1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_conntrack.h> 18 #include <net/netfilter/nf_conntrack_core.h> 19 #include <net/netfilter/nf_conntrack_l4proto.h> 20 #include <net/netfilter/nf_conntrack_expect.h> 21 #include <net/netfilter/nf_conntrack_helper.h> 22 #include <net/netfilter/nf_conntrack_acct.h> 23 #include <net/netfilter/nf_conntrack_zones.h> 24 #include <net/netfilter/nf_conntrack_timestamp.h> 25 #include <linux/rculist_nulls.h> 26 27 static bool enable_hooks __read_mostly; 28 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 29 module_param(enable_hooks, bool, 0000); 30 31 unsigned int nf_conntrack_net_id __read_mostly; 32 33 #ifdef CONFIG_NF_CONNTRACK_PROCFS 34 void 35 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 36 const struct nf_conntrack_l4proto *l4proto) 37 { 38 switch (tuple->src.l3num) { 39 case NFPROTO_IPV4: 40 seq_printf(s, "src=%pI4 dst=%pI4 ", 41 &tuple->src.u3.ip, &tuple->dst.u3.ip); 42 break; 43 case NFPROTO_IPV6: 44 seq_printf(s, "src=%pI6 dst=%pI6 ", 45 tuple->src.u3.ip6, tuple->dst.u3.ip6); 46 break; 47 default: 48 break; 49 } 50 51 switch (l4proto->l4proto) { 52 case IPPROTO_ICMP: 53 seq_printf(s, "type=%u code=%u id=%u ", 54 tuple->dst.u.icmp.type, 55 tuple->dst.u.icmp.code, 56 ntohs(tuple->src.u.icmp.id)); 57 break; 58 case IPPROTO_TCP: 59 seq_printf(s, "sport=%hu dport=%hu ", 60 ntohs(tuple->src.u.tcp.port), 61 ntohs(tuple->dst.u.tcp.port)); 62 break; 63 case IPPROTO_UDPLITE: 64 case IPPROTO_UDP: 65 seq_printf(s, "sport=%hu dport=%hu ", 66 ntohs(tuple->src.u.udp.port), 67 ntohs(tuple->dst.u.udp.port)); 68 69 break; 70 case IPPROTO_DCCP: 71 seq_printf(s, "sport=%hu dport=%hu ", 72 ntohs(tuple->src.u.dccp.port), 73 ntohs(tuple->dst.u.dccp.port)); 74 break; 75 case IPPROTO_SCTP: 76 seq_printf(s, "sport=%hu dport=%hu ", 77 ntohs(tuple->src.u.sctp.port), 78 ntohs(tuple->dst.u.sctp.port)); 79 break; 80 case IPPROTO_ICMPV6: 81 seq_printf(s, "type=%u code=%u id=%u ", 82 tuple->dst.u.icmp.type, 83 tuple->dst.u.icmp.code, 84 ntohs(tuple->src.u.icmp.id)); 85 break; 86 case IPPROTO_GRE: 87 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 88 ntohs(tuple->src.u.gre.key), 89 ntohs(tuple->dst.u.gre.key)); 90 break; 91 default: 92 break; 93 } 94 } 95 EXPORT_SYMBOL_GPL(print_tuple); 96 97 struct ct_iter_state { 98 struct seq_net_private p; 99 struct hlist_nulls_head *hash; 100 unsigned int htable_size; 101 unsigned int bucket; 102 u_int64_t time_now; 103 }; 104 105 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 106 { 107 struct ct_iter_state *st = seq->private; 108 struct hlist_nulls_node *n; 109 110 for (st->bucket = 0; 111 st->bucket < st->htable_size; 112 st->bucket++) { 113 n = rcu_dereference( 114 hlist_nulls_first_rcu(&st->hash[st->bucket])); 115 if (!is_a_nulls(n)) 116 return n; 117 } 118 return NULL; 119 } 120 121 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 122 struct hlist_nulls_node *head) 123 { 124 struct ct_iter_state *st = seq->private; 125 126 head = rcu_dereference(hlist_nulls_next_rcu(head)); 127 while (is_a_nulls(head)) { 128 if (likely(get_nulls_value(head) == st->bucket)) { 129 if (++st->bucket >= st->htable_size) 130 return NULL; 131 } 132 head = rcu_dereference( 133 hlist_nulls_first_rcu(&st->hash[st->bucket])); 134 } 135 return head; 136 } 137 138 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 139 { 140 struct hlist_nulls_node *head = ct_get_first(seq); 141 142 if (head) 143 while (pos && (head = ct_get_next(seq, head))) 144 pos--; 145 return pos ? NULL : head; 146 } 147 148 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 149 __acquires(RCU) 150 { 151 struct ct_iter_state *st = seq->private; 152 153 st->time_now = ktime_get_real_ns(); 154 rcu_read_lock(); 155 156 nf_conntrack_get_ht(&st->hash, &st->htable_size); 157 return ct_get_idx(seq, *pos); 158 } 159 160 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 161 { 162 (*pos)++; 163 return ct_get_next(s, v); 164 } 165 166 static void ct_seq_stop(struct seq_file *s, void *v) 167 __releases(RCU) 168 { 169 rcu_read_unlock(); 170 } 171 172 #ifdef CONFIG_NF_CONNTRACK_SECMARK 173 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 174 { 175 int ret; 176 u32 len; 177 char *secctx; 178 179 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 180 