nf_conntrack_standalone.c (33399B)
1// SPDX-License-Identifier: GPL-2.0 2#include <linux/types.h> 3#include <linux/netfilter.h> 4#include <linux/slab.h> 5#include <linux/module.h> 6#include <linux/skbuff.h> 7#include <linux/proc_fs.h> 8#include <linux/seq_file.h> 9#include <linux/percpu.h> 10#include <linux/netdevice.h> 11#include <linux/security.h> 12#include <net/net_namespace.h> 13#ifdef CONFIG_SYSCTL 14#include <linux/sysctl.h> 15#endif 16 17#include <net/netfilter/nf_conntrack.h> 18#include <net/netfilter/nf_conntrack_core.h> 19#include <net/netfilter/nf_conntrack_l4proto.h> 20#include <net/netfilter/nf_conntrack_expect.h> 21#include <net/netfilter/nf_conntrack_helper.h> 22#include <net/netfilter/nf_conntrack_acct.h> 23#include <net/netfilter/nf_conntrack_zones.h> 24#include <net/netfilter/nf_conntrack_timestamp.h> 25#ifdef CONFIG_LWTUNNEL 26#include <net/netfilter/nf_hooks_lwtunnel.h> 27#endif 28#include <linux/rculist_nulls.h> 29 30static bool enable_hooks __read_mostly; 31MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 32module_param(enable_hooks, bool, 0000); 33 34unsigned int nf_conntrack_net_id __read_mostly; 35 36#ifdef CONFIG_NF_CONNTRACK_PROCFS 37void 38print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 39 const struct nf_conntrack_l4proto *l4proto) 40{ 41 switch (tuple->src.l3num) { 42 case NFPROTO_IPV4: 43 seq_printf(s, "src=%pI4 dst=%pI4 ", 44 &tuple->src.u3.ip, &tuple->dst.u3.ip); 45 break; 46 case NFPROTO_IPV6: 47 seq_printf(s, "src=%pI6 dst=%pI6 ", 48 tuple->src.u3.ip6, tuple->dst.u3.ip6); 49 break; 50 default: 51 break; 52 } 53 54 switch (l4proto->l4proto) { 55 case IPPROTO_ICMP: 56 seq_printf(s, "type=%u code=%u id=%u ", 57 tuple->dst.u.icmp.type, 58 tuple->dst.u.icmp.code, 59 ntohs(tuple->src.u.icmp.id)); 60 break; 61 case IPPROTO_TCP: 62 seq_printf(s, "sport=%hu dport=%hu ", 63 ntohs(tuple->src.u.tcp.port), 64 ntohs(tuple->dst.u.tcp.port)); 65 break; 66 case IPPROTO_UDPLITE: 67 case IPPROTO_UDP: 68 seq_printf(s, "sport=%hu dport=%hu ", 69 ntohs(tuple->src.u.udp.port), 70 ntohs(tuple->dst.u.udp.port)); 71 72 break; 73 case IPPROTO_DCCP: 74 seq_printf(s, "sport=%hu dport=%hu ", 75 ntohs(tuple->src.u.dccp.port), 76 ntohs(tuple->dst.u.dccp.port)); 77 break; 78 case IPPROTO_SCTP: 79 seq_printf(s, "sport=%hu dport=%hu ", 80 ntohs(tuple->src.u.sctp.port), 81 ntohs(tuple->dst.u.sctp.port)); 82 break; 83 case IPPROTO_ICMPV6: 84 seq_printf(s, "type=%u code=%u id=%u ", 85 tuple->dst.u.icmp.type, 86 tuple->dst.u.icmp.code, 87 ntohs(tuple->src.u.icmp.id)); 88 break; 89 case IPPROTO_GRE: 90 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 91 ntohs(tuple->src.u.gre.key), 92 ntohs(tuple->dst.u.gre.key)); 93 break; 94 default: 95 break; 96 } 97} 98EXPORT_SYMBOL_GPL(print_tuple); 99 100struct ct_iter_state { 101 struct seq_net_private p; 102 struct hlist_nulls_head *hash; 103 unsigned int htable_size; 104 unsigned int bucket; 105 u_int64_t time_now; 106}; 107 108static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 109{ 110 struct ct_iter_state *st = seq->private; 111 struct hlist_nulls_node *n; 112 113 for (st->bucket = 0; 114 st->bucket < st->htable_size; 115 st->bucket++) { 116 n = rcu_dereference( 117 hlist_nulls_first_rcu(&st->hash[st->bucket])); 118 if (!is_a_nulls(n)) 119 return n; 120 } 121 return NULL; 122} 123 124static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 125 struct hlist_nulls_node *head) 126{ 127 struct ct_iter_state *st = seq->private; 128 129 head = rcu_dereference(hlist_nulls_next_rcu(head)); 130 while (is_a_nulls(head)) { 131 if (likely(get_nulls_value(head) == st->bucket)) { 132 if (++st->bucket >= st->htable_size) 133 return NULL; 134 } 135 head = rcu_dereference( 136 hlist_nulls_first_rcu(&st->hash[st->bucket])); 137 } 138 return head; 139} 140 141static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 142{ 143 struct hlist_nulls_node *head = ct_get_first(seq); 144 145 if (head) 146 while (pos && (head = ct_get_next(seq, head))) 147 pos--; 148 return pos ? NULL : head; 149} 150 151static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 152 __acquires(RCU) 153{ 154 struct ct_iter_state *st = seq->private; 155 156 st->time_now = ktime_get_real_ns(); 157 rcu_read_lock(); 158 159 nf_conntrack_get_ht(&st->hash, &st->htable_size); 160 return ct_get_idx(seq, *pos); 161} 162 163static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 164{ 165 (*pos)++; 166 return ct_get_next(s, v); 167} 168 169static void ct_seq_stop(struct seq_file *s, void *v) 170 __releases(RCU) 171{ 172 rcu_read_unlock(); 173} 174 175#ifdef CONFIG_NF_CONNTRACK_SECMARK 