1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/types.h>
3 #include <linux/netfilter.h>
4 #include <linux/slab.h>
5 #include <linux/module.h>
6 #include <linux/skbuff.h>
7 #include <linux/proc_fs.h>
8 #include <linux/seq_file.h>
9 #include <linux/percpu.h>
10 #include <linux/netdevice.h>
11 #include <linux/security.h>
12 #include <net/net_namespace.h>
13 #ifdef CONFIG_SYSCTL
14 #include <linux/sysctl.h>
15 #endif
16
17 #include <net/netfilter/nf_conntrack.h>
18 #include <net/netfilter/nf_conntrack_core.h>
19 #include <net/netfilter/nf_conntrack_l4proto.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <net/netfilter/nf_conntrack_helper.h>
22 #include <net/netfilter/nf_conntrack_acct.h>
23 #include <net/netfilter/nf_conntrack_zones.h>
24 #include <net/netfilter/nf_conntrack_timestamp.h>
25 #include <linux/rculist_nulls.h>
26
27 static bool enable_hooks __read_mostly;
28 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks");
29 module_param(enable_hooks, bool, 0000);
30
31 unsigned int nf_conntrack_net_id __read_mostly;
32
33 #ifdef CONFIG_NF_CONNTRACK_PROCFS
34 void
print_tuple(struct seq_file * s,const struct nf_conntrack_tuple * tuple,const struct nf_conntrack_l4proto * l4proto)35 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
36 const struct nf_conntrack_l4proto *l4proto)
37 {
38 switch (tuple->src.l3num) {
39 case NFPROTO_IPV4:
40 seq_printf(s, "src=%pI4 dst=%pI4 ",
41 &tuple->src.u3.ip, &tuple->dst.u3.ip);
42 break;
43 case NFPROTO_IPV6:
44 seq_printf(s, "src=%pI6 dst=%pI6 ",
45 tuple->src.u3.ip6, tuple->dst.u3.ip6);
46 break;
47 default:
48 break;
49 }
50
51 switch (l4proto->l4proto) {
52 case IPPROTO_ICMP:
53 seq_printf(s, "type=%u code=%u id=%u ",
54 tuple->dst.u.icmp.type,
55 tuple->dst.u.icmp.code,
56 ntohs(tuple->src.u.icmp.id));
57 break;
58 case IPPROTO_TCP:
59 seq_printf(s, "sport=%hu dport=%hu ",
60 ntohs(tuple->src.u.tcp.port),
61 ntohs(tuple->dst.u.tcp.port));
62 break;
63 case IPPROTO_UDPLITE:
64 case IPPROTO_UDP:
65 seq_printf(s, "sport=%hu dport=%hu ",
66 ntohs(tuple->src.u.udp.port),
67 ntohs(tuple->dst.u.udp.port));
68
69 break;
70 case IPPROTO_DCCP:
71 seq_printf(s, "sport=%hu dport=%hu ",
72 ntohs(tuple->src.u.dccp.port),
73 ntohs(tuple->dst.u.dccp.port));
74 break;
75 case IPPROTO_SCTP:
76 seq_printf(s, "sport=%hu dport=%hu ",
77 ntohs(tuple->src.u.sctp.port),
78 ntohs(tuple->dst.u.sctp.port));
79 break;
80 case IPPROTO_ICMPV6:
81 seq_printf(s, "type=%u code=%u id=%u ",
82 tuple->dst.u.icmp.type,
83 tuple->dst.u.icmp.code,
84 ntohs(tuple->src.u.icmp.id));
85 break;
86 case IPPROTO_GRE:
87 seq_printf(s, "srckey=0x%x dstkey=0x%x ",
88 ntohs(tuple->src.u.gre.key),
89 ntohs(tuple->dst.u.gre.key));
90 break;
91 default:
92 break;
93 }
94 }
95 EXPORT_SYMBOL_GPL(print_tuple);
96
97 struct ct_iter_state {
98 struct seq_net_private p;
99 struct hlist_nulls_head *hash;
100 unsigned int htable_size;
101 unsigned int bucket;
102 u_int64_t time_now;
103 };
104
ct_get_first(struct seq_file * seq)105 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
106 {
107 struct ct_iter_state *st = seq->private;
108 struct hlist_nulls_node *n;
109
110 for (st->bucket = 0;
111 st->bucket < st->htable_size;
112 st->bucket++) {
113 n = rcu_dereference(
114 hlist_nulls_first_rcu(&st->hash[st->bucket]));
115 if (!is_a_nulls(n))
116 return n;
117 }
118 return NULL;
119 }
120
ct_get_next(struct seq_file * seq,struct hlist_nulls_node * head)121 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
122 struct hlist_nulls_node *head)
123 {
124 struct ct_iter_state *st = seq->private;
125
126 head = rcu_dereference(hlist_nulls_next_rcu(head));
127 while (is_a_nulls(head)) {
128 if (likely(get_nulls_value(head) == st->bucket)) {
129 if (++st->bucket >= st->htable_size)
130 return NULL;
131 }
132 head = rcu_dereference(
133 hlist_nulls_first_rcu(&st->hash[st->bucket]));
134 }
135 return head;
136 }
137
ct_get_idx(struct seq_file * seq,loff_t pos)138 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos)
139 {
140 struct hlist_nulls_node *head = ct_get_first(seq);
141
142 if (head)
143 while (pos && (head = ct_get_next(seq, head)))
144 pos--;
145 return pos ? NULL : head;
146 }
147
ct_seq_start(struct seq_file * seq,loff_t * pos)148 static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
149 __acquires(RCU)
150 {
151 struct ct_iter_state *st = seq->private;
152
153 st->time_now = ktime_get_real_ns();
154 rcu_read_lock();
155
156 nf_conntrack_get_ht(&st->hash, &st->htable_size);
157 return ct_get_idx(seq, *pos);
158 }
159
ct_seq_next(struct seq_file * s,void * v,loff_t * pos)160 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
161 {
162 (*pos)++;
163 return ct_get_next(s, v);
164 }
165
ct_seq_stop(struct seq_file * s,void * v)166 static void ct_seq_stop(struct seq_file *s, void *v)
167 __releases(RCU)
168 {