if (ret) 181 return; 182 183 seq_printf(s, "secctx=%s ", secctx); 184 185 security_release_secctx(secctx, len); 186 } 187 #else 188 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 189 { 190 } 191 #endif 192 193 #ifdef CONFIG_NF_CONNTRACK_ZONES 194 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 195 int dir) 196 { 197 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 198 199 if (zone->dir != dir) 200 return; 201 switch (zone->dir) { 202 case NF_CT_DEFAULT_ZONE_DIR: 203 seq_printf(s, "zone=%u ", zone->id); 204 break; 205 case NF_CT_ZONE_DIR_ORIG: 206 seq_printf(s, "zone-orig=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_REPL: 209 seq_printf(s, "zone-reply=%u ", zone->id); 210 break; 211 default: 212 break; 213 } 214 } 215 #else 216 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 217 int dir) 218 { 219 } 220 #endif 221 222 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 223 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 224 { 225 struct ct_iter_state *st = s->private; 226 struct nf_conn_tstamp *tstamp; 227 s64 delta_time; 228 229 tstamp = nf_conn_tstamp_find(ct); 230 if (tstamp) { 231 delta_time = st->time_now - tstamp->start; 232 if (delta_time > 0) 233 delta_time = div_s64(delta_time, NSEC_PER_SEC); 234 else 235 delta_time = 0; 236 237 seq_printf(s, "delta-time=%llu ", 238 (unsigned long long)delta_time); 239 } 240 return; 241 } 242 #else 243 static inline void 244 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 245 { 246 } 247 #endif 248 249 static const char* l3proto_name(u16 proto) 250 { 251 switch (proto) { 252 case AF_INET: return "ipv4"; 253 case AF_INET6: return "ipv6"; 254 } 255 256 return "unknown"; 257 } 258 259 static const char* l4proto_name(u16 proto) 260 { 261 switch (proto) { 262 case IPPROTO_ICMP: return "icmp"; 263 case IPPROTO_TCP: return "tcp"; 264 case IPPROTO_UDP: return "udp"; 265 case IPPROTO_DCCP: return "dccp"; 266 case IPPROTO_GRE: return "gre"; 267 case IPPROTO_SCTP: return "sctp"; 268 case IPPROTO_UDPLITE: return "udplite"; 269 } 270 271 return "unknown"; 272 } 273 274 static unsigned int 275 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 276 { 277 struct nf_conn_acct *acct; 278 struct nf_conn_counter *counter; 279 280 acct = nf_conn_acct_find(ct); 281 if (!acct) 282 return 0; 283 284 counter = acct->counter; 285 seq_printf(s, "packets=%llu bytes=%llu ", 286 (unsigned long long)atomic64_read(&counter[dir].packets), 287 (unsigned long long)atomic64_read(&counter[dir].bytes)); 288 289 return 0; 290 } 291 292 /* return 0 on success, 1 in case of error */ 293 static int ct_seq_show(struct seq_file *s, void *v) 294 { 295 struct nf_conntrack_tuple_hash *hash = v; 296 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 297 const struct nf_conntrack_l4proto *l4proto; 298 struct net *net = seq_file_net(s); 299 int ret = 0; 300 301 WARN_ON(!ct); 302 if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use))) 303 return 0; 304 305 if (nf_ct_should_gc(ct)) { 306 nf_ct_kill(ct); 307 goto release; 308 } 309 310 /* we only want to print DIR_ORIGINAL */ 311 if (NF_CT_DIRECTION(hash)) 312 goto release; 313 314 if (!net_eq(nf_ct_net(ct), net)) 315 goto release; 316 317 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 318 319 ret = -ENOSPC; 320 seq_printf(s, "%-8s %u %-8s %u ", 321 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 322 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 323 324 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 325 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 326 327 if (l4proto->print_conntrack) 328 l4proto->print_conntrack(s, ct); 329 330 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 331 l4proto); 332 333 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 334 335 if (seq_has_overflowed(s)) 336 goto release; 337 338 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 339 goto release; 340 341 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 342 seq_puts(s, "[UNREPLIED] "); 343 344 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 345 346 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 347 348 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 349 goto release; 350 351 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 352 