1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_conntrack.h> 18 #include <net/netfilter/nf_conntrack_core.h> 19 #include <net/netfilter/nf_conntrack_l4proto.h> 20 #include <net/netfilter/nf_conntrack_expect.h> 21 #include <net/netfilter/nf_conntrack_helper.h> 22 #include <net/netfilter/nf_conntrack_acct.h> 23 #include <net/netfilter/nf_conntrack_zones.h> 24 #include <net/netfilter/nf_conntrack_timestamp.h> 25 #include <linux/rculist_nulls.h> 26 27 static bool enable_hooks __read_mostly; 28 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 29 module_param(enable_hooks, bool, 0000); 30 31 unsigned int nf_conntrack_net_id __read_mostly; 32 33 #ifdef CONFIG_NF_CONNTRACK_PROCFS 34 void 35 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 36 const struct nf_conntrack_l4proto *l4proto) 37 { 38 switch (tuple->src.l3num) { 39 case NFPROTO_IPV4: 40 seq_printf(s, "src=%pI4 dst=%pI4 ", 41 &tuple->src.u3.ip, &tuple->dst.u3.ip); 42 break; 43 case NFPROTO_IPV6: 44 seq_printf(s, "src=%pI6 dst=%pI6 ", 45 tuple->src.u3.ip6, tuple->dst.u3.ip6); 46 break; 47 default: 48 break; 49 } 50 51 switch (l4proto->l4proto) { 52 case IPPROTO_ICMP: 53 seq_printf(s, "type=%u code=%u id=%u ", 54 tuple->dst.u.icmp.type, 55 tuple->dst.u.icmp.code, 56 ntohs(tuple->src.u.icmp.id)); 57 break; 58 case IPPROTO_TCP: 59 seq_printf(s, "sport=%hu dport=%hu ", 60 ntohs(tuple->src.u.tcp.port), 61 ntohs(tuple->dst.u.tcp.port)); 62 break; 63 case IPPROTO_UDPLITE: 64 case IPPROTO_UDP: 65 seq_printf(s, "sport=%hu dport=%hu ", 66 ntohs(tuple->src.u.udp.port), 67 ntohs(tuple->dst.u.udp.port)); 68 69 break; 70 case IPPROTO_DCCP: 71 seq_printf(s, "sport=%hu dport=%hu ", 72 ntohs(tuple->src.u.dccp.port), 73 ntohs(tuple->dst.u.dccp.port)); 74 break; 75 case IPPROTO_SCTP: 76 seq_printf(s, "sport=%hu dport=%hu ", 77 ntohs(tuple->src.u.sctp.port), 78 ntohs(tuple->dst.u.sctp.port)); 79 break; 80 case IPPROTO_ICMPV6: 81 seq_printf(s, "type=%u code=%u id=%u ", 82 tuple->dst.u.icmp.type, 83 tuple->dst.u.icmp.code, 84 ntohs(tuple->src.u.icmp.id)); 85 break; 86 case IPPROTO_GRE: 87 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 88 ntohs(tuple->src.u.gre.key), 89 ntohs(tuple->dst.u.gre.key)); 90 break; 91 default: 92 break; 93 } 94 } 95 EXPORT_SYMBOL_GPL(print_tuple); 96 97 struct ct_iter_state { 98 struct seq_net_private p; 99 struct hlist_nulls_head *hash; 100 unsigned int htable_size; 101 unsigned int bucket; 102 u_int64_t time_now; 103 }; 104 105 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 106 { 107 struct ct_iter_state *st = seq->private; 108 struct hlist_nulls_node *n; 109 110 for (st->bucket = 0; 111 st->bucket < st->htable_size; 112 st->bucket++) { 113 n = rcu_dereference( 114 hlist_nulls_first_rcu(&st->hash[st->bucket])); 115 if (!is_a_nulls(n)) 116 return n; 117 } 118 return NULL; 119 } 120 121 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 122 struct hlist_nulls_node *head) 123 { 124 struct ct_iter_state *st = seq->private; 125 126 head = rcu_dereference(hlist_nulls_next_rcu(head)); 127 while (is_a_nulls(head)) { 128 if (likely(get_nulls_value(head) == st->bucket)) { 129 if (++st->bucket >= st->htable_size) 130 return NULL; 131 } 132 head = rcu_dereference( 133 hlist_nulls_first_rcu(&st->hash[st->bucket])); 134 } 135 return head; 136 } 137 138 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 139 { 140 struct hlist_nulls_node *head = ct_get_first(seq); 141 142 if (head) 143 while (pos && (head = ct_get_next(seq, head))) 144 pos--; 145 return pos ? NULL : head; 146 } 147 148 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 149 __acquires(RCU) 150 { 151 struct ct_iter_state *st = seq->private; 152 153 st->time_now = ktime_get_real_ns(); 154 rcu_read_lock(); 155 156 nf_conntrack_get_ht(&st->hash, &st->htable_size); 157 return ct_get_idx(seq, *pos); 158 } 159 160 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 161 { 162 (*pos)++; 163 return ct_get_next(s, v); 164 } 165 166 static void ct_seq_stop(struct seq_file *s, void *v) 167 __releases(RCU) 168 { 169 rcu_read_unlock(); 170 } 171 172 #ifdef CONFIG_NF_CONNTRACK_SECMARK 173 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 174 { 175 int ret; 176 u32 len; 177 char *secctx; 178 179 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 180 if (ret) 181 return; 182 183 seq_printf(s, "secctx=%s ", secctx); 184 185 security_release_secctx(secctx, len); 186 } 187 #else 188 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 189 { 190 } 191 #endif 192 193 #ifdef CONFIG_NF_CONNTRACK_ZONES 194 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 