176static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 177{ 178 int ret; 179 u32 len; 180 char *secctx; 181 182 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 183 if (ret) 184 return; 185 186 seq_printf(s, "secctx=%s ", secctx); 187 188 security_release_secctx(secctx, len); 189} 190#else 191static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 192{ 193} 194#endif 195 196#ifdef CONFIG_NF_CONNTRACK_ZONES 197static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 198 int dir) 199{ 200 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 201 202 if (zone->dir != dir) 203 return; 204 switch (zone->dir) { 205 case NF_CT_DEFAULT_ZONE_DIR: 206 seq_printf(s, "zone=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_ORIG: 209 seq_printf(s, "zone-orig=%u ", zone->id); 210 break; 211 case NF_CT_ZONE_DIR_REPL: 212 seq_printf(s, "zone-reply=%u ", zone->id); 213 break; 214 default: 215 break; 216 } 217} 218#else 219static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 220 int dir) 221{ 222} 223#endif 224 225#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 226static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 227{ 228 struct ct_iter_state *st = s->private; 229 struct nf_conn_tstamp *tstamp; 230 s64 delta_time; 231 232 tstamp = nf_conn_tstamp_find(ct); 233 if (tstamp) { 234 delta_time = st->time_now - tstamp->start; 235 if (delta_time > 0) 236 delta_time = div_s64(delta_time, NSEC_PER_SEC); 237 else 238 delta_time = 0; 239 240 seq_printf(s, "delta-time=%llu ", 241 (unsigned long long)delta_time); 242 } 243 return; 244} 245#else 246static inline void 247ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 248{ 249} 250#endif 251 252static const char* l3proto_name(u16 proto) 253{ 254 switch (proto) { 255 case AF_INET: return "ipv4"; 256 case AF_INET6: return "ipv6"; 257 } 258 259 return "unknown"; 260} 261 262static const char* l4proto_name(u16 proto) 263{ 264 switch (proto) { 265 case IPPROTO_ICMP: return "icmp"; 266 case IPPROTO_TCP: return "tcp"; 267 case IPPROTO_UDP: return "udp"; 268 case IPPROTO_DCCP: return "dccp"; 269 case IPPROTO_GRE: return "gre"; 270 case IPPROTO_SCTP: return "sctp"; 271 case IPPROTO_UDPLITE: return "udplite"; 272 case IPPROTO_ICMPV6: return "icmpv6"; 273 } 274 275 return "unknown"; 276} 277 278static unsigned int 279seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 280{ 281 struct nf_conn_acct *acct; 282 struct nf_conn_counter *counter; 283 284 acct = nf_conn_acct_find(ct); 285 if (!acct) 286 return 0; 287 288 counter = acct->counter; 289 seq_printf(s, "packets=%llu bytes=%llu ", 290 (unsigned long long)atomic64_read(&counter[dir].packets), 291 (unsigned long long)atomic64_read(&counter[dir].bytes)); 292 293 return 0; 294} 295 296/* return 0 on success, 1 in case of error */ 297static int ct_seq_show(struct seq_file *s, void *v) 298{ 299 struct nf_conntrack_tuple_hash *hash = v; 300 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 301 const struct nf_conntrack_l4proto *l4proto; 302 struct net *net = seq_file_net(s); 303 int ret = 0; 304 305 WARN_ON(!ct); 306 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use))) 307 return 0; 308 309 if (nf_ct_should_gc(ct)) { 310 nf_ct_kill(ct); 311 goto release; 312 } 313 314 /* we only want to print DIR_ORIGINAL */ 315 if (NF_CT_DIRECTION(hash)) 316 goto release; 317 318 if (!net_eq(nf_ct_net(ct), net)) 319 goto release; 320 321 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 322 323 ret = -ENOSPC; 324 seq_printf(s, "%-8s %u %-8s %u ", 325 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 326 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 327 328 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 329 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 330 331 if (l4proto->print_conntrack) 332 l4proto->print_conntrack(s, ct); 333 334 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 335 l4proto); 336 337 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 338 339 if (seq_has_overflowed(s)) 340 goto release; 341 342 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 343 goto release; 344 345 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 346 seq_puts(s, "[UNREPLIED] "); 347 348 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 349 350 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 351 352 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 353 goto release; 354 355 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 356 seq_puts(s, "[HW_OFFLOAD] "); 357 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 358 seq_puts(s, "[OFFLOAD] "); 359 