169 rcu_read_unlock();
170 }
171
172 #ifdef CONFIG_NF_CONNTRACK_SECMARK
ct_show_secctx(struct seq_file * s,const struct nf_conn * ct)173 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
174 {
175 int ret;
176 u32 len;
177 char *secctx;
178
179 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
180 if (ret)
181 return;
182
183 seq_printf(s, "secctx=%s ", secctx);
184
185 security_release_secctx(secctx, len);
186 }
187 #else
ct_show_secctx(struct seq_file * s,const struct nf_conn * ct)188 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
189 {
190 }
191 #endif
192
193 #ifdef CONFIG_NF_CONNTRACK_ZONES
ct_show_zone(struct seq_file * s,const struct nf_conn * ct,int dir)194 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct,
195 int dir)
196 {
197 const struct nf_conntrack_zone *zone = nf_ct_zone(ct);
198
199 if (zone->dir != dir)
200 return;
201 switch (zone->dir) {
202 case NF_CT_DEFAULT_ZONE_DIR:
203 seq_printf(s, "zone=%u ", zone->id);
204 break;
205 case NF_CT_ZONE_DIR_ORIG:
206 seq_printf(s, "zone-orig=%u ", zone->id);
207 break;
208 case NF_CT_ZONE_DIR_REPL:
209 seq_printf(s, "zone-reply=%u ", zone->id);
210 break;
211 default:
212 break;
213 }
214 }
215 #else
ct_show_zone(struct seq_file * s,const struct nf_conn * ct,int dir)216 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct,
217 int dir)
218 {
219 }
220 #endif
221
222 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
ct_show_delta_time(struct seq_file * s,const struct nf_conn * ct)223 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
224 {
225 struct ct_iter_state *st = s->private;
226 struct nf_conn_tstamp *tstamp;
227 s64 delta_time;
228
229 tstamp = nf_conn_tstamp_find(ct);
230 if (tstamp) {
231 delta_time = st->time_now - tstamp->start;
232 if (delta_time > 0)
233 delta_time = div_s64(delta_time, NSEC_PER_SEC);
234 else
235 delta_time = 0;
236
237 seq_printf(s, "delta-time=%llu ",
238 (unsigned long long)delta_time);
239 }
240 return;
241 }
242 #else
243 static inline void
ct_show_delta_time(struct seq_file * s,const struct nf_conn * ct)244 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
245 {
246 }
247 #endif
248
l3proto_name(u16 proto)249 static const char* l3proto_name(u16 proto)
250 {
251 switch (proto) {
252 case AF_INET: return "ipv4";
253 case AF_INET6: return "ipv6";
254 }
255
256 return "unknown";
257 }
258
l4proto_name(u16 proto)259 static const char* l4proto_name(u16 proto)
260 {
261 switch (proto) {
262 case IPPROTO_ICMP: return "icmp";
263 case IPPROTO_TCP: return "tcp";
264 case IPPROTO_UDP: return "udp";
265 case IPPROTO_DCCP: return "dccp";
266 case IPPROTO_GRE: return "gre";
267 case IPPROTO_SCTP: return "sctp";
268 case IPPROTO_UDPLITE: return "udplite";
269 case IPPROTO_ICMPV6: return "icmpv6";
270 }
271
272 return "unknown";
273 }
274
275 static void
seq_print_acct(struct seq_file * s,const struct nf_conn * ct,int dir)276 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir)
277 {
278 struct nf_conn_acct *acct;
279 struct nf_conn_counter *counter;
280
281 acct = nf_conn_acct_find(ct);
282 if (!acct)
283 return;
284
285 counter = acct->counter;
286 seq_printf(s, "packets=%llu bytes=%llu ",
287 (unsigned long long)atomic64_read(&counter[dir].packets),
288 (unsigned long long)atomic64_read(&counter[dir].bytes));
289 }
290
291 /* return 0 on success, 1 in case of error */
ct_seq_show(struct seq_file * s,void * v)292 static int ct_seq_show(struct seq_file *s, void *v)
293 {
294 struct nf_conntrack_tuple_hash *hash = v;
295 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
296 const struct nf_conntrack_l4proto *l4proto;
297 struct net *net = seq_file_net(s);
298 int ret = 0;
299
300 WARN_ON(!ct);
301 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use)))
302 return 0;
303
304 /* load ->status after refcount increase */
305 smp_acquire__after_ctrl_dep();
306
307 if (nf_ct_should_gc(ct)) {
308 nf_ct_kill(ct);
309 goto release;
310 }
311
312 /* we only want to print DIR_ORIGINAL */
313 if (NF_CT_DIRECTION(hash))
314 goto release;
315
316 if (!net_eq(nf_ct_net(ct), net))
317 goto release;
318
319 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
320
321 ret = -ENOSPC;
322 seq_printf(s, "%-8s %u %-8s %u ",
323 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct),
324 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct));
325
326 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status))
327 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ);
328
329 if (l4proto->print_conntrack)
330 l4proto->print_conntrack(s, ct);
331
332 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
333 l4proto);
334
335 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG);
336
337 if (seq_has_overflowed(s))
338 goto release;
339
340 seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL);
341
342 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
