1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_conntrack.h> 18 #include <net/netfilter/nf_conntrack_core.h> 19 #include <net/netfilter/nf_conntrack_l4proto.h> 20 #include <net/netfilter/nf_conntrack_expect.h> 21 #include <net/netfilter/nf_conntrack_helper.h> 22 #include <net/netfilter/nf_conntrack_acct.h> 23 #include <net/netfilter/nf_conntrack_zones.h> 24 #include <net/netfilter/nf_conntrack_timestamp.h> 25 #ifdef CONFIG_LWTUNNEL 26 #include <net/netfilter/nf_hooks_lwtunnel.h> 27 #endif 28 #include <linux/rculist_nulls.h> 29 30 static bool enable_hooks __read_mostly; 31 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 32 module_param(enable_hooks, bool, 0000); 33 34 unsigned int nf_conntrack_net_id __read_mostly; 35 36 #ifdef CONFIG_NF_CONNTRACK_PROCFS 37 void 38 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 39 const struct nf_conntrack_l4proto *l4proto) 40 { 41 switch (tuple->src.l3num) { 42 case NFPROTO_IPV4: 43 seq_printf(s, "src=%pI4 dst=%pI4 ", 44 &tuple->src.u3.ip, &tuple->dst.u3.ip); 45 break; 46 case NFPROTO_IPV6: 47 seq_printf(s, "src=%pI6 dst=%pI6 ", 48 tuple->src.u3.ip6, tuple->dst.u3.ip6); 49 break; 50 default: 51 break; 52 } 53 54 switch (l4proto->l4proto) { 55 case IPPROTO_ICMP: 56 seq_printf(s, "type=%u code=%u id=%u ", 57 tuple->dst.u.icmp.type, 58 tuple->dst.u.icmp.code, 59 ntohs(tuple->src.u.icmp.id)); 60 break; 61 case IPPROTO_TCP: 62 seq_printf(s, "sport=%hu dport=%hu ", 63 ntohs(tuple->src.u.tcp.port), 64 ntohs(tuple->dst.u.tcp.port)); 65 break; 66 case IPPROTO_UDPLITE: 67 case IPPROTO_UDP: 68 seq_printf(s, "sport=%hu dport=%hu ", 69 ntohs(tuple->src.u.udp.port), 70 ntohs(tuple->dst.u.udp.port)); 71 72 break; 73 case IPPROTO_DCCP: 74 seq_printf(s, "sport=%hu dport=%hu ", 75 ntohs(tuple->src.u.dccp.port), 76 ntohs(tuple->dst.u.dccp.port)); 77 break; 78 case IPPROTO_SCTP: 79 seq_printf(s, "sport=%hu dport=%hu ", 80 ntohs(tuple->src.u.sctp.port), 81 ntohs(tuple->dst.u.sctp.port)); 82 break; 83 case IPPROTO_ICMPV6: 84 seq_printf(s, "type=%u code=%u id=%u ", 85 tuple->dst.u.icmp.type, 86 tuple->dst.u.icmp.code, 87 ntohs(tuple->src.u.icmp.id)); 88 break; 89 case IPPROTO_GRE: 90 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 91 ntohs(tuple->src.u.gre.key), 92 ntohs(tuple->dst.u.gre.key)); 93 break; 94 default: 95 break; 96 } 97 } 98 EXPORT_SYMBOL_GPL(print_tuple); 99 100 struct ct_iter_state { 101 struct seq_net_private p; 102 struct hlist_nulls_head *hash; 103 unsigned int htable_size; 104 unsigned int bucket; 105 u_int64_t time_now; 106 }; 107 108 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 109 { 110 struct ct_iter_state *st = seq->private; 111 struct hlist_nulls_node *n; 112 113 for (st->bucket = 0; 114 st->bucket < st->htable_size; 115 st->bucket++) { 116 n = rcu_dereference( 117 hlist_nulls_first_rcu(&st->hash[st->bucket])); 118 if (!is_a_nulls(n)) 119 return n; 120 } 121 return NULL; 122 } 123 124 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 125 struct hlist_nulls_node *head) 126 { 127 struct ct_iter_state *st = seq->private; 128 129 head = rcu_dereference(hlist_nulls_next_rcu(head)); 130 while (is_a_nulls(head)) { 131 if (likely(get_nulls_value(head) == st->bucket)) { 132 if (++st->bucket >= st->htable_size) 133 return NULL; 134 } 135 head = rcu_dereference( 136 hlist_nulls_first_rcu(&st->hash[st->bucket])); 137 } 138 return head; 139 } 140 141 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 142 { 143 struct hlist_nulls_node *head = ct_get_first(seq); 144 145 if (head) 146 while (pos && (head = ct_get_next(seq, head))) 147 pos--; 148 return pos ? NULL : head; 149 } 150 151 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 152 __acquires(RCU) 153 { 154 struct ct_iter_state *st = seq->private; 155 156 st->time_now = ktime_get_real_ns(); 157 rcu_read_lock(); 158 159 nf_conntrack_get_ht(&st->hash, &st->htable_size); 160 return ct_get_idx(seq, *pos); 161 } 162 163 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 164 { 165 (*pos)++; 166 return ct_get_next(s, v); 167 } 168 169 static void ct_seq_stop(struct seq_file *s, void *v) 170 __releases(RCU) 171 { 172 rcu_read_unlock(); 173 } 174 175 #ifdef CONFIG_NF_CONNTRACK_SECMARK 176 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 177 { 178 int ret; 179 u32 len; 180 char *secctx; 181 182 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 183 if (ret) 184 return; 185 186 seq_printf(s, "secctx=%s ", secctx); 187 188 security_release_secctx(secctx, len); 189 } 190 #else 191 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 