1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_conntrack.h> 18 #include <net/netfilter/nf_conntrack_core.h> 19 #include <net/netfilter/nf_conntrack_l4proto.h> 20 #include <net/netfilter/nf_conntrack_expect.h> 21 #include <net/netfilter/nf_conntrack_helper.h> 22 #include <net/netfilter/nf_conntrack_acct.h> 23 #include <net/netfilter/nf_conntrack_zones.h> 24 #include <net/netfilter/nf_conntrack_timestamp.h> 25 #ifdef CONFIG_LWTUNNEL 26 #include <net/netfilter/nf_hooks_lwtunnel.h> 27 #endif 28 #include <linux/rculist_nulls.h> 29 30 static bool enable_hooks __read_mostly; 31 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 32 module_param(enable_hooks, bool, 0000); 33 34 unsigned int nf_conntrack_net_id __read_mostly; 35 36 #ifdef CONFIG_NF_CONNTRACK_PROCFS 37 void 38 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 39 const struct nf_conntrack_l4proto *l4proto) 40 { 41 switch (tuple->src.l3num) { 42 case NFPROTO_IPV4: 43 seq_printf(s, "src=%pI4 dst=%pI4 ", 44 &tuple->src.u3.ip, &tuple->dst.u3.ip); 45 break; 46 case NFPROTO_IPV6: 47 seq_printf(s, "src=%pI6 dst=%pI6 ", 48 tuple->src.u3.ip6, tuple->dst.u3.ip6); 49 break; 50 default: 51 break; 52 } 53 54 switch (l4proto->l4proto) { 55 case IPPROTO_ICMP: 56 seq_printf(s, "type=%u code=%u id=%u ", 57 tuple->dst.u.icmp.type, 58 tuple->dst.u.icmp.code, 59 ntohs(tuple->src.u.icmp.id)); 60 break; 61 case IPPROTO_TCP: 62 seq_printf(s, "sport=%hu dport=%hu ", 63 ntohs(tuple->src.u.tcp.port), 64 ntohs(tuple->dst.u.tcp.port)); 65 break; 66 case IPPROTO_UDPLITE: 67 case IPPROTO_UDP: 68 seq_printf(s, "sport=%hu dport=%hu ", 69 ntohs(tuple->src.u.udp.port), 70 ntohs(tuple->dst.u.udp.port)); 71 72 break; 73 case IPPROTO_DCCP: 74 seq_printf(s, "sport=%hu dport=%hu ", 75 ntohs(tuple->src.u.dccp.port), 76 ntohs(tuple->dst.u.dccp.port)); 77 break; 78 case IPPROTO_SCTP: 79 seq_printf(s, "sport=%hu dport=%hu ", 80 ntohs(tuple->src.u.sctp.port), 81 ntohs(tuple->dst.u.sctp.port)); 82 break; 83 case IPPROTO_ICMPV6: 84 seq_printf(s, "type=%u code=%u id=%u ", 85 tuple->dst.u.icmp.type, 86 tuple->dst.u.icmp.code, 87 ntohs(tuple->src.u.icmp.id)); 88 break; 89 case IPPROTO_GRE: 90 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 91 ntohs(tuple->src.u.gre.key), 92 ntohs(tuple->dst.u.gre.key)); 93 break; 94 default: 95 break; 96 } 97 } 98 EXPORT_SYMBOL_GPL(print_tuple); 99 100 struct ct_iter_state { 101 struct seq_net_private p; 102 struct hlist_nulls_head *hash; 103 unsigned int htable_size; 104 unsigned int bucket; 105 u_int64_t time_now; 106 }; 107 108 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 109 { 110 struct ct_iter_state *st = seq->private; 111 struct hlist_nulls_node *n; 112 113 for (st->bucket = 0; 114 st->bucket < st->htable_size; 115 st->bucket++) { 116 n = rcu_dereference( 117 hlist_nulls_first_rcu(&st->hash[st->bucket])); 118 if (!is_a_nulls(n)) 119 return n; 120 } 121 return NULL; 122 } 123 124 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 125 struct hlist_nulls_node *head) 126 { 127 struct ct_iter_state *st = seq->private; 128 129 head = rcu_dereference(hlist_nulls_next_rcu(head)); 130 while (is_a_nulls(head)) { 131 if (likely(get_nulls_value(head) == st->bucket)) { 132 if (++st->bucket >= st->htable_size) 133 return NULL; 134 } 135 head = rcu_dereference( 136 hlist_nulls_first_rcu(&st->hash[st->bucket])); 137 } 138 return head; 139 } 140 141 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 142 { 143 struct hlist_nulls_node *head = ct_get_first(seq); 144 145 if (head) 146 while (pos && (head = ct_get_next(seq, head))) 147 pos--; 148 return pos ? NULL : head; 149 } 150 151 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 152 __acquires(RCU) 153 { 154 struct ct_iter_state *st = seq->private; 155 156 st->time_now = ktime_get_real_ns(); 157 rcu_read_lock(); 158 159 nf_conntrack_get_ht(&st->hash, &st->htable_size); 160 return ct_get_idx(seq, *pos); 161 } 162 163 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 164 { 165 (*pos)++; 166 return ct_get_next(s, v); 167 } 168 169 static void ct_seq_stop(struct seq_file *s, void *v) 170 __releases(RCU) 171 { 172 rcu_read_unlock(); 173 } 174 175 #ifdef CONFIG_NF_CONNTRACK_SECMARK 176 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 177 { 178 int ret; 179 u32 len; 180 char *secctx; 181 182 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 183 if (ret) 184 return; 185 186 seq_printf(s, "secctx=%s ", secctx); 187 188 security_release_secctx(secctx, len); 189 } 190 #else 191 