1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_log.h> 18 #include <net/netfilter/nf_conntrack.h> 19 #include <net/netfilter/nf_conntrack_core.h> 20 #include <net/netfilter/nf_conntrack_l4proto.h> 21 #include <net/netfilter/nf_conntrack_expect.h> 22 #include <net/netfilter/nf_conntrack_helper.h> 23 #include <net/netfilter/nf_conntrack_acct.h> 24 #include <net/netfilter/nf_conntrack_zones.h> 25 #include <net/netfilter/nf_conntrack_timestamp.h> 26 #include <linux/rculist_nulls.h> 27 28 static bool enable_hooks __read_mostly; 29 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 30 module_param(enable_hooks, bool, 0000); 31 32 unsigned int nf_conntrack_net_id __read_mostly; 33 34 #ifdef CONFIG_NF_CONNTRACK_PROCFS 35 void 36 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 37 const struct nf_conntrack_l4proto *l4proto) 38 { 39 switch (tuple->src.l3num) { 40 case NFPROTO_IPV4: 41 seq_printf(s, "src=%pI4 dst=%pI4 ", 42 &tuple->src.u3.ip, &tuple->dst.u3.ip); 43 break; 44 case NFPROTO_IPV6: 45 seq_printf(s, "src=%pI6 dst=%pI6 ", 46 tuple->src.u3.ip6, tuple->dst.u3.ip6); 47 break; 48 default: 49 break; 50 } 51 52 switch (l4proto->l4proto) { 53 case IPPROTO_ICMP: 54 seq_printf(s, "type=%u code=%u id=%u ", 55 tuple->dst.u.icmp.type, 56 tuple->dst.u.icmp.code, 57 ntohs(tuple->src.u.icmp.id)); 58 break; 59 case IPPROTO_TCP: 60 seq_printf(s, "sport=%hu dport=%hu ", 61 ntohs(tuple->src.u.tcp.port), 62 ntohs(tuple->dst.u.tcp.port)); 63 break; 64 case IPPROTO_UDPLITE: 65 case IPPROTO_UDP: 66 seq_printf(s, "sport=%hu dport=%hu ", 67 ntohs(tuple->src.u.udp.port), 68 ntohs(tuple->dst.u.udp.port)); 69 70 break; 71 case IPPROTO_SCTP: 72 seq_printf(s, "sport=%hu dport=%hu ", 73 ntohs(tuple->src.u.sctp.port), 74 ntohs(tuple->dst.u.sctp.port)); 75 break; 76 case IPPROTO_ICMPV6: 77 seq_printf(s, "type=%u code=%u id=%u ", 78 tuple->dst.u.icmp.type, 79 tuple->dst.u.icmp.code, 80 ntohs(tuple->src.u.icmp.id)); 81 break; 82 case IPPROTO_GRE: 83 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 84 ntohs(tuple->src.u.gre.key), 85 ntohs(tuple->dst.u.gre.key)); 86 break; 87 default: 88 break; 89 } 90 } 91 EXPORT_SYMBOL_GPL(print_tuple); 92 93 struct ct_iter_state { 94 struct seq_net_private p; 95 struct hlist_nulls_head *hash; 96 unsigned int htable_size; 97 unsigned int skip_elems; 98 unsigned int bucket; 99 u_int64_t time_now; 100 }; 101 102 static struct nf_conntrack_tuple_hash *ct_get_next(const struct net *net, 103 struct ct_iter_state *st) 104 { 105 struct nf_conntrack_tuple_hash *h; 106 struct hlist_nulls_node *n; 107 unsigned int i; 108 109 for (i = st->bucket; i < st->htable_size; i++) { 110 unsigned int skip = 0; 111 112 restart: 113 hlist_nulls_for_each_entry_rcu(h, n, &st->hash[i], hnnode) { 114 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); 115 struct hlist_nulls_node *tmp = n; 116 117 if (!net_eq(net, nf_ct_net(ct))) 118 continue; 119 120 if (++skip <= st->skip_elems) 121 continue; 122 123 /* h should be returned, skip to nulls marker. */ 124 while (!is_a_nulls(tmp)) 125 tmp = rcu_dereference(hlist_nulls_next_rcu(tmp)); 126 127 /* check if h is still linked to hash[i] */ 128 if (get_nulls_value(tmp) != i) { 129 skip = 0; 130 goto restart; 131 } 132 133 st->skip_elems = skip; 134 st->bucket = i; 135 return h; 136 } 137 138 skip = 0; 139 if (get_nulls_value(n) != i) 140 goto restart; 141 142 st->skip_elems = 0; 143 } 144 145 st->bucket = i; 146 return NULL; 147 } 148 149 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 150 __acquires(RCU) 151 { 152 struct ct_iter_state *st = seq->private; 153 struct net *net = seq_file_net(seq); 154 155 st->time_now = ktime_get_real_ns(); 156 rcu_read_lock(); 157 158 nf_conntrack_get_ht(&st->hash, &st->htable_size); 159 160 if (*pos == 0) { 161 st->skip_elems = 0; 162 st->bucket = 0; 163 } else if (st->skip_elems) { 164 /* resume from last dumped entry */ 165 st->skip_elems--; 166 } 167 168 return ct_get_next(net, st); 169 } 170 171 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 172 { 173 struct ct_iter_state *st = s->private; 174 struct net *net = seq_file_net(s); 175 176 (*pos)++; 177 return ct_get_next(net, st); 178 } 179 180 static void ct_seq_stop(struct seq_file *s, void *v) 181 __releases(RCU) 182 { 183 rcu_read_unlock(); 184 } 185 186 #ifdef CONFIG_NF_CONNTRACK_SECMARK 187 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 188 { 189 struct lsm_context ctx; 190 int ret; 191 192 ret = security_secid_to_secctx(ct->secmark, &ctx); 193 if (ret < 0) 194 return; 195 196 seq_printf(s, "secctx=%s ", ctx.context); 197 198 security_release_secctx(&ctx); 199 } 200 #else 201 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 202 { 203 } 204 #endif 205 206 #ifdef CONFIG_NF_CONNTRACK_ZONES 207 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 208 int dir) 209 { 210 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 211 212 if (zone->dir != dir) 213 return; 214 switch (zone->dir) { 215 case NF_CT_DEFAULT_ZONE_DIR: 216 seq_printf(s, "zone=%u ", zone->id); 217 break; 218 case NF_CT_ZONE_DIR_ORIG: 219 seq_printf(s, "zone-orig=%u ", zone->id); 220 break; 221 case NF_CT_ZONE_DIR_REPL: 222 seq_printf(s, "zone-reply=%u ", zone->id); 223 break; 224 default: 225 break; 226 } 227 } 228 #else 229 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 230 int dir) 231 { 232 } 233 #endif 234 235 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 236 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 237 { 238 struct ct_iter_state *st = s->private; 239 struct nf_conn_tstamp *tstamp; 240 s64 delta_time; 241 242 tstamp = nf_conn_tstamp_find(ct); 243 if (tstamp) { 244 delta_time = st->time_now - tstamp->start; 245 if (delta_time > 0) 246 delta_time = div_s64(delta_time, NSEC_PER_SEC); 247 else 248 delta_time = 0; 249 250 seq_printf(s, "delta-time=%llu ", 251 (unsigned long long)delta_time); 252 } 253 return; 254 } 255 #else 256 static inline void 257 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 258 { 259 } 260 #endif 261 262 static const char* l3proto_name(u16 proto) 263 { 264 switch (proto) { 265 case AF_INET: return "ipv4"; 266 case AF_INET6: return "ipv6"; 267 } 268 269 return "unknown"; 270 } 271 272 static const char* l4proto_name(u16 proto) 273 { 274 switch (proto) { 275 case IPPROTO_ICMP: return "icmp"; 276 case IPPROTO_TCP: return "tcp"; 277 case IPPROTO_UDP: return "udp"; 278 case IPPROTO_GRE: return "gre"; 279 case IPPROTO_SCTP: return "sctp"; 280 case IPPROTO_UDPLITE: return "udplite"; 281 case IPPROTO_ICMPV6: return "icmpv6"; 282 } 283 284 return "unknown"; 285 } 286 287 static void 288 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 289 { 290 struct nf_conn_acct *acct; 291 struct nf_conn_counter *counter; 292 293 acct = nf_conn_acct_find(ct); 294 if (!acct) 295 return; 296 297 counter = acct->counter; 298 seq_printf(s, "packets=%llu bytes=%llu ", 299 (unsigned long long)atomic64_read(&counter[dir].packets), 300 (unsigned long long)atomic64_read(&counter[dir].bytes)); 301 } 302 303 /* return 0 on success, 1 in case of error */ 304 static int ct_seq_show(struct seq_file *s, void *v) 305 { 306 struct nf_conntrack_tuple_hash *hash = v; 307 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 308 const struct nf_conntrack_l4proto *l4proto; 309 struct net *net = seq_file_net(s); 310 int ret = 0; 311 312 WARN_ON(!ct); 313 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use))) 314 return 0; 315 316 /* load ->status after refcount increase */ 317 smp_acquire__after_ctrl_dep(); 318 319 if (nf_ct_should_gc(ct)) { 320 nf_ct_kill(ct); 321 goto release; 322 } 323 324 /* we only want to print DIR_ORIGINAL */ 325 if (NF_CT_DIRECTION(hash)) 326 goto release; 327 328 if (!net_eq(nf_ct_net(ct), net)) 329 goto release; 330 331 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 332 333 ret = -ENOSPC; 334 seq_printf(s, "%-8s %u %-8s %u ", 335 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 336 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 337 338 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 339 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 340 341 if (l4proto->print_conntrack) 342 l4proto->print_conntrack(s, ct); 343 344 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 345 l4proto); 346 347 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 348 349 if (seq_has_overflowed(s)) 350 goto release; 351 352 seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL); 