195 int dir) 196 { 197 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 198 199 if (zone->dir != dir) 200 return; 201 switch (zone->dir) { 202 case NF_CT_DEFAULT_ZONE_DIR: 203 seq_printf(s, "zone=%u ", zone->id); 204 break; 205 case NF_CT_ZONE_DIR_ORIG: 206 seq_printf(s, "zone-orig=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_REPL: 209 seq_printf(s, "zone-reply=%u ", zone->id); 210 break; 211 default: 212 break; 213 } 214 } 215 #else 216 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 217 int dir) 218 { 219 } 220 #endif 221 222 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 223 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 224 { 225 struct ct_iter_state *st = s->private; 226 struct nf_conn_tstamp *tstamp; 227 s64 delta_time; 228 229 tstamp = nf_conn_tstamp_find(ct); 230 if (tstamp) { 231 delta_time = st->time_now - tstamp->start; 232 if (delta_time > 0) 233 delta_time = div_s64(delta_time, NSEC_PER_SEC); 234 else 235 delta_time = 0; 236 237 seq_printf(s, "delta-time=%llu ", 238 (unsigned long long)delta_time); 239 } 240 return; 241 } 242 #else 243 static inline void 244 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 245 { 246 } 247 #endif 248 249 static const char* l3proto_name(u16 proto) 250 { 251 switch (proto) { 252 case AF_INET: return "ipv4"; 253 case AF_INET6: return "ipv6"; 254 } 255 256 return "unknown"; 257 } 258 259 static const char* l4proto_name(u16 proto) 260 { 261 switch (proto) { 262 case IPPROTO_ICMP: return "icmp"; 263 case IPPROTO_TCP: return "tcp"; 264 case IPPROTO_UDP: return "udp"; 265 case IPPROTO_DCCP: return "dccp"; 266 case IPPROTO_GRE: return "gre"; 267 case IPPROTO_SCTP: return "sctp"; 268 case IPPROTO_UDPLITE: return "udplite"; 269 case IPPROTO_ICMPV6: return "icmpv6"; 270 } 271 272 return "unknown"; 273 } 274 275 static unsigned int 276 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 277 { 278 struct nf_conn_acct *acct; 279 struct nf_conn_counter *counter; 280 281 acct = nf_conn_acct_find(ct); 282 if (!acct) 283 return 0; 284 285 counter = acct->counter; 286 seq_printf(s, "packets=%llu bytes=%llu ", 287 (unsigned long long)atomic64_read(&counter[dir].packets), 288 (unsigned long long)atomic64_read(&counter[dir].bytes)); 289 290 return 0; 291 } 292 293 /* return 0 on success, 1 in case of error */ 294 static int ct_seq_show(struct seq_file *s, void *v) 295 { 296 struct nf_conntrack_tuple_hash *hash = v; 297 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 298 const struct nf_conntrack_l4proto *l4proto; 299 struct net *net = seq_file_net(s); 300 int ret = 0; 301 302 WARN_ON(!ct); 303 if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use))) 304 return 0; 305 306 if (nf_ct_should_gc(ct)) { 307 nf_ct_kill(ct); 308 goto release; 309 } 310 311 /* we only want to print DIR_ORIGINAL */ 312 if (NF_CT_DIRECTION(hash)) 313 goto release; 314 315 if (!net_eq(nf_ct_net(ct), net)) 316 goto release; 317 318 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 319 320 ret = -ENOSPC; 321 seq_printf(s, "%-8s %u %-8s %u ", 322 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 323 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 324 325 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 326 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 327 328 if (l4proto->print_conntrack) 329 l4proto->print_conntrack(s, ct); 330 331 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 332 l4proto); 333 334 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 335 336 if (seq_has_overflowed(s)) 337 goto release; 338 339 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 340 goto release; 341 342 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 343 seq_puts(s, "[UNREPLIED] "); 344 345 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 346 347 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 348 349 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 350 goto release; 351 352 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 353 seq_puts(s, "[HW_OFFLOAD] "); 354 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 355 seq_puts(s, "[OFFLOAD] "); 356 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 357 seq_puts(s, "[ASSURED] "); 358 359 if (seq_has_overflowed(s)) 360 goto release; 361 362 #if defined(CONFIG_NF_CONNTRACK_MARK) 363 seq_printf(s, "mark=%u ", ct->mark); 364 #endif 365 366 ct_show_secctx(s, ct); 367 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 368 ct_show_delta_time(s, ct); 369 370 seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)); 371 