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 192 { 193 } 194 #endif 195 196 #ifdef CONFIG_NF_CONNTRACK_ZONES 197 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 198 int dir) 199 { 200 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 201 202 if (zone->dir != dir) 203 return; 204 switch (zone->dir) { 205 case NF_CT_DEFAULT_ZONE_DIR: 206 seq_printf(s, "zone=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_ORIG: 209 seq_printf(s, "zone-orig=%u ", zone->id); 210 break; 211 case NF_CT_ZONE_DIR_REPL: 212 seq_printf(s, "zone-reply=%u ", zone->id); 213 break; 214 default: 215 break; 216 } 217 } 218 #else 219 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 220 int dir) 221 { 222 } 223 #endif 224 225 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 226 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 227 { 228 struct ct_iter_state *st = s->private; 229 struct nf_conn_tstamp *tstamp; 230 s64 delta_time; 231 232 tstamp = nf_conn_tstamp_find(ct); 233 if (tstamp) { 234 delta_time = st->time_now - tstamp->start; 235 if (delta_time > 0) 236 delta_time = div_s64(delta_time, NSEC_PER_SEC); 237 else 238 delta_time = 0; 239 240 seq_printf(s, "delta-time=%llu ", 241 (unsigned long long)delta_time); 242 } 243 return; 244 } 245 #else 246 static inline void 247 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 248 { 249 } 250 #endif 251 252 static const char* l3proto_name(u16 proto) 253 { 254 switch (proto) { 255 case AF_INET: return "ipv4"; 256 case AF_INET6: return "ipv6"; 257 } 258 259 return "unknown"; 260 } 261 262 static const char* l4proto_name(u16 proto) 263 { 264 switch (proto) { 265 case IPPROTO_ICMP: return "icmp"; 266 case IPPROTO_TCP: return "tcp"; 267 case IPPROTO_UDP: return "udp"; 268 case IPPROTO_DCCP: return "dccp"; 269 case IPPROTO_GRE: return "gre"; 270 case IPPROTO_SCTP: return "sctp"; 271 case IPPROTO_UDPLITE: return "udplite"; 272 case IPPROTO_ICMPV6: return "icmpv6"; 273 } 274 275 return "unknown"; 276 } 277 278 static unsigned int 279 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 280 { 281 struct nf_conn_acct *acct; 282 struct nf_conn_counter *counter; 283 284 acct = nf_conn_acct_find(ct); 285 if (!acct) 286 return 0; 287 288 counter = acct->counter; 289 seq_printf(s, "packets=%llu bytes=%llu ", 290 (unsigned long long)atomic64_read(&counter[dir].packets), 291 (unsigned long long)atomic64_read(&counter[dir].bytes)); 292 293 return 0; 294 } 295 296 /* return 0 on success, 1 in case of error */ 297 static int ct_seq_show(struct seq_file *s, void *v) 298 { 299 struct nf_conntrack_tuple_hash *hash = v; 300 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 301 const struct nf_conntrack_l4proto *l4proto; 302 struct net *net = seq_file_net(s); 303 int ret = 0; 304 305 WARN_ON(!ct); 306 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use))) 307 return 0; 308 309 /* load ->status after refcount increase */ 310 smp_acquire__after_ctrl_dep(); 311 312 if (nf_ct_should_gc(ct)) { 313 nf_ct_kill(ct); 314 goto release; 315 } 316 317 /* we only want to print DIR_ORIGINAL */ 318 if (NF_CT_DIRECTION(hash)) 319 goto release; 320 321 if (!net_eq(nf_ct_net(ct), net)) 322 goto release; 323 324 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 325 326 ret = -ENOSPC; 327 seq_printf(s, "%-8s %u %-8s %u ", 328 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 329 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 330 331 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 332 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 333 334 if (l4proto->print_conntrack) 335 l4proto->print_conntrack(s, ct); 336 337 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 338 l4proto); 339 340 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 341 342 if (seq_has_overflowed(s)) 343 goto release; 344 345 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 346 goto release; 347 348 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 349 seq_puts(s, "[UNREPLIED] "); 350 351 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 352 353 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 354 355 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 356 goto release; 357 358 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 359 seq_puts(s, "[HW_OFFLOAD] "); 360 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 361 seq_puts(s, "[OFFLOAD] "); 362 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 363 seq_puts(s, "[ASSURED] "); 364 365 if (seq_has_overflowed(s)) 