1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_conntrack.h> 18 #include <net/netfilter/nf_conntrack_core.h> 19 #include <net/netfilter/nf_conntrack_l4proto.h> 20 #include <net/netfilter/nf_conntrack_expect.h> 21 #include <net/netfilter/nf_conntrack_helper.h> 22 #include <net/netfilter/nf_conntrack_acct.h> 23 #include <net/netfilter/nf_conntrack_zones.h> 24 #include <net/netfilter/nf_conntrack_timestamp.h> 25 #ifdef CONFIG_LWTUNNEL 26 #include <net/netfilter/nf_hooks_lwtunnel.h> 27 #endif 28 #include <linux/rculist_nulls.h> 29 30 static bool enable_hooks __read_mostly; 31 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 32 module_param(enable_hooks, bool, 0000); 33 34 unsigned int nf_conntrack_net_id __read_mostly; 35 36 #ifdef CONFIG_NF_CONNTRACK_PROCFS 37 void 38 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 39 const struct nf_conntrack_l4proto *l4proto) 40 { 41 switch (tuple->src.l3num) { 42 case NFPROTO_IPV4: 43 seq_printf(s, "src=%pI4 dst=%pI4 ", 44 &tuple->src.u3.ip, &tuple->dst.u3.ip); 45 break; 46 case NFPROTO_IPV6: 47 seq_printf(s, "src=%pI6 dst=%pI6 ", 48 tuple->src.u3.ip6, tuple->dst.u3.ip6); 49 break; 50 default: 51 break; 52 } 53 54 switch (l4proto->l4proto) { 55 case IPPROTO_ICMP: 56 seq_printf(s, "type=%u code=%u id=%u ", 57 tuple->dst.u.icmp.type, 58 tuple->dst.u.icmp.code, 59 ntohs(tuple->src.u.icmp.id)); 60 break; 61 case IPPROTO_TCP: 62 seq_printf(s, "sport=%hu dport=%hu ", 63 ntohs(tuple->src.u.tcp.port), 64 ntohs(tuple->dst.u.tcp.port)); 65 break; 66 case IPPROTO_UDPLITE: 67 case IPPROTO_UDP: 68 seq_printf(s, "sport=%hu dport=%hu ", 69 ntohs(tuple->src.u.udp.port), 70 ntohs(tuple->dst.u.udp.port)); 71 72 break; 73 case IPPROTO_DCCP: 74 seq_printf(s, "sport=%hu dport=%hu ", 75 ntohs(tuple->src.u.dccp.port), 76 ntohs(tuple->dst.u.dccp.port)); 77 break; 78 case IPPROTO_SCTP: 79 seq_printf(s, "sport=%hu dport=%hu ", 80 ntohs(tuple->src.u.sctp.port), 81 ntohs(tuple->dst.u.sctp.port)); 82 break; 83 case IPPROTO_ICMPV6: 84 seq_printf(s, "type=%u code=%u id=%u ", 85 tuple->dst.u.icmp.type, 86 tuple->dst.u.icmp.code, 87 ntohs(tuple->src.u.icmp.id)); 88 break; 89 case IPPROTO_GRE: 90 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 91 ntohs(tuple->src.u.gre.key), 92 ntohs(tuple->dst.u.gre.key)); 93 break; 94 default: 95 break; 96 } 97 } 98 EXPORT_SYMBOL_GPL(print_tuple); 99 100 struct ct_iter_state { 101 struct seq_net_private p; 102 struct hlist_nulls_head *hash; 103 unsigned int htable_size; 104 unsigned int bucket; 105 u_int64_t time_now; 106 }; 107 108 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 109 { 110 struct ct_iter_state *st = seq->private; 111 struct hlist_nulls_node *n; 112 113 for (st->bucket = 0; 114 st->bucket < st->htable_size; 115 st->bucket++) { 116 n = rcu_dereference( 117 hlist_nulls_first_rcu(&st->hash[st->bucket])); 118 if (!is_a_nulls(n)) 119 return n; 120 } 121 return NULL; 122 } 123 124 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 125 struct hlist_nulls_node *head) 126 { 127 struct ct_iter_state *st = seq->private; 128 129 head = rcu_dereference(hlist_nulls_next_rcu(head)); 130 while (is_a_nulls(head)) { 131 if (likely(get_nulls_value(head) == st->bucket)) { 132 if (++st->bucket >= st->htable_size) 133 return NULL; 134 } 135 head = rcu_dereference( 136 hlist_nulls_first_rcu(&st->hash[st->bucket])); 137 } 138 return head; 139 } 140 141 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 142 { 143 struct hlist_nulls_node *head = ct_get_first(seq); 144 145 if (head) 146 while (pos && (head = ct_get_next(seq, head))) 147 pos--; 148 return pos ? NULL : head; 149 } 150 151 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 152 __acquires(RCU) 153 { 154 struct ct_iter_state *st = seq->private; 155 156 st->time_now = ktime_get_real_ns(); 157 rcu_read_lock(); 158 159 nf_conntrack_get_ht(&st->hash, &st->htable_size); 160 return ct_get_idx(seq, *pos); 161 } 162 163 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 164 { 165 (*pos)++; 166 return ct_get_next(s, v); 167 } 168 169 static void ct_seq_stop(struct seq_file *s, void *v) 170 __releases(RCU) 171 { 172 rcu_read_unlock(); 173 } 174 175 #ifdef CONFIG_NF_CONNTRACK_SECMARK 176 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 177 { 178 int ret; 179 u32 len; 180 char *secctx; 181 182 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 183 if (ret) 184 return; 185 186 seq_printf(s, "secctx=%s ", secctx); 187 188 security_release_secctx(secctx, len); 189 } 190 #else 191 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 192 { 193 } 194 #endif 195 196 #ifdef CONFIG_NF_CONNTRACK_ZONES 197 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 198 int dir) 199 { 200 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 201 202 if (zone->dir != dir) 203 return; 204 switch (zone->dir) { 205 case NF_CT_DEFAULT_ZONE_DIR: 206 seq_printf(s, "zone=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_ORIG: 209 seq_printf(s, "zone-orig=%u ", zone->id); 210 break; 211 case NF_CT_ZONE_DIR_REPL: 212 seq_printf(s, "zone-reply=%u ", zone->id); 213 break; 214 default: 215 break; 216 } 217 } 218 #else 219 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 220 int dir) 221 { 222 } 223 #endif 224 225 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 226 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 227 { 228 struct ct_iter_state *st = s->private; 229 struct nf_conn_tstamp *tstamp; 230 s64 delta_time; 231 232 tstamp = nf_conn_tstamp_find(ct); 233 if (tstamp) { 234 delta_time = st->time_now - tstamp->start; 235 if (delta_time > 0) 236 delta_time = div_s64(delta_time, NSEC_PER_SEC); 237 else 238 delta_time = 0; 239 240 seq_printf(s, "delta-time=%llu ", 241 (unsigned long long)delta_time); 242 } 243 return; 244 } 245 #else 246 static inline void 247 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 248 { 249 } 250 #endif 251 252 static const char* l3proto_name(u16 proto) 253 { 254 switch (proto) { 255 case AF_INET: return "ipv4"; 256 case AF_INET6: return "ipv6"; 257 } 258 259 return "unknown"; 260 } 261 262 static const char* l4proto_name(u16 proto) 263 { 264 switch (proto) { 265 case IPPROTO_ICMP: return "icmp"; 266 case IPPROTO_TCP: return "tcp"; 267 case IPPROTO_UDP: return "udp"; 268 case IPPROTO_DCCP: return "dccp"; 269 case IPPROTO_GRE: return "gre"; 270 case IPPROTO_SCTP: return "sctp"; 271 case IPPROTO_UDPLITE: return "udplite"; 272 case IPPROTO_ICMPV6: return "icmpv6"; 273 } 274 275 return "unknown"; 276 } 277 278 static unsigned int 279 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 280 { 281 struct nf_conn_acct *acct; 282 struct nf_conn_counter *counter; 283 284 acct = nf_conn_acct_find(ct); 285 if (!acct) 286 return 0; 287 288 counter = acct->counter; 289 seq_printf(s, "packets=%llu bytes=%llu ", 290 (unsigned long long)atomic64_read(&counter[dir].packets), 291 (unsigned long long)atomic64_read(&counter[dir].bytes)); 292 293 return 0; 294 } 295 296 /* return 0 on success, 1 in case of error */ 297 static int ct_seq_show(struct seq_file *s, void *v) 298 { 299 struct nf_conntrack_tuple_hash *hash = v; 300 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 301 const struct nf_conntrack_l4proto *l4proto; 302 struct net *net = seq_file_net(s); 303 int ret = 0; 304 305 WARN_ON(!ct); 306 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use))) 307 return 0; 308 309 /* load ->status after refcount increase */ 310 smp_acquire__after_ctrl_dep(); 311 312 if (nf_ct_should_gc(ct)) { 313 nf_ct_kill(ct); 314 goto release; 315 } 316 317 /* we only want to print DIR_ORIGINAL */ 318 if (NF_CT_DIRECTION(hash)) 319 goto release; 320 321 if (!net_eq(nf_ct_net(ct), net)) 322 goto release; 323 324 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 325 326 ret = -ENOSPC; 327 seq_printf(s, "%-8s %u %-8s %u ", 328 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 329 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 330 331 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 332 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 333 334 if (l4proto->print_conntrack) 335 l4proto->print_conntrack(s, ct); 336 337 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 338 l4proto); 339 340 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 341 342 if (seq_has_overflowed(s)) 343 goto release; 344 345 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 346 goto release; 347 348 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 349 seq_puts(s, "[UNREPLIED] "); 350 351 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 352 353 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 354 355 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 356 goto release; 357 358 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 359 seq_puts(s, "[HW_OFFLOAD] "); 360 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 361 seq_puts(s, "[OFFLOAD] "); 362 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 363 seq_puts(s, "[ASSURED] "); 364 365 if (seq_has_overflowed(s)) 366 goto release; 367 368 #if defined(CONFIG_NF_CONNTRACK_MARK) 369 seq_printf(s, "mark=%u ", ct->mark); 370 #endif 371 372 ct_show_secctx(s, ct); 373 