1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_conntrack.h> 18 #include <net/netfilter/nf_conntrack_core.h> 19 #include <net/netfilter/nf_conntrack_l4proto.h> 20 #include <net/netfilter/nf_conntrack_expect.h> 21 #include <net/netfilter/nf_conntrack_helper.h> 22 #include <net/netfilter/nf_conntrack_acct.h> 23 #include <net/netfilter/nf_conntrack_zones.h> 24 #include <net/netfilter/nf_conntrack_timestamp.h> 25 #include <linux/rculist_nulls.h> 26 27 static bool enable_hooks __read_mostly; 28 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 29 module_param(enable_hooks, bool, 0000); 30 31 unsigned int nf_conntrack_net_id __read_mostly; 32 33 #ifdef CONFIG_NF_CONNTRACK_PROCFS 34 void 35 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 36 const struct nf_conntrack_l4proto *l4proto) 37 { 38 switch (tuple->src.l3num) { 39 case NFPROTO_IPV4: 40 seq_printf(s, "src=%pI4 dst=%pI4 ", 41 &tuple->src.u3.ip, &tuple->dst.u3.ip); 42 break; 43 case NFPROTO_IPV6: 44 seq_printf(s, "src=%pI6 dst=%pI6 ", 45 tuple->src.u3.ip6, tuple->dst.u3.ip6); 46 break; 47 default: 48 break; 49 } 50 51 switch (l4proto->l4proto) { 52 case IPPROTO_ICMP: 53 seq_printf(s, "type=%u code=%u id=%u ", 54 tuple->dst.u.icmp.type, 55 tuple->dst.u.icmp.code, 56 ntohs(tuple->src.u.icmp.id)); 57 break; 58 case IPPROTO_TCP: 59 seq_printf(s, "sport=%hu dport=%hu ", 60 ntohs(tuple->src.u.tcp.port), 61 ntohs(tuple->dst.u.tcp.port)); 62 break; 63 case IPPROTO_UDPLITE: 64 case IPPROTO_UDP: 65 seq_printf(s, "sport=%hu dport=%hu ", 66 ntohs(tuple->src.u.udp.port), 67 ntohs(tuple->dst.u.udp.port)); 68 69 break; 70 case IPPROTO_DCCP: 71 seq_printf(s, "sport=%hu dport=%hu ", 72 ntohs(tuple->src.u.dccp.port), 73 ntohs(tuple->dst.u.dccp.port)); 74 break; 75 case IPPROTO_SCTP: 76 seq_printf(s, "sport=%hu dport=%hu ", 77 ntohs(tuple->src.u.sctp.port), 78 ntohs(tuple->dst.u.sctp.port)); 79 break; 80 case IPPROTO_ICMPV6: 81 seq_printf(s, "type=%u code=%u id=%u ", 82 tuple->dst.u.icmp.type, 83 tuple->dst.u.icmp.code, 84 ntohs(tuple->src.u.icmp.id)); 85 break; 86 case IPPROTO_GRE: 87 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 88 ntohs(tuple->src.u.gre.key), 89 ntohs(tuple->dst.u.gre.key)); 90 break; 91 default: 92 break; 93 } 94 } 95 EXPORT_SYMBOL_GPL(print_tuple); 96 97 struct ct_iter_state { 98 struct seq_net_private p; 99 struct hlist_nulls_head *hash; 100 unsigned int htable_size; 101 unsigned int bucket; 102 u_int64_t time_now; 103 }; 104 105 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 106 { 107 struct ct_iter_state *st = seq->private; 108 struct hlist_nulls_node *n; 109 110 for (st->bucket = 0; 111 st->bucket < st->htable_size; 112 st->bucket++) { 113 n = rcu_dereference( 114 hlist_nulls_first_rcu(&st->hash[st->bucket])); 115 if (!is_a_nulls(n)) 116 return n; 117 } 118 return NULL; 119 } 120 121 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 122 struct hlist_nulls_node *head) 123 { 124 struct ct_iter_state *st = seq->private; 125 126 head = rcu_dereference(hlist_nulls_next_rcu(head)); 127 while (is_a_nulls(head)) { 128 if (likely(get_nulls_value(head) == st->bucket)) { 129 if (++st->bucket >= st->htable_size) 130 return NULL; 131 } 132 head = rcu_dereference( 133 hlist_nulls_first_rcu(&st->hash[st->bucket])); 134 } 135 return head; 136 } 137 138 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 139 { 140 struct hlist_nulls_node *head = ct_get_first(seq); 141 142 if (head) 143 while (pos && (head = ct_get_next(seq, head))) 144 pos--; 145 return pos ? NULL : head; 146 } 147 148 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 149 __acquires(RCU) 150 { 151 struct ct_iter_state *st = seq->private; 152 153 st->time_now = ktime_get_real_ns(); 154 rcu_read_lock(); 155 156 nf_conntrack_get_ht(&st->hash, &st->htable_size); 157 return ct_get_idx(seq, *pos); 158 } 159 160 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 161 { 162 (*pos)++; 163 return ct_get_next(s, v); 164 } 165 166 static void ct_seq_stop(struct seq_file *s, void *v) 167 __releases(RCU) 168 { 169 rcu_read_unlock(); 170 } 171 172 #ifdef CONFIG_NF_CONNTRACK_SECMARK 173 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 174 { 175 int ret; 176 u32 len; 177 char *secctx; 178 179 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 180 if (ret) 181 return; 182 183 seq_printf(s, "secctx=%s ", secctx); 184 185 security_release_secctx(secctx, len); 186 } 187 #else 188 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 