366 goto release; 367 368 #if defined(CONFIG_NF_CONNTRACK_MARK) 369 seq_printf(s, "mark=%u ", READ_ONCE(ct->mark)); 370 #endif 371 372 ct_show_secctx(s, ct); 373 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 374 ct_show_delta_time(s, ct); 375 376 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use)); 377 378 if (seq_has_overflowed(s)) 379 goto release; 380 381 ret = 0; 382 release: 383 nf_ct_put(ct); 384 return ret; 385 } 386 387 static const struct seq_operations ct_seq_ops = { 388 .start = ct_seq_start, 389 .next = ct_seq_next, 390 .stop = ct_seq_stop, 391 .show = ct_seq_show 392 }; 393 394 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 395 { 396 struct net *net = seq_file_net(seq); 397 int cpu; 398 399 if (*pos == 0) 400 return SEQ_START_TOKEN; 401 402 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 403 if (!cpu_possible(cpu)) 404 continue; 405 *pos = cpu + 1; 406 return per_cpu_ptr(net->ct.stat, cpu); 407 } 408 409 return NULL; 410 } 411 412 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 413 { 414 struct net *net = seq_file_net(seq); 415 int cpu; 416 417 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 418 if (!cpu_possible(cpu)) 419 continue; 420 *pos = cpu + 1; 421 return per_cpu_ptr(net->ct.stat, cpu); 422 } 423 (*pos)++; 424 return NULL; 425 } 426 427 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 428 { 429 } 430 431 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 432 { 433 struct net *net = seq_file_net(seq); 434 const struct ip_conntrack_stat *st = v; 435 unsigned int nr_conntracks; 436 437 if (v == SEQ_START_TOKEN) { 438 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 439 return 0; 440 } 441 442 nr_conntracks = nf_conntrack_count(net); 443 444 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 445 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 446 nr_conntracks, 447 st->clash_resolve, 448 st->found, 449 0, 450 st->invalid, 451 0, 452 0, 453 st->chaintoolong, 454 st->insert, 455 st->insert_failed, 456 st->drop, 457 st->early_drop, 458 st->error, 459 460 st->expect_new, 461 st->expect_create, 462 st->expect_delete, 463 st->search_restart 464 ); 465 return 0; 466 } 467 468 static const struct seq_operations ct_cpu_seq_ops = { 469 .start = ct_cpu_seq_start, 470 .next = ct_cpu_seq_next, 471 .stop = ct_cpu_seq_stop, 472 .show = ct_cpu_seq_show, 473 }; 474 475 static int nf_conntrack_standalone_init_proc(struct net *net) 476 { 477 struct proc_dir_entry *pde; 478 kuid_t root_uid; 479 kgid_t root_gid; 480 481 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 482 sizeof(struct ct_iter_state)); 483 if (!pde) 484 goto out_nf_conntrack; 485 486 root_uid = make_kuid(net->user_ns, 0); 487 root_gid = make_kgid(net->user_ns, 0); 488 if (uid_valid(root_uid) && gid_valid(root_gid)) 489 proc_set_user(pde, root_uid, root_gid); 490 491 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 492 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 493 if (!pde) 494 goto out_stat_nf_conntrack; 495 return 0; 496 497 out_stat_nf_conntrack: 498 remove_proc_entry("nf_conntrack", net->proc_net); 499 out_nf_conntrack: 500 return -ENOMEM; 501 } 502 503 static void nf_conntrack_standalone_fini_proc(struct net *net) 504 { 505 remove_proc_entry("nf_conntrack", net->proc_net_stat); 506 remove_proc_entry("nf_conntrack", net->proc_net); 507 } 508 #else 509 static int nf_conntrack_standalone_init_proc(struct net *net) 510 { 511 return 0; 512 } 513 514 static void nf_conntrack_standalone_fini_proc(struct net *net) 515 { 516 } 517 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 518 519 u32 nf_conntrack_count(const struct net *net) 520 { 521 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 522 523 return atomic_read(&cnet->count); 524 } 525 EXPORT_SYMBOL_GPL(nf_conntrack_count); 526 527 /* Sysctl support */ 528 529 #ifdef CONFIG_SYSCTL 530 /* size the user *wants to set */ 531 static unsigned int nf_conntrack_htable_size_user __read_mostly; 532 533 static int 534 nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 535 void *buffer, size_t *lenp, loff_t *ppos) 536 { 537 int ret; 538 539 /* module_param hashsize could have changed value */ 540 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 541 542 ret = proc_dointvec(table, write, buffer, lenp, ppos); 543 if (ret < 0 || !write) 544 return ret; 545 546 /* update ret, we might not be able to satisfy request */ 547 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 548 549 /* update it to the actual