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 360 seq_puts(s, "[ASSURED] "); 361 362 if (seq_has_overflowed(s)) 363 goto release; 364 365#if defined(CONFIG_NF_CONNTRACK_MARK) 366 seq_printf(s, "mark=%u ", ct->mark); 367#endif 368 369 ct_show_secctx(s, ct); 370 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 371 ct_show_delta_time(s, ct); 372 373 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use)); 374 375 if (seq_has_overflowed(s)) 376 goto release; 377 378 ret = 0; 379release: 380 nf_ct_put(ct); 381 return ret; 382} 383 384static const struct seq_operations ct_seq_ops = { 385 .start = ct_seq_start, 386 .next = ct_seq_next, 387 .stop = ct_seq_stop, 388 .show = ct_seq_show 389}; 390 391static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 392{ 393 struct net *net = seq_file_net(seq); 394 int cpu; 395 396 if (*pos == 0) 397 return SEQ_START_TOKEN; 398 399 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 400 if (!cpu_possible(cpu)) 401 continue; 402 *pos = cpu + 1; 403 return per_cpu_ptr(net->ct.stat, cpu); 404 } 405 406 return NULL; 407} 408 409static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 410{ 411 struct net *net = seq_file_net(seq); 412 int cpu; 413 414 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 415 if (!cpu_possible(cpu)) 416 continue; 417 *pos = cpu + 1; 418 return per_cpu_ptr(net->ct.stat, cpu); 419 } 420 (*pos)++; 421 return NULL; 422} 423 424static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 425{ 426} 427 428static int ct_cpu_seq_show(struct seq_file *seq, void *v) 429{ 430 struct net *net = seq_file_net(seq); 431 const struct ip_conntrack_stat *st = v; 432 unsigned int nr_conntracks; 433 434 if (v == SEQ_START_TOKEN) { 435 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 436 return 0; 437 } 438 439 nr_conntracks = nf_conntrack_count(net); 440 441 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 442 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 443 nr_conntracks, 444 st->clash_resolve, 445 st->found, 446 0, 447 st->invalid, 448 0, 449 0, 450 st->chaintoolong, 451 st->insert, 452 st->insert_failed, 453 st->drop, 454 st->early_drop, 455 st->error, 456 457 st->expect_new, 458 st->expect_create, 459 st->expect_delete, 460 st->search_restart 461 ); 462 return 0; 463} 464 465static const struct seq_operations ct_cpu_seq_ops = { 466 .start = ct_cpu_seq_start, 467 .next = ct_cpu_seq_next, 468 .stop = ct_cpu_seq_stop, 469 .show = ct_cpu_seq_show, 470}; 471 472static int nf_conntrack_standalone_init_proc(struct net *net) 473{ 474 struct proc_dir_entry *pde; 475 kuid_t root_uid; 476 kgid_t root_gid; 477 478 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 479 sizeof(struct ct_iter_state)); 480 if (!pde) 481 goto out_nf_conntrack; 482 483 root_uid = make_kuid(net->user_ns, 0); 484 root_gid = make_kgid(net->user_ns, 0); 485 if (uid_valid(root_uid) && gid_valid(root_gid)) 486 proc_set_user(pde, root_uid, root_gid); 487 488 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 489 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 490 if (!pde) 491 goto out_stat_nf_conntrack; 492 return 0; 493 494out_stat_nf_conntrack: 495 remove_proc_entry("nf_conntrack", net->proc_net); 496out_nf_conntrack: 497 return -ENOMEM; 498} 499 500static void nf_conntrack_standalone_fini_proc(struct net *net) 501{ 502 remove_proc_entry("nf_conntrack", net->proc_net_stat); 503 remove_proc_entry("nf_conntrack", net->proc_net); 504} 505#else 506static int nf_conntrack_standalone_init_proc(struct net *net) 507{ 508 return 0; 509} 510 511static void nf_conntrack_standalone_fini_proc(struct net *net) 512{ 513} 514#endif /* CONFIG_NF_CONNTRACK_PROCFS */ 515 516u32 nf_conntrack_count(const struct net *net) 517{ 518 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 519 520 return atomic_read(&cnet->count); 521} 522EXPORT_SYMBOL_GPL(nf_conntrack_count); 523 524/* Sysctl support */ 525 526#ifdef CONFIG_SYSCTL 527/* size the user *wants to set */ 528static unsigned int nf_conntrack_htable_size_user __read_mostly; 529 530static int 531nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 532 void *buffer, size_t *lenp, loff_t *ppos) 533{ 534 int ret; 535 536 /* module_param hashsize could have changed value */ 537 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 538 539 ret = proc_dointvec(table, write, buffer, lenp, ppos); 540 if (ret < 0 || !write) 541 return ret; 542 543 /* update ret, we might not be able to satisfy request */ 544 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 545 546 /* update it to the actual value used by conntrack */ 547 