372 if (seq_has_overflowed(s)) 373 goto release; 374 375 ret = 0; 376 release: 377 nf_ct_put(ct); 378 return ret; 379 } 380 381 static const struct seq_operations ct_seq_ops = { 382 .start = ct_seq_start, 383 .next = ct_seq_next, 384 .stop = ct_seq_stop, 385 .show = ct_seq_show 386 }; 387 388 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 389 { 390 struct net *net = seq_file_net(seq); 391 int cpu; 392 393 if (*pos == 0) 394 return SEQ_START_TOKEN; 395 396 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 397 if (!cpu_possible(cpu)) 398 continue; 399 *pos = cpu + 1; 400 return per_cpu_ptr(net->ct.stat, cpu); 401 } 402 403 return NULL; 404 } 405 406 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 407 { 408 struct net *net = seq_file_net(seq); 409 int cpu; 410 411 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 412 if (!cpu_possible(cpu)) 413 continue; 414 *pos = cpu + 1; 415 return per_cpu_ptr(net->ct.stat, cpu); 416 } 417 (*pos)++; 418 return NULL; 419 } 420 421 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 422 { 423 } 424 425 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 426 { 427 struct net *net = seq_file_net(seq); 428 const struct ip_conntrack_stat *st = v; 429 unsigned int nr_conntracks; 430 431 if (v == SEQ_START_TOKEN) { 432 seq_puts(seq, "entries clashres found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 433 return 0; 434 } 435 436 nr_conntracks = nf_conntrack_count(net); 437 438 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 439 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 440 nr_conntracks, 441 st->clash_resolve, 442 st->found, 443 0, 444 st->invalid, 445 0, 446 0, 447 0, 448 st->insert, 449 st->insert_failed, 450 st->drop, 451 st->early_drop, 452 st->error, 453 454 st->expect_new, 455 st->expect_create, 456 st->expect_delete, 457 st->search_restart 458 ); 459 return 0; 460 } 461 462 static const struct seq_operations ct_cpu_seq_ops = { 463 .start = ct_cpu_seq_start, 464 .next = ct_cpu_seq_next, 465 .stop = ct_cpu_seq_stop, 466 .show = ct_cpu_seq_show, 467 }; 468 469 static int nf_conntrack_standalone_init_proc(struct net *net) 470 { 471 struct proc_dir_entry *pde; 472 kuid_t root_uid; 473 kgid_t root_gid; 474 475 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 476 sizeof(struct ct_iter_state)); 477 if (!pde) 478 goto out_nf_conntrack; 479 480 root_uid = make_kuid(net->user_ns, 0); 481 root_gid = make_kgid(net->user_ns, 0); 482 if (uid_valid(root_uid) && gid_valid(root_gid)) 483 proc_set_user(pde, root_uid, root_gid); 484 485 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 486 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 487 if (!pde) 488 goto out_stat_nf_conntrack; 489 return 0; 490 491 out_stat_nf_conntrack: 492 remove_proc_entry("nf_conntrack", net->proc_net); 493 out_nf_conntrack: 494 return -ENOMEM; 495 } 496 497 static void nf_conntrack_standalone_fini_proc(struct net *net) 498 { 499 remove_proc_entry("nf_conntrack", net->proc_net_stat); 500 remove_proc_entry("nf_conntrack", net->proc_net); 501 } 502 #else 503 static int nf_conntrack_standalone_init_proc(struct net *net) 504 { 505 return 0; 506 } 507 508 static void nf_conntrack_standalone_fini_proc(struct net *net) 509 { 510 } 511 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 512 513 u32 nf_conntrack_count(const struct net *net) 514 { 515 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 516 517 return atomic_read(&cnet->count); 518 } 519 EXPORT_SYMBOL_GPL(nf_conntrack_count); 520 521 /* Sysctl support */ 522 523 #ifdef CONFIG_SYSCTL 524 /* size the user *wants to set */ 525 static unsigned int nf_conntrack_htable_size_user __read_mostly; 526 527 static int 528 nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 529 void *buffer, size_t *lenp, loff_t *ppos) 530 { 531 int ret; 532 533 /* module_param hashsize could have changed value */ 534 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 535 536 ret = proc_dointvec(table, write, buffer, lenp, ppos); 537 if (ret < 0 || !write) 538 return ret; 539 540 /* update ret, we might not be able to satisfy request */ 541 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 542 543 /* update it to the actual value used by conntrack */ 544 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 545 return ret; 546 } 547 548 static struct ctl_table_header *nf_ct_netfilter_header; 549 550 enum nf_ct_sysctl_index { 551 NF_SYSCTL_CT_MAX, 552 NF_SYSCTL_CT_COUNT, 553 NF_SYSCTL_CT_BUCKETS, 554 NF_SYSCTL_CT_CHECKSUM, 555 NF_SYSCTL_CT_LOG_INVALID, 556 NF_SYSCTL_CT_EXPECT_MAX, 557 