343 seq_puts(s, "[UNREPLIED] ");
344
345 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto);
346
347 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL);
348
349 seq_print_acct(s, ct, IP_CT_DIR_REPLY);
350
351 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status))
352 seq_puts(s, "[HW_OFFLOAD] ");
353 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
354 seq_puts(s, "[OFFLOAD] ");
355 else if (test_bit(IPS_ASSURED_BIT, &ct->status))
356 seq_puts(s, "[ASSURED] ");
357
358 if (seq_has_overflowed(s))
359 goto release;
360
361 #if defined(CONFIG_NF_CONNTRACK_MARK)
362 seq_printf(s, "mark=%u ", READ_ONCE(ct->mark));
363 #endif
364
365 ct_show_secctx(s, ct);
366 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR);
367 ct_show_delta_time(s, ct);
368
369 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use));
370
371 if (seq_has_overflowed(s))
372 goto release;
373
374 ret = 0;
375 release:
376 nf_ct_put(ct);
377 return ret;
378 }
379
380 static const struct seq_operations ct_seq_ops = {
381 .start = ct_seq_start,
382 .next = ct_seq_next,
383 .stop = ct_seq_stop,
384 .show = ct_seq_show
385 };
386
ct_cpu_seq_start(struct seq_file * seq,loff_t * pos)387 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos)
388 {
389 struct net *net = seq_file_net(seq);
390 int cpu;
391
392 if (*pos == 0)
393 return SEQ_START_TOKEN;
394
395 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) {
396 if (!cpu_possible(cpu))
397 continue;
398 *pos = cpu + 1;
399 return per_cpu_ptr(net->ct.stat, cpu);
400 }
401
402 return NULL;
403 }
404
ct_cpu_seq_next(struct seq_file * seq,void * v,loff_t * pos)405 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
406 {
407 struct net *net = seq_file_net(seq);
408 int cpu;
409
410 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
411 if (!cpu_possible(cpu))
412 continue;
413 *pos = cpu + 1;
414 return per_cpu_ptr(net->ct.stat, cpu);
415 }
416 (*pos)++;
417 return NULL;
418 }
419
ct_cpu_seq_stop(struct seq_file * seq,void * v)420 static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
421 {
422 }
423
ct_cpu_seq_show(struct seq_file * seq,void * v)424 static int ct_cpu_seq_show(struct seq_file *seq, void *v)
425 {
426 struct net *net = seq_file_net(seq);
427 const struct ip_conntrack_stat *st = v;
428 unsigned int nr_conntracks;
429
430 if (v == SEQ_START_TOKEN) {
431 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
432 return 0;
433 }
434
435 nr_conntracks = nf_conntrack_count(net);
436
437 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
438 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
439 nr_conntracks,
440 st->clash_resolve,
441 st->found,
442 0,
443 st->invalid,
444 0,
445 0,
446 st->chaintoolong,
447 st->insert,
448 st->insert_failed,
449 st->drop,
450 st->early_drop,
451 st->error,
452
453 st->expect_new,
454 st->expect_create,
455 st->expect_delete,
456 st->search_restart
457 );
458 return 0;
459 }
460
461 static const struct seq_operations ct_cpu_seq_ops = {
462 .start = ct_cpu_seq_start,
463 .next = ct_cpu_seq_next,
464 .stop = ct_cpu_seq_stop,
465 .show = ct_cpu_seq_show,
466 };
467
nf_conntrack_standalone_init_proc(struct net * net)468 static int nf_conntrack_standalone_init_proc(struct net *net)
469 {
470 struct proc_dir_entry *pde;
471 kuid_t root_uid;
472 kgid_t root_gid;
473
474 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops,
475 sizeof(struct ct_iter_state));
476 if (!pde)
477 goto out_nf_conntrack;
478
479 root_uid = make_kuid(net->user_ns, 0);
480 root_gid = make_kgid(net->user_ns, 0);
481 if (uid_valid(root_uid) && gid_valid(root_gid))
482 proc_set_user(pde, root_uid, root_gid);
483
484 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat,
485 &ct_cpu_seq_ops, sizeof(struct seq_net_private));
486 if (!pde)
487 goto out_stat_nf_conntrack;
488 return 0;
489
490 out_stat_nf_conntrack:
491 remove_proc_entry("nf_conntrack", net->proc_net);
492 out_nf_conntrack:
493 return -ENOMEM;
494 }
495
nf_conntrack_standalone_fini_proc(struct net * net)496 static void nf_conntrack_standalone_fini_proc(struct net *net)
497 {
498 remove_proc_entry("nf_conntrack", net->proc_net_stat);
499 remove_proc_entry("nf_conntrack", net->proc_net);
500 }
501 #else
nf_conntrack_standalone_init_proc(struct net * net)502 static int nf_conntrack_standalone_init_proc(struct net *net)
503 {
504 return 0;
505 }
506
nf_conntrack_standalone_fini_proc(struct net * net)507 static void nf_conntrack_standalone_fini_proc(struct net *net)
508 {
509 }
510 #endif /* CONFIG_NF_CONNTRACK_PROCFS */
511
nf_conntrack_count(const struct net * net)512 u32 nf_conntrack_count(const struct net *net)
513 {
514 const struct nf_conntrack_net *cnet = nf_ct_pernet(net);
515
516 return atomic_read(&cnet->count);
517 }
518 EXPORT_SYMBOL_GPL(nf_conntrack_count);
519