353 354 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 355 seq_puts(s, "[UNREPLIED] "); 356 357 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 358 359 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 360 361 seq_print_acct(s, ct, IP_CT_DIR_REPLY); 362 363 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 364 seq_puts(s, "[HW_OFFLOAD] "); 365 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 366 seq_puts(s, "[OFFLOAD] "); 367 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 368 seq_puts(s, "[ASSURED] "); 369 370 if (seq_has_overflowed(s)) 371 goto release; 372 373 #if defined(CONFIG_NF_CONNTRACK_MARK) 374 seq_printf(s, "mark=%u ", READ_ONCE(ct->mark)); 375 #endif 376 377 ct_show_secctx(s, ct); 378 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 379 ct_show_delta_time(s, ct); 380 381 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use)); 382 383 if (seq_has_overflowed(s)) 384 goto release; 385 386 ret = 0; 387 release: 388 nf_ct_put(ct); 389 return ret; 390 } 391 392 static const struct seq_operations ct_seq_ops = { 393 .start = ct_seq_start, 394 .next = ct_seq_next, 395 .stop = ct_seq_stop, 396 .show = ct_seq_show 397 }; 398 399 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 400 { 401 struct net *net = seq_file_net(seq); 402 int cpu; 403 404 if (*pos == 0) 405 return SEQ_START_TOKEN; 406 407 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 408 if (!cpu_possible(cpu)) 409 continue; 410 *pos = cpu + 1; 411 return per_cpu_ptr(net->ct.stat, cpu); 412 } 413 414 return NULL; 415 } 416 417 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 418 { 419 struct net *net = seq_file_net(seq); 420 int cpu; 421 422 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 423 if (!cpu_possible(cpu)) 424 continue; 425 *pos = cpu + 1; 426 return per_cpu_ptr(net->ct.stat, cpu); 427 } 428 (*pos)++; 429 return NULL; 430 } 431 432 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 433 { 434 } 435 436 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 437 { 438 struct net *net = seq_file_net(seq); 439 const struct ip_conntrack_stat *st = v; 440 unsigned int nr_conntracks; 441 442 if (v == SEQ_START_TOKEN) { 443 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 444 return 0; 445 } 446 447 nr_conntracks = nf_conntrack_count(net); 448 449 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 450 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 451 nr_conntracks, 452 st->clash_resolve, 453 st->found, 454 0, 455 st->invalid, 456 0, 457 0, 458 st->chaintoolong, 459 st->insert, 460 st->insert_failed, 461 st->drop, 462 st->early_drop, 463 st->error, 464 465 st->expect_new, 466 st->expect_create, 467 st->expect_delete, 468 st->search_restart 469 ); 470 return 0; 471 } 472 473 static const struct seq_operations ct_cpu_seq_ops = { 474 .start = ct_cpu_seq_start, 475 .next = ct_cpu_seq_next, 476 .stop = ct_cpu_seq_stop, 477 .show = ct_cpu_seq_show, 478 }; 479 480 static int nf_conntrack_standalone_init_proc(struct net *net) 481 { 482 struct proc_dir_entry *pde; 483 kuid_t root_uid; 484 kgid_t root_gid; 485 486 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 487 sizeof(struct ct_iter_state)); 488 if (!pde) 489 goto out_nf_conntrack; 490 491 root_uid = make_kuid(net->user_ns, 0); 492 root_gid = make_kgid(net->user_ns, 0); 493 if (uid_valid(root_uid) && gid_valid(root_gid)) 494 proc_set_user(pde, root_uid, root_gid); 495 496 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 497 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 498 if (!pde) 499 goto out_stat_nf_conntrack; 500 return 0; 501 502 out_stat_nf_conntrack: 503 remove_proc_entry("nf_conntrack", net->proc_net); 504 out_nf_conntrack: 505 return -ENOMEM; 506 } 507 508 static void nf_conntrack_standalone_fini_proc(struct net *net) 509 { 510 remove_proc_entry("nf_conntrack", net->proc_net_stat); 511 remove_proc_entry("nf_conntrack", net->proc_net); 512 } 513 #else 514 static int nf_conntrack_standalone_init_proc(struct net *net) 515 { 516 return 0; 517 } 518 519 static void nf_conntrack_standalone_fini_proc(struct net *net) 520 { 521 } 522 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 