192 { 193 } 194 #endif 195 196 #ifdef CONFIG_NF_CONNTRACK_ZONES 197 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 198 int dir) 199 { 200 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 201 202 if (zone->dir != dir) 203 return; 204 switch (zone->dir) { 205 case NF_CT_DEFAULT_ZONE_DIR: 206 seq_printf(s, "zone=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_ORIG: 209 seq_printf(s, "zone-orig=%u ", zone->id); 210 break; 211 case NF_CT_ZONE_DIR_REPL: 212 seq_printf(s, "zone-reply=%u ", zone->id); 213 break; 214 default: 215 break; 216 } 217 } 218 #else 219 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 220 int dir) 221 { 222 } 223 #endif 224 225 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 226 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 227 { 228 struct ct_iter_state *st = s->private; 229 struct nf_conn_tstamp *tstamp; 230 s64 delta_time; 231 232 tstamp = nf_conn_tstamp_find(ct); 233 if (tstamp) { 234 delta_time = st->time_now - tstamp->start; 235 if (delta_time > 0) 236 delta_time = div_s64(delta_time, NSEC_PER_SEC); 237 else 238 delta_time = 0; 239 240 seq_printf(s, "delta-time=%llu ", 241 (unsigned long long)delta_time); 242 } 243 return; 244 } 245 #else 246 static inline void 247 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 248 { 249 } 250 #endif 251 252 static const char* l3proto_name(u16 proto) 253 { 254 switch (proto) { 255 case AF_INET: return "ipv4"; 256 case AF_INET6: return "ipv6"; 257 } 258 259 return "unknown"; 260 } 261 262 static const char* l4proto_name(u16 proto) 263 { 264 switch (proto) { 265 case IPPROTO_ICMP: return "icmp"; 266 case IPPROTO_TCP: return "tcp"; 267 case IPPROTO_UDP: return "udp"; 268 case IPPROTO_DCCP: return "dccp"; 269 case IPPROTO_GRE: return "gre"; 270 case IPPROTO_SCTP: return "sctp"; 271 case IPPROTO_UDPLITE: return "udplite"; 272 case IPPROTO_ICMPV6: return "icmpv6"; 273 } 274 275 return "unknown"; 276 } 277 278 static unsigned int 279 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 280 { 281 struct nf_conn_acct *acct; 282 struct nf_conn_counter *counter; 283 284 acct = nf_conn_acct_find(ct); 285 if (!acct) 286 return 0; 287 288 counter = acct->counter; 289 seq_printf(s, "packets=%llu bytes=%llu ", 290 (unsigned long long)atomic64_read(&counter[dir].packets), 291 (unsigned long long)atomic64_read(&counter[dir].bytes)); 292 293 return 0; 294 } 295 296 /* return 0 on success, 1 in case of error */ 297 static int ct_seq_show(struct seq_file *s, void *v) 298 { 299 struct nf_conntrack_tuple_hash *hash = v; 300 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 301 const struct nf_conntrack_l4proto *l4proto; 302 struct net *net = seq_file_net(s); 303 int ret = 0; 304 305 WARN_ON(!ct); 306 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use))) 307 return 0; 308 309 /* load ->status after refcount increase */ 310 smp_acquire__after_ctrl_dep(); 311 312 if (nf_ct_should_gc(ct)) { 313 nf_ct_kill(ct); 314 goto release; 315 } 316 317 /* we only want to print DIR_ORIGINAL */ 318 if (NF_CT_DIRECTION(hash)) 319 goto release; 320 321 if (!net_eq(nf_ct_net(ct), net)) 322 goto release; 323 324 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 325 326 ret = -ENOSPC; 327 seq_printf(s, "%-8s %u %-8s %u ", 328 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 329 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 330 331 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 332 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 333 334 if (l4proto->print_conntrack) 335 l4proto->print_conntrack(s, ct); 336 337 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 338 l4proto); 339 340 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 341 342 if (seq_has_overflowed(s)) 343 goto release; 344 345 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 346 goto release; 347 348 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 349 seq_puts(s, "[UNREPLIED] "); 350 351 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 352 353 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 354 355 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 356 goto release; 357 358 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 359 seq_puts(s, "[HW_OFFLOAD] "); 360 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 361 seq_puts(s, "[OFFLOAD] "); 362 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 363 seq_puts(s, "[ASSURED] "); 364 365 if (seq_has_overflowed(s)) 366 goto release; 367 368 #if defined(CONFIG_NF_CONNTRACK_MARK) 369 seq_printf(s, "mark=%u ", ct->mark); 370 #endif 371 372 ct_show_secctx(s, ct); 373 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 374 ct_show_delta_time(s, ct); 375 376 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use)); 377 378 if (seq_has_overflowed(s)) 379 goto release; 380 381 ret = 0; 382 release: 383 nf_ct_put(ct); 384 return ret; 385 } 386 387 static const struct seq_operations ct_seq_ops = { 388 .start = ct_seq_start, 389 .next = ct_seq_next, 390 .stop = ct_seq_stop, 391 .show = ct_seq_show 392 }; 393 394 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 395 { 396 struct net *net = seq_file_net(seq); 397 int cpu; 398 399 if (*pos == 0) 400 return SEQ_START_TOKEN; 401 402 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 403 if (!cpu_possible(cpu)) 404 continue; 405 *pos = cpu + 1; 406 return per_cpu_ptr(net->ct.stat, cpu); 407 } 408 409 return NULL; 410 } 411 412 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 413 { 414 struct net *net = seq_file_net(seq); 415 int cpu; 416 417 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 418 if (!cpu_possible(cpu)) 419 continue; 420 *pos = cpu + 1; 421 return per_cpu_ptr(net->ct.stat, cpu); 422 } 423 (*pos)++; 424 return NULL; 425 } 426 427 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 428 { 429 } 430 431 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 432 { 433 struct net *net = seq_file_net(seq); 434 const struct ip_conntrack_stat *st = v; 435 unsigned int nr_conntracks; 436 437 if (v == SEQ_START_TOKEN) { 438 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 439 return 0; 440 } 441 442 nr_conntracks = nf_conntrack_count(net); 443 444 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 445 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 446 nr_conntracks, 447 st->clash_resolve, 448 st->found, 449 0, 450 st->invalid, 451 0, 452 0, 453 st->chaintoolong, 454 st->insert, 455 st->insert_failed, 456 st->drop, 457 st->early_drop, 458 st->error, 459 460 st->expect_new, 461 st->expect_create, 462 st->expect_delete, 463 st->search_restart 464 ); 465 return 0; 466 } 467 468 static const struct seq_operations ct_cpu_seq_ops = { 469 .start = ct_cpu_seq_start, 470 .next = ct_cpu_seq_next, 471 .stop = ct_cpu_seq_stop, 472 .show = ct_cpu_seq_show, 473 }; 474 475 static int nf_conntrack_standalone_init_proc(struct net *net) 476 { 477 struct proc_dir_entry *pde; 478 kuid_t root_uid; 479 kgid_t root_gid; 480 481 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 482 sizeof(struct ct_iter_state)); 483 if (!pde) 484 goto out_nf_conntrack; 485 486 root_uid = make_kuid(net->user_ns, 0); 487 root_gid = make_kgid(net->user_ns, 0); 488 if (uid_valid(root_uid) && gid_valid(root_gid)) 489 proc_set_user(pde, root_uid, root_gid); 490 491 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 492 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 493 if (!pde) 494 goto out_stat_nf_conntrack; 495 return 0; 496 497 out_stat_nf_conntrack: 498 remove_proc_entry("nf_conntrack", net->proc_net); 499 out_nf_conntrack: 500 return -ENOMEM; 501 } 502 503 static void nf_conntrack_standalone_fini_proc(struct net *net) 504 { 505 remove_proc_entry("nf_conntrack", net->proc_net_stat); 506 remove_proc_entry("nf_conntrack", net->proc_net); 507 } 508 #else 509 static int nf_conntrack_standalone_init_proc(struct net *net) 510 { 511 return 0; 512 } 513 514 static void nf_conntrack_standalone_fini_proc(struct net *net) 515 { 516 } 517 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 518 519 u32 nf_conntrack_count(const struct net *net) 520 { 521 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 522 523 return atomic_read(&cnet->count); 524 } 525 EXPORT_SYMBOL_GPL(nf_conntrack_count); 526 527 /* Sysctl support */ 528 529 #ifdef CONFIG_SYSCTL 530 /* size the user *wants to set */ 531 static unsigned int nf_conntrack_htable_size_user __read_mostly; 532 533 static int 534 nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 535 void *buffer, size_t *lenp, loff_t *ppos) 536 { 537 int ret; 538 539 /* module_param hashsize could have changed value */ 540 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 541 542 ret = proc_dointvec(table, write, buffer, lenp, ppos); 543 if (ret < 0 || !write) 544 return ret; 545 546 /* update ret, we might not be able to satisfy request */ 547 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 548 549 /* update it to the actual value used by conntrack */ 550 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 551 return ret; 552 } 553 554 static struct