520 /* Sysctl support */
521
522 #ifdef CONFIG_SYSCTL
523 /* size the user *wants to set */
524 static unsigned int nf_conntrack_htable_size_user __read_mostly;
525
526 static int
nf_conntrack_hash_sysctl(const struct ctl_table * table,int write,void * buffer,size_t * lenp,loff_t * ppos)527 nf_conntrack_hash_sysctl(const struct ctl_table *table, int write,
528 void *buffer, size_t *lenp, loff_t *ppos)
529 {
530 int ret;
531
532 /* module_param hashsize could have changed value */
533 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
534
535 ret = proc_dointvec(table, write, buffer, lenp, ppos);
536 if (ret < 0 || !write)
537 return ret;
538
539 /* update ret, we might not be able to satisfy request */
540 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user);
541
542 /* update it to the actual value used by conntrack */
543 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
544 return ret;
545 }
546
547 static struct ctl_table_header *nf_ct_netfilter_header;
548
549 enum nf_ct_sysctl_index {
550 NF_SYSCTL_CT_MAX,
551 NF_SYSCTL_CT_COUNT,
552 NF_SYSCTL_CT_BUCKETS,
553 NF_SYSCTL_CT_CHECKSUM,
554 NF_SYSCTL_CT_LOG_INVALID,
555 NF_SYSCTL_CT_EXPECT_MAX,
556 NF_SYSCTL_CT_ACCT,
557 #ifdef CONFIG_NF_CONNTRACK_EVENTS
558 NF_SYSCTL_CT_EVENTS,
559 #endif
560 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
561 NF_SYSCTL_CT_TIMESTAMP,
562 #endif
563 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC,
564 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT,
565 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV,
566 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED,
567 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT,
568 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT,
569 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK,
570 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT,
571 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE,
572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS,
573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK,
574 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD,
576 #endif
577 NF_SYSCTL_CT_PROTO_TCP_LOOSE,
578 NF_SYSCTL_CT_PROTO_TCP_LIBERAL,
579 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST,
580 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS,
581 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP,
582 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM,
583 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
584 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD,
585 #endif
586 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP,
587 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6,
588 #ifdef CONFIG_NF_CT_PROTO_SCTP
589 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED,
590 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT,
591 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED,
592 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED,
593 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT,
594 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD,
595 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
596 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT,
597 #endif
598 #ifdef CONFIG_NF_CT_PROTO_DCCP
599 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST,
600 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND,
601 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN,
602 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN,
603 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ,
604 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING,
605 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT,
606 NF_SYSCTL_CT_PROTO_DCCP_LOOSE,
607 #endif
608 #ifdef CONFIG_NF_CT_PROTO_GRE
609 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE,
610 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM,
611 #endif
612
613 NF_SYSCTL_CT_LAST_SYSCTL,
614 };
615
616 static struct ctl_table nf_ct_sysctl_table[] = {
617 [NF_SYSCTL_CT_MAX] = {
618 .procname = "nf_conntrack_max",
619 .data = &nf_conntrack_max,
620 .maxlen = sizeof(int),
621 .mode = 0644,
622 .proc_handler = proc_dointvec,
623 },
624 [NF_SYSCTL_CT_COUNT] = {
625 .procname = "nf_conntrack_count",
626 .maxlen = sizeof(int),
627 .mode = 0444,
628 .proc_handler = proc_dointvec,
629 },
630 [NF_SYSCTL_CT_BUCKETS] = {
631 .procname = "nf_conntrack_buckets",
632 .data = &nf_conntrack_htable_size_user,
633 .maxlen = sizeof(unsigned int),
634 .mode = 0644,
635 .proc_handler = nf_conntrack_hash_sysctl,
636 },
637 [NF_SYSCTL_CT_CHECKSUM] = {
638 .procname = "nf_conntrack_checksum",
639 .data = &init_net.ct.sysctl_checksum,
640 .maxlen = sizeof(u8),
641 .mode = 0644,
642 .proc_handler = proc_dou8vec_minmax,
643 .extra1 = SYSCTL_ZERO,
644 .extra2 = SYSCTL_ONE,
645 },
646 [NF_SYSCTL_CT_LOG_INVALID] = {