NF_SYSCTL_CT_ACCT, 558 NF_SYSCTL_CT_HELPER, 559 #ifdef CONFIG_NF_CONNTRACK_EVENTS 560 NF_SYSCTL_CT_EVENTS, 561 #endif 562 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 563 NF_SYSCTL_CT_TIMESTAMP, 564 #endif 565 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 566 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 567 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 568 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 569 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 570 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 571 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 574 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 576 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 577 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 578 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD_PICKUP, 579 #endif 580 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 581 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 582 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 583 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 584 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 585 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 586 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 587 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD_PICKUP, 588 #endif 589 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 590 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 591 #ifdef CONFIG_NF_CT_PROTO_SCTP 592 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 593 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 594 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 595 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 596 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 597 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 598 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 600 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, 601 #endif 602 #ifdef CONFIG_NF_CT_PROTO_DCCP 603 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 604 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 605 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 606 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 607 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 608 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 609 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 610 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 611 #endif 612 #ifdef CONFIG_NF_CT_PROTO_GRE 613 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 614 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 615 #endif 616 617 __NF_SYSCTL_CT_LAST_SYSCTL, 618 }; 619 620 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 621 622 static struct ctl_table nf_ct_sysctl_table[] = { 623 [NF_SYSCTL_CT_MAX] = { 624 .procname = "nf_conntrack_max", 625 .data = &nf_conntrack_max, 626 .maxlen = sizeof(int), 627 .mode = 0644, 628 .proc_handler = proc_dointvec, 629 }, 630 [NF_SYSCTL_CT_COUNT] = { 631 .procname = "nf_conntrack_count", 632 .maxlen = sizeof(int), 633 .mode = 0444, 634 .proc_handler = proc_dointvec, 635 }, 636 [NF_SYSCTL_CT_BUCKETS] = { 637 .procname = "nf_conntrack_buckets", 638 .data = &nf_conntrack_htable_size_user, 639 .maxlen = sizeof(unsigned int), 640 .mode = 0644, 641 .proc_handler = nf_conntrack_hash_sysctl, 642 }, 643 [NF_SYSCTL_CT_CHECKSUM] = { 644 .procname = "nf_conntrack_checksum", 645 .data = &init_net.ct.sysctl_checksum, 646 .maxlen = sizeof(u8), 647 .mode = 0644, 648 .proc_handler = proc_dou8vec_minmax, 649 .extra1 = SYSCTL_ZERO, 650 .extra2 = SYSCTL_ONE, 651 }, 652 [NF_SYSCTL_CT_LOG_INVALID] = { 653 .procname = "nf_conntrack_log_invalid", 654 .data = &init_net.ct.sysctl_log_invalid, 655 .maxlen = sizeof(u8), 656 .mode = 0644, 657 .proc_handler = proc_dou8vec_minmax, 658 }, 659 [NF_SYSCTL_CT_EXPECT_MAX] = { 660 .procname = "nf_conntrack_expect_max", 661 .data = &nf_ct_expect_max, 662 .maxlen = sizeof(int), 663 .mode = 0644, 664 .proc_handler = proc_dointvec, 665 }, 666 [NF_SYSCTL_CT_ACCT] = { 667 .procname = "nf_conntrack_acct", 668 .data = &init_net.ct.sysctl_acct, 669 .maxlen = sizeof(u8), 670 .mode = 0644, 671 .proc_handler = proc_dou8vec_minmax, 672 .extra1 = SYSCTL_ZERO, 673 .extra2 = SYSCTL_ONE, 674 }, 675 [NF_SYSCTL_CT_HELPER] = { 676 .procname = "nf_conntrack_helper", 677 .maxlen = sizeof(u8), 678 .mode = 0644, 679 .proc_handler = proc_dou8vec_minmax, 680 .extra1 = SYSCTL_ZERO, 681 .extra2 = SYSCTL_ONE, 682 }, 683 #ifdef CONFIG_NF_CONNTRACK_EVENTS 684 [NF_SYSCTL_CT_EVENTS] = { 685 .procname = "nf_conntrack_events", 686 .data = &init_net.ct.sysctl_events, 687 .maxlen = sizeof(u8), 688 .mode = 0644, 689 .proc_handler = proc_dou8vec_minmax, 690 .extra1 = SYSCTL_ZERO, 691 .extra2 = SYSCTL_ONE, 692 }, 693 #endif 694 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 695 [NF_SYSCTL_CT_TIMESTAMP] = { 696 .procname = "nf_conntrack_timestamp", 697 .data = &init_net.ct.sysctl_tstamp, 698 .maxlen = sizeof(u8), 699 .mode = 0644, 700 .proc_handler = proc_dou8vec_minmax, 701 .extra1 = SYSCTL_ZERO, 702 .extra2 = SYSCTL_ONE, 703 }, 704 #endif 705 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 706 .procname = "nf_conntrack_generic_timeout", 707 .maxlen = sizeof(unsigned int), 708 .mode = 0644, 709 .proc_handler = proc_dointvec_jiffies, 710 }, 711 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 712 .procname = "nf_conntrack_tcp_timeout_syn_sent", 713 .maxlen = sizeof(unsigned int), 714 .mode = 0644, 715 .proc_handler = proc_dointvec_jiffies, 716 }, 717 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 718 .procname = "nf_conntrack_tcp_timeout_syn_recv", 719 .maxlen = sizeof(unsigned int), 720 .mode = 0644, 721 .proc_handler = proc_dointvec_jiffies, 722 }, 723 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 724 .procname = "nf_conntrack_tcp_timeout_established", 725 .maxlen = sizeof(unsigned int), 726 .mode = 0644, 727 .proc_handler = proc_dointvec_jiffies, 728 }, 729 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 730 .procname = "nf_conntrack_tcp_timeout_fin_wait", 731 .maxlen = sizeof(unsigned int), 732 .mode = 0644, 733 .proc_handler = proc_dointvec_jiffies, 734 }, 735 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 736 .procname = "nf_conntrack_tcp_timeout_close_wait", 737 .maxlen = sizeof(unsigned int), 738 .mode = 0644, 739 .proc_handler = proc_dointvec_jiffies, 740 }, 741 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 742 .procname = "nf_conntrack_tcp_timeout_last_ack", 743 .maxlen = sizeof(unsigned int), 744 .mode = 0644, 745 .proc_handler = proc_dointvec_jiffies, 746 }, 747 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 748 .procname = "nf_conntrack_tcp_timeout_time_wait", 749 .maxlen = sizeof(unsigned int), 750 .mode = 0644, 751 .proc_handler = proc_dointvec_jiffies, 752 }, 753 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 754 .procname = "nf_conntrack_tcp_timeout_close", 755 .maxlen = sizeof(unsigned int), 756 .mode = 0644, 757 .proc_handler = proc_dointvec_jiffies, 758 }, 759 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 760 .procname = "nf_conntrack_tcp_timeout_max_retrans", 761 .maxlen = sizeof(unsigned int), 762 .mode = 0644, 763 .proc_handler = proc_dointvec_jiffies, 764 }, 765 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 766 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 767 .maxlen = sizeof(unsigned int), 768 .mode = 0644, 769 .proc_handler = proc_dointvec_jiffies, 770 }, 771 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 772 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 773 .procname = "nf_flowtable_tcp_timeout", 774 .maxlen = sizeof(unsigned int), 775 .mode = 0644, 776 .proc_handler = proc_dointvec_jiffies, 777 }, 778 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD_PICKUP] = { 779 .procname = "nf_flowtable_tcp_pickup", 780 .maxlen = sizeof(unsigned int), 781 .mode = 0644, 782 .proc_handler = proc_dointvec_jiffies, 783 }, 784 #endif 785 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 786 .procname = "nf_conntrack_tcp_loose", 787 .maxlen = sizeof(u8), 788 .mode = 0644, 789 .proc_handler = proc_dou8vec_minmax, 790 .extra1 = SYSCTL_ZERO, 791 .extra2 = SYSCTL_ONE, 792 }, 793 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 794 .procname = "nf_conntrack_tcp_be_liberal", 795 .maxlen = sizeof(u8), 796 .mode = 0644, 797 .proc_handler = proc_dou8vec_minmax, 798 .extra1 = SYSCTL_ZERO, 799 .extra2 = SYSCTL_ONE, 800 }, 801 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 802 .procname = "nf_conntrack_tcp_max_retrans", 803 .maxlen = sizeof(u8), 804 .mode = 0644, 805 .proc_handler = proc_dou8vec_minmax, 806 }, 807 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 808 .procname = "nf_conntrack_udp_timeout", 809 .maxlen = sizeof(unsigned int), 810 .mode = 0644, 811 .proc_handler = proc_dointvec_jiffies, 812 }, 813 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 814 .procname = "nf_conntrack_udp_timeout_stream", 815 .maxlen = sizeof(unsigned int), 816 .mode = 0644, 817 .proc_handler = proc_dointvec_jiffies, 818 }, 