value used by conntrack */ 550 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 551 return ret; 552 } 553 554 static struct ctl_table_header *nf_ct_netfilter_header; 555 556 enum nf_ct_sysctl_index { 557 NF_SYSCTL_CT_MAX, 558 NF_SYSCTL_CT_COUNT, 559 NF_SYSCTL_CT_BUCKETS, 560 NF_SYSCTL_CT_CHECKSUM, 561 NF_SYSCTL_CT_LOG_INVALID, 562 NF_SYSCTL_CT_EXPECT_MAX, 563 NF_SYSCTL_CT_ACCT, 564 #ifdef CONFIG_NF_CONNTRACK_EVENTS 565 NF_SYSCTL_CT_EVENTS, 566 #endif 567 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 568 NF_SYSCTL_CT_TIMESTAMP, 569 #endif 570 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 571 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 574 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 576 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 577 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 578 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 579 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 580 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 581 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 582 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 583 #endif 584 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 585 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 586 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST, 587 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 588 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 589 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 590 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 591 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 592 #endif 593 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 594 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 595 #ifdef CONFIG_NF_CT_PROTO_SCTP 596 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 597 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 598 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 600 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 601 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 602 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 603 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 604 #endif 605 #ifdef CONFIG_NF_CT_PROTO_DCCP 606 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 607 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 608 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 609 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 610 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 611 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 612 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 613 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 614 #endif 615 #ifdef CONFIG_NF_CT_PROTO_GRE 616 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 617 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 618 #endif 619 #ifdef CONFIG_LWTUNNEL 620 NF_SYSCTL_CT_LWTUNNEL, 621 #endif 622 623 __NF_SYSCTL_CT_LAST_SYSCTL, 624 }; 625 626 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 627 628 static struct ctl_table nf_ct_sysctl_table[] = { 629 [NF_SYSCTL_CT_MAX] = { 630 .procname = "nf_conntrack_max", 631 .data = &nf_conntrack_max, 632 .maxlen = sizeof(int), 633 .mode = 0644, 634 .proc_handler = proc_dointvec, 635 }, 636 [NF_SYSCTL_CT_COUNT] = { 637 .procname = "nf_conntrack_count", 638 .maxlen = sizeof(int), 639 .mode = 0444, 640 .proc_handler = proc_dointvec, 641 }, 642 [NF_SYSCTL_CT_BUCKETS] = { 643 .procname = "nf_conntrack_buckets", 644 .data = &nf_conntrack_htable_size_user, 645 .maxlen = sizeof(unsigned int), 646 .mode = 0644, 647 .proc_handler = nf_conntrack_hash_sysctl, 648 }, 649 [NF_SYSCTL_CT_CHECKSUM] = { 650 .procname = "nf_conntrack_checksum", 651 .data = &init_net.ct.sysctl_checksum, 652 .maxlen = sizeof(u8), 653 .mode = 0644, 654 .proc_handler = proc_dou8vec_minmax, 655 .extra1 = SYSCTL_ZERO, 656 .extra2 = SYSCTL_ONE, 657 }, 658 [NF_SYSCTL_CT_LOG_INVALID] = { 659 .procname = "nf_conntrack_log_invalid", 660 .data = &init_net.ct.sysctl_log_invalid, 661 .maxlen = sizeof(u8), 662 .mode = 0644, 663 .proc_handler = proc_dou8vec_minmax, 664 }, 665 [NF_SYSCTL_CT_EXPECT_MAX] = { 666 .procname = "nf_conntrack_expect_max", 667 .data = &nf_ct_expect_max, 668 .maxlen = sizeof(int), 669 .mode = 0644, 670 .proc_handler = proc_dointvec, 671 }, 672 [NF_SYSCTL_CT_ACCT] = { 673 .procname = "nf_conntrack_acct", 674 .data = &init_net.ct.sysctl_acct, 675 .maxlen = sizeof(u8), 676 .mode = 0644, 677 .proc_handler = proc_dou8vec_minmax, 678 .extra1 = SYSCTL_ZERO, 679 .extra2 = SYSCTL_ONE, 680 }, 681 #ifdef CONFIG_NF_CONNTRACK_EVENTS 682 [NF_SYSCTL_CT_EVENTS] = { 683 .procname = "nf_conntrack_events", 684 .data = &init_net.ct.sysctl_events, 685 .maxlen = sizeof(u8), 686 .mode = 0644, 687 .proc_handler = proc_dou8vec_minmax, 688 .extra1 = SYSCTL_ZERO, 689 .extra2 = SYSCTL_TWO, 690 }, 691 #endif 692 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 693 [NF_SYSCTL_CT_TIMESTAMP] = { 694 .procname = "nf_conntrack_timestamp", 695 .data = &init_net.ct.sysctl_tstamp, 696 .maxlen = sizeof(u8), 697 .mode = 0644, 698 .proc_handler = proc_dou8vec_minmax, 699 .extra1 = SYSCTL_ZERO, 700 .extra2 = SYSCTL_ONE, 701 }, 702 #endif 703 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 704 .procname = "nf_conntrack_generic_timeout", 705 .maxlen = sizeof(unsigned int), 706 .mode = 0644, 707 .proc_handler = proc_dointvec_jiffies, 708 }, 709 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 710 .procname = "nf_conntrack_tcp_timeout_syn_sent", 711 .maxlen = sizeof(unsigned int), 712 .mode = 0644, 713 .proc_handler = proc_dointvec_jiffies, 714 }, 715 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 716 .procname = "nf_conntrack_tcp_timeout_syn_recv", 717 .maxlen = sizeof(unsigned int), 718 .mode = 0644, 719 .proc_handler = proc_dointvec_jiffies, 720 }, 721 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 722 .procname = "nf_conntrack_tcp_timeout_established", 723 .maxlen = sizeof(unsigned int), 724 .mode = 0644, 725 .proc_handler = proc_dointvec_jiffies, 726 }, 727 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 728 .procname = "nf_conntrack_tcp_timeout_fin_wait", 729 .maxlen = sizeof(unsigned int), 730 .mode = 0644, 731 .proc_handler = proc_dointvec_jiffies, 732 }, 733 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 734 .procname = "nf_conntrack_tcp_timeout_close_wait", 735 .maxlen = sizeof(unsigned int), 736 .mode = 0644, 737 .proc_handler = proc_dointvec_jiffies, 738 }, 739 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 740 .procname = "nf_conntrack_tcp_timeout_last_ack", 741 .maxlen = sizeof(unsigned int), 742 .mode = 0644, 743 .proc_handler = proc_dointvec_jiffies, 744 }, 745 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 746 .procname = "nf_conntrack_tcp_timeout_time_wait", 747 .maxlen = sizeof(unsigned int), 748 .mode = 0644, 749 .proc_handler = proc_dointvec_jiffies, 750 }, 751 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 752 .procname = "nf_conntrack_tcp_timeout_close", 753 .maxlen = sizeof(unsigned int), 754 .mode = 0644, 755 .proc_handler = proc_dointvec_jiffies, 756 }, 757 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 758 .procname = "nf_conntrack_tcp_timeout_max_retrans", 759 .maxlen = sizeof(unsigned int), 760 .mode = 0644, 761 .proc_handler = proc_dointvec_jiffies, 762 }, 763 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 764 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 765 .maxlen = sizeof(unsigned int), 766 .mode = 0644, 767 .proc_handler = proc_dointvec_jiffies, 768 }, 769 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 770 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 771 .procname = "nf_flowtable_tcp_timeout", 772 .maxlen = sizeof(unsigned int), 773 .mode = 0644, 774 .proc_handler = proc_dointvec_jiffies, 775 }, 776 #endif 777 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 778 .procname = "nf_conntrack_tcp_loose", 779 .maxlen = sizeof(u8), 780 .mode = 0644, 781 .proc_handler = proc_dou8vec_minmax, 782 .extra1 = SYSCTL_ZERO, 783 .extra2 = SYSCTL_ONE, 784 }, 785 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 786 .procname = "nf_conntrack_tcp_be_liberal", 787 .maxlen = sizeof(u8), 788 .mode = 0644, 789 .proc_handler = proc_dou8vec_minmax, 790 .extra1 = SYSCTL_ZERO, 791 .extra2 = SYSCTL_ONE, 792 }, 793 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = { 794 .procname = "nf_conntrack_tcp_ignore_invalid_rst", 795 .maxlen = sizeof(u8), 796 .mode = 0644, 797 .proc_handler = proc_dou8vec_minmax, 798 .extra1 = SYSCTL_ZERO, 799 .extra2 = SYSCTL_ONE, 800 }, 801 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 802 .procname = "nf_conntrack_tcp_max_retrans", 803 .maxlen = sizeof(u8), 804 .mode = 0644, 805 .proc_handler = proc_dou8vec_minmax, 806 }, 807 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 808 .procname = "nf_conntrack_udp_timeout", 809 .maxlen = sizeof(unsigned int), 810 .mode = 0644, 811 .proc_handler = proc_dointvec_jiffies, 812 }, 813 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 814 .procname = "nf_conntrack_udp_timeout_stream", 815 .maxlen = sizeof(unsigned int), 816 .mode = 0644, 817 .proc_handler = proc_dointvec_jiffies, 818 }, 819 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 820 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 821 .procname = "nf_flowtable_udp_timeout", 822 .maxlen = sizeof(unsigned int), 823 .mode = 0644, 824 .proc_handler = proc_dointvec_jiffies, 825 }, 826 #endif 827 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 828 .procname = "nf_conntrack_icmp_timeout", 829 .maxlen = sizeof(unsigned int), 830 .mode = 0644, 831 .proc_handler = proc_dointvec_jiffies, 832 }, 833 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 834 .procname = "nf_conntrack_icmpv6_timeout", 835 .maxlen = sizeof(unsigned int), 836 .mode = 0644, 837 .proc_handler = proc_dointvec_jiffies, 838 }, 839 #ifdef CONFIG_NF_CT_PROTO_SCTP 840 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 841 .procname = "nf_conntrack_sctp_timeout_closed", 842 .maxlen = sizeof(unsigned int), 843 .mode = 0644, 844 .proc_handler = proc_dointvec_jiffies, 845 }, 846 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 847 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 848 .maxlen = sizeof(unsigned int), 849 .mode = 0644, 850 .proc_handler = proc_dointvec_jiffies, 851 }, 852 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 853 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 854 .maxlen = sizeof(unsigned int), 855 .mode = 0644, 856 .proc_handler = proc_dointvec_jiffies, 857 }, 858 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 859 .procname = "nf_conntrack_sctp_timeout_established", 860 .maxlen = sizeof(unsigned int), 861 .mode = 0644, 862 .proc_handler = proc_dointvec_jiffies, 863 }, 864 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 865 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 866 .maxlen = sizeof(unsigned int), 867 .mode = 0644, 868 .proc_handler = proc_dointvec_jiffies, 869 }, 870 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 871 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 872 .maxlen = sizeof(unsigned int), 873 .mode = 0644, 874 .proc_handler = proc_dointvec_jiffies, 875 }, 876 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 877 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 878 .maxlen = sizeof(unsigned int), 879 .mode = 0644, 880 .proc_handler = proc_dointvec_jiffies, 881 }, 882 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 883 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 884 .maxlen = sizeof(unsigned int), 885 .mode = 0644, 886 .proc_handler = proc_dointvec_jiffies, 887 }, 888 #endif 889 #ifdef CONFIG_NF_CT_PROTO_DCCP 890 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 891 .procname = "nf_conntrack_dccp_timeout_request", 892 .maxlen = sizeof(unsigned int), 893 .mode = 0644, 894 .proc_handler = proc_dointvec_jiffies, 895 }, 896 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 897 .procname = "nf_conntrack_dccp_timeout_respond", 898 .maxlen = sizeof(unsigned int), 899 .mode = 0644, 900 .proc_handler = proc_dointvec_jiffies, 901 }, 902 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 903 .procname = "nf_conntrack_dccp_timeout_partopen", 904 .maxlen = sizeof(unsigned int), 905 .mode = 0644, 906 .proc_handler = proc_dointvec_jiffies, 907 }, 908 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 909 .procname = "nf_conntrack_dccp_timeout_open", 910 .maxlen = sizeof(unsigned int), 911 .mode = 0644, 912 .proc_handler = proc_dointvec_jiffies, 913 }, 914 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 915 .procname = "nf_conntrack_dccp_timeout_closereq", 916 .maxlen = sizeof(unsigned int), 917 .mode = 0644, 918 .proc_handler = proc_dointvec_jiffies, 919 }, 920 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 921 .procname = "nf_conntrack_dccp_timeout_closing", 922 .maxlen = sizeof(unsigned int), 923 .mode = 0644, 924 .proc_handler = proc_dointvec_jiffies, 925 }, 926 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 927 .procname = "nf_conntrack_dccp_timeout_timewait", 928 .maxlen = sizeof(unsigned int), 929 .mode = 0644, 930 .proc_handler = proc_dointvec_jiffies, 931 }, 932 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 933 .procname = "nf_conntrack_dccp_loose", 934 .maxlen = sizeof(u8), 935 .mode = 0644, 936 .proc_handler = proc_dou8vec_minmax, 937 .extra1 = SYSCTL_ZERO, 938 .extra2 = SYSCTL_ONE, 939 }, 940 #endif 941 #ifdef CONFIG_NF_CT_PROTO_GRE 942 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 943 .procname = "nf_conntrack_gre_timeout", 944 .maxlen = sizeof(unsigned int), 945 .mode = 0644, 946 .proc_handler = proc_dointvec_jiffies, 947 }, 948 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 949 .procname = "nf_conntrack_gre_timeout_stream", 950 .maxlen = sizeof(unsigned int), 951 .mode = 0644, 952 .proc_handler = proc_dointvec_jiffies, 953 }, 954 #endif 955 #ifdef CONFIG_LWTUNNEL 956 [NF_SYSCTL_CT_LWTUNNEL] = { 957 .procname = "nf_hooks_lwtunnel", 958 .data = NULL, 959 .maxlen = sizeof(int), 960 .mode = 0644, 961 .proc_handler = nf_hooks_lwtunnel_sysctl_handler, 962 }, 963 #endif 964 {} 965 }; 966 967 static struct ctl_table nf_ct_netfilter_table[] = { 968 { 969 .procname = "nf_conntrack_max", 970 .data = &nf_conntrack_max, 971 .maxlen = sizeof(int), 972 .mode = 0644, 973 .proc_handler = proc_dointvec, 974 }, 975 { } 976 }; 977 978 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 979 struct ctl_table *table) 980 { 981 struct nf_tcp_net *tn = nf_tcp_pernet(net); 982 983 #define XASSIGN(XNAME, tn) \ 984 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 985 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 986 987 XASSIGN(SYN_SENT, tn); 988 XASSIGN(SYN_RECV, tn); 989 XASSIGN(ESTABLISHED, tn); 990 XASSIGN(FIN_WAIT, tn); 991 XASSIGN(CLOSE_WAIT, tn); 992 XASSIGN(LAST_ACK, tn); 993 XASSIGN(TIME_WAIT, tn); 994 XASSIGN(CLOSE, tn); 995 XASSIGN(RETRANS, tn); 996 XASSIGN(UNACK, tn); 997 #undef XASSIGN 998 #define XASSIGN(XNAME, rval) \ 999 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 1000 1001 XASSIGN(LOOSE, &tn->tcp_loose); 1002 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 1003 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 1004 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst); 1005 #undef XASSIGN 1006 1007 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1008 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 1009 #endif 1010 1011 } 1012 1013 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 1014 struct ctl_table *table) 1015 { 1016 #ifdef CONFIG_NF_CT_PROTO_SCTP 1017 struct nf_sctp_net *sn = nf_sctp_pernet(net); 1018 1019 #define XASSIGN(XNAME, sn) \ 1020 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 1021 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 1022 1023 XASSIGN(CLOSED, sn); 1024 XASSIGN(COOKIE_WAIT, sn); 1025 XASSIGN(COOKIE_ECHOED, sn); 1026 XASSIGN(ESTABLISHED, sn); 1027 XASSIGN(SHUTDOWN_SENT, sn); 1028 XASSIGN(SHUTDOWN_RECD, sn); 1029 XASSIGN(SHUTDOWN_ACK_SENT, sn); 1030 XASSIGN(HEARTBEAT_SENT, sn); 1031 #undef XASSIGN 1032 #endif 1033 } 1034 1035 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 1036 struct ctl_table *table) 1037 { 1038 #ifdef CONFIG_NF_CT_PROTO_DCCP 1039 struct nf_dccp_net *dn = nf_dccp_pernet(net); 1040 1041 #define XASSIGN(XNAME, dn) \ 1042 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1043 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1044 1045 XASSIGN(REQUEST, dn); 1046 XASSIGN(RESPOND, dn); 1047 XASSIGN(PARTOPEN, dn); 1048 XASSIGN(OPEN, dn); 1049 XASSIGN(CLOSEREQ, dn); 1050 XASSIGN(CLOSING, dn); 1051 XASSIGN(TIMEWAIT, dn); 1052 #undef XASSIGN 1053 1054 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1055 #endif 1056 } 1057 1058 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1059 struct ctl_table *table) 1060 { 1061 #ifdef CONFIG_NF_CT_PROTO_GRE 1062 struct nf_gre_net *gn = nf_gre_pernet(net); 1063 1064 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1065 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1066 #endif 1067 } 1068 1069 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1070 { 1071 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1072 struct nf_udp_net *un = nf_udp_pernet(net); 1073 struct ctl_table *table; 1074 1075 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1076 1077 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1078 GFP_KERNEL); 1079 if (!table) 1080 return -ENOMEM; 1081 1082 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1083 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1084 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1085 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1086 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1087 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1088 #endif 1089 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1090 