647 .procname = "nf_conntrack_log_invalid",
648 .data = &init_net.ct.sysctl_log_invalid,
649 .maxlen = sizeof(u8),
650 .mode = 0644,
651 .proc_handler = proc_dou8vec_minmax,
652 },
653 [NF_SYSCTL_CT_EXPECT_MAX] = {
654 .procname = "nf_conntrack_expect_max",
655 .data = &nf_ct_expect_max,
656 .maxlen = sizeof(int),
657 .mode = 0644,
658 .proc_handler = proc_dointvec,
659 },
660 [NF_SYSCTL_CT_ACCT] = {
661 .procname = "nf_conntrack_acct",
662 .data = &init_net.ct.sysctl_acct,
663 .maxlen = sizeof(u8),
664 .mode = 0644,
665 .proc_handler = proc_dou8vec_minmax,
666 .extra1 = SYSCTL_ZERO,
667 .extra2 = SYSCTL_ONE,
668 },
669 #ifdef CONFIG_NF_CONNTRACK_EVENTS
670 [NF_SYSCTL_CT_EVENTS] = {
671 .procname = "nf_conntrack_events",
672 .data = &init_net.ct.sysctl_events,
673 .maxlen = sizeof(u8),
674 .mode = 0644,
675 .proc_handler = proc_dou8vec_minmax,
676 .extra1 = SYSCTL_ZERO,
677 .extra2 = SYSCTL_TWO,
678 },
679 #endif
680 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
681 [NF_SYSCTL_CT_TIMESTAMP] = {
682 .procname = "nf_conntrack_timestamp",
683 .data = &init_net.ct.sysctl_tstamp,
684 .maxlen = sizeof(u8),
685 .mode = 0644,
686 .proc_handler = proc_dou8vec_minmax,
687 .extra1 = SYSCTL_ZERO,
688 .extra2 = SYSCTL_ONE,
689 },
690 #endif
691 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = {
692 .procname = "nf_conntrack_generic_timeout",
693 .maxlen = sizeof(unsigned int),
694 .mode = 0644,
695 .proc_handler = proc_dointvec_jiffies,
696 },
697 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = {
698 .procname = "nf_conntrack_tcp_timeout_syn_sent",
699 .maxlen = sizeof(unsigned int),
700 .mode = 0644,
701 .proc_handler = proc_dointvec_jiffies,
702 },
703 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = {
704 .procname = "nf_conntrack_tcp_timeout_syn_recv",
705 .maxlen = sizeof(unsigned int),
706 .mode = 0644,
707 .proc_handler = proc_dointvec_jiffies,
708 },
709 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = {
710 .procname = "nf_conntrack_tcp_timeout_established",
711 .maxlen = sizeof(unsigned int),
712 .mode = 0644,
713 .proc_handler = proc_dointvec_jiffies,
714 },
715 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = {
716 .procname = "nf_conntrack_tcp_timeout_fin_wait",
717 .maxlen = sizeof(unsigned int),
718 .mode = 0644,
719 .proc_handler = proc_dointvec_jiffies,
720 },
721 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = {
722 .procname = "nf_conntrack_tcp_timeout_close_wait",
723 .maxlen = sizeof(unsigned int),
724 .mode = 0644,
725 .proc_handler = proc_dointvec_jiffies,
726 },
727 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = {
728 .procname = "nf_conntrack_tcp_timeout_last_ack",
729 .maxlen = sizeof(unsigned int),
730 .mode = 0644,
731 .proc_handler = proc_dointvec_jiffies,
732 },
733 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = {
734 .procname = "nf_conntrack_tcp_timeout_time_wait",
735 .maxlen = sizeof(unsigned int),
736 .mode = 0644,
737 .proc_handler = proc_dointvec_jiffies,
738 },
739 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = {
740 .procname = "nf_conntrack_tcp_timeout_close",
741 .maxlen = sizeof(unsigned int),
742 .mode = 0644,
743 .proc_handler = proc_dointvec_jiffies,
744 },
745 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = {
746 .procname = "nf_conntrack_tcp_timeout_max_retrans",
747 .maxlen = sizeof(unsigned int),
748 .mode = 0644,
749 .proc_handler = proc_dointvec_jiffies,
750 },
751 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = {
752 .procname = "nf_conntrack_tcp_timeout_unacknowledged",
753 .maxlen = sizeof(unsigned int),
754 .mode = 0644,
755 .proc_handler = proc_dointvec_jiffies,
756 },
757 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
758 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = {
759 .procname = "nf_flowtable_tcp_timeout",
760 .maxlen = sizeof(unsigned int),
761 .mode = 0644,
762 .proc_handler = proc_dointvec_jiffies,
763 },
764 #endif
765 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = {
766 .procname = "nf_conntrack_tcp_loose",
767 .maxlen = sizeof(u8),
768 .mode = 0644,
769 .proc_handler = proc_dou8vec_minmax,
770 .extra1 = SYSCTL_ZERO,
771 .extra2 = SYSCTL_ONE,
772 },
773 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = {
774 .procname = "nf_conntrack_tcp_be_liberal",
775 .maxlen = sizeof(u8),
776 .mode = 0644,
777 .proc_handler = proc_dou8vec_minmax,
778 .extra1 = SYSCTL_ZERO,
779 .extra2 = SYSCTL_ONE,
780 },
781 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = {
782 .procname = "nf_conntrack_tcp_ignore_invalid_rst",
783 .maxlen = sizeof(u8),
784 .mode = 0644,
785 .proc_handler = proc_dou8vec_minmax,
786 .extra1 = SYSCTL_ZERO,
787 .extra2 = SYSCTL_ONE,
788 },
789 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = {
790 .procname = "nf_conntrack_tcp_max_retrans",
791 .maxlen = sizeof(u8),