189 { 190 } 191 #endif 192 193 #ifdef CONFIG_NF_CONNTRACK_ZONES 194 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 195 int dir) 196 { 197 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 198 199 if (zone->dir != dir) 200 return; 201 switch (zone->dir) { 202 case NF_CT_DEFAULT_ZONE_DIR: 203 seq_printf(s, "zone=%u ", zone->id); 204 break; 205 case NF_CT_ZONE_DIR_ORIG: 206 seq_printf(s, "zone-orig=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_REPL: 209 seq_printf(s, "zone-reply=%u ", zone->id); 210 break; 211 default: 212 break; 213 } 214 } 215 #else 216 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 217 int dir) 218 { 219 } 220 #endif 221 222 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 223 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 224 { 225 struct ct_iter_state *st = s->private; 226 struct nf_conn_tstamp *tstamp; 227 s64 delta_time; 228 229 tstamp = nf_conn_tstamp_find(ct); 230 if (tstamp) { 231 delta_time = st->time_now - tstamp->start; 232 if (delta_time > 0) 233 delta_time = div_s64(delta_time, NSEC_PER_SEC); 234 else 235 delta_time = 0; 236 237 seq_printf(s, "delta-time=%llu ", 238 (unsigned long long)delta_time); 239 } 240 return; 241 } 242 #else 243 static inline void 244 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 245 { 246 } 247 #endif 248 249 static const char* l3proto_name(u16 proto) 250 { 251 switch (proto) { 252 case AF_INET: return "ipv4"; 253 case AF_INET6: return "ipv6"; 254 } 255 256 return "unknown"; 257 } 258 259 static const char* l4proto_name(u16 proto) 260 { 261 switch (proto) { 262 case IPPROTO_ICMP: return "icmp"; 263 case IPPROTO_TCP: return "tcp"; 264 case IPPROTO_UDP: return "udp"; 265 case IPPROTO_DCCP: return "dccp"; 266 case IPPROTO_GRE: return "gre"; 267 case IPPROTO_SCTP: return "sctp"; 268 case IPPROTO_UDPLITE: return "udplite"; 269 case IPPROTO_ICMPV6: return "icmpv6"; 270 } 271 272 return "unknown"; 273 } 274 275 static void 276 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 277 { 278 struct nf_conn_acct *acct; 279 struct nf_conn_counter *counter; 280 281 acct = nf_conn_acct_find(ct); 282 if (!acct) 283 return; 284 285 counter = acct->counter; 286 seq_printf(s, "packets=%llu bytes=%llu ", 287 (unsigned long long)atomic64_read(&counter[dir].packets), 288 (unsigned long long)atomic64_read(&counter[dir].bytes)); 289 } 290 291 /* return 0 on success, 1 in case of error */ 292 static int ct_seq_show(struct seq_file *s, void *v) 293 { 294 struct nf_conntrack_tuple_hash *hash = v; 295 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 296 const struct nf_conntrack_l4proto *l4proto; 297 struct net *net = seq_file_net(s); 298 int ret = 0; 299 300 WARN_ON(!ct); 301 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use))) 302 return 0; 303 304 /* load ->status after refcount increase */ 305 smp_acquire__after_ctrl_dep(); 306 307 if (nf_ct_should_gc(ct)) { 308 nf_ct_kill(ct); 309 goto release; 310 } 311 312 /* we only want to print DIR_ORIGINAL */ 313 if (NF_CT_DIRECTION(hash)) 314 goto release; 315 316 if (!net_eq(nf_ct_net(ct), net)) 317 goto release; 318 319 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 320 321 ret = -ENOSPC; 322 seq_printf(s, "%-8s %u %-8s %u ", 323 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 324 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 325 326 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 327 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 328 329 if (l4proto->print_conntrack) 330 l4proto->print_conntrack(s, ct); 331 332 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 333 l4proto); 334 335 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 336 337 if (seq_has_overflowed(s)) 338 goto release; 339 340 seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL); 341 342 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 343 seq_puts(s, "[UNREPLIED] "); 344 345 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 346 347 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 348 349 seq_print_acct(s, ct, IP_CT_DIR_REPLY); 350 351 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 352 seq_puts(s, "[HW_OFFLOAD] "); 353 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 354 seq_puts(s, "[OFFLOAD] "); 355 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 356 seq_puts(s, "[ASSURED] "); 357 358 if (seq_has_overflowed(s)) 359 goto release; 360 361 #if defined(CONFIG_NF_CONNTRACK_MARK) 362 