819 #if IS_ENABLED(CONFIG_NFT_FLOW_OFFLOAD) 820 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 821 .procname = "nf_flowtable_udp_timeout", 822 .maxlen = sizeof(unsigned int), 823 .mode = 0644, 824 .proc_handler = proc_dointvec_jiffies, 825 }, 826 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD_PICKUP] = { 827 .procname = "nf_flowtable_udp_pickup", 828 .maxlen = sizeof(unsigned int), 829 .mode = 0644, 830 .proc_handler = proc_dointvec_jiffies, 831 }, 832 #endif 833 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 834 .procname = "nf_conntrack_icmp_timeout", 835 .maxlen = sizeof(unsigned int), 836 .mode = 0644, 837 .proc_handler = proc_dointvec_jiffies, 838 }, 839 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 840 .procname = "nf_conntrack_icmpv6_timeout", 841 .maxlen = sizeof(unsigned int), 842 .mode = 0644, 843 .proc_handler = proc_dointvec_jiffies, 844 }, 845 #ifdef CONFIG_NF_CT_PROTO_SCTP 846 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 847 .procname = "nf_conntrack_sctp_timeout_closed", 848 .maxlen = sizeof(unsigned int), 849 .mode = 0644, 850 .proc_handler = proc_dointvec_jiffies, 851 }, 852 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 853 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 854 .maxlen = sizeof(unsigned int), 855 .mode = 0644, 856 .proc_handler = proc_dointvec_jiffies, 857 }, 858 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 859 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 860 .maxlen = sizeof(unsigned int), 861 .mode = 0644, 862 .proc_handler = proc_dointvec_jiffies, 863 }, 864 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 865 .procname = "nf_conntrack_sctp_timeout_established", 866 .maxlen = sizeof(unsigned int), 867 .mode = 0644, 868 .proc_handler = proc_dointvec_jiffies, 869 }, 870 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 871 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 872 .maxlen = sizeof(unsigned int), 873 .mode = 0644, 874 .proc_handler = proc_dointvec_jiffies, 875 }, 876 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 877 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 878 .maxlen = sizeof(unsigned int), 879 .mode = 0644, 880 .proc_handler = proc_dointvec_jiffies, 881 }, 882 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 883 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 884 .maxlen = sizeof(unsigned int), 885 .mode = 0644, 886 .proc_handler = proc_dointvec_jiffies, 887 }, 888 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 889 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 890 .maxlen = sizeof(unsigned int), 891 .mode = 0644, 892 .proc_handler = proc_dointvec_jiffies, 893 }, 894 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { 895 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked", 896 .maxlen = sizeof(unsigned int), 897 .mode = 0644, 898 .proc_handler = proc_dointvec_jiffies, 899 }, 900 #endif 901 #ifdef CONFIG_NF_CT_PROTO_DCCP 902 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 903 .procname = "nf_conntrack_dccp_timeout_request", 904 .maxlen = sizeof(unsigned int), 905 .mode = 0644, 906 .proc_handler = proc_dointvec_jiffies, 907 }, 908 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 909 .procname = "nf_conntrack_dccp_timeout_respond", 910 .maxlen = sizeof(unsigned int), 911 .mode = 0644, 912 .proc_handler = proc_dointvec_jiffies, 913 }, 914 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 915 .procname = "nf_conntrack_dccp_timeout_partopen", 916 .maxlen = sizeof(unsigned int), 917 .mode = 0644, 918 .proc_handler = proc_dointvec_jiffies, 919 }, 920 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 921 .procname = "nf_conntrack_dccp_timeout_open", 922 .maxlen = sizeof(unsigned int), 923 .mode = 0644, 924 .proc_handler = proc_dointvec_jiffies, 925 }, 926 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 927 .procname = "nf_conntrack_dccp_timeout_closereq", 928 .maxlen = sizeof(unsigned int), 929 .mode = 0644, 930 .proc_handler = proc_dointvec_jiffies, 931 }, 932 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 933 .procname = "nf_conntrack_dccp_timeout_closing", 934 .maxlen = sizeof(unsigned int), 935 .mode = 0644, 936 .proc_handler = proc_dointvec_jiffies, 937 }, 938 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 939 .procname = "nf_conntrack_dccp_timeout_timewait", 940 .maxlen = sizeof(unsigned int), 941 .mode = 0644, 942 .proc_handler = proc_dointvec_jiffies, 943 }, 944 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 945 .procname = "nf_conntrack_dccp_loose", 