792 .mode = 0644,
793 .proc_handler = proc_dou8vec_minmax,
794 },
795 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = {
796 .procname = "nf_conntrack_udp_timeout",
797 .maxlen = sizeof(unsigned int),
798 .mode = 0644,
799 .proc_handler = proc_dointvec_jiffies,
800 },
801 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = {
802 .procname = "nf_conntrack_udp_timeout_stream",
803 .maxlen = sizeof(unsigned int),
804 .mode = 0644,
805 .proc_handler = proc_dointvec_jiffies,
806 },
807 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
808 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = {
809 .procname = "nf_flowtable_udp_timeout",
810 .maxlen = sizeof(unsigned int),
811 .mode = 0644,
812 .proc_handler = proc_dointvec_jiffies,
813 },
814 #endif
815 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = {
816 .procname = "nf_conntrack_icmp_timeout",
817 .maxlen = sizeof(unsigned int),
818 .mode = 0644,
819 .proc_handler = proc_dointvec_jiffies,
820 },
821 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = {
822 .procname = "nf_conntrack_icmpv6_timeout",
823 .maxlen = sizeof(unsigned int),
824 .mode = 0644,
825 .proc_handler = proc_dointvec_jiffies,
826 },
827 #ifdef CONFIG_NF_CT_PROTO_SCTP
828 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = {
829 .procname = "nf_conntrack_sctp_timeout_closed",
830 .maxlen = sizeof(unsigned int),
831 .mode = 0644,
832 .proc_handler = proc_dointvec_jiffies,
833 },
834 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = {
835 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
836 .maxlen = sizeof(unsigned int),
837 .mode = 0644,
838 .proc_handler = proc_dointvec_jiffies,
839 },
840 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = {
841 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
842 .maxlen = sizeof(unsigned int),
843 .mode = 0644,
844 .proc_handler = proc_dointvec_jiffies,
845 },
846 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = {
847 .procname = "nf_conntrack_sctp_timeout_established",
848 .maxlen = sizeof(unsigned int),
849 .mode = 0644,
850 .proc_handler = proc_dointvec_jiffies,
851 },
852 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = {
853 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
854 .maxlen = sizeof(unsigned int),
855 .mode = 0644,
856 .proc_handler = proc_dointvec_jiffies,
857 },
858 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = {
859 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
860 .maxlen = sizeof(unsigned int),
861 .mode = 0644,
862 .proc_handler = proc_dointvec_jiffies,
863 },
864 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = {
865 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
866 .maxlen = sizeof(unsigned int),
867 .mode = 0644,
868 .proc_handler = proc_dointvec_jiffies,
869 },
870 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = {
871 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
872 .maxlen = sizeof(unsigned int),
873 .mode = 0644,
874 .proc_handler = proc_dointvec_jiffies,
875 },
876 #endif
877 #ifdef CONFIG_NF_CT_PROTO_DCCP
878 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = {
879 .procname = "nf_conntrack_dccp_timeout_request",
880 .maxlen = sizeof(unsigned int),
881 .mode = 0644,
882 .proc_handler = proc_dointvec_jiffies,
883 },
884 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = {
885 .procname = "nf_conntrack_dccp_timeout_respond",
886 .maxlen = sizeof(unsigned int),
887 .mode = 0644,
888 .proc_handler = proc_dointvec_jiffies,
889 },
890 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = {
891 .procname = "nf_conntrack_dccp_timeout_partopen",
892 .maxlen = sizeof(unsigned int),
893 .mode = 0644,
894 .proc_handler = proc_dointvec_jiffies,
895 },
896 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = {
897 .procname = "nf_conntrack_dccp_timeout_open",
898 .maxlen = sizeof(unsigned int),
899 .mode = 0644,
900 .proc_handler = proc_dointvec_jiffies,
901 },
902 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = {
903 .procname = "nf_conntrack_dccp_timeout_closereq",
904 .maxlen = sizeof(unsigned int),
905 .mode = 0644,
906 .proc_handler = proc_dointvec_jiffies,
907 },
908 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = {
909 .procname = "nf_conntrack_dccp_timeout_closing",
910 .maxlen = sizeof(unsigned int),
911 .mode = 0644,
912 .proc_handler = proc_dointvec_jiffies,
913 },
914 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = {
915 .procname = "nf_conntrack_dccp_timeout_timewait",
916 .maxlen = sizeof(unsigned int),
917 .mode = 0644,
918 .proc_handler = proc_dointvec_jiffies,
919 },
920 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = {
921 .procname = "nf_conntrack_dccp_loose",
922 .maxlen = sizeof(u8),
923 .mode = 0644,
924 .proc_handler = proc_dou8vec_minmax,
925 .extra1 = SYSCTL_ZERO,
926 .extra2 = SYSCTL_ONE,
927 },