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 374 ct_show_delta_time(s, ct); 375 376 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use)); 377 378 if (seq_has_overflowed(s)) 379 goto release; 380 381 ret = 0; 382 release: 383 nf_ct_put(ct); 384 return ret; 385 } 386 387 static const struct seq_operations ct_seq_ops = { 388 .start = ct_seq_start, 389 .next = ct_seq_next, 390 .stop = ct_seq_stop, 391 .show = ct_seq_show 392 }; 393 394 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 395 { 396 struct net *net = seq_file_net(seq); 397 int cpu; 398 399 if (*pos == 0) 400 return SEQ_START_TOKEN; 401 402 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 403 if (!cpu_possible(cpu)) 404 continue; 405 *pos = cpu + 1; 406 return per_cpu_ptr(net->ct.stat, cpu); 407 } 408 409 return NULL; 410 } 411 412 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 413 { 414 struct net *net = seq_file_net(seq); 415 int cpu; 416 417 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 418 if (!cpu_possible(cpu)) 419 continue; 420 *pos = cpu + 1; 421 return per_cpu_ptr(net->ct.stat, cpu); 422 } 423 (*pos)++; 424 return NULL; 425 } 426 427 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 428 { 429 } 430 431 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 432 { 433 struct net *net = seq_file_net(seq); 434 const struct ip_conntrack_stat *st = v; 435 unsigned int nr_conntracks; 436 437 if (v == SEQ_START_TOKEN) { 438 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 439 return 0; 440 } 441 442 nr_conntracks = nf_conntrack_count(net); 443 444 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 445 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 446 nr_conntracks, 447 st->clash_resolve, 448 st->found, 449 0, 450 st->invalid, 451 0, 452 0, 453 st->chaintoolong, 454 st->insert, 455 st->insert_failed, 456 st->drop, 457 st->early_drop, 458 st->error, 459 460 st->expect_new, 461 st->expect_create, 462 st->expect_delete, 463 st->search_restart 464 ); 465 return 0; 466 } 467 468 static const struct seq_operations ct_cpu_seq_ops = { 469 .start = ct_cpu_seq_start, 470 .next = ct_cpu_seq_next, 471 .stop = ct_cpu_seq_stop, 472 .show = ct_cpu_seq_show, 473 }; 474 475 static int nf_conntrack_standalone_init_proc(struct net *net) 476 { 477 struct proc_dir_entry *pde; 478 kuid_t root_uid; 479 kgid_t root_gid; 480 481 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 482 sizeof(struct ct_iter_state)); 483 if (!pde) 484 goto out_nf_conntrack; 485 486 root_uid = make_kuid(net->user_ns, 0); 487 root_gid = make_kgid(net->user_ns, 0); 488 if (uid_valid(root_uid) && gid_valid(root_gid)) 489 proc_set_user(pde, root_uid, root_gid); 490 491 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 492 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 493 if (!pde) 494 goto out_stat_nf_conntrack; 495 return 0; 496 497 out_stat_nf_conntrack: 498 remove_proc_entry("nf_conntrack", net->proc_net); 499 out_nf_conntrack: 500 return -ENOMEM; 501 } 502 503 static void nf_conntrack_standalone_fini_proc(struct net *net) 504 { 505 remove_proc_entry("nf_conntrack", net->proc_net_stat); 506 remove_proc_entry("nf_conntrack", net->proc_net); 507 } 508 #else 509 static int nf_conntrack_standalone_init_proc(struct net *net) 510 { 511 return 0; 512 } 513 514 static void nf_conntrack_standalone_fini_proc(struct net *net) 515 { 516 } 517 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 518 519 u32 nf_conntrack_count(const struct net *net) 520 { 521 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 522 523 return atomic_read(&cnet->count); 524 } 525 EXPORT_SYMBOL_GPL(nf_conntrack_count); 526 527 /* Sysctl support */ 528 529 #ifdef CONFIG_SYSCTL 530 /* size the user *wants to set */ 531 static unsigned int nf_conntrack_htable_size_user __read_mostly; 532 533 static int 534 nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 535 void *buffer, size_t *lenp, loff_t *ppos) 536 { 537 int ret; 538 539 /* module_param hashsize could have changed value */ 540 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 541 542 ret = proc_dointvec(table, write, buffer, lenp, ppos); 543 if (ret < 0 || !write) 544 return ret; 545 546 /* update ret, we might not be able to satisfy request */ 547 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 548 549 /* update it to the actual value used by conntrack */ 550 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 551 return ret; 552 } 553 554 static struct ctl_table_header *nf_ct_netfilter_header; 555 556 enum nf_ct_sysctl_index { 557 NF_SYSCTL_CT_MAX, 558 NF_SYSCTL_CT_COUNT, 