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 548 return ret; 549} 550 551static struct ctl_table_header *nf_ct_netfilter_header; 552 553enum nf_ct_sysctl_index { 554 NF_SYSCTL_CT_MAX, 555 NF_SYSCTL_CT_COUNT, 556 NF_SYSCTL_CT_BUCKETS, 557 NF_SYSCTL_CT_CHECKSUM, 558 NF_SYSCTL_CT_LOG_INVALID, 559 NF_SYSCTL_CT_EXPECT_MAX, 560 NF_SYSCTL_CT_ACCT, 561 NF_SYSCTL_CT_HELPER, 562#ifdef CONFIG_NF_CONNTRACK_EVENTS 563 NF_SYSCTL_CT_EVENTS, 564#endif 565#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 566 NF_SYSCTL_CT_TIMESTAMP, 567#endif 568 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 569 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 570 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 571 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 574 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 576 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 577 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 578 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 579#if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 580 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 581#endif 582 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 583 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 584 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST, 585 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 586 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 587 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 588#if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 589 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 590#endif 591 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 592 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 593#ifdef CONFIG_NF_CT_PROTO_SCTP 594 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 595 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 596 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 597 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 598 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 600 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 601 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 602 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, 603#endif 604#ifdef CONFIG_NF_CT_PROTO_DCCP 605 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 606 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 607 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 608 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 609 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 610 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 611 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 612 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 613#endif 614#ifdef CONFIG_NF_CT_PROTO_GRE 615 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 616 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 617#endif 618#ifdef CONFIG_LWTUNNEL 619 NF_SYSCTL_CT_LWTUNNEL, 620#endif 621 622 __NF_SYSCTL_CT_LAST_SYSCTL, 623}; 624 625#define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 626 627static struct ctl_table nf_ct_sysctl_table[] = { 628 [NF_SYSCTL_CT_MAX] = { 629 .procname = "nf_conntrack_max", 630 .data = &nf_conntrack_max, 631 .maxlen = sizeof(int), 632 .mode = 0644, 633 .proc_handler = proc_dointvec, 634 }, 635 [NF_SYSCTL_CT_COUNT] = { 636 .procname = "nf_conntrack_count", 637 .maxlen = sizeof(int), 638 .mode = 0444, 639 .proc_handler = proc_dointvec, 640 }, 641 [NF_SYSCTL_CT_BUCKETS] = { 642 .procname = "nf_conntrack_buckets", 643 .data = &nf_conntrack_htable_size_user, 644 .maxlen = sizeof(unsigned int), 645 .mode = 0644, 646 .proc_handler = nf_conntrack_hash_sysctl, 647 }, 648 [NF_SYSCTL_CT_CHECKSUM] = { 649 .procname = "nf_conntrack_checksum", 650 .data = &init_net.ct.sysctl_checksum, 651 .maxlen = sizeof(u8), 652 .mode = 0644, 653 .proc_handler = proc_dou8vec_minmax, 654 .extra1 = SYSCTL_ZERO, 655 .extra2 = SYSCTL_ONE, 656 }, 657 [NF_SYSCTL_CT_LOG_INVALID] = { 658 .procname = "nf_conntrack_log_invalid", 659 .data = &init_net.ct.sysctl_log_invalid, 660 .maxlen = sizeof(u8), 661 .mode = 0644, 662 .proc_handler = proc_dou8vec_minmax, 663 }, 664 [NF_SYSCTL_CT_EXPECT_MAX] = { 665 .procname = "nf_conntrack_expect_max", 666 .data = &nf_ct_expect_max, 667 .maxlen = sizeof(int), 668 .mode = 0644, 669 .proc_handler = proc_dointvec, 670 }, 671 [NF_SYSCTL_CT_ACCT] = { 672 .procname = "nf_conntrack_acct", 673 .data = &init_net.ct.sysctl_acct, 674 .maxlen = sizeof(u8), 675 .mode = 0644, 676 .proc_handler = proc_dou8vec_minmax, 677 .extra1 = SYSCTL_ZERO, 678 .extra2 = SYSCTL_ONE, 679 }, 680 [NF_SYSCTL_CT_HELPER] = { 681 .procname = "nf_conntrack_helper", 682 .maxlen = sizeof(u8), 683 .mode = 0644, 684 .proc_handler = proc_dou8vec_minmax, 685 .extra1 = SYSCTL_ZERO, 686 .extra2 = SYSCTL_ONE, 687 }, 688#ifdef CONFIG_NF_CONNTRACK_EVENTS 689 [NF_SYSCTL_CT_EVENTS] = { 690 .procname = "nf_conntrack_events", 691 .data = &init_net.ct.sysctl_events, 692 .maxlen = sizeof(u8), 693 .mode = 0644, 694 .proc_handler = proc_dou8vec_minmax, 695 .extra1 = SYSCTL_ZERO, 696 .extra2 = SYSCTL_TWO, 697 }, 698#endif 699#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 700 [NF_SYSCTL_CT_TIMESTAMP] = { 701 .procname = "nf_conntrack_timestamp", 702 .data = &init_net.ct.sysctl_tstamp, 703 .maxlen = sizeof(u8), 704 .mode = 0644, 705 .proc_handler = proc_dou8vec_minmax, 706 .extra1 = SYSCTL_ZERO, 707 .extra2 = SYSCTL_ONE, 708 }, 709#endif 710 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 711 .procname = "nf_conntrack_generic_timeout", 712 .maxlen = sizeof(unsigned int), 713 .mode = 0644, 714 .proc_handler = proc_dointvec_jiffies, 715 }, 716 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 717 .procname = "nf_conntrack_tcp_timeout_syn_sent", 718 .maxlen = sizeof(unsigned int), 719 .mode = 0644, 720 .proc_handler = proc_dointvec_jiffies, 721 }, 722 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 723 .procname = "nf_conntrack_tcp_timeout_syn_recv", 724 .maxlen = sizeof(unsigned int), 725 .mode = 0644, 726 .proc_handler = proc_dointvec_jiffies, 727 }, 728 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 729 .procname = "nf_conntrack_tcp_timeout_established", 730 .maxlen = sizeof(unsigned int), 731 .mode = 0644, 732 .proc_handler = proc_dointvec_jiffies, 733 }, 734 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 735 .procname = "nf_conntrack_tcp_timeout_fin_wait", 736 .maxlen = sizeof(unsigned int), 737 .mode = 0644, 738 .proc_handler = proc_dointvec_jiffies, 739 }, 740 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 741 .procname = "nf_conntrack_tcp_timeout_close_wait", 742 .maxlen = sizeof(unsigned int), 743 .mode = 0644, 744 .proc_handler = proc_dointvec_jiffies, 745 }, 746 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 747 .procname = "nf_conntrack_tcp_timeout_last_ack", 748 .maxlen = sizeof(unsigned int), 749 .mode = 0644, 750 .proc_handler = proc_dointvec_jiffies, 751 }, 752 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 753 .procname = "nf_conntrack_tcp_timeout_time_wait", 754 .maxlen = sizeof(unsigned int), 755 .mode = 0644, 756 .proc_handler = proc_dointvec_jiffies, 757 }, 758 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 759 .procname = "nf_conntrack_tcp_timeout_close", 760 .maxlen = sizeof(unsigned int), 761 .mode = 0644, 762 .proc_handler = proc_dointvec_jiffies, 763 }, 764 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 765 .procname = "nf_conntrack_tcp_timeout_max_retrans", 766 .maxlen = sizeof(unsigned int), 767 .mode = 0644, 768 .proc_handler = proc_dointvec_jiffies, 769 }, 770 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 771 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 772 .maxlen = sizeof(unsigned int), 773 .mode = 0644, 774 .proc_handler = proc_dointvec_jiffies, 775 }, 776#if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 777 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 778 .procname = "nf_flowtable_tcp_timeout", 779 .maxlen = sizeof(unsigned int), 780 .mode = 0644, 781 .proc_handler = proc_dointvec_jiffies, 782 }, 783#endif 784 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 785 .procname = "nf_conntrack_tcp_loose", 786 .maxlen = sizeof(u8), 787 .mode = 0644, 788 .proc_handler = proc_dou8vec_minmax, 789 .extra1 = SYSCTL_ZERO, 790 .extra2 = SYSCTL_ONE, 791 }, 792 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 793 .procname = "nf_conntrack_tcp_be_liberal", 794 .maxlen = sizeof(u8), 795 .mode = 0644, 796 .proc_handler = proc_dou8vec_minmax, 797 .extra1 = SYSCTL_ZERO, 798 .extra2 = SYSCTL_ONE, 799 }, 800 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = { 801 .procname = "nf_conntrack_tcp_ignore_invalid_rst", 802 .maxlen = sizeof(u8), 803 .mode = 0644, 804 .proc_handler = proc_dou8vec_minmax, 805 .extra1 = SYSCTL_ZERO, 806 .extra2 = SYSCTL_ONE, 807 }, 808 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 809 .procname = "nf_conntrack_tcp_max_retrans", 810 .maxlen = sizeof(u8), 811 .mode = 0644, 812 .proc_handler = proc_dou8vec_minmax, 813 }, 814 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 815 .procname = "nf_conntrack_udp_timeout", 816 .maxlen = sizeof(unsigned int), 817 .mode = 0644, 818 .proc_handler = proc_dointvec_jiffies, 819 }, 820 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 821 .procname = "nf_conntrack_udp_timeout_stream", 822 .maxlen = sizeof(unsigned int), 823 .mode = 0644, 824 .proc_handler = proc_dointvec_jiffies, 825 }, 826#if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 827 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 828 .procname = "nf_flowtable_udp_timeout", 829 .maxlen = sizeof(unsigned int), 830 .mode = 0644, 831 .proc_handler = proc_dointvec_jiffies, 832 }, 833#endif 834 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 835 .procname = "nf_conntrack_icmp_timeout", 836 .maxlen = sizeof(unsigned int), 837 .mode = 0644, 838 .proc_handler = proc_dointvec_jiffies, 839 }, 840 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 841 .procname = "nf_conntrack_icmpv6_timeout", 842 .maxlen = sizeof(unsigned int), 843 .mode = 0644, 844 .proc_handler = proc_dointvec_jiffies, 845 }, 846#ifdef CONFIG_NF_CT_PROTO_SCTP 847 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 848 .procname = "nf_conntrack_sctp_timeout_closed", 849 .maxlen = sizeof(unsigned int), 850 .mode = 0644, 851 .proc_handler = proc_dointvec_jiffies, 852 }, 853 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 854 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 855 .maxlen = sizeof(unsigned int), 856 .mode = 0644, 857 .proc_handler = proc_dointvec_jiffies, 858 }, 859 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 860 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 861 .maxlen = sizeof(unsigned int), 862 .mode = 0644, 863 .proc_handler = proc_dointvec_jiffies, 864 }, 865 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 866 .procname = "nf_conntrack_sctp_timeout_established", 867 .maxlen = sizeof(unsigned int), 868 .mode = 0644, 869 .proc_handler = proc_dointvec_jiffies, 870 }, 871 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 872 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 873 .maxlen = sizeof(unsigned int), 874 .mode = 0644, 875 .proc_handler = proc_dointvec_jiffies, 876 }, 877 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 878 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 879 .maxlen = sizeof(unsigned int), 880 .mode = 0644, 881 .proc_handler = proc_dointvec_jiffies, 882 }, 883 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 884 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 885 .maxlen = sizeof(unsigned int), 886 .mode = 0644, 887 .proc_handler = proc_dointvec_jiffies, 888 }, 889 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 890 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 891 .maxlen = sizeof(unsigned int), 892 .mode = 0644, 893 .proc_handler = proc_dointvec_jiffies, 894 }, 895 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { 896 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked", 897 .maxlen = sizeof(unsigned int), 898 .mode = 0644, 899 .proc_handler = proc_dointvec_jiffies, 900 }, 901#endif 902#ifdef CONFIG_NF_CT_PROTO_DCCP 903 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 904 .procname = "nf_conntrack_dccp_timeout_request", 905 .maxlen = sizeof(unsigned int), 906 .mode = 0644, 907 .proc_handler = proc_dointvec_jiffies, 908 }, 909 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 910 .procname = "nf_conntrack_dccp_timeout_respond", 911 .maxlen = sizeof(unsigned int), 912 .mode = 0644, 913 .proc_handler = proc_dointvec_jiffies, 914 }, 915 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 916 .procname = "nf_conntrack_dccp_timeout_partopen", 917 .maxlen = sizeof(unsigned int), 918 .mode = 0644, 919 .proc_handler = proc_dointvec_jiffies, 920 }, 921 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 922 .procname = "nf_conntrack_dccp_timeout_open", 923 .maxlen = sizeof(unsigned int), 924 .mode = 0644, 925 .proc_handler = proc_dointvec_jiffies, 926 }, 927 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 928 .procname = "nf_conntrack_dccp_timeout_closereq", 929 .maxlen = sizeof(unsigned int), 930 .mode = 0644, 931 .proc_handler = proc_dointvec_jiffies, 932 }, 933 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 934 .procname = "nf_conntrack_dccp_timeout_closing", 935 .maxlen = sizeof(unsigned int), 936 .mode = 0644, 937 .proc_handler = proc_dointvec_jiffies, 938 }, 939 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 940 .procname = "nf_conntrack_dccp_timeout_timewait", 941 .maxlen = sizeof(unsigned int), 942 .mode = 0644, 943 .proc_handler = proc_dointvec_jiffies, 944 }, 945 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 946 .procname = "nf_conntrack_dccp_loose", 