ctl_table_header *nf_ct_netfilter_header; 555 556 enum nf_ct_sysctl_index { 557 NF_SYSCTL_CT_MAX, 558 NF_SYSCTL_CT_COUNT, 559 NF_SYSCTL_CT_BUCKETS, 560 NF_SYSCTL_CT_CHECKSUM, 561 NF_SYSCTL_CT_LOG_INVALID, 562 NF_SYSCTL_CT_EXPECT_MAX, 563 NF_SYSCTL_CT_ACCT, 564 #ifdef CONFIG_NF_CONNTRACK_EVENTS 565 NF_SYSCTL_CT_EVENTS, 566 #endif 567 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 568 NF_SYSCTL_CT_TIMESTAMP, 569 #endif 570 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 571 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 574 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 576 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 577 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 578 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 579 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 580 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 581 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 582 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 583 #endif 584 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 585 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 586 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST, 587 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 588 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 589 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 590 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 591 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 592 #endif 593 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 594 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 595 #ifdef CONFIG_NF_CT_PROTO_SCTP 596 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 597 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 598 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 600 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 601 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 602 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 603 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 604 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, 605 #endif 606 #ifdef CONFIG_NF_CT_PROTO_DCCP 607 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 608 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 609 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 610 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 611 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 612 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 613 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 614 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 615 #endif 616 #ifdef CONFIG_NF_CT_PROTO_GRE 617 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 618 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 619 #endif 620 #ifdef CONFIG_LWTUNNEL 621 NF_SYSCTL_CT_LWTUNNEL, 622 #endif 623 624 __NF_SYSCTL_CT_LAST_SYSCTL, 625 }; 626 627 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 628 629 static struct ctl_table nf_ct_sysctl_table[] = { 630 [NF_SYSCTL_CT_MAX] = { 631 .procname = "nf_conntrack_max", 632 .data = &nf_conntrack_max, 633 .maxlen = sizeof(int), 634 .mode = 0644, 635 .proc_handler = proc_dointvec, 636 }, 637 [NF_SYSCTL_CT_COUNT] = { 638 .procname = "nf_conntrack_count", 639 .maxlen = sizeof(int), 640 .mode = 0444, 641 .proc_handler = proc_dointvec, 642 }, 643 [NF_SYSCTL_CT_BUCKETS] = { 644 .procname = "nf_conntrack_buckets", 645 .data = &nf_conntrack_htable_size_user, 646 .maxlen = sizeof(unsigned int), 647 .mode = 0644, 648 .proc_handler = nf_conntrack_hash_sysctl, 649 }, 650 [NF_SYSCTL_CT_CHECKSUM] = { 651 .procname = "nf_conntrack_checksum", 652 .data = &init_net.ct.sysctl_checksum, 653 .maxlen = sizeof(u8), 654 .mode = 0644, 655 .proc_handler = proc_dou8vec_minmax, 656 .extra1 = SYSCTL_ZERO, 657 .extra2 = SYSCTL_ONE, 658 }, 659 [NF_SYSCTL_CT_LOG_INVALID] = { 660 .procname = "nf_conntrack_log_invalid", 661 .data = &init_net.ct.sysctl_log_invalid, 662 .maxlen = sizeof(u8), 663 .mode = 0644, 664 .proc_handler = proc_dou8vec_minmax, 665 }, 666 [NF_SYSCTL_CT_EXPECT_MAX] = { 667 .procname = "nf_conntrack_expect_max", 668 .data = &nf_ct_expect_max, 669 .maxlen = sizeof(int), 670 .mode = 0644, 671 .proc_handler = proc_dointvec, 672 }, 673 [NF_SYSCTL_CT_ACCT] = { 674 .procname = "nf_conntrack_acct", 675 .data = &init_net.ct.sysctl_acct, 676 .maxlen = sizeof(u8), 677 .mode = 0644, 678 .proc_handler = proc_dou8vec_minmax, 679 .extra1 = SYSCTL_ZERO, 680 .extra2 = SYSCTL_ONE, 681 }, 682 #ifdef CONFIG_NF_CONNTRACK_EVENTS 