559 NF_SYSCTL_CT_BUCKETS, 560 NF_SYSCTL_CT_CHECKSUM, 561 NF_SYSCTL_CT_LOG_INVALID, 562 NF_SYSCTL_CT_EXPECT_MAX, 563 NF_SYSCTL_CT_ACCT, 564 NF_SYSCTL_CT_HELPER, 565 #ifdef CONFIG_NF_CONNTRACK_EVENTS 566 NF_SYSCTL_CT_EVENTS, 567 #endif 568 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 569 NF_SYSCTL_CT_TIMESTAMP, 570 #endif 571 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 574 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 576 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 577 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 578 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 579 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 580 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 581 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 582 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 583 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 584 #endif 585 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 586 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 587 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST, 588 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 589 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 590 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 591 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 592 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 593 #endif 594 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 595 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 596 #ifdef CONFIG_NF_CT_PROTO_SCTP 597 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 598 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 600 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 601 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 602 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 603 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 604 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 605 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, 606 #endif 607 #ifdef CONFIG_NF_CT_PROTO_DCCP 608 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 609 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 610 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 611 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 612 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 613 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 614 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 615 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 616 #endif 617 #ifdef CONFIG_NF_CT_PROTO_GRE 618 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 619 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 620 #endif 621 #ifdef CONFIG_LWTUNNEL 622 NF_SYSCTL_CT_LWTUNNEL, 623 #endif 624 625 __NF_SYSCTL_CT_LAST_SYSCTL, 626 }; 627 628 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 629 630 static struct ctl_table nf_ct_sysctl_table[] = { 631 [NF_SYSCTL_CT_MAX] = { 632 .procname = "nf_conntrack_max", 633 .data = &nf_conntrack_max, 634 .maxlen = sizeof(int), 635 .mode = 0644, 636 .proc_handler = proc_dointvec, 637 }, 638 [NF_SYSCTL_CT_COUNT] = { 639 .procname = "nf_conntrack_count", 640 .maxlen = sizeof(int), 641 .mode = 0444, 642 .proc_handler = proc_dointvec, 643 }, 644 [NF_SYSCTL_CT_BUCKETS] = { 645 .procname = "nf_conntrack_buckets", 646 .data = &nf_conntrack_htable_size_user, 647 .maxlen = sizeof(unsigned int), 648 .mode = 0644, 649 .proc_handler = nf_conntrack_hash_sysctl, 650 }, 651 [NF_SYSCTL_CT_CHECKSUM] = { 652 .procname = "nf_conntrack_checksum", 653 .data = &init_net.ct.sysctl_checksum, 654 .maxlen = sizeof(u8), 655 .mode = 0644, 656 .proc_handler = proc_dou8vec_minmax, 657 .extra1 = SYSCTL_ZERO, 658 .extra2 = SYSCTL_ONE, 659 }, 660 [NF_SYSCTL_CT_LOG_INVALID] = { 661 .procname = "nf_conntrack_log_invalid", 662 .data = &init_net.ct.sysctl_log_invalid, 663 .maxlen = sizeof(u8), 664 .mode = 0644, 665 .proc_handler = proc_dou8vec_minmax, 666 }, 667 [NF_SYSCTL_CT_EXPECT_MAX] = { 668 .procname = "nf_conntrack_expect_max", 669 .data = &nf_ct_expect_max, 670 .maxlen = sizeof(int), 671 .mode = 0644, 672 .proc_handler = proc_dointvec, 673 }, 674 [NF_SYSCTL_CT_ACCT] = { 675 .procname = "nf_conntrack_acct", 676 .data = &init_net.ct.sysctl_acct, 677 .maxlen = sizeof(u8), 678 .mode = 0644, 679 .proc_handler = proc_dou8vec_minmax, 680 .extra1 = SYSCTL_ZERO, 681 .extra2 = SYSCTL_ONE, 682 }, 683 [NF_SYSCTL_CT_HELPER] = { 684 .procname = "nf_conntrack_helper", 685 .maxlen = sizeof(u8), 686 .mode = 0644, 687 .proc_handler = proc_dou8vec_minmax, 688 .extra1 = SYSCTL_ZERO, 689 .extra2 = SYSCTL_ONE, 690 }, 691 #ifdef CONFIG_NF_CONNTRACK_EVENTS 692 [NF_SYSCTL_CT_EVENTS] = { 693 .procname = "nf_conntrack_events", 694 .data = &init_net.ct.sysctl_events, 695 .maxlen = sizeof(u8), 696 .mode = 0644, 697 .proc_handler = proc_dou8vec_minmax, 698 .extra1 = SYSCTL_ZERO, 699 .extra2 = SYSCTL_TWO, 700 }, 701 #endif 702 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 703 [NF_SYSCTL_CT_TIMESTAMP] = { 704 .procname = "nf_conntrack_timestamp", 705 .data = &init_net.ct.sysctl_tstamp, 706 .maxlen = sizeof(u8), 707 .mode = 0644, 708 .proc_handler = proc_dou8vec_minmax, 709 .extra1 = SYSCTL_ZERO, 710 .extra2 = SYSCTL_ONE, 711 }, 712 #endif 713 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 714 .procname = "nf_conntrack_generic_timeout", 715 .maxlen = sizeof(unsigned int), 716 .mode = 0644, 717 .proc_handler = proc_dointvec_jiffies, 718 }, 719 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 720 .procname = "nf_conntrack_tcp_timeout_syn_sent", 721 .maxlen = sizeof(unsigned int), 722 .mode = 0644, 723 .proc_handler = proc_dointvec_jiffies, 724 }, 725 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 726 .procname = "nf_conntrack_tcp_timeout_syn_recv", 727 .maxlen = sizeof(unsigned int), 728 .mode = 0644, 729 .proc_handler = proc_dointvec_jiffies, 730 }, 731 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 732 .procname = "nf_conntrack_tcp_timeout_established", 733 .maxlen = sizeof(unsigned int), 734 .mode = 0644, 735 .proc_handler = proc_dointvec_jiffies, 736 }, 737 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 738 .procname = "nf_conntrack_tcp_timeout_fin_wait", 739 .maxlen = sizeof(unsigned int), 740 .mode = 0644, 741 .proc_handler = proc_dointvec_jiffies, 742 }, 743 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 744 .procname = "nf_conntrack_tcp_timeout_close_wait", 745 .maxlen = sizeof(unsigned int), 746 .mode = 0644, 747 .proc_handler = proc_dointvec_jiffies, 748 }, 749 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 750 .procname = "nf_conntrack_tcp_timeout_last_ack", 751 .maxlen = sizeof(unsigned int), 752 .mode = 0644, 753 .proc_handler = proc_dointvec_jiffies, 754 }, 755 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 756 .procname = "nf_conntrack_tcp_timeout_time_wait", 757 .maxlen = sizeof(unsigned int), 758 .mode = 0644, 759 .proc_handler = proc_dointvec_jiffies, 760 }, 761 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 762 .procname = "nf_conntrack_tcp_timeout_close", 763 .maxlen = sizeof(unsigned int), 764 .mode = 0644, 765 .proc_handler = proc_dointvec_jiffies, 766 }, 767 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 768 .procname = "nf_conntrack_tcp_timeout_max_retrans", 769 .maxlen = sizeof(unsigned int), 770 .mode = 0644, 771 .proc_handler = proc_dointvec_jiffies, 772 }, 773 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 774 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 775 .maxlen = sizeof(unsigned int), 776 .mode = 0644, 777 .proc_handler = proc_dointvec_jiffies, 778 }, 779 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 780 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 781 .procname = "nf_flowtable_tcp_timeout", 782 .maxlen = sizeof(unsigned int), 783 .mode = 0644, 784 .proc_handler = proc_dointvec_jiffies, 785 }, 786 #endif 787 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 788 .procname = "nf_conntrack_tcp_loose", 789 .maxlen = sizeof(u8), 790 .mode = 0644, 791 .proc_handler = proc_dou8vec_minmax, 792 .extra1 = SYSCTL_ZERO, 793 .extra2 = SYSCTL_ONE, 794 }, 795 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 796 .procname = "nf_conntrack_tcp_be_liberal", 797 .maxlen = sizeof(u8), 798 .mode = 0644, 799 .proc_handler = proc_dou8vec_minmax, 800 .extra1 = SYSCTL_ZERO, 801 .extra2 = SYSCTL_ONE, 802 }, 803 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = { 804 .procname = "nf_conntrack_tcp_ignore_invalid_rst", 805 .maxlen = sizeof(u8), 806 .mode = 0644, 807 .proc_handler = proc_dou8vec_minmax, 808 .extra1 = SYSCTL_ZERO, 809 .extra2 = SYSCTL_ONE, 810 }, 811 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 812 .procname = "nf_conntrack_tcp_max_retrans", 813 .maxlen = sizeof(u8), 814 .mode = 0644, 815 .proc_handler = proc_dou8vec_minmax, 816 }, 817 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 818 .procname = "nf_conntrack_udp_timeout", 819 .maxlen = sizeof(unsigned int), 820 .mode = 0644, 821 .proc_handler = proc_dointvec_jiffies, 822 }, 823 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 824 .procname = "nf_conntrack_udp_timeout_stream", 825 .maxlen = sizeof(unsigned int), 826 .mode = 0644, 827 .proc_handler = proc_dointvec_jiffies, 828 }, 829 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 830 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 831 .procname = "nf_flowtable_udp_timeout", 832 .maxlen = sizeof(unsigned int), 833 .mode = 0644, 834 .proc_handler = proc_dointvec_jiffies, 835 }, 836 #endif 837 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 838 .procname = "nf_conntrack_icmp_timeout", 839 .maxlen = sizeof(unsigned int), 840 .mode = 0644, 841 .proc_handler = proc_dointvec_jiffies, 842 }, 843 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 844 .procname = "nf_conntrack_icmpv6_timeout", 845 .maxlen = sizeof(unsigned int), 846 .mode = 0644, 847 .proc_handler = proc_dointvec_jiffies, 848 }, 849 #ifdef CONFIG_NF_CT_PROTO_SCTP 850 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 851 .procname = "nf_conntrack_sctp_timeout_closed", 852 .maxlen = sizeof(unsigned int), 853 .mode = 0644, 854 .proc_handler = proc_dointvec_jiffies, 855 }, 856 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 857 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 858 .maxlen = sizeof(unsigned int), 859 .mode = 0644, 860 .proc_handler = proc_dointvec_jiffies, 861 }, 862 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 863 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 864 .maxlen = sizeof(unsigned int), 865 .mode = 0644, 866 .proc_handler = proc_dointvec_jiffies, 867 }, 868 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 869 .procname = "nf_conntrack_sctp_timeout_established", 870 .maxlen = sizeof(unsigned int), 871 .mode = 0644, 872 .proc_handler = proc_dointvec_jiffies, 873 }, 874 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 875 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 876 .maxlen = sizeof(unsigned int), 877 .mode = 0644, 878 .proc_handler = proc_dointvec_jiffies, 879 }, 880 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 881 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 882 .maxlen = sizeof(unsigned int), 883 .mode = 0644, 884 .proc_handler = proc_dointvec_jiffies, 885 }, 886 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 887 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 888 .maxlen = sizeof(unsigned int), 889 .mode = 0644, 890 .proc_handler = proc_dointvec_jiffies, 891 }, 892 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 893 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 894 .maxlen = sizeof(unsigned int), 895 .mode = 0644, 896 .proc_handler = proc_dointvec_jiffies, 897 }, 898 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { 899 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked", 900 .maxlen = sizeof(unsigned int), 901 .mode = 0644, 902 .proc_handler = proc_dointvec_jiffies, 903 }, 904 #endif 905 #ifdef CONFIG_NF_CT_PROTO_DCCP 906 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 907 .procname = "nf_conntrack_dccp_timeout_request", 908 .maxlen = sizeof(unsigned int), 909 .mode = 0644, 910 .proc_handler = proc_dointvec_jiffies, 911 }, 912 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 913 .procname = "nf_conntrack_dccp_timeout_respond", 914 .maxlen = sizeof(unsigned int), 915 .mode = 0644, 916 .proc_handler = proc_dointvec_jiffies, 917 }, 918 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 919 .procname = "nf_conntrack_dccp_timeout_partopen", 920 .maxlen = sizeof(unsigned int), 921 .mode = 0644, 922 .proc_handler = proc_dointvec_jiffies, 923 }, 924 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 925 .procname = "nf_conntrack_dccp_timeout_open", 926 .maxlen = sizeof(unsigned int), 927 .mode = 0644, 928 .proc_handler = proc_dointvec_jiffies, 929 }, 930 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 931 .procname = "nf_conntrack_dccp_timeout_closereq", 932 .maxlen = sizeof(unsigned int), 933 .mode = 0644, 934 .proc_handler = proc_dointvec_jiffies, 935 }, 936 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 937 .procname = "nf_conntrack_dccp_timeout_closing", 938 .maxlen = sizeof(unsigned int), 939 .mode = 0644, 940 .proc_handler = proc_dointvec_jiffies, 941 }, 942 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 943 .procname = "nf_conntrack_dccp_timeout_timewait", 944 .maxlen = sizeof(unsigned int), 945 .mode = 0644, 946 .proc_handler = proc_dointvec_jiffies, 947 }, 948 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 949 .procname = "nf_conntrack_dccp_loose", 950 .maxlen = sizeof(u8), 951 .mode = 0644, 952 .proc_handler = proc_dou8vec_minmax, 953 .extra1 = SYSCTL_ZERO, 954 .extra2 = SYSCTL_ONE, 955 }, 956 #endif 957 #ifdef CONFIG_NF_CT_PROTO_GRE 958 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 959 .procname = "nf_conntrack_gre_timeout", 960 .maxlen = sizeof(unsigned int), 961 .mode = 0644, 962 .proc_handler = proc_dointvec_jiffies, 963 }, 964 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 965 .procname = "nf_conntrack_gre_timeout_stream", 966 .maxlen = sizeof(unsigned int), 967 .mode = 0644, 968 .proc_handler = proc_dointvec_jiffies, 969 }, 970 #endif 971 #ifdef CONFIG_LWTUNNEL 972 [NF_SYSCTL_CT_LWTUNNEL] = { 973 .procname = "nf_hooks_lwtunnel", 974 .data = NULL, 975 .maxlen = sizeof(int), 976 .mode = 0644, 977 .proc_handler = nf_hooks_lwtunnel_sysctl_handler, 978 }, 979 #endif 980 {} 981 }; 982 983 static struct ctl_table nf_ct_netfilter_table[] = { 984 { 985 .procname = "nf_conntrack_max", 986 .data = &nf_conntrack_max, 987 .maxlen = sizeof(int), 988 .mode = 0644, 989 .proc_handler = proc_dointvec, 990 }, 991 { } 992 }; 993 994 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 995 struct ctl_table *table) 996 { 997 struct nf_tcp_net *tn = nf_tcp_pernet(net); 998 999 #define XASSIGN(XNAME, tn) \ 1000 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 1001 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 1002 1003 XASSIGN(SYN_SENT, tn); 1004 XASSIGN(SYN_RECV, tn); 1005 XASSIGN(ESTABLISHED, tn); 1006 XASSIGN(FIN_WAIT, tn); 1007 XASSIGN(CLOSE_WAIT, tn); 1008 XASSIGN(LAST_ACK, tn); 1009 XASSIGN(TIME_WAIT, tn); 1010 XASSIGN(CLOSE, tn); 1011 XASSIGN(RETRANS, tn); 1012 XASSIGN(UNACK, tn); 1013 #undef XASSIGN 1014 #define XASSIGN(XNAME, rval) \ 1015 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 1016 1017 XASSIGN(LOOSE, &tn->tcp_loose); 1018 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 1019 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 1020 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst); 1021 #undef XASSIGN 1022 1023 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1024 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 1025 #endif 1026 1027 } 1028 1029 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 1030 struct ctl_table *table) 1031 { 1032 #ifdef CONFIG_NF_CT_PROTO_SCTP 1033 struct nf_sctp_net *sn = nf_sctp_pernet(net); 1034 1035 #define XASSIGN(XNAME, sn) \ 1036 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 1037 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 1038 1039 XASSIGN(CLOSED, sn); 1040 XASSIGN(COOKIE_WAIT, sn); 1041 XASSIGN(COOKIE_ECHOED, sn); 1042 XASSIGN(ESTABLISHED, sn); 1043 XASSIGN(SHUTDOWN_SENT, sn); 1044 XASSIGN(SHUTDOWN_RECD, sn); 1045 XASSIGN(SHUTDOWN_ACK_SENT, sn); 1046 XASSIGN(HEARTBEAT_SENT, sn); 1047 XASSIGN(HEARTBEAT_ACKED, sn); 1048 #undef XASSIGN 1049 #endif 1050 } 1051 1052 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 1053 struct ctl_table *table) 1054 { 1055 #ifdef CONFIG_NF_CT_PROTO_DCCP 1056 struct nf_dccp_net *dn = nf_dccp_pernet(net); 1057 1058 #define XASSIGN(XNAME, dn) \ 1059 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1060 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1061 1062 XASSIGN(REQUEST, dn); 1063 XASSIGN(RESPOND, dn); 1064 XASSIGN(PARTOPEN, dn); 1065 XASSIGN(OPEN, dn); 1066 XASSIGN(CLOSEREQ, dn); 1067 XASSIGN(CLOSING, dn); 1068 XASSIGN(TIMEWAIT, dn); 1069 #undef XASSIGN 1070 1071 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1072 #endif 1073 } 1074 1075 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1076 struct ctl_table *table) 1077 { 1078 #ifdef CONFIG_NF_CT_PROTO_GRE 1079 struct nf_gre_net *gn = nf_gre_pernet(net); 1080 1081 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1082 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1083 #endif 1084 } 1085 1086 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1087 { 1088 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1089 struct nf_udp_net *un = nf_udp_pernet(net); 1090 struct ctl_table *table; 1091 1092 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1093 1094 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1095 GFP_KERNEL); 1096 if (!table) 1097 return -ENOMEM; 1098 1099 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1100 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1101 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1102 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1103 table[NF_SYSCTL_CT_HELPER].data = &cnet->sysctl_auto_assign_helper; 1104 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1105 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1106 #endif 