seq_printf(s, "mark=%u ", READ_ONCE(ct->mark)); 363 #endif 364 365 ct_show_secctx(s, ct); 366 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 367 ct_show_delta_time(s, ct); 368 369 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use)); 370 371 if (seq_has_overflowed(s)) 372 goto release; 373 374 ret = 0; 375 release: 376 nf_ct_put(ct); 377 return ret; 378 } 379 380 static const struct seq_operations ct_seq_ops = { 381 .start = ct_seq_start, 382 .next = ct_seq_next, 383 .stop = ct_seq_stop, 384 .show = ct_seq_show 385 }; 386 387 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 388 { 389 struct net *net = seq_file_net(seq); 390 int cpu; 391 392 if (*pos == 0) 393 return SEQ_START_TOKEN; 394 395 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 396 if (!cpu_possible(cpu)) 397 continue; 398 *pos = cpu + 1; 399 return per_cpu_ptr(net->ct.stat, cpu); 400 } 401 402 return NULL; 403 } 404 405 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 406 { 407 struct net *net = seq_file_net(seq); 408 int cpu; 409 410 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 411 if (!cpu_possible(cpu)) 412 continue; 413 *pos = cpu + 1; 414 return per_cpu_ptr(net->ct.stat, cpu); 415 } 416 (*pos)++; 417 return NULL; 418 } 419 420 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 421 { 422 } 423 424 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 425 { 426 struct net *net = seq_file_net(seq); 427 const struct ip_conntrack_stat *st = v; 428 unsigned int nr_conntracks; 429 430 if (v == SEQ_START_TOKEN) { 431 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 432 return 0; 433 } 434 435 nr_conntracks = nf_conntrack_count(net); 436 437 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 438 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 439 nr_conntracks, 440 st->clash_resolve, 441 st->found, 442 0, 443 st->invalid, 444 0, 445 0, 446 st->chaintoolong, 447 st->insert, 448 st->insert_failed, 449 st->drop, 450 st->early_drop, 451 st->error, 452 453 st->expect_new, 454 st->expect_create, 455 st->expect_delete, 456 st->search_restart 457 ); 458 return 0; 459 } 460 461 static const struct seq_operations ct_cpu_seq_ops = { 462 .start = ct_cpu_seq_start, 463 .next = ct_cpu_seq_next, 464 .stop = ct_cpu_seq_stop, 465 .show = ct_cpu_seq_show, 466 }; 467 468 static int nf_conntrack_standalone_init_proc(struct net *net) 469 { 470 struct proc_dir_entry *pde; 471 kuid_t root_uid; 472 kgid_t root_gid; 473 474 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 475 sizeof(struct ct_iter_state)); 476 if (!pde) 477 goto out_nf_conntrack; 478 479 root_uid = make_kuid(net->user_ns, 0); 480 root_gid = make_kgid(net->user_ns, 0); 481 if (uid_valid(root_uid) && gid_valid(root_gid)) 482 proc_set_user(pde, root_uid, root_gid); 483 484 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 485 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 486 if (!pde) 487 goto out_stat_nf_conntrack; 488 return 0; 489 490 out_stat_nf_conntrack: 491 remove_proc_entry("nf_conntrack", net->proc_net); 492 out_nf_conntrack: 493 return -ENOMEM; 494 } 495 496 static void nf_conntrack_standalone_fini_proc(struct net *net) 497 { 498 remove_proc_entry("nf_conntrack", net->proc_net_stat); 499 remove_proc_entry("nf_conntrack", net->proc_net); 500 } 501 #else 502 static int nf_conntrack_standalone_init_proc(struct net *net) 503 { 504 return 0; 505 } 506 507 static void nf_conntrack_standalone_fini_proc(struct net *net) 508 { 509 } 510 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 511 512 u32 nf_conntrack_count(const struct net *net) 513 { 514 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 515 516 return atomic_read(&cnet->count); 517 } 518 EXPORT_SYMBOL_GPL(nf_conntrack_count); 519 520 /* Sysctl support */ 521 522 #ifdef CONFIG_SYSCTL 523 /* size the user *wants to set */ 524 static unsigned int nf_conntrack_htable_size_user __read_mostly; 525 526 static int 527 nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 528 void *buffer, size_t *lenp, loff_t *ppos) 529 { 530 int ret; 531 532 /* module_param hashsize could have changed value */ 533 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 534 535 ret = proc_dointvec(table, write, buffer, lenp, ppos); 536 if (ret < 0 || !write) 537 return ret; 538 539 /* update ret, we might not be able to satisfy request */ 540 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 541 542 /* update it to the actual value used by conntrack */ 543 