928 #endif
929 #ifdef CONFIG_NF_CT_PROTO_GRE
930 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = {
931 .procname = "nf_conntrack_gre_timeout",
932 .maxlen = sizeof(unsigned int),
933 .mode = 0644,
934 .proc_handler = proc_dointvec_jiffies,
935 },
936 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = {
937 .procname = "nf_conntrack_gre_timeout_stream",
938 .maxlen = sizeof(unsigned int),
939 .mode = 0644,
940 .proc_handler = proc_dointvec_jiffies,
941 },
942 #endif
943 };
944
945 static struct ctl_table nf_ct_netfilter_table[] = {
946 {
947 .procname = "nf_conntrack_max",
948 .data = &nf_conntrack_max,
949 .maxlen = sizeof(int),
950 .mode = 0644,
951 .proc_handler = proc_dointvec,
952 },
953 };
954
nf_conntrack_standalone_init_tcp_sysctl(struct net * net,struct ctl_table * table)955 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
956 struct ctl_table *table)
957 {
958 struct nf_tcp_net *tn = nf_tcp_pernet(net);
959
960 #define XASSIGN(XNAME, tn) \
961 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \
962 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME]
963
964 XASSIGN(SYN_SENT, tn);
965 XASSIGN(SYN_RECV, tn);
966 XASSIGN(ESTABLISHED, tn);
967 XASSIGN(FIN_WAIT, tn);
968 XASSIGN(CLOSE_WAIT, tn);
969 XASSIGN(LAST_ACK, tn);
970 XASSIGN(TIME_WAIT, tn);
971 XASSIGN(CLOSE, tn);
972 XASSIGN(RETRANS, tn);
973 XASSIGN(UNACK, tn);
974 #undef XASSIGN
975 #define XASSIGN(XNAME, rval) \
976 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval)
977
978 XASSIGN(LOOSE, &tn->tcp_loose);
979 XASSIGN(LIBERAL, &tn->tcp_be_liberal);
980 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans);
981 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst);
982 #undef XASSIGN
983
984 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
985 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout;
986 #endif
987
988 }
989
nf_conntrack_standalone_init_sctp_sysctl(struct net * net,struct ctl_table * table)990 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net,
991 struct ctl_table *table)
992 {
993 #ifdef CONFIG_NF_CT_PROTO_SCTP
994 struct nf_sctp_net *sn = nf_sctp_pernet(net);
995
996 #define XASSIGN(XNAME, sn) \
997 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \
998 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME]
999
1000 XASSIGN(CLOSED, sn);
1001 XASSIGN(COOKIE_WAIT, sn);
1002 XASSIGN(COOKIE_ECHOED, sn);
1003 XASSIGN(ESTABLISHED, sn);
1004 XASSIGN(SHUTDOWN_SENT, sn);
1005 XASSIGN(SHUTDOWN_RECD, sn);
1006 XASSIGN(SHUTDOWN_ACK_SENT, sn);
1007 XASSIGN(HEARTBEAT_SENT, sn);
1008 #undef XASSIGN
1009 #endif
1010 }
1011
nf_conntrack_standalone_init_dccp_sysctl(struct net * net,struct ctl_table * table)1012 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net,
1013 struct ctl_table *table)
1014 {
1015 #ifdef CONFIG_NF_CT_PROTO_DCCP
1016 struct nf_dccp_net *dn = nf_dccp_pernet(net);
1017
1018 #define XASSIGN(XNAME, dn) \
1019 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \
1020 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME]
1021
1022 XASSIGN(REQUEST, dn);
1023 XASSIGN(RESPOND, dn);
1024 XASSIGN(PARTOPEN, dn);
1025 XASSIGN(OPEN, dn);
1026 XASSIGN(CLOSEREQ, dn);
1027 XASSIGN(CLOSING, dn);
1028 XASSIGN(TIMEWAIT, dn);
1029 #undef XASSIGN
1030
1031 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose;
1032 #endif
1033 }
1034
nf_conntrack_standalone_init_gre_sysctl(struct net * net,struct ctl_table * table)1035 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net,
1036 struct ctl_table *table)
1037 {
1038 #ifdef CONFIG_NF_CT_PROTO_GRE
1039 struct nf_gre_net *gn = nf_gre_pernet(net);
1040
1041 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED];
1042 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED];
1043 #endif
1044 }
1045
nf_conntrack_standalone_init_sysctl(struct net * net)1046 static int nf_conntrack_standalone_init_sysctl(struct net *net)
1047 {
1048 struct nf_conntrack_net *cnet = nf_ct_pernet(net);
1049 struct nf_udp_net *un = nf_udp_pernet(net);
1050 struct ctl_table *table;
1051
1052 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL);
1053
1054 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
1055 GFP_KERNEL);
1056 if (!table)
1057 return -ENOMEM;
1058
1059 table[NF_SYSCTL_CT_COUNT].data = &cnet->count;
1060 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum;
1061 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
1062 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct;
1063 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1064 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events;
1065 #endif
1066 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
1067 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp;
1068 #endif
1069 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout;
1070 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout;