523 524 u32 nf_conntrack_count(const struct net *net) 525 { 526 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 527 528 return atomic_read(&cnet->count); 529 } 530 EXPORT_SYMBOL_GPL(nf_conntrack_count); 531 532 /* Sysctl support */ 533 534 #ifdef CONFIG_SYSCTL 535 /* size the user *wants to set */ 536 static unsigned int nf_conntrack_htable_size_user __read_mostly; 537 538 static int 539 nf_conntrack_hash_sysctl(const struct ctl_table *table, int write, 540 void *buffer, size_t *lenp, loff_t *ppos) 541 { 542 int ret; 543 544 /* module_param hashsize could have changed value */ 545 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 546 547 ret = proc_dointvec(table, write, buffer, lenp, ppos); 548 if (ret < 0 || !write) 549 return ret; 550 551 /* update ret, we might not be able to satisfy request */ 552 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 553 554 /* update it to the actual value used by conntrack */ 555 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 556 return ret; 557 } 558 559 static int 560 nf_conntrack_log_invalid_sysctl(const struct ctl_table *table, int write, 561 void *buffer, size_t *lenp, loff_t *ppos) 562 { 563 int ret, i; 564 565 ret = proc_dou8vec_minmax(table, write, buffer, lenp, ppos); 566 if (ret < 0 || !write) 567 return ret; 568 569 if (*(u8 *)table->data == 0) 570 return 0; 571 572 /* Load nf_log_syslog only if no logger is currently registered */ 573 for (i = 0; i < NFPROTO_NUMPROTO; i++) { 574 if (nf_log_is_registered(i)) 575 return 0; 576 } 577 request_module("%s", "nf_log_syslog"); 578 579 return 0; 580 } 581 582 static struct ctl_table_header *nf_ct_netfilter_header; 583 584 enum nf_ct_sysctl_index { 585 NF_SYSCTL_CT_MAX, 586 NF_SYSCTL_CT_COUNT, 587 NF_SYSCTL_CT_BUCKETS, 588 NF_SYSCTL_CT_CHECKSUM, 589 NF_SYSCTL_CT_LOG_INVALID, 590 NF_SYSCTL_CT_EXPECT_MAX, 591 NF_SYSCTL_CT_ACCT, 592 #ifdef CONFIG_NF_CONNTRACK_EVENTS 593 NF_SYSCTL_CT_EVENTS, 594 #endif 595 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 596 NF_SYSCTL_CT_TIMESTAMP, 597 #endif 598 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 600 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 601 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 602 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 603 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 604 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 605 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 606 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 607 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 608 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 609 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 610 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 611 #endif 612 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 613 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 614 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST, 615 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 616 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 617 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 618 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 619 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 620 #endif 621 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 622 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 623 #ifdef CONFIG_NF_CT_PROTO_SCTP 624 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 625 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 626 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 627 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 628 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 629 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 630 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 631 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 632 #endif 633 #ifdef CONFIG_NF_CT_PROTO_GRE 634 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 635 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 636 #endif 637 638 NF_SYSCTL_CT_LAST_SYSCTL, 639 }; 640 641 static struct ctl_table nf_ct_sysctl_table[] = { 642 [NF_SYSCTL_CT_MAX] = { 643 .procname = "nf_conntrack_max", 644 .data = &nf_conntrack_max, 