947 .maxlen = sizeof(u8), 948 .mode = 0644, 949 .proc_handler = proc_dou8vec_minmax, 950 .extra1 = SYSCTL_ZERO, 951 .extra2 = SYSCTL_ONE, 952 }, 953#endif 954#ifdef CONFIG_NF_CT_PROTO_GRE 955 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 956 .procname = "nf_conntrack_gre_timeout", 957 .maxlen = sizeof(unsigned int), 958 .mode = 0644, 959 .proc_handler = proc_dointvec_jiffies, 960 }, 961 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 962 .procname = "nf_conntrack_gre_timeout_stream", 963 .maxlen = sizeof(unsigned int), 964 .mode = 0644, 965 .proc_handler = proc_dointvec_jiffies, 966 }, 967#endif 968#ifdef CONFIG_LWTUNNEL 969 [NF_SYSCTL_CT_LWTUNNEL] = { 970 .procname = "nf_hooks_lwtunnel", 971 .data = NULL, 972 .maxlen = sizeof(int), 973 .mode = 0644, 974 .proc_handler = nf_hooks_lwtunnel_sysctl_handler, 975 }, 976#endif 977 {} 978}; 979 980static struct ctl_table nf_ct_netfilter_table[] = { 981 { 982 .procname = "nf_conntrack_max", 983 .data = &nf_conntrack_max, 984 .maxlen = sizeof(int), 985 .mode = 0644, 986 .proc_handler = proc_dointvec, 987 }, 988 { } 989}; 990 991static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 992 struct ctl_table *table) 993{ 994 struct nf_tcp_net *tn = nf_tcp_pernet(net); 995 996#define XASSIGN(XNAME, tn) \ 997 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 998 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 999 1000 XASSIGN(SYN_SENT, tn); 1001 XASSIGN(SYN_RECV, tn); 1002 XASSIGN(ESTABLISHED, tn); 1003 XASSIGN(FIN_WAIT, tn); 1004 XASSIGN(CLOSE_WAIT, tn); 1005 XASSIGN(LAST_ACK, tn); 1006 XASSIGN(TIME_WAIT, tn); 1007 XASSIGN(CLOSE, tn); 1008 XASSIGN(RETRANS, tn); 1009 XASSIGN(UNACK, tn); 1010#undef XASSIGN 1011#define XASSIGN(XNAME, rval) \ 1012 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 1013 1014 XASSIGN(LOOSE, &tn->tcp_loose); 1015 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 1016 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 1017 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst); 1018#undef XASSIGN 1019 1020#if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1021 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 1022#endif 1023 1024} 1025 1026static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 1027 struct ctl_table *table) 1028{ 1029#ifdef CONFIG_NF_CT_PROTO_SCTP 1030 struct nf_sctp_net *sn = nf_sctp_pernet(net); 1031 1032#define XASSIGN(XNAME, sn) \ 1033 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 1034 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 1035 1036 XASSIGN(CLOSED, sn); 1037 XASSIGN(COOKIE_WAIT, sn); 1038 XASSIGN(COOKIE_ECHOED, sn); 1039 XASSIGN(ESTABLISHED, sn); 1040 XASSIGN(SHUTDOWN_SENT, sn); 1041 XASSIGN(SHUTDOWN_RECD, sn); 1042 XASSIGN(SHUTDOWN_ACK_SENT, sn); 1043 XASSIGN(HEARTBEAT_SENT, sn); 1044 XASSIGN(HEARTBEAT_ACKED, sn); 1045#undef XASSIGN 1046#endif 1047} 1048 1049static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 1050 struct ctl_table *table) 1051{ 1052#ifdef CONFIG_NF_CT_PROTO_DCCP 1053 struct nf_dccp_net *dn = nf_dccp_pernet(net); 1054 1055#define XASSIGN(XNAME, dn) \ 1056 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1057 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1058 1059 XASSIGN(REQUEST, dn); 1060 XASSIGN(RESPOND, dn); 1061 XASSIGN(PARTOPEN, dn); 1062 XASSIGN(OPEN, dn); 1063 XASSIGN(CLOSEREQ, dn); 1064 XASSIGN(CLOSING, dn); 1065 XASSIGN(TIMEWAIT, dn); 1066#undef XASSIGN 1067 1068 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1069#endif 1070} 1071 1072static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1073 struct ctl_table *table) 1074{ 1075#ifdef CONFIG_NF_CT_PROTO_GRE 1076 struct nf_gre_net *gn = nf_gre_pernet(net); 1077 1078 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1079 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1080#endif 1081} 1082 1083static int nf_conntrack_standalone_init_sysctl(struct net *net) 1084{ 1085 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1086 struct nf_udp_net *un = nf_udp_pernet(net); 1087 struct ctl_table *table; 1088 1089 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1090 1091 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1092 GFP_KERNEL); 1093 if (!table) 1094 return -ENOMEM; 1095 1096 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1097 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1098 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1099 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1100 table[NF_SYSCTL_CT_HELPER].data = &cnet->sysctl_auto_assign_helper; 1101#ifdef CONFIG_NF_CONNTRACK_EVENTS 1102 