946 .maxlen = sizeof(u8), 947 .mode = 0644, 948 .proc_handler = proc_dou8vec_minmax, 949 .extra1 = SYSCTL_ZERO, 950 .extra2 = SYSCTL_ONE, 951 }, 952 #endif 953 #ifdef CONFIG_NF_CT_PROTO_GRE 954 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 955 .procname = "nf_conntrack_gre_timeout", 956 .maxlen = sizeof(unsigned int), 957 .mode = 0644, 958 .proc_handler = proc_dointvec_jiffies, 959 }, 960 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 961 .procname = "nf_conntrack_gre_timeout_stream", 962 .maxlen = sizeof(unsigned int), 963 .mode = 0644, 964 .proc_handler = proc_dointvec_jiffies, 965 }, 966 #endif 967 {} 968 }; 969 970 static struct ctl_table nf_ct_netfilter_table[] = { 971 { 972 .procname = "nf_conntrack_max", 973 .data = &nf_conntrack_max, 974 .maxlen = sizeof(int), 975 .mode = 0644, 976 .proc_handler = proc_dointvec, 977 }, 978 { } 979 }; 980 981 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 982 struct ctl_table *table) 983 { 984 struct nf_tcp_net *tn = nf_tcp_pernet(net); 985 986 #define XASSIGN(XNAME, tn) \ 987 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 988 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 989 990 XASSIGN(SYN_SENT, tn); 991 XASSIGN(SYN_RECV, tn); 992 XASSIGN(ESTABLISHED, tn); 993 XASSIGN(FIN_WAIT, tn); 994 XASSIGN(CLOSE_WAIT, tn); 995 XASSIGN(LAST_ACK, tn); 996 XASSIGN(TIME_WAIT, tn); 997 XASSIGN(CLOSE, tn); 998 XASSIGN(RETRANS, tn); 999 XASSIGN(UNACK, tn); 1000 #undef XASSIGN 1001 #define XASSIGN(XNAME, rval) \ 1002 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 1003 1004 XASSIGN(LOOSE, &tn->tcp_loose); 1005 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 1006 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 1007 #undef XASSIGN 1008 1009 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1010 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 1011 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD_PICKUP].data = &tn->offload_pickup; 1012 #endif 1013 1014 } 1015 1016 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 1017 struct ctl_table *table) 1018 { 1019 #ifdef CONFIG_NF_CT_PROTO_SCTP 1020 struct nf_sctp_net *sn = nf_sctp_pernet(net); 1021 1022 #define XASSIGN(XNAME, sn) \ 1023 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 1024 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 1025 1026 XASSIGN(CLOSED, sn); 1027 XASSIGN(COOKIE_WAIT, sn); 1028 XASSIGN(COOKIE_ECHOED, sn); 1029 XASSIGN(ESTABLISHED, sn); 1030 XASSIGN(SHUTDOWN_SENT, sn); 1031 XASSIGN(SHUTDOWN_RECD, sn); 1032 XASSIGN(SHUTDOWN_ACK_SENT, sn); 1033 XASSIGN(HEARTBEAT_SENT, sn); 1034 XASSIGN(HEARTBEAT_ACKED, sn); 1035 #undef XASSIGN 1036 #endif 1037 } 1038 1039 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 1040 struct ctl_table *table) 1041 { 1042 #ifdef CONFIG_NF_CT_PROTO_DCCP 1043 struct nf_dccp_net *dn = nf_dccp_pernet(net); 1044 1045 #define XASSIGN(XNAME, dn) \ 1046 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1047 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1048 1049 XASSIGN(REQUEST, dn); 1050 XASSIGN(RESPOND, dn); 1051 XASSIGN(PARTOPEN, dn); 1052 XASSIGN(OPEN, dn); 1053 XASSIGN(CLOSEREQ, dn); 1054 XASSIGN(CLOSING, dn); 1055 XASSIGN(TIMEWAIT, dn); 1056 #undef XASSIGN 1057 1058 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1059 #endif 1060 } 1061 1062 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1063 struct ctl_table *table) 1064 { 1065 #ifdef CONFIG_NF_CT_PROTO_GRE 1066 struct nf_gre_net *gn = nf_gre_pernet(net); 1067 1068 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1069 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1070 #endif 1071 } 1072 1073 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1074 { 1075 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1076 struct nf_udp_net *un = nf_udp_pernet(net); 1077 struct ctl_table *table; 1078 1079 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1080 1081 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1082 GFP_KERNEL); 1083 if (!table) 1084 return -ENOMEM; 1085 1086 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1087 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1088 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1089 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1090 table[NF_SYSCTL_CT_HELPER].data = &cnet->sysctl_auto_assign_helper; 1091 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1092 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1093 #endif 1094 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1095 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1096 #endif 1097 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1098 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1099 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1100 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1101 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1102 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1103 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1104 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD_PICKUP].data = &un->offload_pickup; 1105 #endif 1106 1107 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1108 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1109 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1110 nf_conntrack_standalone_init_gre_sysctl(net, table); 1111 1112 /* Don't allow non-init_net ns to alter global sysctls */ 1113 if (!net_eq(&init_net, net)) { 1114 table[NF_SYSCTL_CT_MAX].mode = 0444; 1115 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1116 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1117 } 1118 1119 cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1120 if (!cnet->sysctl_header) 1121 goto out_unregister_netfilter; 1122 1123 return 0; 1124 1125 out_unregister_netfilter: 1126 kfree(table); 1127 return -ENOMEM; 1128 } 1129 1130 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1131 { 1132 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1133 struct ctl_table *table; 1134 1135 table = cnet->sysctl_header->ctl_table_arg; 1136 unregister_net_sysctl_table(cnet->sysctl_header); 1137 kfree(table); 1138 } 1139 #else 1140 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1141 { 1142 return 0; 1143 } 1144 1145 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1146 { 1147 } 1148 #endif /* CONFIG_SYSCTL */ 1149 1150 static void nf_conntrack_fini_net(struct net *net) 1151 { 1152 if (enable_hooks) 1153 nf_ct_netns_put(net, NFPROTO_INET); 1154 1155 nf_conntrack_standalone_fini_proc(net); 1156 nf_conntrack_standalone_fini_sysctl(net); 1157 } 1158 1159 static int nf_conntrack_pernet_init(struct net *net) 1160 { 1161 int ret; 1162 1163 net->ct.sysctl_checksum = 1; 1164 1165 ret = nf_conntrack_standalone_init_sysctl(net); 1166 if (ret < 0) 1167 return ret; 1168 1169 ret = nf_conntrack_standalone_init_proc(net); 1170 if (ret < 0) 1171 goto out_proc; 1172 1173 ret = nf_conntrack_init_net(net); 1174 if (ret < 0) 1175 goto out_init_net; 1176 1177 if (enable_hooks) { 1178 ret = nf_ct_netns_get(net, NFPROTO_INET); 1179 if (ret < 0) 1180 goto out_hooks; 1181 } 1182 1183 return 0; 1184 1185 out_hooks: 1186 nf_conntrack_cleanup_net(net); 1187 out_init_net: 1188 nf_conntrack_standalone_fini_proc(net); 1189 out_proc: 1190 nf_conntrack_standalone_fini_sysctl(net); 1191 return ret; 1192 } 1193 1194 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1195 { 1196 struct net *net; 1197 1198 list_for_each_entry(net, net_exit_list, exit_list) 1199 nf_conntrack_fini_net(net); 1200 1201 nf_conntrack_cleanup_net_list(net_exit_list); 1202 } 1203 1204 static struct pernet_operations nf_conntrack_net_ops = { 1205 .init = nf_conntrack_pernet_init, 1206 .exit_batch = nf_conntrack_pernet_exit, 1207 .id = &nf_conntrack_net_id, 1208 .size = sizeof(struct nf_conntrack_net), 1209 }; 1210 1211 static int __init nf_conntrack_standalone_init(void) 1212 { 1213 int ret = nf_conntrack_init_start(); 1214 if (ret < 0) 1215 goto out_start; 1216 1217 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1218 1219 #ifdef CONFIG_SYSCTL 1220 nf_ct_netfilter_header = 1221 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1222 if (!nf_ct_netfilter_header) { 1223 pr_err("nf_conntrack: can't register to sysctl.\n"); 1224 ret = -ENOMEM; 1225 goto out_sysctl; 1226 } 1227 1228 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1229 #endif 1230 1231 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1232 if (ret < 0) 1233 goto out_pernet; 1234 1235 nf_conntrack_init_end(); 1236 return 0; 1237 1238 out_pernet: 1239 #ifdef CONFIG_SYSCTL 1240 unregister_net_sysctl_table(nf_ct_netfilter_header); 1241 out_sysctl: 1242 #endif 1243 nf_conntrack_cleanup_end(); 1244 out_start: 1245 return ret; 1246 } 1247 1248 static void __exit nf_conntrack_standalone_fini(void) 1249 { 1250 nf_conntrack_cleanup_start(); 1251 unregister_pernet_subsys(&nf_conntrack_net_ops); 1252 #ifdef CONFIG_SYSCTL 1253 unregister_net_sysctl_table(nf_ct_netfilter_header); 1254 #endif 1255 nf_conntrack_cleanup_end(); 1256 } 1257 1258 module_init(nf_conntrack_standalone_init); 1259 module_exit(nf_conntrack_standalone_fini); 1260