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 544 return ret; 545 } 546 547 static struct ctl_table_header *nf_ct_netfilter_header; 548 549 enum nf_ct_sysctl_index { 550 NF_SYSCTL_CT_MAX, 551 NF_SYSCTL_CT_COUNT, 552 NF_SYSCTL_CT_BUCKETS, 553 NF_SYSCTL_CT_CHECKSUM, 554 NF_SYSCTL_CT_LOG_INVALID, 555 NF_SYSCTL_CT_EXPECT_MAX, 556 NF_SYSCTL_CT_ACCT, 557 #ifdef CONFIG_NF_CONNTRACK_EVENTS 558 NF_SYSCTL_CT_EVENTS, 559 #endif 560 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 561 NF_SYSCTL_CT_TIMESTAMP, 562 #endif 563 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 564 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 565 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 566 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 567 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 568 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 569 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 570 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 571 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 574 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 576 #endif 577 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 578 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 579 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST, 580 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 581 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 582 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 583 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 584 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 585 #endif 586 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 587 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 588 #ifdef CONFIG_NF_CT_PROTO_SCTP 589 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 590 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 591 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 592 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 593 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 594 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 595 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 596 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 597 #endif 598 #ifdef CONFIG_NF_CT_PROTO_DCCP 599 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 600 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 601 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 602 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 603 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 604 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 605 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 606 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 607 #endif 608 #ifdef CONFIG_NF_CT_PROTO_GRE 609 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 610 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 611 #endif 612 613 __NF_SYSCTL_CT_LAST_SYSCTL, 614 }; 615 616 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 617 618 static struct ctl_table nf_ct_sysctl_table[] = { 619 [NF_SYSCTL_CT_MAX] = { 620 .procname = "nf_conntrack_max", 621 .data = &nf_conntrack_max, 622 .maxlen = sizeof(int), 623 .mode = 0644, 624 .proc_handler = proc_dointvec, 625 }, 626 [NF_SYSCTL_CT_COUNT] = { 627 .procname = "nf_conntrack_count", 628 .maxlen = sizeof(int), 629 .mode = 0444, 630 .proc_handler = proc_dointvec, 631 }, 632 [NF_SYSCTL_CT_BUCKETS] = { 633 .procname = "nf_conntrack_buckets", 634 .data = &nf_conntrack_htable_size_user, 635 .maxlen = sizeof(unsigned int), 636 .mode = 0644, 637 .proc_handler = nf_conntrack_hash_sysctl, 638 }, 639 [NF_SYSCTL_CT_CHECKSUM] = { 640 .procname = "nf_conntrack_checksum", 641 .data = &init_net.ct.sysctl_checksum, 642 .maxlen = sizeof(u8), 643 .mode = 0644, 644 .proc_handler = proc_dou8vec_minmax, 645 .extra1 = SYSCTL_ZERO, 646 .extra2 = SYSCTL_ONE, 647 }, 648 [NF_SYSCTL_CT_LOG_INVALID] = { 649 .procname = "nf_conntrack_log_invalid", 650 .data = &init_net.ct.sysctl_log_invalid, 651 .maxlen = sizeof(u8), 652 .mode = 0644, 653 .proc_handler = proc_dou8vec_minmax, 654 }, 655 [NF_SYSCTL_CT_EXPECT_MAX] = { 656 .procname = "nf_conntrack_expect_max", 657 .data = &nf_ct_expect_max, 658 .maxlen = sizeof(int), 659 .mode = 0644, 660 .proc_handler = proc_dointvec, 661 }, 662 [NF_SYSCTL_CT_ACCT] = { 663 .procname = "nf_conntrack_acct", 664 .data = &init_net.ct.sysctl_acct, 665 .maxlen = sizeof(u8), 666 .mode = 0644, 667 .proc_handler = proc_dou8vec_minmax, 668 .extra1 = SYSCTL_ZERO, 669 .extra2 = SYSCTL_ONE, 670 }, 671 #ifdef CONFIG_NF_CONNTRACK_EVENTS 672 [NF_SYSCTL_CT_EVENTS] = { 673 .procname = "nf_conntrack_events", 674 .data = &init_net.ct.sysctl_events, 675 .maxlen = sizeof(u8), 676 .mode = 0644, 677 .proc_handler = proc_dou8vec_minmax, 678 .extra1 = SYSCTL_ZERO, 679 .extra2 = SYSCTL_TWO, 680 }, 681 #endif 682 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 683 [NF_SYSCTL_CT_TIMESTAMP] = { 684 .procname = "nf_conntrack_timestamp", 685 .data = &init_net.ct.sysctl_tstamp, 686 .maxlen = sizeof(u8), 687 .mode = 0644, 688 .proc_handler = proc_dou8vec_minmax, 689 .extra1 = SYSCTL_ZERO, 690 .extra2 = SYSCTL_ONE, 691 }, 692 #endif 693 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 694 .procname = "nf_conntrack_generic_timeout", 695 .maxlen = sizeof(unsigned int), 696 .mode = 0644, 697 .proc_handler = proc_dointvec_jiffies, 698 }, 699 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 700 .procname = "nf_conntrack_tcp_timeout_syn_sent", 701 .maxlen = sizeof(unsigned int), 702 .mode = 0644, 703 .proc_handler = proc_dointvec_jiffies, 704 }, 705 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 706 .procname = "nf_conntrack_tcp_timeout_syn_recv", 707 .maxlen = sizeof(unsigned int), 708 .mode = 0644, 709 .proc_handler = proc_dointvec_jiffies, 710 }, 711 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 712 .procname = "nf_conntrack_tcp_timeout_established", 713 .maxlen = sizeof(unsigned int), 714 .mode = 0644, 715 .proc_handler = proc_dointvec_jiffies, 716 }, 717 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 718 .procname = "nf_conntrack_tcp_timeout_fin_wait", 719 .maxlen = sizeof(unsigned int), 720 .mode = 0644, 721 .proc_handler = proc_dointvec_jiffies, 722 }, 723 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 724 .procname = "nf_conntrack_tcp_timeout_close_wait", 725 .maxlen = sizeof(unsigned int), 726 .mode = 0644, 727 .proc_handler = proc_dointvec_jiffies, 728 }, 729 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 730 .procname = "nf_conntrack_tcp_timeout_last_ack", 731 .maxlen = sizeof(unsigned int), 732 .mode = 0644, 733 .proc_handler = proc_dointvec_jiffies, 734 }, 735 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 736 .procname = "nf_conntrack_tcp_timeout_time_wait", 737 .maxlen = sizeof(unsigned int), 738 .mode = 0644, 739 .proc_handler = proc_dointvec_jiffies, 740 }, 741 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 742 .procname = "nf_conntrack_tcp_timeout_close", 743 .maxlen = sizeof(unsigned int), 744 .mode = 0644, 745 .proc_handler = proc_dointvec_jiffies, 746 }, 747 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 748 .procname = "nf_conntrack_tcp_timeout_max_retrans", 749 .maxlen = sizeof(unsigned int), 750 .mode = 0644, 751 .proc_handler = proc_dointvec_jiffies, 752 }, 753 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 754 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 755 .maxlen = sizeof(unsigned int), 756 .mode = 0644, 757 .proc_handler = proc_dointvec_jiffies, 758 }, 759 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 760 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 761 .procname = "nf_flowtable_tcp_timeout", 762 .maxlen = sizeof(unsigned int), 763 .mode = 0644, 764 .proc_handler = proc_dointvec_jiffies, 765 }, 766 #endif 767 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 768 .procname = "nf_conntrack_tcp_loose", 769 .maxlen = sizeof(u8), 770 .mode = 0644, 771 .proc_handler = proc_dou8vec_minmax, 772 .extra1 = SYSCTL_ZERO, 773 .extra2 = SYSCTL_ONE, 774 }, 775 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 776 .procname = "nf_conntrack_tcp_be_liberal", 777 .maxlen = sizeof(u8), 778 .mode = 0644, 779 .proc_handler = proc_dou8vec_minmax, 780 .extra1 = SYSCTL_ZERO, 781 .extra2 = SYSCTL_ONE, 782 }, 783 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = { 784 .procname = "nf_conntrack_tcp_ignore_invalid_rst", 785 .maxlen = sizeof(u8), 786 .mode = 0644, 787 .proc_handler = proc_dou8vec_minmax, 788 .extra1 = SYSCTL_ZERO, 789 .extra2 = SYSCTL_ONE, 790 }, 791 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 792 .procname = "nf_conntrack_tcp_max_retrans", 793 .maxlen = sizeof(u8), 794 .mode = 0644, 795 .proc_handler = proc_dou8vec_minmax, 796 }, 797 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 798 .procname = "nf_conntrack_udp_timeout", 799 .maxlen = sizeof(unsigned