645 .maxlen = sizeof(int), 646 .mode = 0644, 647 .proc_handler = proc_dointvec_minmax, 648 .extra1 = SYSCTL_ZERO, 649 .extra2 = SYSCTL_INT_MAX, 650 }, 651 [NF_SYSCTL_CT_COUNT] = { 652 .procname = "nf_conntrack_count", 653 .maxlen = sizeof(int), 654 .mode = 0444, 655 .proc_handler = proc_dointvec, 656 }, 657 [NF_SYSCTL_CT_BUCKETS] = { 658 .procname = "nf_conntrack_buckets", 659 .data = &nf_conntrack_htable_size_user, 660 .maxlen = sizeof(unsigned int), 661 .mode = 0644, 662 .proc_handler = nf_conntrack_hash_sysctl, 663 }, 664 [NF_SYSCTL_CT_CHECKSUM] = { 665 .procname = "nf_conntrack_checksum", 666 .data = &init_net.ct.sysctl_checksum, 667 .maxlen = sizeof(u8), 668 .mode = 0644, 669 .proc_handler = proc_dou8vec_minmax, 670 .extra1 = SYSCTL_ZERO, 671 .extra2 = SYSCTL_ONE, 672 }, 673 [NF_SYSCTL_CT_LOG_INVALID] = { 674 .procname = "nf_conntrack_log_invalid", 675 .data = &init_net.ct.sysctl_log_invalid, 676 .maxlen = sizeof(u8), 677 .mode = 0644, 678 .proc_handler = nf_conntrack_log_invalid_sysctl, 679 }, 680 [NF_SYSCTL_CT_EXPECT_MAX] = { 681 .procname = "nf_conntrack_expect_max", 682 .data = &nf_ct_expect_max, 683 .maxlen = sizeof(int), 684 .mode = 0644, 685 .proc_handler = proc_dointvec_minmax, 686 .extra1 = SYSCTL_ONE, 687 .extra2 = SYSCTL_INT_MAX, 688 }, 689 [NF_SYSCTL_CT_ACCT] = { 690 .procname = "nf_conntrack_acct", 691 .data = &init_net.ct.sysctl_acct, 692 .maxlen = sizeof(u8), 693 .mode = 0644, 694 .proc_handler = proc_dou8vec_minmax, 695 .extra1 = SYSCTL_ZERO, 696 .extra2 = SYSCTL_ONE, 697 }, 698 #ifdef CONFIG_NF_CONNTRACK_EVENTS 699 [NF_SYSCTL_CT_EVENTS] = { 700 .procname = "nf_conntrack_events", 701 .data = &init_net.ct.sysctl_events, 702 .maxlen = sizeof(u8), 703 .mode = 0644, 704 .proc_handler = proc_dou8vec_minmax, 705 .extra1 = SYSCTL_ZERO, 706 .extra2 = SYSCTL_TWO, 707 }, 708 #endif 709 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 710 [NF_SYSCTL_CT_TIMESTAMP] = { 711 .procname = "nf_conntrack_timestamp", 712 .data = &init_net.ct.sysctl_tstamp, 713 .maxlen = sizeof(u8), 714 .mode = 0644, 715 .proc_handler = proc_dou8vec_minmax, 716 .extra1 = SYSCTL_ZERO, 717 .extra2 = SYSCTL_ONE, 718 }, 719 #endif 720 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 721 .procname = "nf_conntrack_generic_timeout", 722 .maxlen = sizeof(unsigned int), 723 .mode = 0644, 724 .proc_handler = proc_dointvec_jiffies, 725 }, 726 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 727 .procname = "nf_conntrack_tcp_timeout_syn_sent", 728 .maxlen = sizeof(unsigned int), 729 .mode = 0644, 730 .proc_handler = proc_dointvec_jiffies, 731 }, 732 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 733 .procname = "nf_conntrack_tcp_timeout_syn_recv", 734 .maxlen = sizeof(unsigned int), 735 .mode = 0644, 736 .proc_handler = proc_dointvec_jiffies, 737 }, 738 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 739 .procname = "nf_conntrack_tcp_timeout_established", 740 .maxlen = sizeof(unsigned int), 741 .mode = 0644, 742 .proc_handler = proc_dointvec_jiffies, 743 }, 744 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 745 .procname = "nf_conntrack_tcp_timeout_fin_wait", 746 .maxlen = sizeof(unsigned int), 747 .mode = 0644, 748 .proc_handler = proc_dointvec_jiffies, 749 }, 750 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 751 .procname = "nf_conntrack_tcp_timeout_close_wait", 752 .maxlen = sizeof(unsigned int), 753 .mode = 0644, 754 .proc_handler = proc_dointvec_jiffies, 755 }, 756 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 757 .procname = "nf_conntrack_tcp_timeout_last_ack", 758 .maxlen = sizeof(unsigned int), 759 .mode = 0644, 760 .proc_handler = proc_dointvec_jiffies, 761 }, 762 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 763 .procname = "nf_conntrack_tcp_timeout_time_wait", 764 .maxlen = sizeof(unsigned int), 765 .mode = 0644, 766 .proc_handler = proc_dointvec_jiffies, 767 }, 768 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 769 .procname = "nf_conntrack_tcp_timeout_close", 770 .maxlen = sizeof(unsigned int), 771 .mode = 0644, 772 .proc_handler = proc_dointvec_jiffies, 773 }, 774 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 775 .procname = "nf_conntrack_tcp_timeout_max_retrans", 