683 [NF_SYSCTL_CT_EVENTS] = { 684 .procname = "nf_conntrack_events", 685 .data = &init_net.ct.sysctl_events, 686 .maxlen = sizeof(u8), 687 .mode = 0644, 688 .proc_handler = proc_dou8vec_minmax, 689 .extra1 = SYSCTL_ZERO, 690 .extra2 = SYSCTL_TWO, 691 }, 692 #endif 693 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 694 [NF_SYSCTL_CT_TIMESTAMP] = { 695 .procname = "nf_conntrack_timestamp", 696 .data = &init_net.ct.sysctl_tstamp, 697 .maxlen = sizeof(u8), 698 .mode = 0644, 699 .proc_handler = proc_dou8vec_minmax, 700 .extra1 = SYSCTL_ZERO, 701 .extra2 = SYSCTL_ONE, 702 }, 703 #endif 704 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 705 .procname = "nf_conntrack_generic_timeout", 706 .maxlen = sizeof(unsigned int), 707 .mode = 0644, 708 .proc_handler = proc_dointvec_jiffies, 709 }, 710 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 711 .procname = "nf_conntrack_tcp_timeout_syn_sent", 712 .maxlen = sizeof(unsigned int), 713 .mode = 0644, 714 .proc_handler = proc_dointvec_jiffies, 715 }, 716 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 717 .procname = "nf_conntrack_tcp_timeout_syn_recv", 718 .maxlen = sizeof(unsigned int), 719 .mode = 0644, 720 .proc_handler = proc_dointvec_jiffies, 721 }, 722 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 723 .procname = "nf_conntrack_tcp_timeout_established", 724 .maxlen = sizeof(unsigned int), 725 .mode = 0644, 726 .proc_handler = proc_dointvec_jiffies, 727 }, 728 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 729 .procname = "nf_conntrack_tcp_timeout_fin_wait", 730 .maxlen = sizeof(unsigned int), 731 .mode = 0644, 732 .proc_handler = proc_dointvec_jiffies, 733 }, 734 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 735 .procname = "nf_conntrack_tcp_timeout_close_wait", 736 .maxlen = sizeof(unsigned int), 737 .mode = 0644, 738 .proc_handler = proc_dointvec_jiffies, 739 }, 740 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 741 .procname = "nf_conntrack_tcp_timeout_last_ack", 742 .maxlen = sizeof(unsigned int), 743 .mode = 0644, 744 .proc_handler = proc_dointvec_jiffies, 745 }, 746 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 747 .procname = "nf_conntrack_tcp_timeout_time_wait", 748 .maxlen = sizeof(unsigned int), 749 .mode = 0644, 750 .proc_handler = proc_dointvec_jiffies, 751 }, 752 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 753 .procname = "nf_conntrack_tcp_timeout_close", 754 .maxlen = sizeof(unsigned int), 755 .mode = 0644, 756 .proc_handler = proc_dointvec_jiffies, 757 }, 758 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 759 .procname = "nf_conntrack_tcp_timeout_max_retrans", 760 .maxlen = sizeof(unsigned int), 761 .mode = 0644, 762 .proc_handler = proc_dointvec_jiffies, 763 }, 764 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 765 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 766 .maxlen = sizeof(unsigned int), 767 .mode = 0644, 768 .proc_handler = proc_dointvec_jiffies, 769 }, 770 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 771 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 772 .procname = "nf_flowtable_tcp_timeout", 773 .maxlen = sizeof(unsigned int), 774 .mode = 0644, 775 .proc_handler = proc_dointvec_jiffies, 776 }, 777 #endif 778 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 779 .procname = "nf_conntrack_tcp_loose", 780 .maxlen = sizeof(u8), 781 .mode = 0644, 782 .proc_handler = proc_dou8vec_minmax, 783 .extra1 = SYSCTL_ZERO, 784 .extra2 = SYSCTL_ONE, 785 }, 786 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 787 .procname = "nf_conntrack_tcp_be_liberal", 788 .maxlen = sizeof(u8), 789 .mode = 0644, 790 .proc_handler = proc_dou8vec_minmax, 791 .extra1 = SYSCTL_ZERO, 792 .extra2 = SYSCTL_ONE, 793 }, 794 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = { 795 .procname = "nf_conntrack_tcp_ignore_invalid_rst", 796 .maxlen = sizeof(u8), 797 .mode = 0644, 798 .proc_handler = proc_dou8vec_minmax, 799 .extra1 = SYSCTL_ZERO, 800 .extra2 = SYSCTL_ONE, 801 }, 802 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 803 .procname = "nf_conntrack_tcp_max_retrans", 804 .maxlen = sizeof(u8), 805 .mode = 0644, 806 .proc_handler = proc_dou8vec_minmax, 807 }, 808 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 809 .procname = "nf_conntrack_udp_timeout", 810 .maxlen = sizeof(unsigned int), 811 .mode = 0644, 812 .proc_handler = proc_dointvec_jiffies, 813 }, 814 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 815 .procname = "nf_conntrack_udp_timeout_stream", 816 .maxlen = sizeof(unsigned int), 817 .mode = 0644, 818 .proc_handler = proc_dointvec_jiffies, 819 }, 820 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 821 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 822 .procname = "nf_flowtable_udp_timeout", 823 .maxlen = sizeof(unsigned int), 824 .mode = 0644, 825 .proc_handler = proc_dointvec_jiffies, 826 }, 827 #endif 828 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 829 .procname = "nf_conntrack_icmp_timeout", 830 .maxlen = sizeof(unsigned int), 831 .mode = 0644, 832 .proc_handler = proc_dointvec_jiffies, 833 }, 834 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 835 .procname = "nf_conntrack_icmpv6_timeout", 836 .maxlen = sizeof(unsigned int), 837 .mode = 0644, 838 .proc_handler = proc_dointvec_jiffies, 839 }, 840 #ifdef CONFIG_NF_CT_PROTO_SCTP 841 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 842 .procname = "nf_conntrack_sctp_timeout_closed", 843 .maxlen = sizeof(unsigned int), 844 .mode = 0644, 845 .proc_handler = proc_dointvec_jiffies, 846 }, 847 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 848 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 849 .maxlen = sizeof(unsigned int), 850 .mode = 0644, 851 .proc_handler = proc_dointvec_jiffies, 852 }, 853 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 854 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 855 .maxlen = sizeof(unsigned int), 856 .mode = 0644, 857 .proc_handler = proc_dointvec_jiffies, 858 }, 859 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 860 .procname = "nf_conntrack_sctp_timeout_established", 861 .maxlen = sizeof(unsigned int), 862 .mode = 0644, 863 .proc_handler = proc_dointvec_jiffies, 864 }, 865 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 866 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 867 .maxlen = sizeof(unsigned int), 868 .mode = 0644, 869 .proc_handler = proc_dointvec_jiffies, 870 }, 871 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 872 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 873 .maxlen = sizeof(unsigned int), 874 .mode = 0644, 875 .proc_handler = proc_dointvec_jiffies, 876 }, 877 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 878 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 879 .maxlen = sizeof(unsigned int), 880 .mode = 0644, 881 .proc_handler = proc_dointvec_jiffies, 882 }, 883 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 884 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 885 .maxlen = sizeof(unsigned int), 886 .mode = 0644, 887 .proc_handler = proc_dointvec_jiffies, 888 }, 889 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { 890 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked", 891 .maxlen = sizeof(unsigned int), 892 .mode = 0644, 893 .proc_handler = proc_dointvec_jiffies, 894 }, 895 #endif 896 #ifdef CONFIG_NF_CT_PROTO_DCCP 897 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 898 .procname = "nf_conntrack_dccp_timeout_request", 899 .maxlen = sizeof(unsigned int), 900 .mode = 0644, 901 .proc_handler = proc_dointvec_jiffies, 902 }, 903 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 904 .procname = "nf_conntrack_dccp_timeout_respond", 905 .maxlen = sizeof(unsigned int), 906 .mode = 0644, 907 .proc_handler = proc_dointvec_jiffies, 908 }, 909 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 910 .procname = "nf_conntrack_dccp_timeout_partopen", 911 .maxlen = sizeof(unsigned int), 912 .mode = 0644, 913 .proc_handler = proc_dointvec_jiffies, 914 }, 915 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 916 .procname = "nf_conntrack_dccp_timeout_open", 917 .maxlen = sizeof(unsigned int), 918 .mode = 0644, 919 .proc_handler = proc_dointvec_jiffies, 920 }, 921 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 922 .procname = "nf_conntrack_dccp_timeout_closereq", 923 .maxlen = sizeof(unsigned int), 924 .mode = 0644, 925 .proc_handler = proc_dointvec_jiffies, 926 }, 927 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 928 .procname = "nf_conntrack_dccp_timeout_closing", 929 .maxlen = sizeof(unsigned int), 930 .mode = 0644, 931 .proc_handler = proc_dointvec_jiffies, 932 }, 933 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 934 .procname = "nf_conntrack_dccp_timeout_timewait", 935 .maxlen = sizeof(unsigned int), 936 .mode = 0644, 937 .proc_handler = proc_dointvec_jiffies, 938 }, 939 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 940 .procname = "nf_conntrack_dccp_loose", 941 .maxlen = sizeof(u8), 942 .mode = 0644, 943 .proc_handler = proc_dou8vec_minmax, 