seq_puts(s, "[HW_OFFLOAD] "); 353 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 354 seq_puts(s, "[OFFLOAD] "); 355 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 356 seq_puts(s, "[ASSURED] "); 357 358 if (seq_has_overflowed(s)) 359 goto release; 360 361 #if defined(CONFIG_NF_CONNTRACK_MARK) 362 seq_printf(s, "mark=%u ", ct->mark); 363 #endif 364 365 ct_show_secctx(s, ct); 366 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 367 ct_show_delta_time(s, ct); 368 369 seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)); 370 371 if (seq_has_overflowed(s)) 372 goto release; 373 374 ret = 0; 375 release: 376 nf_ct_put(ct); 377 return ret; 378 } 379 380 static const struct seq_operations ct_seq_ops = { 381 .start = ct_seq_start, 382 .next = ct_seq_next, 383 .stop = ct_seq_stop, 384 .show = ct_seq_show 385 }; 386 387 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 388 { 389 struct net *net = seq_file_net(seq); 390 int cpu; 391 392 if (*pos == 0) 393 return SEQ_START_TOKEN; 394 395 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 396 if (!cpu_possible(cpu)) 397 continue; 398 *pos = cpu + 1; 399 return per_cpu_ptr(net->ct.stat, cpu); 400 } 401 402 return NULL; 403 } 404 405 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 406 { 407 struct net *net = seq_file_net(seq); 408 int cpu; 409 410 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 411 if (!cpu_possible(cpu)) 412 continue; 413 *pos = cpu + 1; 414 return per_cpu_ptr(net->ct.stat, cpu); 415 } 416 (*pos)++; 417 return NULL; 418 } 419 420 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 421 { 422 } 423 424 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 425 { 426 struct net *net = seq_file_net(seq); 427 unsigned int nr_conntracks = atomic_read(&net->ct.count); 428 const struct ip_conntrack_stat *st = v; 429 430 if (v == SEQ_START_TOKEN) { 431 seq_puts(seq, "entries clashres found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 432 return 0; 433 } 434 435 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 436 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 437 nr_conntracks, 438 st->clash_resolve, 439 st->found, 440 0, 441 st->invalid, 442 0, 443 0, 444 0, 445 st->insert, 446 st->insert_failed, 447 st->drop, 448 st->early_drop, 449 st->error, 450 451 st->expect_new, 452 st->expect_create, 453 st->expect_delete, 454 st->search_restart 455 ); 456 return 0; 457 } 458 459 static const struct seq_operations ct_cpu_seq_ops = { 460 .start = ct_cpu_seq_start, 461 .next = ct_cpu_seq_next, 462 .stop = ct_cpu_seq_stop, 463 .show = ct_cpu_seq_show, 464 }; 465 466 static int nf_conntrack_standalone_init_proc(struct net *net) 467 { 468 struct proc_dir_entry *pde; 469 kuid_t root_uid; 470 kgid_t root_gid; 471 472 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 473 sizeof(struct ct_iter_state)); 474 if (!pde) 475 goto out_nf_conntrack; 476 477 root_uid = make_kuid(net->user_ns, 0); 478 root_gid = make_kgid(net->user_ns, 0); 479 if (uid_valid(root_uid) && gid_valid(root_gid)) 480 proc_set_user(pde, root_uid, root_gid); 481 482 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 483 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 484 if (!pde) 485 goto out_stat_nf_conntrack; 486 return 0; 487 488 out_stat_nf_conntrack: 489 remove_proc_entry("nf_conntrack", net->proc_net); 490 out_nf_conntrack: 491 return -ENOMEM; 492 } 493 494 static void nf_conntrack_standalone_fini_proc(struct net *net) 495 { 496 remove_proc_entry("nf_conntrack", net->proc_net_stat); 497 remove_proc_entry("nf_conntrack", net->proc_net); 498 } 499 #else 500 static int nf_conntrack_standalone_init_proc(struct net *net) 501 { 502 return 0; 503 } 504 505 static void nf_conntrack_standalone_fini_proc(struct net *net) 506 { 507 } 508 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 509 510 /* Sysctl support */ 511 512 #ifdef CONFIG_SYSCTL 513 /* Log invalid packets of a given protocol */ 514 static int log_invalid_proto_min __read_mostly; 515 static int log_invalid_proto_max __read_mostly = 255; 516 517 /* size the user *wants to set */ 518 static unsigned int nf_conntrack_htable_size_user __read_mostly; 519 520 static int 521 nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 522 void *buffer, size_t *lenp, loff_t *ppos) 523 { 524 int ret; 525 526 /* module_param hashsize could have changed value */ 527 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 528 529 ret = proc_dointvec(table, write, buffer, lenp, ppos); 530 if (ret < 0 || !write) 531 return ret; 532 533 /* update ret, we might not be able to satisfy request */ 534 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 535 536 /* update it to the actual value used by conntrack */ 537 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 538 return ret; 539 } 540 541 static struct ctl_table_header *nf_ct_netfilter_header; 542 543 enum nf_ct_sysctl_index { 544 NF_SYSCTL_CT_MAX, 545 NF_SYSCTL_CT_COUNT, 546 NF_SYSCTL_CT_BUCKETS, 547 NF_SYSCTL_CT_CHECKSUM, 548 NF_SYSCTL_CT_LOG_INVALID, 549 NF_SYSCTL_CT_EXPECT_MAX, 550 NF_SYSCTL_CT_ACCT, 551 NF_SYSCTL_CT_HELPER, 552 #ifdef CONFIG_NF_CONNTRACK_EVENTS 553 NF_SYSCTL_CT_EVENTS, 554 #endif 555 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 556 NF_SYSCTL_CT_TIMESTAMP, 557 #endif 558 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 559 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 560 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 561 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 562 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 563 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 564 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 565 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 566 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 567 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 568 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 569 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 570 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 571 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 572 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 574 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 575 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 576 #ifdef CONFIG_NF_CT_PROTO_SCTP 577 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 578 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 579 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 580 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 581 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 582 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 583 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 584 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 585 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, 586 #endif 587 #ifdef CONFIG_NF_CT_PROTO_DCCP 588 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 589 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 590 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 591 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 592 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 593 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 594 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 595 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 596 #endif 597 #ifdef CONFIG_NF_CT_PROTO_GRE 598 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 600 #endif 601 602 __NF_SYSCTL_CT_LAST_SYSCTL, 603 }; 604 605 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 606 607 static struct ctl_table nf_ct_sysctl_table[] = { 608 [NF_SYSCTL_CT_MAX] = { 609 .procname = "nf_conntrack_max", 610 .data = &nf_conntrack_max, 611 .maxlen = sizeof(int), 612 .mode = 0644, 613 .proc_handler = proc_dointvec, 614 }, 615 [NF_SYSCTL_CT_COUNT] = { 616 .procname = "nf_conntrack_count", 617 .data = &init_net.ct.count, 618 .maxlen = sizeof(int), 619 .mode = 0444, 620 .proc_handler = proc_dointvec, 621 }, 622 [NF_SYSCTL_CT_BUCKETS] = { 623 .procname = "nf_conntrack_buckets", 624 .data = &nf_conntrack_htable_size_user, 625 .maxlen = sizeof(unsigned int), 626 .mode = 0644, 627 .proc_handler = nf_conntrack_hash_sysctl, 628 }, 629 [NF_SYSCTL_CT_CHECKSUM] = { 630 .procname = "nf_conntrack_checksum", 631 .data = &init_net.ct.sysctl_checksum, 632 .maxlen = sizeof(int), 633 .mode = 0644, 634 .proc_handler = proc_dointvec_minmax, 635 .extra1 = SYSCTL_ZERO, 636 .extra2 = SYSCTL_ONE, 637 }, 638 [NF_SYSCTL_CT_LOG_INVALID] = { 639 .procname = "nf_conntrack_log_invalid", 640 .data = &init_net.ct.sysctl_log_invalid, 641 .maxlen = sizeof(unsigned int), 642 .mode = 0644, 643 .proc_handler = proc_dointvec_minmax, 644 .extra1 = &log_invalid_proto_min, 645 .extra2 = &log_invalid_proto_max, 646 }, 647 [NF_SYSCTL_CT_EXPECT_MAX] = { 648 .procname = "nf_conntrack_expect_max", 649 .data = &nf_ct_expect_max, 650 .maxlen = sizeof(int), 651 .mode = 0644, 652 .proc_handler = proc_dointvec, 653 }, 654 [NF_SYSCTL_CT_ACCT] = { 655 .procname = "nf_conntrack_acct", 656 .data = &init_net.ct.sysctl_acct, 657 .maxlen = sizeof(int), 658 .mode = 0644, 659 .proc_handler = proc_dointvec_minmax, 660 .extra1 = SYSCTL_ZERO, 661 .extra2 = SYSCTL_ONE, 662 }, 663 [NF_SYSCTL_CT_HELPER] = { 664 .procname = "nf_conntrack_helper", 665 .data = &init_net.ct.sysctl_auto_assign_helper, 666 .maxlen = sizeof(int), 667 .mode = 0644, 668 .proc_handler = proc_dointvec_minmax, 669 .extra1 = SYSCTL_ZERO, 670 .extra2 = SYSCTL_ONE, 671 }, 672 #ifdef CONFIG_NF_CONNTRACK_EVENTS 673 [NF_SYSCTL_CT_EVENTS] = { 674 .procname = "nf_conntrack_events", 675 .data = &init_net.ct.sysctl_events, 676 .maxlen = sizeof(int), 677 .mode = 0644, 678 .proc_handler = proc_dointvec_minmax, 679 .extra1 = SYSCTL_ZERO, 680 .extra2 = SYSCTL_ONE, 681 }, 682 #endif 683 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 684 [NF_SYSCTL_CT_TIMESTAMP] = { 685 .procname = "nf_conntrack_timestamp", 686 .data = &init_net.ct.sysctl_tstamp, 687 .maxlen = sizeof(int), 688 .mode = 0644, 689 .proc_handler = proc_dointvec_minmax, 690 .extra1 = SYSCTL_ZERO, 691 .extra2 = SYSCTL_ONE, 692 }, 693 #endif 694 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 695 .procname = "nf_conntrack_generic_timeout", 696 .maxlen = sizeof(unsigned int), 697 .mode = 0644, 698 .proc_handler = proc_dointvec_jiffies, 699 }, 700 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 701 .procname = "nf_conntrack_tcp_timeout_syn_sent", 702 .maxlen = sizeof(unsigned int), 703 .mode = 0644, 704 .proc_handler = proc_dointvec_jiffies, 705 }, 706 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 707 .procname = "nf_conntrack_tcp_timeout_syn_recv", 708 .maxlen = sizeof(unsigned int), 709 .mode = 0644, 710 .proc_handler = proc_dointvec_jiffies, 711 }, 712 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 713 .procname = "nf_conntrack_tcp_timeout_established", 714 .maxlen = sizeof(unsigned int), 715 .mode = 0644, 716 .proc_handler = proc_dointvec_jiffies, 717 }, 718 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 719 .procname = "nf_conntrack_tcp_timeout_fin_wait", 720 .maxlen = sizeof(unsigned int), 721 .mode = 0644, 722 .proc_handler = proc_dointvec_jiffies, 723 }, 724 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 725 .procname = "nf_conntrack_tcp_timeout_close_wait", 726 .maxlen = sizeof(unsigned int), 727 .mode = 0644, 728 .proc_handler = proc_dointvec_jiffies, 729 }, 730 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 731 .procname = "nf_conntrack_tcp_timeout_last_ack", 732 .maxlen = sizeof(unsigned int), 733 .mode = 0644, 734 .proc_handler = proc_dointvec_jiffies, 735 }, 736 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 737 .procname = "nf_conntrack_tcp_timeout_time_wait", 738 .maxlen = sizeof(unsigned int), 739 .mode = 0644, 740 .proc_handler = proc_dointvec_jiffies, 741 }, 742 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 743 .procname = "nf_conntrack_tcp_timeout_close", 744 .maxlen = sizeof(unsigned int), 745 .mode = 0644, 746 .proc_handler = proc_dointvec_jiffies, 747 }, 748 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 749 .procname = "nf_conntrack_tcp_timeout_max_retrans", 750 .maxlen = sizeof(unsigned int), 751 .mode = 0644, 752 .proc_handler = proc_dointvec_jiffies, 753 }, 754 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 755 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 756 .maxlen = sizeof(unsigned int), 757 .mode = 0644, 758 .proc_handler = proc_dointvec_jiffies, 759 }, 760 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 761 .procname = "nf_conntrack_tcp_loose", 762 .maxlen = sizeof(int), 763 .mode = 0644, 764 .proc_handler = proc_dointvec_minmax, 765 .extra1 = SYSCTL_ZERO, 766 .extra2 = SYSCTL_ONE, 767 }, 768 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 769 .procname = "nf_conntrack_tcp_be_liberal", 