct net *net, u_int8_t compat)
+{
+ struct nf_icmp_net *in = icmpv6_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)in;
+ in->timeout = nf_ct_icmpv6_timeout;
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(icmpv6_sysctl_table,
+ sizeof(icmpv6_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table)
+ return -ENOMEM;
+ pn->ctl_table[0].data = &in->timeout;
+#endif
+ return 0;
+}
+
struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
{
.l3proto = PF_INET6,
.l4proto = IPPROTO_ICMPV6,
+ .compat = 0,
.name = "icmpv6",
.pkt_to_tuple = icmpv6_pkt_to_tuple,
.invert_tuple = icmpv6_invert_tuple,
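Review bot: icmpv6_init_net has no first-caller guard and ignores `compat`: every call overwrites `pn->ctl_table` with a fresh kmemdup, so a second init for the same net would leak the first copy. With a single icmpv6 l4proto that cannot happen today, but sctp_init_net and udplite_init_net later in this series guard with `if (!pn->ctl_table)`, and using the same guard here keeps the helpers uniform. The cast `(struct nf_proto_net *)in` also silently depends on nf_proto_net being the first member of nf_icmp_net; naming the embedded member instead of casting lets the compiler check that layout. A short pr_err on the `-ENOMEM` path would also help when a namespace fails to come up.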
@@ -359,4 +380,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
.ctl_table_header = &icmpv6_sysctl_header,
.ctl_table = icmpv6_sysctl_table,
#endif
+ .init_net = icmpv6_init_net,
};
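Review bot: `.ctl_table = icmpv6_sysctl_table` still points the l4proto at the static table whose `.data` was removed in the previous hunk, so any code path that registers that static table directly (rather than the per-net copy set up in icmpv6_init_net) would now register a sysctl entry with a NULL `.data`. Confirm no such path remains, or drop the static `.ctl_table`/`.ctl_table_header` fields from the l4proto once all protos are converted.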
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index fc0accd..79b7c76 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -294,6 +294,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
return (struct nf_proto_net *)&net->ct.proto.udp;
case IPPROTO_ICMP:
return (struct nf_proto_net *)&net->ct.proto.icmp;
+ case IPPROTO_ICMPV6:
+ return (struct nf_proto_net *)&net->ct.proto.icmpv6;
case 255: /* l4proto_generic */
return (struct nf_proto_net *)&net->ct.proto.generic;
default:
--
1.7.7.6
* [PATCH 09/17] netfilter: add namespace support for l3proto_ipv4
From: Gao feng @ 2012-05-14 8:52 UTC
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Add pernet_operations ipv4_net_ops and register it when
module nf_conntrack_ipv4 is loaded.
Move the l4proto_register and l3proto_register from the module_init
function to ipv4_net_ops.init.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 122 ++++++++++++++++--------
1 files changed, 84 insertions(+), 38 deletions(-)
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 0c0fb90..1dd17ed 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -207,35 +207,30 @@ static int log_invalid_proto_max = 255;
static ctl_table ip_ct_sysctl_table[] = {
{
.procname = "ip_conntrack_max",
- .data = &nf_conntrack_max,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
{
.procname = "ip_conntrack_count",
- .data = &init_net.ct.count,
.maxlen = sizeof(int),
.mode = 0444,
.proc_handler = proc_dointvec,
},
{
.procname = "ip_conntrack_buckets",
- .data = &init_net.ct.htable_size,
.maxlen = sizeof(unsigned int),
.mode = 0444,
.proc_handler = proc_dointvec,
},
{
.procname = "ip_conntrack_checksum",
- .data = &init_net.ct.sysctl_checksum,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
{
.procname = "ip_conntrack_log_invalid",
- .data = &init_net.ct.sysctl_log_invalid,
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
@@ -351,6 +346,24 @@ static struct nf_sockopt_ops so_getorigdst = {
.owner = THIS_MODULE,
};
+static int ipv4_init_net(struct net *net)
+{
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+ struct nf_ip_net *in = &net->ct.proto;
+ in->ctl_table = kmemdup(ip_ct_sysctl_table,
+ sizeof(ip_ct_sysctl_table),
+ GFP_KERNEL);
+ if (!in->ctl_table)
+ return -ENOMEM;
+ in->ctl_table[0].data = &nf_conntrack_max;
+ in->ctl_table[1].data = &net->ct.count;
+ in->ctl_table[2].data = &net->ct.htable_size;
+ in->ctl_table[3].data = &net->ct.sysctl_checksum;
+ in->ctl_table[4].data = &net->ct.sysctl_log_invalid;
+#endif
+ return 0;
+}
+
struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
.l3proto = PF_INET,
.name = "ipv4",
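Review bot: `in->ctl_table[0].data = &nf_conntrack_max` points the per-namespace `ip_conntrack_max` entry at the global limit while the entry keeps mode 0644, so a write through any namespace's copy of the sysctl changes the conntrack limit for every namespace; if that is intended, the commit message should say so, otherwise the entry should be read-only outside init_net. The hard-coded indices `[0]`..`[4]` are also fragile: reordering `ip_ct_sysctl_table` would silently point entries at the wrong variables, so a named enum for the indices or a lookup by `procname` would be safer. Nothing in this patch frees `in->ctl_table`; confirm the l3proto unregister path does.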
@@ -368,6 +381,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
.ctl_table_path = "net/ipv4/netfilter",
.ctl_table = ip_ct_sysctl_table,
#endif
+ .init_net = ipv4_init_net,
.me = THIS_MODULE,
};
@@ -378,6 +392,65 @@ MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
MODULE_ALIAS("ip_conntrack");
MODULE_LICENSE("GPL");
+static int ipv4_net_init(struct net *net)
+{
+ int ret = 0;
+
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_tcp4);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_tcp4 :protocol register failed\n");
+ goto out_tcp;
+ }
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_udp4);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_udp4 :protocol register failed\n");
+ goto out_udp;
+ }
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_icmp);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_icmp4 :protocol register failed\n");
+ goto out_icmp;
+ }
+ ret = nf_conntrack_l3proto_register(net,
+ &nf_conntrack_l3proto_ipv4);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l3proto_ipv4 :protocol register failed\n");
+ goto out_ipv4;
+ }
+ return 0;
+out_ipv4:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_icmp);
+out_icmp:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_udp4);
+out_udp:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_tcp4);
+out_tcp:
+ return ret;
+}
+
+static void ipv4_net_exit(struct net *net)
+{
+ nf_conntrack_l3proto_unregister(net,
+ &nf_conntrack_l3proto_ipv4);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_icmp);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_udp4);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_tcp4);
+}
+
+static struct pernet_operations ipv4_net_ops = {
+ .init = ipv4_net_init,
+ .exit = ipv4_net_exit,
+};
+
static int __init nf_conntrack_l3proto_ipv4_init(void)
{
int ret = 0;
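Review bot: the pr_err on the `goto out_icmp` path names `nf_conntrack_l4proto_icmp4` while the symbol registered is `nf_conntrack_l4proto_icmp`, and all four messages carry a space before the colon (`... :protocol register failed`); aligning the text with the symbol names keeps log searches reliable. `int ret = 0;` is overwritten on the next statement and can be a plain declaration. The unwind order in the error labels and in ipv4_net_exit correctly reverses registration order.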
@@ -391,35 +464,17 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
return ret;
}
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp4);
+ ret = register_pernet_subsys(&ipv4_net_ops);
if (ret < 0) {
- pr_err("nf_conntrack_ipv4: can't register tcp.\n");
+ pr_err("nf_conntrack_ipv4: can't register pernet ops\n");
goto cleanup_sockopt;
}
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp4);
- if (ret < 0) {
- pr_err("nf_conntrack_ipv4: can't register udp.\n");
- goto cleanup_tcp;
- }
-
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmp);
- if (ret < 0) {
- pr_err("nf_conntrack_ipv4: can't register icmp.\n");
- goto cleanup_udp;
- }
-
- ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv4);
- if (ret < 0) {
- pr_err("nf_conntrack_ipv4: can't register ipv4\n");
- goto cleanup_icmp;
- }
-
ret = nf_register_hooks(ipv4_conntrack_ops,
ARRAY_SIZE(ipv4_conntrack_ops));
if (ret < 0) {
pr_err("nf_conntrack_ipv4: can't register hooks.\n");
- goto cleanup_ipv4;
+ goto cleanup_pernet;
}
#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
ret = nf_conntrack_ipv4_compat_init();
@@ -431,14 +486,8 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
cleanup_hooks:
nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
#endif
- cleanup_ipv4:
- nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
- cleanup_icmp:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
- cleanup_udp:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
- cleanup_tcp:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
+ cleanup_pernet:
+ unregister_pernet_subsys(&ipv4_net_ops);
cleanup_sockopt:
nf_unregister_sockopt(&so_getorigdst);
return ret;
@@ -451,10 +500,7 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
nf_conntrack_ipv4_compat_fini();
#endif
nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
- nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
+ unregister_pernet_subsys(&ipv4_net_ops);
nf_unregister_sockopt(&so_getorigdst);
}
--
1.7.7.6
* [PATCH 10/17] netfilter: add namespace support for l3proto_ipv6
From: Gao feng @ 2012-05-14 8:52 UTC
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Add pernet_operations ipv6_net_ops and register it when
module nf_conntrack_ipv6 is loaded.
Move the l4proto_register and l3proto_register from the module_init
function to ipv6_net_ops.init.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 88 ++++++++++++++++--------
1 files changed, 59 insertions(+), 29 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 6cfbe7b..7553019 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -334,37 +334,75 @@ MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
-static int __init nf_conntrack_l3proto_ipv6_init(void)
+static int ipv6_net_init(struct net *net)
{
int ret = 0;
- need_conntrack();
- nf_defrag_ipv6_enable();
-
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp6);
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_tcp6);
if (ret < 0) {
- pr_err("nf_conntrack_ipv6: can't register tcp.\n");
- return ret;
+ printk(KERN_ERR "nf_conntrack_l4proto_tcp6: protocol register failed\n");
+ goto out;
}
-
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp6);
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_udp6);
if (ret < 0) {
- pr_err("nf_conntrack_ipv6: can't register udp.\n");
- goto cleanup_tcp;
+ printk(KERN_ERR "nf_conntrack_l4proto_udp6: protocol register failed\n");
+ goto cleanup_tcp6;
}
-
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmpv6);
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_icmpv6);
if (ret < 0) {
- pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
- goto cleanup_udp;
+ printk(KERN_ERR "nf_conntrack_l4proto_icmp6: protocol register failed\n");
+ goto cleanup_udp6;
}
-
- ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv6);
+ ret = nf_conntrack_l3proto_register(net,
+ &nf_conntrack_l3proto_ipv6);
if (ret < 0) {
- pr_err("nf_conntrack_ipv6: can't register ipv6\n");
+ printk(KERN_ERR "nf_conntrack_l3proto_ipv6: protocol register failed\n");
goto cleanup_icmpv6;
}
+ return 0;
+ cleanup_icmpv6:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_icmpv6);
+ cleanup_udp6:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_udp6);
+ cleanup_tcp6:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_tcp6);
+ out:
+ return ret;
+}
+static void ipv6_net_exit(struct net *net)
+{
+ nf_conntrack_l3proto_unregister(net,
+ &nf_conntrack_l3proto_ipv6);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_icmpv6);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_udp6);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_tcp6);
+}
+
+static struct pernet_operations ipv6_net_ops = {
+ .init = ipv6_net_init,
+ .exit = ipv6_net_exit,
+};
+
+static int __init nf_conntrack_l3proto_ipv6_init(void)
+{
+ int ret = 0;
+
+ need_conntrack();
+ nf_defrag_ipv6_enable();
+
+ ret = register_pernet_subsys(&ipv6_net_ops);
+ if (ret < 0)
+ goto cleanup_pernet;
ret = nf_register_hooks(ipv6_conntrack_ops,
ARRAY_SIZE(ipv6_conntrack_ops));
if (ret < 0) {
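Review bot: the new code uses `printk(KERN_ERR ...)` where the lines it replaces used `pr_err`, the opposite of the direction the ipv4 counterpart takes; the icmpv6 message also names `nf_conntrack_l4proto_icmp6` while the symbol is `nf_conntrack_l4proto_icmpv6`. On `register_pernet_subsys` failure this hunk does `goto cleanup_pernet` with no error message, unlike the ipv4 module. A blank line is missing between the closing brace of ipv6_net_init and `static void ipv6_net_exit`.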
@@ -375,13 +413,8 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
return ret;
cleanup_ipv6:
- nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
- cleanup_icmpv6:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
- cleanup_udp:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
- cleanup_tcp:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
+ unregister_pernet_subsys(&ipv6_net_ops);
+ cleanup_pernet:
return ret;
}
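Review bot: the labels now read backwards: `cleanup_ipv6:` runs `unregister_pernet_subsys(&ipv6_net_ops)` and `cleanup_pernet:` only returns, so the pernet-registration failure in the previous hunk jumps past the unregister (correct, since nothing was registered) under a label that suggests otherwise. It works, but renaming `cleanup_ipv6` to `cleanup_pernet` and returning `ret` directly when register_pernet_subsys fails makes the intent plain.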
@@ -389,10 +422,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
{
synchronize_net();
nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
- nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
+ unregister_pernet_subsys(&ipv6_net_ops);
}
module_init(nf_conntrack_l3proto_ipv6_init);
--
1.7.7.6
* [PATCH 11/17] netfilter: add namespace support for l4proto_sctp
From: Gao feng @ 2012-05-14 8:52 UTC
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Add pernet_operations sctp_net_ops and register it when
module nf_conntrack_proto_sctp is loaded.
Move the l4proto_register from the module_init function to
sctp_net_ops.init.
And implement sctp_init_net to initialize the pernet sysctl
data for the sctp[4,6] protos.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
net/netfilter/nf_conntrack_proto_sctp.c | 135 ++++++++++++++++++++++++-------
1 files changed, 106 insertions(+), 29 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 97bbc20..3f0fdf8 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -127,6 +127,17 @@ static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
}
};
+static int sctp_net_id __read_mostly;
+struct sctp_net {
+ struct nf_proto_net pn;
+ unsigned int timeouts[SCTP_CONNTRACK_MAX];
+};
+
+static inline struct sctp_net *sctp_pernet(struct net *net)
+{
+ return net_generic(net, sctp_net_id);
+}
+
static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
{
@@ -281,7 +292,7 @@ static int sctp_new_state(enum ip_conntrack_dir dir,
static unsigned int *sctp_get_timeouts(struct net *net)
{
- return sctp_timeouts;
+ return sctp_pernet(net)->timeouts;
}
/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
@@ -604,49 +615,42 @@ static struct ctl_table_header *sctp_sysctl_header;
static struct ctl_table sctp_sysctl_table[] = {
{
.procname = "nf_conntrack_sctp_timeout_closed",
- .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_cookie_wait",
- .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_cookie_echoed",
- .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_established",
- .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_shutdown_sent",
- .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_shutdown_recd",
- .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
- .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -658,49 +662,42 @@ static struct ctl_table sctp_sysctl_table[] = {
static struct ctl_table sctp_compat_sysctl_table[] = {
{
.procname = "ip_conntrack_sctp_timeout_closed",
- .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_cookie_wait",
- .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_cookie_echoed",
- .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_established",
- .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_shutdown_sent",
- .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_shutdown_recd",
- .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
- .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -710,9 +707,63 @@ static struct ctl_table sctp_compat_sysctl_table[] = {
#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
#endif
+static int sctp_init_net(struct net *net, u_int8_t compat)
+{
+ int i;
+ struct sctp_net *sn = sctp_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)sn;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ if (compat) {
+ pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
+ sizeof(sctp_compat_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_compat_table)
+ return -ENOMEM;
+ pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
+ pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
+ pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
+ pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
+ pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
+ pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
+ pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
+ }
+#endif
+ if (!pn->ctl_table) {
+#else
+ if (!pn->users++) {
+#endif
+ for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
+ sn->timeouts[i] = sctp_timeouts[i];
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(sctp_sysctl_table,
+ sizeof(sctp_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table) {
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+ if (compat) {
+ kfree(pn->ctl_compat_table);
+ pn->ctl_compat_table = NULL;
+ }
+#endif
+ return -ENOMEM;
+ }
+ pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
+ pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
+ pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
+ pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
+ pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
+ pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
+ pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
+#endif
+ }
+ return 0;
+}
+
static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.l3proto = PF_INET,
.l4proto = IPPROTO_SCTP,
+ .compat = 1,
.name = "sctp",
.pkt_to_tuple = sctp_pkt_to_tuple,
.invert_tuple = sctp_invert_tuple,
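Review bot: the `#ifdef CONFIG_SYSCTL` / `#else` / `#endif` that selects between `if (!pn->ctl_table) {` and `if (!pn->users++) {` splits one `if` statement across preprocessor branches, which is hard to read and means `pn->users` is only counted when CONFIG_SYSCTL is off; a single `if (!pn->users++)` guard under both configurations is simpler and keeps the count meaningful for the unregister path. The fourteen `pn->ctl_table[N].data = ...` / `pn->ctl_compat_table[N].data = ...` assignments with hard-coded indices duplicate each other and silently break if either table is reordered; a loop over the timeout states, or a small helper shared by both tables, removes the duplication. `compat` is declared `u_int8_t` but used as a boolean. The error path that frees `ctl_compat_table` when the second kmemdup fails is correct, since the compat table can only have been allocated in the same call.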
@@ -748,11 +799,14 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.ctl_compat_table = sctp_compat_sysctl_table,
#endif
#endif
+ .net_id = &sctp_net_id,
+ .init_net = sctp_init_net,
};
static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
.l3proto = PF_INET6,
.l4proto = IPPROTO_SCTP,
+ .compat = 0,
.name = "sctp",
.pkt_to_tuple = sctp_pkt_to_tuple,
.invert_tuple = sctp_invert_tuple,
@@ -785,35 +839,58 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
.ctl_table_header = &sctp_sysctl_header,
.ctl_table = sctp_sysctl_table,
#endif
+ .net_id = &sctp_net_id,
+ .init_net = sctp_init_net,
};
-static int __init nf_conntrack_proto_sctp_init(void)
+static int sctp_net_init(struct net *net)
{
- int ret;
+ int ret = 0;
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp4);
- if (ret) {
- pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n");
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_sctp4);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_sctp4 :protocol register failed.\n");
goto out;
}
- ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp6);
- if (ret) {
- pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_sctp6);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_sctp6 :protocol register failed.\n");
goto cleanup_sctp4;
}
+ return 0;
+cleanup_sctp4:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_sctp4);
+out:
return ret;
+}
- cleanup_sctp4:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
- out:
- return ret;
+static void sctp_net_exit(struct net *net)
+{
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_sctp6);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_sctp4);
+}
+
+static struct pernet_operations sctp_net_ops = {
+ .init = sctp_net_init,
+ .exit = sctp_net_exit,
+ .id = &sctp_net_id,
+ .size = sizeof(struct sctp_net),
+};
+
+static int __init nf_conntrack_proto_sctp_init(void)
+{
+ return register_pernet_subsys(&sctp_net_ops);
}
static void __exit nf_conntrack_proto_sctp_fini(void)
{
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp6);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
+ unregister_pernet_subsys(&sctp_net_ops);
}
module_init(nf_conntrack_proto_sctp_init);
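Review bot: both pr_err strings carry a space before the colon (`nf_conntrack_l4proto_sctp4 :protocol register failed.`), and `int ret = 0;` is assigned on the next statement. `.id = &sctp_net_id` with `.size = sizeof(struct sctp_net)` correctly lets the pernet core allocate the per-net area that `sctp_pernet` returns, and sctp_net_exit reverses the registration order. The module_init now returns register_pernet_subsys directly with no message, which is acceptable but inconsistent with the ipv4 module's pr_err.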
--
1.7.7.6
* [PATCH 12/17] netfilter: add namespace support for l4proto_udplite
From: Gao feng @ 2012-05-14 8:52 UTC
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Add pernet_operations udplite_net_ops and register it when
module nf_conntrack_proto_udplite is loaded.
Move the l4proto_register from the module_init function to
udplite_net_ops.init.
And implement udplite_init_net to initialize the pernet sysctl
table for the udplite[4,6] protos.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
net/netfilter/nf_conntrack_proto_udplite.c | 103 +++++++++++++++++++++++-----
1 files changed, 85 insertions(+), 18 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index fa142a8..1e90cf5 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -35,6 +35,17 @@ static unsigned int udplite_timeouts[UDPLITE_CT_MAX] = {
[UDPLITE_CT_REPLIED] = 180*HZ,
};
+static int udplite_net_id __read_mostly;
+struct udplite_net {
+ struct nf_proto_net pn;
+ unsigned int timeouts[UDPLITE_CT_MAX];
+};
+
+static inline struct udplite_net *udplite_pernet(struct net *net)
+{
+ return net_generic(net, udplite_net_id);
+}
+
static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
@@ -70,7 +81,7 @@ static int udplite_print_tuple(struct seq_file *s,
static unsigned int *udplite_get_timeouts(struct net *net)
{
- return udplite_timeouts;
+ return udplite_pernet(net)->timeouts;
}
/* Returns verdict for packet, and may modify conntracktype */
@@ -209,14 +220,12 @@ static struct ctl_table_header *udplite_sysctl_header;
static struct ctl_table udplite_sysctl_table[] = {
{
.procname = "nf_conntrack_udplite_timeout",
- .data = &udplite_timeouts[UDPLITE_CT_UNREPLIED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_udplite_timeout_stream",
- .data = &udplite_timeouts[UDPLITE_CT_REPLIED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
@@ -225,10 +234,36 @@ static struct ctl_table udplite_sysctl_table[] = {
};
#endif /* CONFIG_SYSCTL */
+static int udplite_init_net(struct net *net, u_int8_t compat)
+{
+ int i;
+ struct udplite_net *un = udplite_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)un;
+#ifdef CONFIG_SYSCTL
+ if (!pn->ctl_table) {
+#else
+ if (!pn->users++) {
+#endif
+ for (i = 0 ; i < UDPLITE_CT_MAX; i++)
+ un->timeouts[i] = udplite_timeouts[i];
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(udplite_sysctl_table,
+ sizeof(udplite_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table)
+ return -ENOMEM;
+ pn->ctl_table[0].data = &un->timeouts[UDPLITE_CT_UNREPLIED];
+ pn->ctl_table[1].data = &un->timeouts[UDPLITE_CT_REPLIED];
+#endif
+ }
+ return 0;
+}
+
static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
{
.l3proto = PF_INET,
.l4proto = IPPROTO_UDPLITE,
+ .compat = 0,
.name = "udplite",
.pkt_to_tuple = udplite_pkt_to_tuple,
.invert_tuple = udplite_invert_tuple,
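Review bot: both udplite l4protos set `.compat = 0`, so the `compat` parameter of udplite_init_net is unused; that is fine as an interface requirement but deserves a one-line comment. The same `#ifdef`-split `if` as in sctp_init_net appears here, with the same consequence that `pn->users` is only counted without CONFIG_SYSCTL; `for (i = 0 ; i <` has a stray space before the semicolon.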
@@ -258,12 +293,15 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
.ctl_table_header = &udplite_sysctl_header,
.ctl_table = udplite_sysctl_table,
#endif
+ .net_id = &udplite_net_id,
+ .init_net = udplite_init_net,
};
static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
{
.l3proto = PF_INET6,
.l4proto = IPPROTO_UDPLITE,
+ .compat = 0,
.name = "udplite",
.pkt_to_tuple = udplite_pkt_to_tuple,
.invert_tuple = udplite_invert_tuple,
@@ -293,29 +331,58 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
.ctl_table_header = &udplite_sysctl_header,
.ctl_table = udplite_sysctl_table,
#endif
+ .net_id = &udplite_net_id,
+ .init_net = udplite_init_net,
};
-static int __init nf_conntrack_proto_udplite_init(void)
+static int udplite_net_init(struct net *net)
{
- int err;
-
- err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite4);
- if (err < 0)
- goto err1;
- err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite6);
- if (err < 0)
- goto err2;
+ int ret = 0;
+
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_udplite4);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_udplite4 :protocol register failed.\n");
+ goto out;
+ }
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_udplite6);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_udplite4 :protocol register failed.\n");
+ goto cleanup_udplite4;
+ }
return 0;
-err2:
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
-err1:
- return err;
+
+cleanup_udplite4:
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_udplite4);
+out:
+ return ret;
+}
+
+static void udplite_net_exit(struct net *net)
+{
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_udplite6);
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_udplite4);
+}
+
+static struct pernet_operations udplite_net_ops = {
+ .init = udplite_net_init,
+ .exit = udplite_net_exit,
+ .id = &udplite_net_id,
+ .size = sizeof(struct udplite_net),
+};
+
+static int __init nf_conntrack_proto_udplite_init(void)
+{
+ return register_pernet_subsys(&udplite_net_ops);
}
static void __exit nf_conntrack_proto_udplite_exit(void)
{
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite6);
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
+ unregister_pernet_subsys(&udplite_net_ops);
}
module_init(nf_conntrack_proto_udplite_init);
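Review bot: copy/paste error: the pr_err after registering `nf_conntrack_l4proto_udplite6` reports `nf_conntrack_l4proto_udplite4 :protocol register failed.`, so a udplite6 failure would be logged as a udplite4 failure; change the string to udplite6 and drop the space before the colon in both messages. The unwind in `cleanup_udplite4` and the reverse order in udplite_net_exit are correct.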
--
1.7.7.6
* [PATCH 13/17] netfilter: adjust l4proto_dccp to the nf_conntrack_l4proto_register
From: Gao feng @ 2012-05-14 8:52 UTC
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Move the nf_conntrack_l4proto_register from module_init to
dccp_net_ops.init, and change the struct dccp_net to adjust
to the nf_conntrack_l4proto_register.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
net/netfilter/nf_conntrack_proto_dccp.c | 135 ++++++++++++++++---------------
1 files changed, 69 insertions(+), 66 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 5a8e037..034f8ea 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -387,12 +387,9 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] =
/* this module per-net specifics */
static int dccp_net_id __read_mostly;
struct dccp_net {
+ struct nf_proto_net np;
int dccp_loose;
unsigned int dccp_timeout[CT_DCCP_MAX + 1];
-#ifdef CONFIG_SYSCTL
- struct ctl_table_header *sysctl_header;
- struct ctl_table *sysctl_table;
-#endif
};
static inline struct dccp_net *dccp_pernet(struct net *net)
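Review bot: the embedded member is named `np` here but `pn` in struct sctp_net and struct udplite_net; using `pn` everywhere keeps the init helpers uniform. With `sysctl_header`/`sysctl_table` removed from struct dccp_net, confirm that dccp_net_init and the matching exit (only the opening of dccp_net_init is visible at the end of this diff) no longer touch them, since nf_proto_net now owns ctl_table_header/ctl_table.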
@@ -817,9 +814,50 @@ static struct ctl_table dccp_sysctl_table[] = {
};
#endif /* CONFIG_SYSCTL */
+static int dccp_init_net(struct net *net, u_int8_t compat)
+{
+
+ struct dccp_net *dn = dccp_pernet(net);
+ struct nf_proto_net *pn = (struct nf_proto_net *)dn;
+
+#ifdef CONFIG_SYSCTL
+ if (!pn->ctl_table) {
+#else
+ if (!pn->users++) {
+#endif
+ /* default values */
+ dn->dccp_loose = 1;
+ dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL;
+ dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL;
+ dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL;
+ dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ;
+ dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ;
+ dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ;
+ dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
+#ifdef CONFIG_SYSCTL
+ pn->ctl_table = kmemdup(dccp_sysctl_table,
+ sizeof(dccp_sysctl_table),
+ GFP_KERNEL);
+ if (!pn->ctl_table)
+ return -ENOMEM;
+
+ pn->ctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
+ pn->ctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
+ pn->ctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
+ pn->ctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
+ pn->ctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
+ pn->ctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
+ pn->ctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
+ pn->ctl_table[7].data = &dn->dccp_loose;
+#endif
+ }
+ return 0;
+}
+
static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
.l3proto = AF_INET,
.l4proto = IPPROTO_DCCP,
+ .compat = 0,
.name = "dccp",
.pkt_to_tuple = dccp_pkt_to_tuple,
.invert_tuple = dccp_invert_tuple,
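Review bot: the "already initialised" guard in `dccp_init_net` differs by configuration: with CONFIG_SYSCTL it tests `!pn->ctl_table` and never touches `pn->users`, without it it tests `!pn->users++`. Since the same function runs for both `dccp_proto4` and `dccp_proto6`, both paths need to mean the same thing, and an `#ifdef`/`#else` split across an `if (` line is hard to read; compute the condition into a local first, e.g. `bool first = ...;` and then `if (first) {`. Also replace the `(struct nf_proto_net *)dn` cast with `&dn->np`, drop the blank line after the opening `{`, and note that the `compat` parameter is unused here.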
@@ -847,11 +885,14 @@ static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
.nla_policy = dccp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+ .net_id = &dccp_net_id,
+ .init_net = dccp_init_net,
};
static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
.l3proto = AF_INET6,
.l4proto = IPPROTO_DCCP,
+ .compat = 0,
.name = "dccp",
.pkt_to_tuple = dccp_pkt_to_tuple,
.invert_tuple = dccp_invert_tuple,
@@ -879,55 +920,39 @@ static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
.nla_policy = dccp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+ .net_id = &dccp_net_id,
+ .init_net = dccp_init_net,
};
static __net_init int dccp_net_init(struct net *net)
{
- struct dccp_net *dn = dccp_pernet(net);
-
- /* default values */
- dn->dccp_loose = 1;
- dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL;
- dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL;
- dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL;
- dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ;
- dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ;
- dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ;
- dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
-
-#ifdef CONFIG_SYSCTL
- dn->sysctl_table = kmemdup(dccp_sysctl_table,
- sizeof(dccp_sysctl_table), GFP_KERNEL);
- if (!dn->sysctl_table)
- return -ENOMEM;
-
- dn->sysctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
- dn->sysctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
- dn->sysctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
- dn->sysctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
- dn->sysctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
- dn->sysctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
- dn->sysctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
- dn->sysctl_table[7].data = &dn->dccp_loose;
-
- dn->sysctl_header = register_net_sysctl(net, "net/netfilter",
- dn->sysctl_table);
- if (!dn->sysctl_header) {
- kfree(dn->sysctl_table);
- return -ENOMEM;
+ int ret = 0;
+ ret = nf_conntrack_l4proto_register(net,
+ &dccp_proto4);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_dccp4 :protocol register failed.\n");
+ goto out;
+ }
+ ret = nf_conntrack_l4proto_register(net,
+ &dccp_proto6);
+ if (ret < 0) {
+ pr_err("nf_conntrack_l4proto_dccp6 :protocol register failed.\n");
+ goto cleanup_dccp4;
}
-#endif
-
return 0;
+cleanup_dccp4:
+ nf_conntrack_l4proto_unregister(net,
+ &dccp_proto4);
+out:
+ return ret;
}
static __net_exit void dccp_net_exit(struct net *net)
{
- struct dccp_net *dn = dccp_pernet(net);
-#ifdef CONFIG_SYSCTL
- unregister_net_sysctl_table(dn->sysctl_header);
- kfree(dn->sysctl_table);
-#endif
+ nf_conntrack_l4proto_unregister(net,
+ &dccp_proto6);
+ nf_conntrack_l4proto_unregister(net,
+ &dccp_proto4);
}
static struct pernet_operations dccp_net_ops = {
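Review bot: `int ret = 0;` in `dccp_net_init` is overwritten on the next line, so declare it as `int ret;`, and each `nf_conntrack_l4proto_register(net, &dccp_proto4);` call fits on one line. The `pr_err` strings attach the colon to the wrong word (`dccp4 :protocol`); suggest `"nf_conntrack_l4proto_dccp4: protocol register failed\n"`. The unregister order in `dccp_net_exit` (proto6, then proto4, the reverse of registration) is correct.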
@@ -939,34 +964,12 @@ static struct pernet_operations dccp_net_ops = {
static int __init nf_conntrack_proto_dccp_init(void)
{
- int err;
-
- err = register_pernet_subsys(&dccp_net_ops);
- if (err < 0)
- goto err1;
-
- err = nf_conntrack_l4proto_register(&init_net, &dccp_proto4);
- if (err < 0)
- goto err2;
-
- err = nf_conntrack_l4proto_register(&init_net, &dccp_proto6);
- if (err < 0)
- goto err3;
- return 0;
-
-err3:
- nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
-err2:
- unregister_pernet_subsys(&dccp_net_ops);
-err1:
- return err;
+ return register_pernet_subsys(&dccp_net_ops);
}
static void __exit nf_conntrack_proto_dccp_fini(void)
{
unregister_pernet_subsys(&dccp_net_ops);
- nf_conntrack_l4proto_unregister(&init_net, &dccp_proto6);
- nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
}
module_init(nf_conntrack_proto_dccp_init);
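Review bot: moving registration into `dccp_net_init` changes the failure semantics: an error from `nf_conntrack_l4proto_register` (for example `-ENOMEM` from the `kmemdup` in `dccp_init_net`) now fails creation of a new network namespace instead of only failing module load. That is the right outcome, but it deserves a sentence in the commit message, and `dccp_net_ops` must still set `.id = &dccp_net_id` and `.size = sizeof(struct dccp_net)` because `dccp_pernet()` is now reached from the registration path.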
--
1.7.7.6
* [PATCH 14/17] netfilter: adjust l4proto_gre4 to the nf_conntrack_l4proto_register
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-14 8:52 ` [PATCH 13/17] netfilter: adjust l4proto_dccp to the nf_conntrack_l4proto_register Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-14 8:52 ` [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto Gao feng
18 siblings, 0 replies; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Move the nf_conntrack_l4proto_register from module_init to
proto_gre_net_ops.init, and use gre_pernet to replace net_generic.
Because the gre proto has no sysctl, it only needs to initialize
pernet data for the gre proto.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
net/netfilter/nf_conntrack_proto_gre.c | 56 ++++++++++++++++++++------------
1 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 132f0d2..8d70452 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -54,13 +54,20 @@ static unsigned int gre_timeouts[GRE_CT_MAX] = {
static int proto_gre_net_id __read_mostly;
struct netns_proto_gre {
+ struct nf_proto_net nf;
rwlock_t keymap_lock;
struct list_head keymap_list;
+ unsigned int gre_timeouts[GRE_CT_MAX];
};
+static inline struct netns_proto_gre *gre_pernet(struct net *net)
+{
+ return net_generic(net, proto_gre_net_id);
+}
+
void nf_ct_gre_keymap_flush(struct net *net)
{
- struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+ struct netns_proto_gre *net_gre = gre_pernet(net);
struct nf_ct_gre_keymap *km, *tmp;
write_lock_bh(&net_gre->keymap_lock);
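Review bot: the embedded `struct nf_proto_net` is named `nf` here but `np` in `struct dccp_net` in patch 13/17; pick one name across the series. The per-net `gre_timeouts[GRE_CT_MAX]` field also shares its name with the file-scope `static unsigned int gre_timeouts[]` defaults it is copied from, which makes `gre_init_net` read as a self-assignment; rename the field (e.g. `timeouts`) or the defaults (e.g. `gre_timeouts_default`).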
@@ -85,7 +92,7 @@ static inline int gre_key_cmpfn(const struct nf_ct_gre_keymap *km,
/* look up the source key for a given tuple */
static __be16 gre_keymap_lookup(struct net *net, struct nf_conntrack_tuple *t)
{
- struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+ struct netns_proto_gre *net_gre = gre_pernet(net);
struct nf_ct_gre_keymap *km;
__be16 key = 0;
@@ -109,7 +116,7 @@ int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir,
struct nf_conntrack_tuple *t)
{
struct net *net = nf_ct_net(ct);
- struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+ struct netns_proto_gre *net_gre = gre_pernet(net);
struct nf_conn_help *help = nfct_help(ct);
struct nf_ct_gre_keymap **kmp, *km;
@@ -150,7 +157,7 @@ EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_add);
void nf_ct_gre_keymap_destroy(struct nf_conn *ct)
{
struct net *net = nf_ct_net(ct);
- struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+ struct netns_proto_gre *net_gre = gre_pernet(net);
struct nf_conn_help *help = nfct_help(ct);
enum ip_conntrack_dir dir;
@@ -237,7 +244,7 @@ static int gre_print_conntrack(struct seq_file *s, struct nf_conn *ct)
static unsigned int *gre_get_timeouts(struct net *net)
{
- return gre_timeouts;
+ return gre_pernet(net)->gre_timeouts;
}
/* Returns verdict for packet, and may modify conntrack */
@@ -339,6 +346,18 @@ gre_timeout_nla_policy[CTA_TIMEOUT_GRE_MAX+1] = {
};
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+static int gre_init_net(struct net *net, u_int8_t compat)
+{
+ int i;
+ struct netns_proto_gre *net_gre = gre_pernet(net);
+
+ rwlock_init(&net_gre->keymap_lock);
+ INIT_LIST_HEAD(&net_gre->keymap_list);
+ for (i = 0; i < GRE_CT_MAX; i++)
+ net_gre->gre_timeouts[i] = gre_timeouts[i];
+ return 0;
+}
+
/* protocol helper struct */
static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
.l3proto = AF_INET,
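Review bot: `gre_init_net` has no "already initialised" guard, unlike `dccp_init_net` in patch 13/17. That is safe only while `nf_conntrack_l4proto_gre4` is the sole l4proto registered against `proto_gre_net_id`; a second caller would re-run `rwlock_init` and `INIT_LIST_HEAD` on a live keymap list and leak its entries, so either add the guard or comment the single-user assumption. The copy loop can be `memcpy(net_gre->gre_timeouts, gre_timeouts, sizeof(gre_timeouts));`, and the `compat` parameter is unused.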
@@ -368,20 +387,24 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
.nla_policy = gre_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+ .net_id = &proto_gre_net_id,
+ .init_net = gre_init_net,
};
static int proto_gre_net_init(struct net *net)
{
- struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
-
- rwlock_init(&net_gre->keymap_lock);
- INIT_LIST_HEAD(&net_gre->keymap_list);
-
- return 0;
+ int ret = 0;
+ ret = nf_conntrack_l4proto_register(net,
+ &nf_conntrack_l4proto_gre4);
+ if (ret < 0)
+ pr_err("nf_conntrack_l4proto_gre4 :protocol register failed.\n");
+ return ret;
}
static void proto_gre_net_exit(struct net *net)
{
+ nf_conntrack_l4proto_unregister(net,
+ &nf_conntrack_l4proto_gre4);
nf_ct_gre_keymap_flush(net);
}
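Review bot: `proto_gre_net_exit` flushes the keymaps after the l4proto is unregistered, which is the right order since no new keymaps can be added once the protocol is gone. As in patch 13/17, `int ret = 0;` is immediately overwritten and the `pr_err` string misplaces the colon (`gre4 :protocol`); write `"nf_conntrack_l4proto_gre4: protocol register failed\n"`.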
@@ -394,20 +417,11 @@ static struct pernet_operations proto_gre_net_ops = {
static int __init nf_ct_proto_gre_init(void)
{
- int rv;
-
- rv = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_gre4);
- if (rv < 0)
- return rv;
- rv = register_pernet_subsys(&proto_gre_net_ops);
- if (rv < 0)
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
- return rv;
+ return register_pernet_subsys(&proto_gre_net_ops);
}
static void __exit nf_ct_proto_gre_fini(void)
{
- nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
unregister_pernet_subsys(&proto_gre_net_ops);
}
--
1.7.7.6
* [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-14 8:52 ` [PATCH 14/17] netfilter: adjust l4proto_gre4 " Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-23 10:38 ` Pablo Neira Ayuso
2012-05-14 8:52 ` [PATCH 16/17] netfilter: add namespace support for cttimeout Gao feng
18 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
Delete the now-useless sysctl data for l4proto and l3proto.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netfilter/nf_conntrack_l3proto.h | 2 --
include/net/netfilter/nf_conntrack_l4proto.h | 10 ----------
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 1 -
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 8 --------
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 5 -----
net/netfilter/nf_conntrack_proto_generic.c | 8 --------
net/netfilter/nf_conntrack_proto_sctp.c | 15 ---------------
net/netfilter/nf_conntrack_proto_tcp.c | 15 ---------------
net/netfilter/nf_conntrack_proto_udp.c | 15 ---------------
net/netfilter/nf_conntrack_proto_udplite.c | 12 ------------
10 files changed, 0 insertions(+), 91 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index d6df8c7..6f7c13f 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -64,9 +64,7 @@ struct nf_conntrack_l3proto {
size_t nla_size;
#ifdef CONFIG_SYSCTL
- struct ctl_table_header *ctl_table_header;
const char *ctl_table_path;
- struct ctl_table *ctl_table;
#endif /* CONFIG_SYSCTL */
/* Init l3proto pernet data */
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 0d329b9..4881df34 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -95,16 +95,6 @@ struct nf_conntrack_l4proto {
const struct nla_policy *nla_policy;
} ctnl_timeout;
#endif
-
-#ifdef CONFIG_SYSCTL
- struct ctl_table_header **ctl_table_header;
- struct ctl_table *ctl_table;
- unsigned int *ctl_table_users;
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- struct ctl_table_header *ctl_compat_table_header;
- struct ctl_table *ctl_compat_table;
-#endif
-#endif
int *net_id;
/* Init l4proto pernet data */
int (*init_net)(struct net *net, u_int8_t compat);
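Review bot: `ctl_table_users`, `ctl_table_header`, `ctl_table` and the `CONFIG_NF_CONNTRACK_PROC_COMPAT` pair are dropped from `struct nf_conntrack_l4proto` only here in 15/17, although `struct nf_proto_net` from patch 1/17 replaces them, so every intermediate commit of the series carries both sets of fields. Moving each removal into the patch that converts that protocol (or into the patch that makes the core stop reading these fields) keeps every bisect point free of dead fields.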
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 1dd17ed..173da4d 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -379,7 +379,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
#endif
#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
.ctl_table_path = "net/ipv4/netfilter",
- .ctl_table = ip_ct_sysctl_table,
#endif
.init_net = ipv4_init_net,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index f468d10..90da247 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -313,7 +313,6 @@ icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#ifdef CONFIG_SYSCTL
-static struct ctl_table_header *icmp_sysctl_header;
static struct ctl_table icmp_sysctl_table[] = {
{
.procname = "nf_conntrack_icmp_timeout",
@@ -394,12 +393,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
.nla_policy = icmp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_header = &icmp_sysctl_header,
- .ctl_table = icmp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- .ctl_compat_table = icmp_compat_sysctl_table,
-#endif
-#endif
.init_net = icmp_init_net,
};
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 3cb422e..12ca315 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -320,7 +320,6 @@ icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#ifdef CONFIG_SYSCTL
-static struct ctl_table_header *icmpv6_sysctl_header;
static struct ctl_table icmpv6_sysctl_table[] = {
{
.procname = "nf_conntrack_icmpv6_timeout",
@@ -376,9 +375,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
.nla_policy = icmpv6_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_header = &icmpv6_sysctl_header,
- .ctl_table = icmpv6_sysctl_table,
-#endif
.init_net = icmpv6_init_net,
};
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 7976a64..0f87a77 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -111,7 +111,6 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#ifdef CONFIG_SYSCTL
-static struct ctl_table_header *generic_sysctl_header;
static struct ctl_table generic_sysctl_table[] = {
{
.procname = "nf_conntrack_generic_timeout",
@@ -183,13 +182,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
.nla_policy = generic_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_header = &generic_sysctl_header,
- .ctl_table = generic_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- .ctl_compat_table = generic_compat_sysctl_table,
-#endif
-#endif
.init_net = generic_init_net,
};
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 3f0fdf8..291cef4 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -610,8 +610,6 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
#ifdef CONFIG_SYSCTL
-static unsigned int sctp_sysctl_table_users;
-static struct ctl_table_header *sctp_sysctl_header;
static struct ctl_table sctp_sysctl_table[] = {
{
.procname = "nf_conntrack_sctp_timeout_closed",
@@ -791,14 +789,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.nla_policy = sctp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &sctp_sysctl_table_users,
- .ctl_table_header = &sctp_sysctl_header,
- .ctl_table = sctp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- .ctl_compat_table = sctp_compat_sysctl_table,
-#endif
-#endif
.net_id = &sctp_net_id,
.init_net = sctp_init_net,
};
@@ -834,11 +824,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#endif
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &sctp_sysctl_table_users,
- .ctl_table_header = &sctp_sysctl_header,
- .ctl_table = sctp_sysctl_table,
-#endif
.net_id = &sctp_net_id,
.init_net = sctp_init_net,
};
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index dd19350..4d16b8a 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1363,8 +1363,6 @@ static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#ifdef CONFIG_SYSCTL
-static unsigned int tcp_sysctl_table_users;
-static struct ctl_table_header *tcp_sysctl_header;
static struct ctl_table tcp_sysctl_table[] = {
{
.procname = "nf_conntrack_tcp_timeout_syn_sent",
@@ -1634,14 +1632,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
.nla_policy = tcp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &tcp_sysctl_table_users,
- .ctl_table_header = &tcp_sysctl_header,
- .ctl_table = tcp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- .ctl_compat_table = tcp_compat_sysctl_table,
-#endif
-#endif
.init_net = tcp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
@@ -1679,11 +1669,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
.nla_policy = tcp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &tcp_sysctl_table_users,
- .ctl_table_header = &tcp_sysctl_header,
- .ctl_table = tcp_sysctl_table,
-#endif
.init_net = tcp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 072ef9c..c38ab58 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -199,8 +199,6 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#ifdef CONFIG_SYSCTL
-static unsigned int udp_sysctl_table_users;
-static struct ctl_table_header *udp_sysctl_header;
static struct ctl_table udp_sysctl_table[] = {
{
.procname = "nf_conntrack_udp_timeout",
@@ -307,14 +305,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
.nla_policy = udp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &udp_sysctl_table_users,
- .ctl_table_header = &udp_sysctl_header,
- .ctl_table = udp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
- .ctl_compat_table = udp_compat_sysctl_table,
-#endif
-#endif
.init_net = udp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
@@ -347,11 +337,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
.nla_policy = udp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &udp_sysctl_table_users,
- .ctl_table_header = &udp_sysctl_header,
- .ctl_table = udp_sysctl_table,
-#endif
.init_net = udp_init_net,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 1e90cf5..cb3dc81 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -215,8 +215,6 @@ udplite_timeout_nla_policy[CTA_TIMEOUT_UDPLITE_MAX+1] = {
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#ifdef CONFIG_SYSCTL
-static unsigned int udplite_sysctl_table_users;
-static struct ctl_table_header *udplite_sysctl_header;
static struct ctl_table udplite_sysctl_table[] = {
{
.procname = "nf_conntrack_udplite_timeout",
@@ -288,11 +286,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
.nla_policy = udplite_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &udplite_sysctl_table_users,
- .ctl_table_header = &udplite_sysctl_header,
- .ctl_table = udplite_sysctl_table,
-#endif
.net_id = &udplite_net_id,
.init_net = udplite_init_net,
};
@@ -326,11 +319,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
.nla_policy = udplite_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
- .ctl_table_users = &udplite_sysctl_table_users,
- .ctl_table_header = &udplite_sysctl_header,
- .ctl_table = udplite_sysctl_table,
-#endif
.net_id = &udplite_net_id,
.init_net = udplite_init_net,
};
--
1.7.7.6
* Re: [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto
2012-05-14 8:52 ` [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto Gao feng
@ 2012-05-23 10:38 ` Pablo Neira Ayuso
2012-05-24 0:59 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-23 10:38 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Mon, May 14, 2012 at 04:52:25PM +0800, Gao feng wrote:
> Delete the now-useless sysctl data for l4proto and l3proto.
>
> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
> include/net/netfilter/nf_conntrack_l3proto.h | 2 --
> include/net/netfilter/nf_conntrack_l4proto.h | 10 ----------
> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 1 -
> net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 8 --------
> net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 5 -----
> net/netfilter/nf_conntrack_proto_generic.c | 8 --------
> net/netfilter/nf_conntrack_proto_sctp.c | 15 ---------------
> net/netfilter/nf_conntrack_proto_tcp.c | 15 ---------------
> net/netfilter/nf_conntrack_proto_udp.c | 15 ---------------
> net/netfilter/nf_conntrack_proto_udplite.c | 12 ------------
> 10 files changed, 0 insertions(+), 91 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
> index d6df8c7..6f7c13f 100644
> --- a/include/net/netfilter/nf_conntrack_l3proto.h
> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
> @@ -64,9 +64,7 @@ struct nf_conntrack_l3proto {
> size_t nla_size;
>
> #ifdef CONFIG_SYSCTL
> - struct ctl_table_header *ctl_table_header;
> const char *ctl_table_path;
> - struct ctl_table *ctl_table;
> #endif /* CONFIG_SYSCTL */
>
> /* Init l3proto pernet data */
> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> index 0d329b9..4881df34 100644
> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> @@ -95,16 +95,6 @@ struct nf_conntrack_l4proto {
> const struct nla_policy *nla_policy;
> } ctnl_timeout;
> #endif
> -
> -#ifdef CONFIG_SYSCTL
> - struct ctl_table_header **ctl_table_header;
> - struct ctl_table *ctl_table;
> - unsigned int *ctl_table_users;
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - struct ctl_table_header *ctl_compat_table_header;
> - struct ctl_table *ctl_compat_table;
> -#endif
> -#endif
Interesting. This structure is added in patch 1/17, then it's removed
in patch 15/17.
Probably I'm missing something, but why are you doing it like that?
> int *net_id;
> /* Init l4proto pernet data */
> int (*init_net)(struct net *net, u_int8_t compat);
> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> index 1dd17ed..173da4d 100644
> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
> @@ -379,7 +379,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
> #endif
> #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
> .ctl_table_path = "net/ipv4/netfilter",
> - .ctl_table = ip_ct_sysctl_table,
> #endif
> .init_net = ipv4_init_net,
> .me = THIS_MODULE,
> diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
> index f468d10..90da247 100644
> --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
> +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
> @@ -313,7 +313,6 @@ icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>
> #ifdef CONFIG_SYSCTL
> -static struct ctl_table_header *icmp_sysctl_header;
> static struct ctl_table icmp_sysctl_table[] = {
> {
> .procname = "nf_conntrack_icmp_timeout",
> @@ -394,12 +393,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
> .nla_policy = icmp_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_header = &icmp_sysctl_header,
> - .ctl_table = icmp_sysctl_table,
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - .ctl_compat_table = icmp_compat_sysctl_table,
> -#endif
> -#endif
> .init_net = icmp_init_net,
> };
> diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> index 3cb422e..12ca315 100644
> --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> @@ -320,7 +320,6 @@ icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>
> #ifdef CONFIG_SYSCTL
> -static struct ctl_table_header *icmpv6_sysctl_header;
> static struct ctl_table icmpv6_sysctl_table[] = {
> {
> .procname = "nf_conntrack_icmpv6_timeout",
> @@ -376,9 +375,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
> .nla_policy = icmpv6_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_header = &icmpv6_sysctl_header,
> - .ctl_table = icmpv6_sysctl_table,
> -#endif
> .init_net = icmpv6_init_net,
> };
> diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
> index 7976a64..0f87a77 100644
> --- a/net/netfilter/nf_conntrack_proto_generic.c
> +++ b/net/netfilter/nf_conntrack_proto_generic.c
> @@ -111,7 +111,6 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>
> #ifdef CONFIG_SYSCTL
> -static struct ctl_table_header *generic_sysctl_header;
> static struct ctl_table generic_sysctl_table[] = {
> {
> .procname = "nf_conntrack_generic_timeout",
> @@ -183,13 +182,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
> .nla_policy = generic_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_header = &generic_sysctl_header,
> - .ctl_table = generic_sysctl_table,
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - .ctl_compat_table = generic_compat_sysctl_table,
> -#endif
> -#endif
> .init_net = generic_init_net,
> };
>
> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
> index 3f0fdf8..291cef4 100644
> --- a/net/netfilter/nf_conntrack_proto_sctp.c
> +++ b/net/netfilter/nf_conntrack_proto_sctp.c
> @@ -610,8 +610,6 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
>
>
> #ifdef CONFIG_SYSCTL
> -static unsigned int sctp_sysctl_table_users;
> -static struct ctl_table_header *sctp_sysctl_header;
> static struct ctl_table sctp_sysctl_table[] = {
> {
> .procname = "nf_conntrack_sctp_timeout_closed",
> @@ -791,14 +789,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
> .nla_policy = sctp_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &sctp_sysctl_table_users,
> - .ctl_table_header = &sctp_sysctl_header,
> - .ctl_table = sctp_sysctl_table,
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - .ctl_compat_table = sctp_compat_sysctl_table,
> -#endif
> -#endif
> .net_id = &sctp_net_id,
> .init_net = sctp_init_net,
> };
> @@ -834,11 +824,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> #endif
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &sctp_sysctl_table_users,
> - .ctl_table_header = &sctp_sysctl_header,
> - .ctl_table = sctp_sysctl_table,
> -#endif
> .net_id = &sctp_net_id,
> .init_net = sctp_init_net,
> };
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index dd19350..4d16b8a 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -1363,8 +1363,6 @@ static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>
> #ifdef CONFIG_SYSCTL
> -static unsigned int tcp_sysctl_table_users;
> -static struct ctl_table_header *tcp_sysctl_header;
> static struct ctl_table tcp_sysctl_table[] = {
> {
> .procname = "nf_conntrack_tcp_timeout_syn_sent",
> @@ -1634,14 +1632,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
> .nla_policy = tcp_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &tcp_sysctl_table_users,
> - .ctl_table_header = &tcp_sysctl_header,
> - .ctl_table = tcp_sysctl_table,
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - .ctl_compat_table = tcp_compat_sysctl_table,
> -#endif
> -#endif
> .init_net = tcp_init_net,
> };
> EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
> @@ -1679,11 +1669,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
> .nla_policy = tcp_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &tcp_sysctl_table_users,
> - .ctl_table_header = &tcp_sysctl_header,
> - .ctl_table = tcp_sysctl_table,
> -#endif
> .init_net = tcp_init_net,
> };
> EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
> diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
> index 072ef9c..c38ab58 100644
> --- a/net/netfilter/nf_conntrack_proto_udp.c
> +++ b/net/netfilter/nf_conntrack_proto_udp.c
> @@ -199,8 +199,6 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>
> #ifdef CONFIG_SYSCTL
> -static unsigned int udp_sysctl_table_users;
> -static struct ctl_table_header *udp_sysctl_header;
> static struct ctl_table udp_sysctl_table[] = {
> {
> .procname = "nf_conntrack_udp_timeout",
> @@ -307,14 +305,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
> .nla_policy = udp_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &udp_sysctl_table_users,
> - .ctl_table_header = &udp_sysctl_header,
> - .ctl_table = udp_sysctl_table,
> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> - .ctl_compat_table = udp_compat_sysctl_table,
> -#endif
> -#endif
> .init_net = udp_init_net,
> };
> EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
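Review bot: `.ctl_compat_table = udp_compat_sysctl_table` is dropped from nf_conntrack_l4proto_udp4 here, so udp_compat_sysctl_table must now be reachable from udp_init_net; otherwise it is dead static data and the compat sysctls for UDP vanish. A one-line pointer in the description to the new registration path would make that checkable from this hunk.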
> @@ -347,11 +337,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
> .nla_policy = udp_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &udp_sysctl_table_users,
> - .ctl_table_header = &udp_sysctl_header,
> - .ctl_table = udp_sysctl_table,
> -#endif
> .init_net = udp_init_net,
> };
> EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
> diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
> index 1e90cf5..cb3dc81 100644
> --- a/net/netfilter/nf_conntrack_proto_udplite.c
> +++ b/net/netfilter/nf_conntrack_proto_udplite.c
> @@ -215,8 +215,6 @@ udplite_timeout_nla_policy[CTA_TIMEOUT_UDPLITE_MAX+1] = {
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
>
> #ifdef CONFIG_SYSCTL
> -static unsigned int udplite_sysctl_table_users;
> -static struct ctl_table_header *udplite_sysctl_header;
> static struct ctl_table udplite_sysctl_table[] = {
> {
> .procname = "nf_conntrack_udplite_timeout",
> @@ -288,11 +286,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
> .nla_policy = udplite_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &udplite_sysctl_table_users,
> - .ctl_table_header = &udplite_sysctl_header,
> - .ctl_table = udplite_sysctl_table,
> -#endif
> .net_id = &udplite_net_id,
> .init_net = udplite_init_net,
> };
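Review bot: udplite is the only proto in this patch that keeps a `.net_id = &udplite_net_id` next to `.init_net`, and both udplite4 and udplite6 point at the same udplite_net_id and udplite_init_net. The description should say why udplite needs its own pernet id while tcp and udp do not, so the asymmetry reads as intentional rather than as a leftover.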
> @@ -326,11 +319,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
> .nla_policy = udplite_timeout_nla_policy,
> },
> #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
> -#ifdef CONFIG_SYSCTL
> - .ctl_table_users = &udplite_sysctl_table_users,
> - .ctl_table_header = &udplite_sysctl_header,
> - .ctl_table = udplite_sysctl_table,
> -#endif
> .net_id = &udplite_net_id,
> .init_net = udplite_init_net,
> };
> --
> 1.7.7.6
>
* Re: [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto
2012-05-23 10:38 ` Pablo Neira Ayuso
@ 2012-05-24 0:59 ` Gao feng
2012-05-24 9:56 ` Pablo Neira Ayuso
0 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-24 0:59 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
Hi pablo:
On 2012-05-23 18:38, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2012 at 04:52:25PM +0800, Gao feng wrote:
>> delete now-useless sysctl data for l4proto and l3proto.
>>
>> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>> ---
>> include/net/netfilter/nf_conntrack_l3proto.h | 2 --
>> include/net/netfilter/nf_conntrack_l4proto.h | 10 ----------
>> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 1 -
>> net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 8 --------
>> net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 5 -----
>> net/netfilter/nf_conntrack_proto_generic.c | 8 --------
>> net/netfilter/nf_conntrack_proto_sctp.c | 15 ---------------
>> net/netfilter/nf_conntrack_proto_tcp.c | 15 ---------------
>> net/netfilter/nf_conntrack_proto_udp.c | 15 ---------------
>> net/netfilter/nf_conntrack_proto_udplite.c | 12 ------------
>> 10 files changed, 0 insertions(+), 91 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
>> index d6df8c7..6f7c13f 100644
>> --- a/include/net/netfilter/nf_conntrack_l3proto.h
>> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
>> @@ -64,9 +64,7 @@ struct nf_conntrack_l3proto {
>> size_t nla_size;
>>
>> #ifdef CONFIG_SYSCTL
>> - struct ctl_table_header *ctl_table_header;
>> const char *ctl_table_path;
>> - struct ctl_table *ctl_table;
>> #endif /* CONFIG_SYSCTL */
>>
>> /* Init l3proto pernet data */
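Review bot: ctl_table_path stays while ctl_table_header and ctl_table leave nf_conntrack_l3proto. The header is still needed somewhere to unregister the table at netns teardown, so the description should point at where it lives now (the nf_proto_net added in patch 1/17), otherwise this removal reads as if the registered table is leaked.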
>> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
>> index 0d329b9..4881df34 100644
>> --- a/include/net/netfilter/nf_conntrack_l4proto.h
>> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
>> @@ -95,16 +95,6 @@ struct nf_conntrack_l4proto {
>> const struct nla_policy *nla_policy;
>> } ctnl_timeout;
>> #endif
>> -
>> -#ifdef CONFIG_SYSCTL
>> - struct ctl_table_header **ctl_table_header;
>> - struct ctl_table *ctl_table;
>> - unsigned int *ctl_table_users;
>> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
>> - struct ctl_table_header *ctl_compat_table_header;
>> - struct ctl_table *ctl_compat_table;
>> -#endif
>> -#endif
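Review bot: dropping `unsigned int *ctl_table_users` removes the refcount that let the IPv4 and IPv6 variants of one proto share a single sysctl registration. Name the replacement mechanism in nf_proto_net in the commit message, and say how it handles two l4protos (tcp4 and tcp6, for instance) registering the same table in the same netns.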
>
> Interesting. This structure is added in patch 1/17, then it's remove
> in patch 15/17.
>
> Probably I'm missing something, but why are you doing it like that?
This structure means ctl_table_header, ctl_table and so on?
I added this structure to struct nf_proto_net in patch 1/17, so those fields in
struct nf_conntrack_l4proto are useless; this patch is just some cleanup.
The same applies to nf_conntrack_l3proto.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto
2012-05-24 0:59 ` Gao feng
@ 2012-05-24 9:56 ` Pablo Neira Ayuso
0 siblings, 0 replies; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-24 9:56 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Thu, May 24, 2012 at 08:59:18AM +0800, Gao feng wrote:
> Hi pablo:
>
> On 2012-05-23 18:38, Pablo Neira Ayuso wrote:
> > On Mon, May 14, 2012 at 04:52:25PM +0800, Gao feng wrote:
> >> delete now-useless sysctl data for l4proto and l3proto.
> >>
> >> Acked-by: Eric W. Biederman <ebiederm@xmission.com>
> >> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> >> ---
> >> include/net/netfilter/nf_conntrack_l3proto.h | 2 --
> >> include/net/netfilter/nf_conntrack_l4proto.h | 10 ----------
> >> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 1 -
> >> net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 8 --------
> >> net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 5 -----
> >> net/netfilter/nf_conntrack_proto_generic.c | 8 --------
> >> net/netfilter/nf_conntrack_proto_sctp.c | 15 ---------------
> >> net/netfilter/nf_conntrack_proto_tcp.c | 15 ---------------
> >> net/netfilter/nf_conntrack_proto_udp.c | 15 ---------------
> >> net/netfilter/nf_conntrack_proto_udplite.c | 12 ------------
> >> 10 files changed, 0 insertions(+), 91 deletions(-)
> >>
> >> diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
> >> index d6df8c7..6f7c13f 100644
> >> --- a/include/net/netfilter/nf_conntrack_l3proto.h
> >> +++ b/include/net/netfilter/nf_conntrack_l3proto.h
> >> @@ -64,9 +64,7 @@ struct nf_conntrack_l3proto {
> >> size_t nla_size;
> >>
> >> #ifdef CONFIG_SYSCTL
> >> - struct ctl_table_header *ctl_table_header;
> >> const char *ctl_table_path;
> >> - struct ctl_table *ctl_table;
> >> #endif /* CONFIG_SYSCTL */
> >>
> >> /* Init l3proto pernet data */
> >> diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
> >> index 0d329b9..4881df34 100644
> >> --- a/include/net/netfilter/nf_conntrack_l4proto.h
> >> +++ b/include/net/netfilter/nf_conntrack_l4proto.h
> >> @@ -95,16 +95,6 @@ struct nf_conntrack_l4proto {
> >> const struct nla_policy *nla_policy;
> >> } ctnl_timeout;
> >> #endif
> >> -
> >> -#ifdef CONFIG_SYSCTL
> >> - struct ctl_table_header **ctl_table_header;
> >> - struct ctl_table *ctl_table;
> >> - unsigned int *ctl_table_users;
> >> -#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
> >> - struct ctl_table_header *ctl_compat_table_header;
> >> - struct ctl_table *ctl_compat_table;
> >> -#endif
> >> -#endif
> >
> > Interesting. This structure is added in patch 1/17, then it's remove
> > in patch 15/17.
> >
> > Probably I'm missing something, but why are you doing it like that?
>
> This structure means ctl_table_header, ctl_table and so on?
>
> I added this structure to struct nf_proto_net in patch 1/17, so those fields in
> struct nf_conntrack_l4proto are useless; this patch is just some cleanup.
>
> The same applies to nf_conntrack_l3proto.
I see, then it's OK. Please, elaborate a bit more the patch
description to explain that this structure is not required anymore.
* [PATCH 16/17] netfilter: add namespace support for cttimeout
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
` (14 preceding siblings ...)
2012-05-14 8:52 ` [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-23 10:41 ` Pablo Neira Ayuso
2012-05-14 8:52 ` [PATCH 17/17] netfilter: cttimeout use pernet data of l4proto Gao feng
` (2 subsequent siblings)
18 siblings, 1 reply; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
add struct net as a param of ctnl_timeout.nlattr_to_obj,
modify ctnl_timeout_parse_policy and cttimeout_new_timeout
to transmit struct net to nlattr_to_obj.
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
include/net/netfilter/nf_conntrack_l4proto.h | 3 ++-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 3 ++-
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 3 ++-
net/netfilter/nf_conntrack_proto_dccp.c | 3 ++-
net/netfilter/nf_conntrack_proto_generic.c | 3 ++-
net/netfilter/nf_conntrack_proto_gre.c | 3 ++-
net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
net/netfilter/nf_conntrack_proto_tcp.c | 3 ++-
net/netfilter/nf_conntrack_proto_udp.c | 3 ++-
net/netfilter/nf_conntrack_proto_udplite.c | 3 ++-
net/netfilter/nfnetlink_cttimeout.c | 13 ++++++++-----
11 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 4881df34..d8457c4 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -88,7 +88,8 @@ struct nf_conntrack_l4proto {
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
struct {
size_t obj_size;
- int (*nlattr_to_obj)(struct nlattr *tb[], void *data);
+ int (*nlattr_to_obj)(struct nlattr *tb[],
+ struct net *net, void *data);
int (*obj_to_nlattr)(struct sk_buff *skb, const void *data);
unsigned int nlattr_max;
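Review bot: the new parameter is inserted in the middle, `(struct nlattr *tb[], struct net *net, void *data)`. Elsewhere in this patch the netns is the first argument (see the context line `udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,` in the udp hunk), so putting `net` first would match the surrounding code and avoid churning every implementation a second time if the signature is ever reordered.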
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 90da247..c80b73c 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -279,7 +279,8 @@ static int icmp_nlattr_tuple_size(void)
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeout = data;
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 12ca315..0ea5ba9 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -286,7 +286,8 @@ static int icmpv6_nlattr_tuple_size(void)
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeout = data;
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 034f8ea..b301fb0 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -712,7 +712,8 @@ static int dccp_nlattr_size(void)
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
struct dccp_net *dn = dccp_pernet(&init_net);
unsigned int *timeouts = data;
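Review bot: `struct dccp_net *dn = dccp_pernet(&init_net);` is left untouched on the context line directly after the new `struct net *net` parameter is introduced. That call is exactly what the parameter exists for; as the patch stands, a DCCP timeout object created from a container still reads the host's default timeouts. Use `dccp_pernet(net)` here rather than in a follow-up patch, which is also what squashing 16 and 17 achieves.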
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 0f87a77..de326f4 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -75,7 +75,8 @@ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int generic_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int generic_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeout = data;
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 8d70452..e4cc5e4 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -304,7 +304,8 @@ static void gre_destroy(struct nf_conn *ct)
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int gre_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int gre_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeouts = data;
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 291cef4..a28f3c4 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -562,7 +562,8 @@ static int sctp_nlattr_size(void)
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeouts = data;
int i;
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 4d16b8a..c0c0010 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1259,7 +1259,8 @@ static int tcp_nlattr_tuple_size(void)
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeouts = data;
int i;
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index c38ab58..14444a9 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -156,7 +156,8 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int udp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeouts = data;
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index cb3dc81..34bd65f 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -172,7 +172,8 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>
-static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[],
+ struct net *net, void *data)
{
unsigned int *timeouts = data;
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 3e65528..cdecbc8 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -49,8 +49,9 @@ static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
static int
ctnl_timeout_parse_policy(struct ctnl_timeout *timeout,
- struct nf_conntrack_l4proto *l4proto,
- const struct nlattr *attr)
+ struct nf_conntrack_l4proto *l4proto,
+ struct net *net,
+ const struct nlattr *attr)
{
int ret = 0;
@@ -60,7 +61,8 @@ ctnl_timeout_parse_policy(struct ctnl_timeout *timeout,
nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max,
attr, l4proto->ctnl_timeout.nla_policy);
- ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, &timeout->data);
+ ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net,
+ &timeout->data);
}
return ret;
}
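Review bot: the two unchanged parameter lines `struct nf_conntrack_l4proto *l4proto,` and `const struct nlattr *attr)` are deleted and re-added only to re-indent them; keep whitespace-only churn out of a functional change or mention it in the description. Unrelated to this change but visible in the context, nla_parse_nested(...) is called without checking its return value, so a policy violation is not reported to the caller before nlattr_to_obj runs on the partially parsed attributes; worth a separate fix.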
@@ -74,6 +76,7 @@ cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
__u8 l4num;
struct nf_conntrack_l4proto *l4proto;
struct ctnl_timeout *timeout, *matching = NULL;
+ struct net *net = sock_net(skb->sk);
char *name;
int ret;
@@ -117,7 +120,7 @@ cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
goto err_proto_put;
}
- ret = ctnl_timeout_parse_policy(matching, l4proto,
+ ret = ctnl_timeout_parse_policy(matching, l4proto, net,
cda[CTA_TIMEOUT_DATA]);
return ret;
}
@@ -132,7 +135,7 @@ cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
goto err_proto_put;
}
- ret = ctnl_timeout_parse_policy(timeout, l4proto,
+ ret = ctnl_timeout_parse_policy(timeout, l4proto, net,
cda[CTA_TIMEOUT_DATA]);
if (ret < 0)
goto err;
--
1.7.7.6
* Re: [PATCH 16/17] netfilter: add namespace support for cttimeout
2012-05-14 8:52 ` [PATCH 16/17] netfilter: add namespace support for cttimeout Gao feng
@ 2012-05-23 10:41 ` Pablo Neira Ayuso
2012-05-24 1:04 ` Gao feng
0 siblings, 1 reply; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-23 10:41 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Mon, May 14, 2012 at 04:52:26PM +0800, Gao feng wrote:
> add struct net as a param of ctnl_timeout.nlattr_to_obj,
>
> modify ctnl_timeout_parse_policy and cttimeout_new_timeout
> to transmit struct net to nlattr_to_obj.
Please, merge your patch 16 and 17 into one single patch.
> unsigned int *timeouts = data;
>
> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
> index 291cef4..a28f3c4 100644
> --- a/net/netfilter/nf_conntrack_proto_sctp.c
> +++ b/net/netfilter/nf_conntrack_proto_sctp.c
> @@ -562,7 +562,8 @@ static int sctp_nlattr_size(void)
> #include <linux/netfilter/nfnetlink.h>
> #include <linux/netfilter/nfnetlink_cttimeout.h>
>
> -static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
> +static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
> + struct net *net, void *data)
The interface modification and the use of the new *net parameter
should go together, ie. merge patch 16 and 17 :-).
* Re: [PATCH 16/17] netfilter: add namespace support for cttimeout
2012-05-23 10:41 ` Pablo Neira Ayuso
@ 2012-05-24 1:04 ` Gao feng
0 siblings, 0 replies; 52+ messages in thread
From: Gao feng @ 2012-05-24 1:04 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-23 18:41, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2012 at 04:52:26PM +0800, Gao feng wrote:
>> add struct net as a param of ctnl_timeout.nlattr_to_obj,
>>
>> modify ctnl_timeout_parse_policy and cttimeout_new_timeout
>> to transmit struct net to nlattr_to_obj.
>
> Please, merge your patch 16 and 17 into one single patch.
>
>> unsigned int *timeouts = data;
>>
>> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
>> index 291cef4..a28f3c4 100644
>> --- a/net/netfilter/nf_conntrack_proto_sctp.c
>> +++ b/net/netfilter/nf_conntrack_proto_sctp.c
>> @@ -562,7 +562,8 @@ static int sctp_nlattr_size(void)
>> #include <linux/netfilter/nfnetlink.h>
>> #include <linux/netfilter/nfnetlink_cttimeout.h>
>>
>> -static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
>> +static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
>> + struct net *net, void *data)
>
> The interface modification and the use of the new *net parameter
> should go together, ie. merge patch 16 and 17 :-).
Got it, thanks ;)
* [PATCH 17/17] netfilter: cttimeout use pernet data of l4proto
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
` (15 preceding siblings ...)
2012-05-14 8:52 ` [PATCH 16/17] netfilter: add namespace support for cttimeout Gao feng
@ 2012-05-14 8:52 ` Gao feng
2012-05-21 8:52 ` [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
2012-05-23 10:42 ` Pablo Neira Ayuso
18 siblings, 0 replies; 52+ messages in thread
From: Gao feng @ 2012-05-14 8:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano, Gao feng
replace global data with pernet data of l4proto
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 3 ++-
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 3 ++-
net/netfilter/nf_conntrack_proto_dccp.c | 2 +-
net/netfilter/nf_conntrack_proto_generic.c | 3 ++-
net/netfilter/nf_conntrack_proto_gre.c | 5 +++--
net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
net/netfilter/nf_conntrack_proto_tcp.c | 3 ++-
net/netfilter/nf_conntrack_proto_udp.c | 5 +++--
net/netfilter/nf_conntrack_proto_udplite.c | 5 +++--
9 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index c80b73c..87e0827 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -283,13 +283,14 @@ static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeout = data;
+ struct nf_icmp_net *in = icmp_pernet(net);
if (tb[CTA_TIMEOUT_ICMP_TIMEOUT]) {
*timeout =
ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT])) * HZ;
} else {
/* Set default ICMP timeout. */
- *timeout = nf_ct_icmp_timeout;
+ *timeout = in->timeout;
}
return 0;
}
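Review bot: `struct nf_icmp_net *in = icmp_pernet(net);` is evaluated even when CTA_TIMEOUT_ICMP_TIMEOUT is present and `in` is never read. Harmless, but moving the lookup into the else branch keeps the netlink-attribute path free of the pernet access and documents that only the default path consults the per-namespace value.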
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 0ea5ba9..0a191a7 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -290,13 +290,14 @@ static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeout = data;
+ struct nf_icmp_net *in = icmpv6_pernet(net);
if (tb[CTA_TIMEOUT_ICMPV6_TIMEOUT]) {
*timeout =
ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMPV6_TIMEOUT])) * HZ;
} else {
/* Set default ICMPv6 timeout. */
- *timeout = nf_ct_icmpv6_timeout;
+ *timeout = in->timeout;
}
return 0;
}
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index b301fb0..e7c71ed 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -715,7 +715,7 @@ static int dccp_nlattr_size(void)
static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
- struct dccp_net *dn = dccp_pernet(&init_net);
+ struct dccp_net *dn = dccp_pernet(net);
unsigned int *timeouts = data;
int i;
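Review bot: this one-line switch from `dccp_pernet(&init_net)` to `dccp_pernet(net)` is the behavioural fix the new parameter in patch 16 was introduced for; it belongs in the same patch as the signature change so that no intermediate commit carries a `net` parameter that is accepted and then ignored in favour of init_net.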
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index de326f4..a69c478 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -79,13 +79,14 @@ static int generic_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeout = data;
+ struct nf_generic_net *gn = generic_pernet(net);
if (tb[CTA_TIMEOUT_GENERIC_TIMEOUT])
*timeout =
ntohl(nla_get_be32(tb[CTA_TIMEOUT_GENERIC_TIMEOUT])) * HZ;
else {
/* Set default generic timeout. */
- *timeout = nf_ct_generic_timeout;
+ *timeout = gn->timeout;
}
return 0;
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index e4cc5e4..2a29ca5 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -308,10 +308,11 @@ static int gre_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeouts = data;
+ struct netns_proto_gre *net_gre = gre_pernet(net);
/* set default timeouts for GRE. */
- timeouts[GRE_CT_UNREPLIED] = gre_timeouts[GRE_CT_UNREPLIED];
- timeouts[GRE_CT_REPLIED] = gre_timeouts[GRE_CT_REPLIED];
+ timeouts[GRE_CT_UNREPLIED] = net_gre->gre_timeouts[GRE_CT_UNREPLIED];
+ timeouts[GRE_CT_REPLIED] = net_gre->gre_timeouts[GRE_CT_REPLIED];
if (tb[CTA_TIMEOUT_GRE_UNREPLIED]) {
timeouts[GRE_CT_UNREPLIED] =
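Review bot: naming nit: the GRE pernet field is `net_gre->gre_timeouts` while sctp, tcp, udp and udplite use `sn->timeouts`, `tn->timeouts` and `un->timeouts`. Either rename the field to `timeouts` or say why GRE differs; `net_gre->gre_timeouts[GRE_CT_UNREPLIED]` spells "gre" three times in one expression.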
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index a28f3c4..ee8f2b5 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -566,11 +566,12 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeouts = data;
+ struct sctp_net *sn = sctp_pernet(net);
int i;
/* set default SCTP timeouts. */
for (i=0; i<SCTP_CONNTRACK_MAX; i++)
- timeouts[i] = sctp_timeouts[i];
+ timeouts[i] = sn->timeouts[i];
/* there's a 1:1 mapping between attributes and protocol states. */
for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index c0c0010..58f9523 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1263,11 +1263,12 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeouts = data;
+ struct nf_tcp_net *tn = tcp_pernet(net);
int i;
/* set default TCP timeouts. */
for (i=0; i<TCP_CONNTRACK_TIMEOUT_MAX; i++)
- timeouts[i] = tcp_timeouts[i];
+ timeouts[i] = tn->timeouts[i];
if (tb[CTA_TIMEOUT_TCP_SYN_SENT]) {
timeouts[TCP_CONNTRACK_SYN_SENT] =
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 14444a9..70ed8b9 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -160,10 +160,11 @@ static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeouts = data;
+ struct nf_udp_net *un = udp_pernet(net);
/* set default timeouts for UDP. */
- timeouts[UDP_CT_UNREPLIED] = udp_timeouts[UDP_CT_UNREPLIED];
- timeouts[UDP_CT_REPLIED] = udp_timeouts[UDP_CT_REPLIED];
+ timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED];
+ timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED];
if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
timeouts[UDP_CT_UNREPLIED] =
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 34bd65f..807c9ab 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -176,10 +176,11 @@ static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeouts = data;
+ struct udplite_net *un = udplite_pernet(net);
/* set default timeouts for UDPlite. */
- timeouts[UDPLITE_CT_UNREPLIED] = udplite_timeouts[UDPLITE_CT_UNREPLIED];
- timeouts[UDPLITE_CT_REPLIED] = udplite_timeouts[UDPLITE_CT_REPLIED];
+ timeouts[UDPLITE_CT_UNREPLIED] = un->timeouts[UDPLITE_CT_UNREPLIED];
+ timeouts[UDPLITE_CT_REPLIED] = un->timeouts[UDPLITE_CT_REPLIED];
if (tb[CTA_TIMEOUT_UDPLITE_UNREPLIED]) {
timeouts[UDPLITE_CT_UNREPLIED] =
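Review bot: the per-proto netns structs introduced across this series are named inconsistently: nf_icmp_net, nf_generic_net, nf_tcp_net and nf_udp_net carry the nf_ prefix, while dccp_net, sctp_net, udplite_net and netns_proto_gre do not. Settling on one prefix before the next spin is cheaper than renaming after merge, and udp and udplite both naming their local `un` for two different types is easier to read once the types share a convention.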
--
1.7.7.6
* Re: [PATCH v3 00/17] netfilter: add namespace support for netfilter protos
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
` (16 preceding siblings ...)
2012-05-14 8:52 ` [PATCH 17/17] netfilter: cttimeout use pernet data of l4proto Gao feng
@ 2012-05-21 8:52 ` Gao feng
2012-05-23 10:42 ` Pablo Neira Ayuso
18 siblings, 0 replies; 52+ messages in thread
From: Gao feng @ 2012-05-21 8:52 UTC (permalink / raw)
To: Gao feng; +Cc: pablo, netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On 2012-05-14 16:52, Gao feng wrote:
> Currently the sysctl of a netfilter proto is not isolated, so changing a
> proto's sysctl in a container will cause the host's sysctl to be changed
> too, which is not expected.
>
> This patch set adds the namespace support for netfilter protos.
ping
* Re: [PATCH v3 00/17] netfilter: add namespace support for netfilter protos
2012-05-14 8:52 [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
` (17 preceding siblings ...)
2012-05-21 8:52 ` [PATCH v3 00/17] netfilter: add namespace support for netfilter protos Gao feng
@ 2012-05-23 10:42 ` Pablo Neira Ayuso
18 siblings, 0 replies; 52+ messages in thread
From: Pablo Neira Ayuso @ 2012-05-23 10:42 UTC (permalink / raw)
To: Gao feng; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano
On Mon, May 14, 2012 at 04:52:10PM +0800, Gao feng wrote:
> Currently the sysctl of a netfilter proto is not isolated, so changing a
> proto's sysctl in a container will cause the host's sysctl to be changed
> too, which is not expected.
>
> This patch set adds the namespace support for netfilter protos.
>
> Implement four pernet_operations to register the sysctls and initialise
> the pernet data for each proto.
>
> -ipv4_net_ops is used to register tcp4(compat),
> udp4(compat),icmp(compat),ipv4(compat).
> -ipv6_net_ops is used to register tcp6,udp6 and icmpv6.
> -sctp_net_ops is used to register sctp4(compat) and sctp6.
> -udplite_net_ops is used to register udplite4 and udplite6
>
> extern l[3,4]proto (sysctl) register functions to make them support
> namespaces.
>
> Finally, add namespace support for cttimeout.
This requires another spin. It looks way better than the previous version,
but I don't want to take the patchset and then send another batch to
David to remove the .compat field, the unrequired export of a couple of
symbols, and so on...
Thanks!
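The cover letter's claim, that a conntrack sysctl written inside a container changes the host's value when the tables are not per-netns, can be checked on a running kernel. The script below is an added example, not code from the patch series or from the kernel tree: it writes a probe value to a sysctl inside a freshly unshared network namespace and reports whether the init_net value survived. It assumes root (util-linux `unshare -n` needs CAP_SYS_ADMIN), the nf_conntrack module loaded so the sysctl exists in init_net, and integer-valued sysctls such as net.netfilter.nf_conntrack_tcp_timeout_established; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: is a conntrack sysctl per-netns on this kernel?
# Not part of the patch series. Assumes root (unshare -n needs CAP_SYS_ADMIN),
# util-linux unshare(1), and nf_conntrack loaded so the sysctl exists in init_net.

# Map a dotted sysctl name to its /proc/sys path (pure, testable without root).
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# classify BEFORE AFTER PROBE: verdict from the host value seen before and
# after the write in the child namespace. Pure, so it is testable without root.
classify() {
    b=$1 a=$2 p=$3
    if [ "$b" = "$p" ]; then
        echo inconclusive      # probe equals the current host value; pick another
    elif [ "$b" = "$a" ]; then
        echo isolated          # the write in the child netns left init_net untouched
    else
        echo leaked            # the child's write changed the host value
    fi
}

# ct_sysctl_isolated NAME PROBE: write PROBE to NAME inside a fresh network
# namespace and report whether the host value survived. Restores the host
# value if it leaked. Exit status: 0 isolated, 1 leaked, 2 could not test.
ct_sysctl_isolated() {
    name=$1 probe=$2
    path=$(sysctl_path "$name")
    command -v unshare >/dev/null 2>&1 || { echo "unshare(1) not found"; return 2; }
    [ -r "$path" ] || { echo "$name: absent in init_net (nf_conntrack loaded?)"; return 2; }
    before=$(cat "$path")
    # Inside the child, /proc/sys/net resolves against the child's struct net,
    # so the write hits the child's table. If the proto's pernet init did not
    # register the table in the new netns, the file is missing and the write fails.
    if ! unshare -n sh -c "echo '$probe' > '$path'" 2>/dev/null; then
        echo "$name: not registered in the new netns"
        return 2
    fi
    after=$(cat "$path")
    verdict=$(classify "$before" "$after" "$probe")
    echo "$name: host before=$before after=$after -> $verdict"
    if [ "$verdict" = leaked ]; then
        echo "$before" > "$path"   # undo the change we just measured
        return 1
    fi
    [ "$verdict" = isolated ]
}

# Usage (as root), e.g. for the TCP and UDP tables touched by this series:
#   ct_sysctl_isolated net.netfilter.nf_conntrack_tcp_timeout_established 4242
#   ct_sysctl_isolated net.netfilter.nf_conntrack_udp_timeout 4242
```

Run each line of the usage block as root on a kernel with and without the series: "leaked" is the behaviour the cover letter describes, "isolated" is what the pernet registration is meant to give, and "not registered in the new netns" means the table never appeared in the child, which would point at a missing pernet init rather than at a leak. Only the two pure helpers are exercised without privileges; the namespace probe itself needs CAP_SYS_ADMIN.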