1107 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1108 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1109 #endif 1110 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1111 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1112 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1113 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1114 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1115 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1116 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1117 #endif 1118 1119 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1120 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1121 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1122 nf_conntrack_standalone_init_gre_sysctl(net, table); 1123 1124 /* Don't allow non-init_net ns to alter global sysctls */ 1125 if (!net_eq(&init_net, net)) { 1126 table[NF_SYSCTL_CT_MAX].mode = 0444; 1127 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1128 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1129 } 1130 1131 cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1132 if (!cnet->sysctl_header) 1133 goto out_unregister_netfilter; 1134 1135 return 0; 1136 1137 out_unregister_netfilter: 1138 kfree(table); 1139 return -ENOMEM; 1140 } 1141 1142 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1143 { 1144 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1145 struct ctl_table *table; 1146 1147 table = cnet->sysctl_header->ctl_table_arg; 1148 unregister_net_sysctl_table(cnet->sysctl_header); 1149 kfree(table); 1150 } 1151 #else 1152 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1153 { 1154 return 0; 1155 } 1156 1157 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1158 { 1159 } 1160 #endif /* CONFIG_SYSCTL */ 1161 1162 static void nf_conntrack_fini_net(struct net *net) 1163 { 1164 if (enable_hooks) 1165 nf_ct_netns_put(net, NFPROTO_INET); 1166 1167 nf_conntrack_standalone_fini_proc(net); 1168 nf_conntrack_standalone_fini_sysctl(net); 1169 } 1170 1171 static int nf_conntrack_pernet_init(struct net *net) 1172 { 1173 int ret; 1174 1175 net->ct.sysctl_checksum = 1; 1176 1177 ret = nf_conntrack_standalone_init_sysctl(net); 1178 if (ret < 0) 1179 return ret; 1180 1181 ret = nf_conntrack_standalone_init_proc(net); 1182 if (ret < 0) 1183 goto out_proc; 1184 1185 ret = nf_conntrack_init_net(net); 1186 if (ret < 0) 1187 goto out_init_net; 1188 1189 if (enable_hooks) { 1190 ret = nf_ct_netns_get(net, NFPROTO_INET); 1191 if (ret < 0) 1192 goto out_hooks; 1193 } 1194 1195 return 0; 1196 1197 out_hooks: 1198 nf_conntrack_cleanup_net(net); 1199 out_init_net: 1200 nf_conntrack_standalone_fini_proc(net); 1201 out_proc: 1202 nf_conntrack_standalone_fini_sysctl(net); 1203 return ret; 1204 } 1205 1206 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1207 { 1208 struct net *net; 1209 1210 list_for_each_entry(net, net_exit_list, exit_list) 1211 nf_conntrack_fini_net(net); 1212 1213 nf_conntrack_cleanup_net_list(net_exit_list); 1214 } 1215 1216 static struct pernet_operations nf_conntrack_net_ops = { 1217 .init = nf_conntrack_pernet_init, 1218 .exit_batch = nf_conntrack_pernet_exit, 1219 .id = &nf_conntrack_net_id, 1220 .size = sizeof(struct nf_conntrack_net), 1221 }; 1222 1223 static int __init nf_conntrack_standalone_init(void) 1224 { 1225 int ret = nf_conntrack_init_start(); 1226 if (ret < 0) 1227 goto out_start; 1228 1229 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1230 1231 #ifdef CONFIG_SYSCTL 1232 nf_ct_netfilter_header = 1233 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1234 if (!nf_ct_netfilter_header) { 1235 pr_err("nf_conntrack: can't register to sysctl.\n"); 1236 ret = -ENOMEM; 1237 goto out_sysctl; 1238 } 1239 1240 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1241 #endif 1242 1243 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1244 if (ret < 0) 1245 goto out_pernet; 1246 1247 nf_conntrack_init_end(); 1248 return 0; 1249 1250 out_pernet: 1251 #ifdef CONFIG_SYSCTL 1252 unregister_net_sysctl_table(nf_ct_netfilter_header); 1253 out_sysctl: 1254 #endif 1255 nf_conntrack_cleanup_end(); 1256 out_start: 1257 return ret; 1258 } 1259 1260 static void __exit nf_conntrack_standalone_fini(void) 1261 { 1262 nf_conntrack_cleanup_start(); 1263 unregister_pernet_subsys(&nf_conntrack_net_ops); 1264 #ifdef CONFIG_SYSCTL 1265 unregister_net_sysctl_table(nf_ct_netfilter_header); 1266 #endif 1267 nf_conntrack_cleanup_end(); 1268 } 1269 1270 module_init(nf_conntrack_standalone_init); 1271 module_exit(nf_conntrack_standalone_fini); 1272