944 .extra1 = SYSCTL_ZERO, 945 .extra2 = SYSCTL_ONE, 946 }, 947 #endif 948 #ifdef CONFIG_NF_CT_PROTO_GRE 949 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 950 .procname = "nf_conntrack_gre_timeout", 951 .maxlen = sizeof(unsigned int), 952 .mode = 0644, 953 .proc_handler = proc_dointvec_jiffies, 954 }, 955 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 956 .procname = "nf_conntrack_gre_timeout_stream", 957 .maxlen = sizeof(unsigned int), 958 .mode = 0644, 959 .proc_handler = proc_dointvec_jiffies, 960 }, 961 #endif 962 #ifdef CONFIG_LWTUNNEL 963 [NF_SYSCTL_CT_LWTUNNEL] = { 964 .procname = "nf_hooks_lwtunnel", 965 .data = NULL, 966 .maxlen = sizeof(int), 967 .mode = 0644, 968 .proc_handler = nf_hooks_lwtunnel_sysctl_handler, 969 }, 970 #endif 971 {} 972 }; 973 974 static struct ctl_table nf_ct_netfilter_table[] = { 975 { 976 .procname = "nf_conntrack_max", 977 .data = &nf_conntrack_max, 978 .maxlen = sizeof(int), 979 .mode = 0644, 980 .proc_handler = proc_dointvec, 981 }, 982 { } 983 }; 984 985 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 986 struct ctl_table *table) 987 { 988 struct nf_tcp_net *tn = nf_tcp_pernet(net); 989 990 #define XASSIGN(XNAME, tn) \ 991 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 992 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 993 994 XASSIGN(SYN_SENT, tn); 995 XASSIGN(SYN_RECV, tn); 996 XASSIGN(ESTABLISHED, tn); 997 XASSIGN(FIN_WAIT, tn); 998 XASSIGN(CLOSE_WAIT, tn); 999 XASSIGN(LAST_ACK, tn); 1000 XASSIGN(TIME_WAIT, tn); 1001 XASSIGN(CLOSE, tn); 1002 XASSIGN(RETRANS, tn); 1003 XASSIGN(UNACK, tn); 1004 #undef XASSIGN 1005 #define XASSIGN(XNAME, rval) \ 1006 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 1007 1008 XASSIGN(LOOSE, &tn->tcp_loose); 1009 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 1010 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 1011 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst); 1012 #undef XASSIGN 1013 1014 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1015 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 1016 #endif 1017 1018 } 1019 1020 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 1021 struct ctl_table *table) 1022 { 1023 #ifdef CONFIG_NF_CT_PROTO_SCTP 1024 struct nf_sctp_net *sn = nf_sctp_pernet(net); 1025 1026 #define XASSIGN(XNAME, sn) \ 1027 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 1028 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 1029 1030 XASSIGN(CLOSED, sn); 1031 XASSIGN(COOKIE_WAIT, sn); 1032 XASSIGN(COOKIE_ECHOED, sn); 1033 XASSIGN(ESTABLISHED, sn); 1034 XASSIGN(SHUTDOWN_SENT, sn); 1035 XASSIGN(SHUTDOWN_RECD, sn); 1036 XASSIGN(SHUTDOWN_ACK_SENT, sn); 1037 XASSIGN(HEARTBEAT_SENT, sn); 1038 XASSIGN(HEARTBEAT_ACKED, sn); 1039 #undef XASSIGN 1040 #endif 1041 } 1042 1043 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 1044 struct ctl_table *table) 1045 { 1046 #ifdef CONFIG_NF_CT_PROTO_DCCP 1047 struct nf_dccp_net *dn = nf_dccp_pernet(net); 1048 1049 #define XASSIGN(XNAME, dn) \ 1050 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1051 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1052 1053 XASSIGN(REQUEST, dn); 1054 XASSIGN(RESPOND, dn); 1055 XASSIGN(PARTOPEN, dn); 1056 XASSIGN(OPEN, dn); 1057 XASSIGN(CLOSEREQ, dn); 1058 XASSIGN(CLOSING, dn); 1059 XASSIGN(TIMEWAIT, dn); 1060 #undef XASSIGN 1061 1062 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1063 #endif 1064 } 1065 1066 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1067 struct ctl_table *table) 1068 { 1069 #ifdef CONFIG_NF_CT_PROTO_GRE 1070 struct nf_gre_net *gn = nf_gre_pernet(net); 1071 1072 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1073 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1074 #endif 1075 } 1076 1077 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1078 { 1079 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1080 struct nf_udp_net *un = nf_udp_pernet(net); 1081 struct ctl_table *table; 1082 1083 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1084 1085 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1086 GFP_KERNEL); 1087 if (!table) 1088 return -ENOMEM; 1089 1090 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1091 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1092 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1093 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1094 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1095 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1096 #endif 1097 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1098 