776 .maxlen = sizeof(unsigned int), 777 .mode = 0644, 778 .proc_handler = proc_dointvec_jiffies, 779 }, 780 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 781 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 782 .maxlen = sizeof(unsigned int), 783 .mode = 0644, 784 .proc_handler = proc_dointvec_jiffies, 785 }, 786 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 787 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 788 .procname = "nf_flowtable_tcp_timeout", 789 .maxlen = sizeof(unsigned int), 790 .mode = 0644, 791 .proc_handler = proc_dointvec_jiffies, 792 }, 793 #endif 794 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 795 .procname = "nf_conntrack_tcp_loose", 796 .maxlen = sizeof(u8), 797 .mode = 0644, 798 .proc_handler = proc_dou8vec_minmax, 799 .extra1 = SYSCTL_ZERO, 800 .extra2 = SYSCTL_ONE, 801 }, 802 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 803 .procname = "nf_conntrack_tcp_be_liberal", 804 .maxlen = sizeof(u8), 805 .mode = 0644, 806 .proc_handler = proc_dou8vec_minmax, 807 .extra1 = SYSCTL_ZERO, 808 .extra2 = SYSCTL_ONE, 809 }, 810 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = { 811 .procname = "nf_conntrack_tcp_ignore_invalid_rst", 812 .maxlen = sizeof(u8), 813 .mode = 0644, 814 .proc_handler = proc_dou8vec_minmax, 815 .extra1 = SYSCTL_ZERO, 816 .extra2 = SYSCTL_ONE, 817 }, 818 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 819 .procname = "nf_conntrack_tcp_max_retrans", 820 .maxlen = sizeof(u8), 821 .mode = 0644, 822 .proc_handler = proc_dou8vec_minmax, 823 }, 824 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 825 .procname = "nf_conntrack_udp_timeout", 826 .maxlen = sizeof(unsigned int), 827 .mode = 0644, 828 .proc_handler = proc_dointvec_jiffies, 829 }, 830 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 831 .procname = "nf_conntrack_udp_timeout_stream", 832 .maxlen = sizeof(unsigned int), 833 .mode = 0644, 834 .proc_handler = proc_dointvec_jiffies, 835 }, 836 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 837 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 838 .procname = "nf_flowtable_udp_timeout", 839 .maxlen = sizeof(unsigned int), 840 .mode = 0644, 841 .proc_handler = proc_dointvec_jiffies, 842 }, 843 #endif 844 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 845 .procname = "nf_conntrack_icmp_timeout", 846 .maxlen = sizeof(unsigned int), 847 .mode = 0644, 848 .proc_handler = proc_dointvec_jiffies, 849 }, 850 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 851 .procname = "nf_conntrack_icmpv6_timeout", 852 .maxlen = sizeof(unsigned int), 853 .mode = 0644, 854 .proc_handler = proc_dointvec_jiffies, 855 }, 856 #ifdef CONFIG_NF_CT_PROTO_SCTP 857 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 858 .procname = "nf_conntrack_sctp_timeout_closed", 859 .maxlen = sizeof(unsigned int), 860 .mode = 0644, 861 .proc_handler = proc_dointvec_jiffies, 862 }, 863 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 864 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 865 .maxlen = sizeof(unsigned int), 866 .mode = 0644, 867 .proc_handler = proc_dointvec_jiffies, 868 }, 869 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 870 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 871 .maxlen = sizeof(unsigned int), 872 .mode = 0644, 873 .proc_handler = proc_dointvec_jiffies, 874 }, 875 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 876 .procname = "nf_conntrack_sctp_timeout_established", 877 .maxlen = sizeof(unsigned int), 878 .mode = 0644, 879 .proc_handler = proc_dointvec_jiffies, 880 }, 881 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 882 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 883 .maxlen = sizeof(unsigned int), 884 .mode = 0644, 885 .proc_handler = proc_dointvec_jiffies, 886 }, 887 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 888 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 889 .maxlen = sizeof(unsigned int), 890 .mode = 0644, 891 .proc_handler = proc_dointvec_jiffies, 892 }, 893 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 894 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 895 .maxlen = sizeof(unsigned int), 896 .mode = 