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1091 #endif 1092 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1093 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1094 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1095 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1096 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1097 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1098 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1099 #endif 1100 1101 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1102 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1103 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1104 nf_conntrack_standalone_init_gre_sysctl(net, table); 1105 1106 /* Don't allow non-init_net ns to alter global sysctls */ 1107 if (!net_eq(&init_net, net)) { 1108 table[NF_SYSCTL_CT_MAX].mode = 0444; 1109 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1110 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1111 } 1112 1113 cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1114 if (!cnet->sysctl_header) 1115 goto out_unregister_netfilter; 1116 1117 return 0; 1118 1119 out_unregister_netfilter: 1120 kfree(table); 1121 return -ENOMEM; 1122 } 1123 1124 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1125 { 1126 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1127 struct ctl_table *table; 1128 1129 table = cnet->sysctl_header->ctl_table_arg; 1130 unregister_net_sysctl_table(cnet->sysctl_header); 1131 kfree(table); 1132 } 1133 #else 1134 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1135 { 1136 return 0; 1137 } 1138 1139 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1140 { 1141 } 1142 #endif /* CONFIG_SYSCTL */ 1143 1144 static void nf_conntrack_fini_net(struct net *net) 1145 { 1146 if (enable_hooks) 1147 nf_ct_netns_put(net, NFPROTO_INET); 1148 1149 nf_conntrack_standalone_fini_proc(net); 1150 nf_conntrack_standalone_fini_sysctl(net); 1151 } 1152 1153 static int nf_conntrack_pernet_init(struct net *net) 1154 { 1155 int ret; 1156 1157 net->ct.sysctl_checksum = 1; 1158 1159 ret = nf_conntrack_standalone_init_sysctl(net); 1160 if (ret < 0) 1161 return ret; 1162 1163 ret = nf_conntrack_standalone_init_proc(net); 1164 if (ret < 0) 1165 goto out_proc; 1166 1167 ret = nf_conntrack_init_net(net); 1168 if (ret < 0) 1169 goto out_init_net; 1170 1171 if (enable_hooks) { 1172 ret = nf_ct_netns_get(net, NFPROTO_INET); 1173 if (ret < 0) 1174 goto out_hooks; 1175 } 1176 1177 return 0; 1178 1179 out_hooks: 1180 nf_conntrack_cleanup_net(net); 1181 out_init_net: 1182 nf_conntrack_standalone_fini_proc(net); 1183 out_proc: 1184 nf_conntrack_standalone_fini_sysctl(net); 1185 return ret; 1186 } 1187 1188 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1189 { 1190 struct net *net; 1191 1192 list_for_each_entry(net, net_exit_list, exit_list) 1193 nf_conntrack_fini_net(net); 1194 1195 nf_conntrack_cleanup_net_list(net_exit_list); 1196 } 1197 1198 static struct pernet_operations nf_conntrack_net_ops = { 1199 .init = nf_conntrack_pernet_init, 1200 .exit_batch = nf_conntrack_pernet_exit, 1201 .id = &nf_conntrack_net_id, 1202 .size = sizeof(struct nf_conntrack_net), 1203 }; 1204 1205 static int __init nf_conntrack_standalone_init(void) 1206 { 1207 int ret = nf_conntrack_init_start(); 1208 if (ret < 0) 1209 goto out_start; 1210 1211 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1212 1213 #ifdef CONFIG_SYSCTL 1214 nf_ct_netfilter_header = 1215 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1216 if (!nf_ct_netfilter_header) { 1217 pr_err("nf_conntrack: can't register to sysctl.\n"); 1218 ret = -ENOMEM; 1219 goto out_sysctl; 1220 } 1221 1222 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1223 #endif 1224 1225 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1226 if (ret < 0) 1227 goto out_pernet; 1228 1229 nf_conntrack_init_end(); 1230 return 0; 1231 1232 out_pernet: 1233 #ifdef CONFIG_SYSCTL 1234 unregister_net_sysctl_table(nf_ct_netfilter_header); 1235 out_sysctl: 1236 #endif 1237 nf_conntrack_cleanup_end(); 1238 out_start: 1239 return ret; 1240 } 1241 1242 static void __exit nf_conntrack_standalone_fini(void) 1243 { 1244 nf_conntrack_cleanup_start(); 1245 unregister_pernet_subsys(&nf_conntrack_net_ops); 1246 #ifdef CONFIG_SYSCTL 1247 unregister_net_sysctl_table(nf_ct_netfilter_header); 1248 #endif 1249 nf_conntrack_cleanup_end(); 1250 } 1251 1252 module_init(nf_conntrack_standalone_init); 1253 module_exit(nf_conntrack_standalone_fini); 1254