int), 800 .mode = 0644, 801 .proc_handler = proc_dointvec_jiffies, 802 }, 803 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 804 .procname = "nf_conntrack_udp_timeout_stream", 805 .maxlen = sizeof(unsigned int), 806 .mode = 0644, 807 .proc_handler = proc_dointvec_jiffies, 808 }, 809 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 810 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 811 .procname = "nf_flowtable_udp_timeout", 812 .maxlen = sizeof(unsigned int), 813 .mode = 0644, 814 .proc_handler = proc_dointvec_jiffies, 815 }, 816 #endif 817 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 818 .procname = "nf_conntrack_icmp_timeout", 819 .maxlen = sizeof(unsigned int), 820 .mode = 0644, 821 .proc_handler = proc_dointvec_jiffies, 822 }, 823 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 824 .procname = "nf_conntrack_icmpv6_timeout", 825 .maxlen = sizeof(unsigned int), 826 .mode = 0644, 827 .proc_handler = proc_dointvec_jiffies, 828 }, 829 #ifdef CONFIG_NF_CT_PROTO_SCTP 830 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 831 .procname = "nf_conntrack_sctp_timeout_closed", 832 .maxlen = sizeof(unsigned int), 833 .mode = 0644, 834 .proc_handler = proc_dointvec_jiffies, 835 }, 836 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 837 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 838 .maxlen = sizeof(unsigned int), 839 .mode = 0644, 840 .proc_handler = proc_dointvec_jiffies, 841 }, 842 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 843 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 844 .maxlen = sizeof(unsigned int), 845 .mode = 0644, 846 .proc_handler = proc_dointvec_jiffies, 847 }, 848 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 849 .procname = "nf_conntrack_sctp_timeout_established", 850 .maxlen = sizeof(unsigned int), 851 .mode = 0644, 852 .proc_handler = proc_dointvec_jiffies, 853 }, 854 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 855 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 856 .maxlen = sizeof(unsigned int), 857 .mode = 0644, 858 .proc_handler = proc_dointvec_jiffies, 859 }, 860 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 861 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 862 .maxlen = sizeof(unsigned int), 863 .mode = 0644, 864 .proc_handler = proc_dointvec_jiffies, 865 }, 866 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 867 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 868 .maxlen = sizeof(unsigned int), 869 .mode = 0644, 870 .proc_handler = proc_dointvec_jiffies, 871 }, 872 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 873 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 874 .maxlen = sizeof(unsigned int), 875 .mode = 0644, 876 .proc_handler = proc_dointvec_jiffies, 877 }, 878 #endif 879 #ifdef CONFIG_NF_CT_PROTO_DCCP 880 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 881 .procname = "nf_conntrack_dccp_timeout_request", 882 .maxlen = sizeof(unsigned int), 883 .mode = 0644, 884 .proc_handler = proc_dointvec_jiffies, 885 }, 886 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 887 .procname = "nf_conntrack_dccp_timeout_respond", 888 .maxlen = sizeof(unsigned int), 889 .mode = 0644, 890 .proc_handler = proc_dointvec_jiffies, 891 }, 892 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 893 .procname = "nf_conntrack_dccp_timeout_partopen", 894 .maxlen = sizeof(unsigned int), 895 .mode = 0644, 896 .proc_handler = proc_dointvec_jiffies, 897 }, 898 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 899 .procname = "nf_conntrack_dccp_timeout_open", 900 .maxlen = sizeof(unsigned int), 901 .mode = 0644, 902 .proc_handler = proc_dointvec_jiffies, 903 }, 904 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 905 .procname = "nf_conntrack_dccp_timeout_closereq", 906 .maxlen = sizeof(unsigned int), 907 .mode = 0644, 908 .proc_handler = proc_dointvec_jiffies, 909 }, 910 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 911 .procname = "nf_conntrack_dccp_timeout_closing", 912 .maxlen = sizeof(unsigned int), 913 .mode = 0644, 914 .proc_handler = proc_dointvec_jiffies, 915 }, 916 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 917 .procname = "nf_conntrack_dccp_timeout_timewait", 918 .maxlen = sizeof(unsigned int), 919 .mode = 0644, 920 .proc_handler = proc_dointvec_jiffies, 921 }, 922 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 923 .procname = "nf_conntrack_dccp_loose", 924 .maxlen = sizeof(u8), 925 .mode = 0644, 926 .proc_handler = proc_dou8vec_minmax, 927 .extra1 = SYSCTL_ZERO, 928 .extra2 = SYSCTL_ONE, 929 }, 930 #endif 931 #ifdef CONFIG_NF_CT_PROTO_GRE 932 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 933 .procname = "nf_conntrack_gre_timeout", 934 .maxlen = sizeof(unsigned int), 935 .mode = 0644, 936 .proc_handler = proc_dointvec_jiffies, 937 }, 938 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 939 .procname = "nf_conntrack_gre_timeout_stream", 940 .maxlen = sizeof(unsigned int), 941 .mode = 0644, 942 .proc_handler = proc_dointvec_jiffies, 943 }, 944 #endif 945 {} 946 }; 947 948 static struct ctl_table nf_ct_netfilter_table[] = { 949 { 950 .procname = "nf_conntrack_max", 951 .data = &nf_conntrack_max, 952 .maxlen = sizeof(int), 953 .mode = 0644, 954 .proc_handler = proc_dointvec, 955 }, 956 { } 957 }; 958 959 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 960 struct ctl_table *table) 961 { 962 struct nf_tcp_net *tn = nf_tcp_pernet(net); 963 964 #define XASSIGN(XNAME, tn) \ 965 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 966 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 967 968 XASSIGN(SYN_SENT, tn); 969 XASSIGN(SYN_RECV, tn); 970 XASSIGN(ESTABLISHED, tn); 971 XASSIGN(FIN_WAIT, tn); 972 XASSIGN(CLOSE_WAIT, tn); 973 XASSIGN(LAST_ACK, tn); 974 XASSIGN(TIME_WAIT, tn); 975 XASSIGN(CLOSE, tn); 976 XASSIGN(RETRANS, tn); 977 XASSIGN(UNACK, tn); 978 #undef XASSIGN 979 #define XASSIGN(XNAME, rval) \ 980 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 981 982 XASSIGN(LOOSE, &tn->tcp_loose); 983 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 984 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 985 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst); 986 #undef XASSIGN 987 988 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 989 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 990 #endif 991 992 } 993 994 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 995 struct ctl_table *table) 996 { 997 #ifdef CONFIG_NF_CT_PROTO_SCTP 998 struct nf_sctp_net *sn = nf_sctp_pernet(net); 999 1000 #define XASSIGN(XNAME, sn) \ 1001 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 1002 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 1003 1004 XASSIGN(CLOSED, sn); 1005 XASSIGN(COOKIE_WAIT, sn); 1006 XASSIGN(COOKIE_ECHOED, sn); 1007 XASSIGN(ESTABLISHED, sn); 1008 XASSIGN(SHUTDOWN_SENT, sn); 1009 XASSIGN(SHUTDOWN_RECD, sn); 1010 XASSIGN(SHUTDOWN_ACK_SENT, sn); 1011 XASSIGN(HEARTBEAT_SENT, sn); 1012 #undef XASSIGN 1013 #endif 1014 } 1015 1016 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 1017 struct ctl_table *table) 1018 { 1019 #ifdef CONFIG_NF_CT_PROTO_DCCP 1020 struct nf_dccp_net *dn = nf_dccp_pernet(net); 1021 1022 #define XASSIGN(XNAME, dn) \ 1023 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1024 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1025 1026 XASSIGN(REQUEST, dn); 1027 XASSIGN(RESPOND, dn); 1028 XASSIGN(PARTOPEN, dn); 1029 XASSIGN(OPEN, dn); 1030 XASSIGN(CLOSEREQ, dn); 1031 XASSIGN(CLOSING, dn); 1032 XASSIGN(TIMEWAIT, dn); 1033 #undef XASSIGN 1034 1035 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1036 #endif 1037 } 1038 1039 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1040 struct ctl_table *table) 1041 { 1042 #ifdef CONFIG_NF_CT_PROTO_GRE 1043 struct nf_gre_net *gn = nf_gre_pernet(net); 1044 1045 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1046 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1047 #endif 1048 } 1049 1050 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1051 { 1052 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1053 struct nf_udp_net *un = nf_udp_pernet(net); 1054 struct ctl_table *table; 1055 1056 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1057 1058 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1059 GFP_KERNEL); 1060 if (!table) 1061 return -ENOMEM; 1062 1063 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1064 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1065 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1066 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1067 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1068 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1069 #endif 1070 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1071 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1072 #endif 1073 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1074 