0644, 897 .proc_handler = proc_dointvec_jiffies, 898 }, 899 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 900 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 901 .maxlen = sizeof(unsigned int), 902 .mode = 0644, 903 .proc_handler = proc_dointvec_jiffies, 904 }, 905 #endif 906 #ifdef CONFIG_NF_CT_PROTO_GRE 907 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 908 .procname = "nf_conntrack_gre_timeout", 909 .maxlen = sizeof(unsigned int), 910 .mode = 0644, 911 .proc_handler = proc_dointvec_jiffies, 912 }, 913 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 914 .procname = "nf_conntrack_gre_timeout_stream", 915 .maxlen = sizeof(unsigned int), 916 .mode = 0644, 917 .proc_handler = proc_dointvec_jiffies, 918 }, 919 #endif 920 }; 921 922 static struct ctl_table nf_ct_netfilter_table[] = { 923 { 924 .procname = "nf_conntrack_max", 925 .data = &nf_conntrack_max, 926 .maxlen = sizeof(int), 927 .mode = 0644, 928 .proc_handler = proc_dointvec_minmax, 929 .extra1 = SYSCTL_ZERO, 930 .extra2 = SYSCTL_INT_MAX, 931 }, 932 }; 933 934 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 935 struct ctl_table *table) 936 { 937 struct nf_tcp_net *tn = nf_tcp_pernet(net); 938 939 #define XASSIGN(XNAME, tn) \ 940 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 941 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 942 943 XASSIGN(SYN_SENT, tn); 944 XASSIGN(SYN_RECV, tn); 945 XASSIGN(ESTABLISHED, tn); 946 XASSIGN(FIN_WAIT, tn); 947 XASSIGN(CLOSE_WAIT, tn); 948 XASSIGN(LAST_ACK, tn); 949 XASSIGN(TIME_WAIT, tn); 950 XASSIGN(CLOSE, tn); 951 XASSIGN(RETRANS, tn); 952 XASSIGN(UNACK, tn); 953 #undef XASSIGN 954 #define XASSIGN(XNAME, rval) \ 955 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 956 957 XASSIGN(LOOSE, &tn->tcp_loose); 958 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 959 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 960 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst); 961 #undef XASSIGN 962 963 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 964 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 965 #endif 966 967 } 968 969 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 970 struct ctl_table *table) 971 { 972 #ifdef CONFIG_NF_CT_PROTO_SCTP 973 struct nf_sctp_net *sn = nf_sctp_pernet(net); 974 975 #define XASSIGN(XNAME, sn) \ 976 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 977 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 978 979 XASSIGN(CLOSED, sn); 980 XASSIGN(COOKIE_WAIT, sn); 981 XASSIGN(COOKIE_ECHOED, sn); 982 XASSIGN(ESTABLISHED, sn); 983 XASSIGN(SHUTDOWN_SENT, sn); 984 XASSIGN(SHUTDOWN_RECD, sn); 985 XASSIGN(SHUTDOWN_ACK_SENT, sn); 986 XASSIGN(HEARTBEAT_SENT, sn); 987 #undef XASSIGN 988 #endif 989 } 990 991 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 992 struct ctl_table *table) 993 { 994 #ifdef CONFIG_NF_CT_PROTO_GRE 995 struct nf_gre_net *gn = nf_gre_pernet(net); 996 997 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 998 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 999 #endif 1000 } 1001 1002 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1003 { 1004 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1005 struct nf_udp_net *un = nf_udp_pernet(net); 1006 struct ctl_table *table; 1007 1008 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1009 1010 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1011 GFP_KERNEL); 1012 if (!table) 1013 return -ENOMEM; 1014 1015 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1016 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1017 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1018 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1019 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1020 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1021 #endif 1022 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1023 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1024 #endif 1025 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1026 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1027 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1028 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1029 