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1099 #endif 1100 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1101 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1102 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1103 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1104 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1105 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1106 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1107 #endif 1108 1109 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1110 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1111 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1112 nf_conntrack_standalone_init_gre_sysctl(net, table); 1113 1114 /* Don't allow non-init_net ns to alter global sysctls */ 1115 if (!net_eq(&init_net, net)) { 1116 table[NF_SYSCTL_CT_MAX].mode = 0444; 1117 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1118 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1119 } 1120 1121 cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1122 if (!cnet->sysctl_header) 1123 goto out_unregister_netfilter; 1124 1125 return 0; 1126 1127 out_unregister_netfilter: 1128 kfree(table); 1129 return -ENOMEM; 1130 } 1131 1132 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1133 { 1134 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1135 struct ctl_table *table; 1136 1137 table = cnet->sysctl_header->ctl_table_arg; 1138 unregister_net_sysctl_table(cnet->sysctl_header); 1139 kfree(table); 1140 } 1141 #else 1142 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1143 { 1144 return 0; 1145 } 1146 1147 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1148 { 1149 } 1150 #endif /* CONFIG_SYSCTL */ 1151 1152 static void nf_conntrack_fini_net(struct net *net) 1153 { 1154 if (enable_hooks) 1155 nf_ct_netns_put(net, NFPROTO_INET); 1156 1157 nf_conntrack_standalone_fini_proc(net); 1158 nf_conntrack_standalone_fini_sysctl(net); 1159 } 1160 1161 static int nf_conntrack_pernet_init(struct net *net) 1162 { 1163 int ret; 1164 1165 net->ct.sysctl_checksum = 1; 1166 1167 ret = nf_conntrack_standalone_init_sysctl(net); 1168 if (ret < 0) 1169 return ret; 1170 1171 ret = nf_conntrack_standalone_init_proc(net); 1172 if (ret < 0) 1173 goto out_proc; 1174 1175 ret = nf_conntrack_init_net(net); 1176 if (ret < 0) 1177 goto out_init_net; 1178 1179 if (enable_hooks) { 1180 ret = nf_ct_netns_get(net, NFPROTO_INET); 1181 if (ret < 0) 1182 goto out_hooks; 1183 } 1184 1185 return 0; 1186 1187 out_hooks: 1188 nf_conntrack_cleanup_net(net); 1189 out_init_net: 1190 nf_conntrack_standalone_fini_proc(net); 1191 out_proc: 1192 nf_conntrack_standalone_fini_sysctl(net); 1193 return ret; 1194 } 1195 1196 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1197 { 1198 struct net *net; 1199 1200 list_for_each_entry(net, net_exit_list, exit_list) 1201 nf_conntrack_fini_net(net); 1202 1203 nf_conntrack_cleanup_net_list(net_exit_list); 1204 } 1205 1206 static struct pernet_operations nf_conntrack_net_ops = { 1207 .init = nf_conntrack_pernet_init, 1208 .exit_batch = nf_conntrack_pernet_exit, 1209 .id = &nf_conntrack_net_id, 1210 .size = sizeof(struct nf_conntrack_net), 1211 }; 1212 1213 static int __init nf_conntrack_standalone_init(void) 1214 { 1215 int ret = nf_conntrack_init_start(); 1216 if (ret < 0) 1217 goto out_start; 1218 1219 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1220 1221 #ifdef CONFIG_SYSCTL 1222 nf_ct_netfilter_header = 1223 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1224 if (!nf_ct_netfilter_header) { 1225 pr_err("nf_conntrack: can't register to sysctl.\n"); 1226 ret = -ENOMEM; 1227 goto out_sysctl; 1228 } 1229 1230 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1231 #endif 1232 1233 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1234 if (ret < 0) 1235 goto out_pernet; 1236 1237 nf_conntrack_init_end(); 1238 return 0; 1239 1240 out_pernet: 1241 #ifdef CONFIG_SYSCTL 1242 unregister_net_sysctl_table(nf_ct_netfilter_header); 1243 out_sysctl: 1244 #endif 1245 nf_conntrack_cleanup_end(); 1246 out_start: 1247 return ret; 1248 } 1249 1250 static void __exit nf_conntrack_standalone_fini(void) 1251 { 1252 nf_conntrack_cleanup_start(); 1253 unregister_pernet_subsys(&nf_conntrack_net_ops); 1254 #ifdef CONFIG_SYSCTL 1255 unregister_net_sysctl_table(nf_ct_netfilter_header); 1256 #endif 1257 nf_conntrack_cleanup_end(); 1258 } 1259 1260 module_init(nf_conntrack_standalone_init); 1261 module_exit(nf_conntrack_standalone_fini); 1262