1071 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout;
1072 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED];
1073 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED];
1074 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
1075 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout;
1076 #endif
1077
1078 nf_conntrack_standalone_init_tcp_sysctl(net, table);
1079 nf_conntrack_standalone_init_sctp_sysctl(net, table);
1080 nf_conntrack_standalone_init_dccp_sysctl(net, table);
1081 nf_conntrack_standalone_init_gre_sysctl(net, table);
1082
1083 /* Don't allow non-init_net ns to alter global sysctls */
1084 if (!net_eq(&init_net, net)) {
1085 table[NF_SYSCTL_CT_MAX].mode = 0444;
1086 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
1087 table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
1088 }
1089
1090 cnet->sysctl_header = register_net_sysctl_sz(net, "net/netfilter",
1091 table,
1092 ARRAY_SIZE(nf_ct_sysctl_table));
1093 if (!cnet->sysctl_header)
1094 goto out_unregister_netfilter;
1095
1096 return 0;
1097
1098 out_unregister_netfilter:
1099 kfree(table);
1100 return -ENOMEM;
1101 }
1102
nf_conntrack_standalone_fini_sysctl(struct net * net)1103 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
1104 {
1105 struct nf_conntrack_net *cnet = nf_ct_pernet(net);
1106 const struct ctl_table *table;
1107
1108 table = cnet->sysctl_header->ctl_table_arg;
1109 unregister_net_sysctl_table(cnet->sysctl_header);
1110 kfree(table);
1111 }
1112 #else
nf_conntrack_standalone_init_sysctl(struct net * net)1113 static int nf_conntrack_standalone_init_sysctl(struct net *net)
1114 {
1115 return 0;
1116 }
1117
nf_conntrack_standalone_fini_sysctl(struct net * net)1118 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
1119 {
1120 }
1121 #endif /* CONFIG_SYSCTL */
1122
nf_conntrack_fini_net(struct net * net)1123 static void nf_conntrack_fini_net(struct net *net)
1124 {
1125 if (enable_hooks)
1126 nf_ct_netns_put(net, NFPROTO_INET);
1127
1128 nf_conntrack_standalone_fini_proc(net);
1129 nf_conntrack_standalone_fini_sysctl(net);
1130 }
1131
nf_conntrack_pernet_init(struct net * net)1132 static int nf_conntrack_pernet_init(struct net *net)
1133 {
1134 int ret;
1135
1136 net->ct.sysctl_checksum = 1;
1137
1138 ret = nf_conntrack_standalone_init_sysctl(net);
1139 if (ret < 0)
1140 return ret;
1141
1142 ret = nf_conntrack_standalone_init_proc(net);
1143 if (ret < 0)
1144 goto out_proc;
1145
1146 ret = nf_conntrack_init_net(net);
1147 if (ret < 0)
1148 goto out_init_net;
1149
1150 if (enable_hooks) {
1151 ret = nf_ct_netns_get(net, NFPROTO_INET);
1152 if (ret < 0)
1153 goto out_hooks;
1154 }
1155
1156 return 0;
1157
1158 out_hooks:
1159 nf_conntrack_cleanup_net(net);
1160 out_init_net:
1161 nf_conntrack_standalone_fini_proc(net);
1162 out_proc:
1163 nf_conntrack_standalone_fini_sysctl(net);
1164 return ret;
1165 }
1166
nf_conntrack_pernet_exit(struct list_head * net_exit_list)1167 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
1168 {
1169 struct net *net;
1170
1171 list_for_each_entry(net, net_exit_list, exit_list)
1172 nf_conntrack_fini_net(net);
1173
1174 nf_conntrack_cleanup_net_list(net_exit_list);
1175 }
1176
1177 static struct pernet_operations nf_conntrack_net_ops = {
1178 .init = nf_conntrack_pernet_init,
1179 .exit_batch = nf_conntrack_pernet_exit,
1180 .id = &nf_conntrack_net_id,
1181 .size = sizeof(struct nf_conntrack_net),
1182 };
1183
nf_conntrack_standalone_init(void)1184 static int __init nf_conntrack_standalone_init(void)
1185 {
1186 int ret = nf_conntrack_init_start();
1187 if (ret < 0)
1188 goto out_start;
1189
1190 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER);
1191
1192 #ifdef CONFIG_SYSCTL
1193 nf_ct_netfilter_header =
1194 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
1195 if (!nf_ct_netfilter_header) {
1196 pr_err("nf_conntrack: can't register to sysctl.\n");
1197 ret = -ENOMEM;
1198 goto out_sysctl;
1199 }
1200
1201 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
1202 #endif
1203
1204 nf_conntrack_init_end();
1205
1206 ret = register_pernet_subsys(&nf_conntrack_net_ops);
1207 if (ret < 0)
1208 goto out_pernet;
1209
1210 return 0;
1211
1212 out_pernet:
1213 #ifdef CONFIG_SYSCTL
1214 unregister_net_sysctl_table(nf_ct_netfilter_header);
1215 out_sysctl:
1216 #endif
1217 nf_conntrack_cleanup_end();
1218 out_start:
1219 return ret;
1220 }
1221
nf_conntrack_standalone_fini(void)1222 static void __exit nf_conntrack_standalone_fini(void)
1223 {
1224 nf_conntrack_cleanup_start();
1225 unregister_pernet_subsys(&nf_conntrack_net_ops);
1226 #ifdef CONFIG_SYSCTL
1227 unregister_net_sysctl_table(nf_ct_netfilter_header);
1228 #endif
1229 nf_conntrack_cleanup_end();
1230 }
1231
1232 module_init(nf_conntrack_standalone_init);
1233 module_exit(nf_conntrack_standalone_fini);
1234