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1030 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1031 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1032 #endif 1033 1034 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1035 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1036 nf_conntrack_standalone_init_gre_sysctl(net, table); 1037 1038 /* Don't allow non-init_net ns to alter global sysctls */ 1039 if (!net_eq(&init_net, net)) { 1040 table[NF_SYSCTL_CT_MAX].mode = 0444; 1041 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1042 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1043 } 1044 1045 cnet->sysctl_header = register_net_sysctl_sz(net, "net/netfilter", 1046 table, 1047 ARRAY_SIZE(nf_ct_sysctl_table)); 1048 if (!cnet->sysctl_header) 1049 goto out_unregister_netfilter; 1050 1051 return 0; 1052 1053 out_unregister_netfilter: 1054 kfree(table); 1055 return -ENOMEM; 1056 } 1057 1058 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1059 { 1060 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1061 const struct ctl_table *table; 1062 1063 table = cnet->sysctl_header->ctl_table_arg; 1064 unregister_net_sysctl_table(cnet->sysctl_header); 1065 kfree(table); 1066 } 1067 #else 1068 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1069 { 1070 return 0; 1071 } 1072 1073 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1074 { 1075 } 1076 #endif /* CONFIG_SYSCTL */ 1077 1078 static void nf_conntrack_fini_net(struct net *net) 1079 { 1080 if (enable_hooks) 1081 nf_ct_netns_put(net, NFPROTO_INET); 1082 1083 nf_conntrack_standalone_fini_proc(net); 1084 nf_conntrack_standalone_fini_sysctl(net); 1085 } 1086 1087 static int nf_conntrack_pernet_init(struct net *net) 1088 { 1089 int ret; 1090 1091 net->ct.sysctl_checksum = 1; 1092 1093 ret = nf_conntrack_standalone_init_sysctl(net); 1094 if (ret < 0) 1095 return ret; 1096 1097 ret = nf_conntrack_standalone_init_proc(net); 1098 if (ret < 0) 1099 goto out_proc; 1100 1101 ret = nf_conntrack_init_net(net); 1102 if (ret < 0) 1103 goto out_init_net; 1104 1105 if (enable_hooks) { 1106 ret = nf_ct_netns_get(net, NFPROTO_INET); 1107 if (ret < 0) 1108 goto out_hooks; 1109 } 1110 1111 return 0; 1112 1113 out_hooks: 1114 nf_conntrack_cleanup_net(net); 1115 out_init_net: 1116 nf_conntrack_standalone_fini_proc(net); 1117 out_proc: 1118 nf_conntrack_standalone_fini_sysctl(net); 1119 return ret; 1120 } 1121 1122 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1123 { 1124 struct net *net; 1125 1126 list_for_each_entry(net, net_exit_list, exit_list) 1127 nf_conntrack_fini_net(net); 1128 1129 nf_conntrack_cleanup_net_list(net_exit_list); 1130 } 1131 1132 static struct pernet_operations nf_conntrack_net_ops = { 1133 .init = nf_conntrack_pernet_init, 1134 .exit_batch = nf_conntrack_pernet_exit, 1135 .id = &nf_conntrack_net_id, 1136 .size = sizeof(struct nf_conntrack_net), 1137 }; 1138 1139 static int __init nf_conntrack_standalone_init(void) 1140 { 1141 int ret = nf_conntrack_init_start(); 1142 if (ret < 0) 1143 goto out_start; 1144 1145 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1146 1147 #ifdef CONFIG_SYSCTL 1148 nf_ct_netfilter_header = 1149 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1150 if (!nf_ct_netfilter_header) { 1151 pr_err("nf_conntrack: can't register to sysctl.\n"); 1152 ret = -ENOMEM; 1153 goto out_sysctl; 1154 } 1155 1156 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1157 #endif 1158 1159 nf_conntrack_init_end(); 1160 1161 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1162 if (ret < 0) 1163 goto out_pernet; 1164 1165 return 0; 1166 1167 out_pernet: 1168 #ifdef CONFIG_SYSCTL 1169 unregister_net_sysctl_table(nf_ct_netfilter_header); 1170 out_sysctl: 1171 #endif 1172 nf_conntrack_cleanup_end(); 1173 out_start: 1174 return ret; 1175 } 1176 1177 static void __exit nf_conntrack_standalone_fini(void) 1178 { 1179 nf_conntrack_cleanup_start(); 1180 unregister_pernet_subsys(&nf_conntrack_net_ops); 1181 #ifdef CONFIG_SYSCTL 1182 unregister_net_sysctl_table(nf_ct_netfilter_header); 1183 #endif 1184 nf_conntrack_cleanup_end(); 1185 } 1186 1187 module_init(nf_conntrack_standalone_init); 1188 module_exit(nf_conntrack_standalone_fini); 1189