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1103#endif 1104#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1105 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1106#endif 1107 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1108 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1109 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1110 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1111 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1112#if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1113 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1114#endif 1115 1116 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1117 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1118 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1119 nf_conntrack_standalone_init_gre_sysctl(net, table); 1120 1121 /* Don't allow non-init_net ns to alter global sysctls */ 1122 if (!net_eq(&init_net, net)) { 1123 table[NF_SYSCTL_CT_MAX].mode = 0444; 1124 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1125 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1126 } 1127 1128 cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1129 if (!cnet->sysctl_header) 1130 goto out_unregister_netfilter; 1131 1132 return 0; 1133 1134out_unregister_netfilter: 1135 kfree(table); 1136 return -ENOMEM; 1137} 1138 1139static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1140{ 1141 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1142 struct ctl_table *table; 1143 1144 table = cnet->sysctl_header->ctl_table_arg; 1145 unregister_net_sysctl_table(cnet->sysctl_header); 1146 kfree(table); 1147} 1148#else 1149static int nf_conntrack_standalone_init_sysctl(struct net *net) 1150{ 1151 return 0; 1152} 1153 1154static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1155{ 1156} 1157#endif /* CONFIG_SYSCTL */ 1158 1159static void nf_conntrack_fini_net(struct net *net) 1160{ 1161 if (enable_hooks) 1162 nf_ct_netns_put(net, NFPROTO_INET); 1163 1164 nf_conntrack_standalone_fini_proc(net); 1165 nf_conntrack_standalone_fini_sysctl(net); 1166} 1167 1168static int nf_conntrack_pernet_init(struct net *net) 1169{ 1170 int ret; 1171 1172 net->ct.sysctl_checksum = 1; 1173 1174 ret = nf_conntrack_standalone_init_sysctl(net); 1175 if (ret < 0) 1176 return ret; 1177 1178 ret = nf_conntrack_standalone_init_proc(net); 1179 if (ret < 0) 1180 goto out_proc; 1181 1182 ret = nf_conntrack_init_net(net); 1183 if (ret < 0) 1184 goto out_init_net; 1185 1186 if (enable_hooks) { 1187 ret = nf_ct_netns_get(net, NFPROTO_INET); 1188 if (ret < 0) 1189 goto out_hooks; 1190 } 1191 1192 return 0; 1193 1194out_hooks: 1195 nf_conntrack_cleanup_net(net); 1196out_init_net: 1197 nf_conntrack_standalone_fini_proc(net); 1198out_proc: 1199 nf_conntrack_standalone_fini_sysctl(net); 1200 return ret; 1201} 1202 1203static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1204{ 1205 struct net *net; 1206 1207 list_for_each_entry(net, net_exit_list, exit_list) 1208 nf_conntrack_fini_net(net); 1209 1210 nf_conntrack_cleanup_net_list(net_exit_list); 1211} 1212 1213static struct pernet_operations nf_conntrack_net_ops = { 1214 .init = nf_conntrack_pernet_init, 1215 .exit_batch = nf_conntrack_pernet_exit, 1216 .id = &nf_conntrack_net_id, 1217 .size = sizeof(struct nf_conntrack_net), 1218}; 1219 1220static int __init nf_conntrack_standalone_init(void) 1221{ 1222 int ret = nf_conntrack_init_start(); 1223 if (ret < 0) 1224 goto out_start; 1225 1226 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1227 1228#ifdef CONFIG_SYSCTL 1229 nf_ct_netfilter_header = 1230 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1231 if (!nf_ct_netfilter_header) { 1232 pr_err("nf_conntrack: can't register to sysctl.\n"); 1233 ret = -ENOMEM; 1234 goto out_sysctl; 1235 } 1236 1237 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1238#endif 1239 1240 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1241 if (ret < 0) 1242 goto out_pernet; 1243 1244 nf_conntrack_init_end(); 1245 return 0; 1246 1247out_pernet: 1248#ifdef CONFIG_SYSCTL 1249 unregister_net_sysctl_table(nf_ct_netfilter_header); 1250out_sysctl: 1251#endif 1252 nf_conntrack_cleanup_end(); 1253out_start: 1254 return ret; 1255} 1256 1257static void __exit nf_conntrack_standalone_fini(void) 1258{ 1259 nf_conntrack_cleanup_start(); 1260 unregister_pernet_subsys(&nf_conntrack_net_ops); 1261#ifdef CONFIG_SYSCTL 1262 unregister_net_sysctl_table(nf_ct_netfilter_header); 1263#endif 1264 nf_conntrack_cleanup_end(); 1265} 1266 1267module_init(nf_conntrack_standalone_init); 1268module_exit(nf_conntrack_standalone_fini);