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1075 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1076 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1077 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1078 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1079 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1080 #endif 1081 1082 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1083 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1084 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1085 nf_conntrack_standalone_init_gre_sysctl(net, table); 1086 1087 /* Don't allow non-init_net ns to alter global sysctls */ 1088 if (!net_eq(&init_net, net)) { 1089 table[NF_SYSCTL_CT_MAX].mode = 0444; 1090 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1091 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1092 } 1093 1094 cnet->sysctl_header = register_net_sysctl_sz(net, "net/netfilter", 1095 table, 1096 ARRAY_SIZE(nf_ct_sysctl_table)); 1097 if (!cnet->sysctl_header) 1098 goto out_unregister_netfilter; 1099 1100 return 0; 1101 1102 out_unregister_netfilter: 1103 kfree(table); 1104 return -ENOMEM; 1105 } 1106 1107 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1108 { 1109 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1110 struct ctl_table *table; 1111 1112 table = cnet->sysctl_header->ctl_table_arg; 1113 unregister_net_sysctl_table(cnet->sysctl_header); 1114 kfree(table); 1115 } 1116 #else 1117 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1118 { 1119 return 0; 1120 } 1121 1122 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1123 { 1124 } 1125 #endif /* CONFIG_SYSCTL */ 1126 1127 static void nf_conntrack_fini_net(struct net *net) 1128 { 1129 if (enable_hooks) 1130 nf_ct_netns_put(net, NFPROTO_INET); 1131 1132 nf_conntrack_standalone_fini_proc(net); 1133 nf_conntrack_standalone_fini_sysctl(net); 1134 } 1135 1136 static int nf_conntrack_pernet_init(struct net *net) 1137 { 1138 int ret; 1139 1140 net->ct.sysctl_checksum = 1; 1141 1142 ret = nf_conntrack_standalone_init_sysctl(net); 1143 if (ret < 0) 1144 return ret; 1145 1146 ret = nf_conntrack_standalone_init_proc(net); 1147 if (ret < 0) 1148 goto out_proc; 1149 1150 ret = nf_conntrack_init_net(net); 1151 if (ret < 0) 1152 goto out_init_net; 1153 1154 if (enable_hooks) { 1155 ret = nf_ct_netns_get(net, NFPROTO_INET); 1156 if (ret < 0) 1157 goto out_hooks; 1158 } 1159 1160 return 0; 1161 1162 out_hooks: 1163 nf_conntrack_cleanup_net(net); 1164 out_init_net: 1165 nf_conntrack_standalone_fini_proc(net); 1166 out_proc: 1167 nf_conntrack_standalone_fini_sysctl(net); 1168 return ret; 1169 } 1170 1171 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1172 { 1173 struct net *net; 1174 1175 list_for_each_entry(net, net_exit_list, exit_list) 1176 nf_conntrack_fini_net(net); 1177 1178 nf_conntrack_cleanup_net_list(net_exit_list); 1179 } 1180 1181 static struct pernet_operations nf_conntrack_net_ops = { 1182 .init = nf_conntrack_pernet_init, 1183 .exit_batch = nf_conntrack_pernet_exit, 1184 .id = &nf_conntrack_net_id, 1185 .size = sizeof(struct nf_conntrack_net), 1186 }; 1187 1188 static int __init nf_conntrack_standalone_init(void) 1189 { 1190 int ret = nf_conntrack_init_start(); 1191 if (ret < 0) 1192 goto out_start; 1193 1194 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1195 1196 #ifdef CONFIG_SYSCTL 1197 nf_ct_netfilter_header = 1198 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1199 if (!nf_ct_netfilter_header) { 1200 pr_err("nf_conntrack: can't register to sysctl.\n"); 1201 ret = -ENOMEM; 1202 goto out_sysctl; 1203 } 1204 1205 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1206 #endif 1207 1208 nf_conntrack_init_end(); 1209 1210 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1211 if (ret < 0) 1212 goto out_pernet; 1213 1214 return 0; 1215 1216 out_pernet: 1217 #ifdef CONFIG_SYSCTL 1218 unregister_net_sysctl_table(nf_ct_netfilter_header); 1219 out_sysctl: 1220 #endif 1221 nf_conntrack_cleanup_end(); 1222 out_start: 1223 return ret; 1224 } 1225 1226 static void __exit nf_conntrack_standalone_fini(void) 1227 { 1228 nf_conntrack_cleanup_start(); 1229 unregister_pernet_subsys(&nf_conntrack_net_ops); 1230 #ifdef CONFIG_SYSCTL 1231 unregister_net_sysctl_table(nf_ct_netfilter_header); 1232 #endif 1233 nf_conntrack_cleanup_end(); 1234 } 1235 1236 module_init(nf_conntrack_standalone_init); 1237 module_exit(nf_conntrack_standalone_fini); 1238