770 .maxlen = sizeof(int), 771 .mode = 0644, 772 .proc_handler = proc_dointvec_minmax, 773 .extra1 = SYSCTL_ZERO, 774 .extra2 = SYSCTL_ONE, 775 }, 776 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 777 .procname = "nf_conntrack_tcp_max_retrans", 778 .maxlen = sizeof(unsigned int), 779 .mode = 0644, 780 .proc_handler = proc_dointvec, 781 }, 782 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 783 .procname = "nf_conntrack_udp_timeout", 784 .maxlen = sizeof(unsigned int), 785 .mode = 0644, 786 .proc_handler = proc_dointvec_jiffies, 787 }, 788 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 789 .procname = "nf_conntrack_udp_timeout_stream", 790 .maxlen = sizeof(unsigned int), 791 .mode = 0644, 792 .proc_handler = proc_dointvec_jiffies, 793 }, 794 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 795 .procname = "nf_conntrack_icmp_timeout", 796 .maxlen = sizeof(unsigned int), 797 .mode = 0644, 798 .proc_handler = proc_dointvec_jiffies, 799 }, 800 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 801 .procname = "nf_conntrack_icmpv6_timeout", 802 .maxlen = sizeof(unsigned int), 803 .mode = 0644, 804 .proc_handler = proc_dointvec_jiffies, 805 }, 806 #ifdef CONFIG_NF_CT_PROTO_SCTP 807 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 808 .procname = "nf_conntrack_sctp_timeout_closed", 809 .maxlen = sizeof(unsigned int), 810 .mode = 0644, 811 .proc_handler = proc_dointvec_jiffies, 812 }, 813 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 814 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 815 .maxlen = sizeof(unsigned int), 816 .mode = 0644, 817 .proc_handler = proc_dointvec_jiffies, 818 }, 819 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 820 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 821 .maxlen = sizeof(unsigned int), 822 .mode = 0644, 823 .proc_handler = proc_dointvec_jiffies, 824 }, 825 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 826 .procname = "nf_conntrack_sctp_timeout_established", 827 .maxlen = sizeof(unsigned int), 828 .mode = 0644, 829 .proc_handler = proc_dointvec_jiffies, 830 }, 831 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 832 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 833 .maxlen = sizeof(unsigned int), 834 .mode = 0644, 835 .proc_handler = proc_dointvec_jiffies, 836 }, 837 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 838 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 839 .maxlen = sizeof(unsigned int), 840 .mode = 0644, 841 .proc_handler = proc_dointvec_jiffies, 842 }, 843 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 844 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 845 .maxlen = sizeof(unsigned int), 846 .mode = 0644, 847 .proc_handler = proc_dointvec_jiffies, 848 }, 849 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 850 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 851 .maxlen = sizeof(unsigned int), 852 .mode = 0644, 853 .proc_handler = proc_dointvec_jiffies, 854 }, 855 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { 856 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked", 857 .maxlen = sizeof(unsigned int), 858 .mode = 0644, 859 .proc_handler = proc_dointvec_jiffies, 860 }, 861 #endif 862 #ifdef CONFIG_NF_CT_PROTO_DCCP 863 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 864 .procname = "nf_conntrack_dccp_timeout_request", 865 .maxlen = sizeof(unsigned int), 866 .mode = 0644, 867 .proc_handler = proc_dointvec_jiffies, 868 }, 869 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 870 .procname = "nf_conntrack_dccp_timeout_respond", 871 .maxlen = sizeof(unsigned int), 872 .mode = 0644, 873 .proc_handler = proc_dointvec_jiffies, 874 }, 875 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 876 .procname = "nf_conntrack_dccp_timeout_partopen", 877 .maxlen = sizeof(unsigned int), 878 .mode = 0644, 879 .proc_handler = proc_dointvec_jiffies, 880 }, 881 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 882 .procname = "nf_conntrack_dccp_timeout_open", 883 .maxlen = sizeof(unsigned int), 884 .mode = 0644, 885 .proc_handler = proc_dointvec_jiffies, 886 }, 887 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 888 .procname = "nf_conntrack_dccp_timeout_closereq", 889 .maxlen = sizeof(unsigned int), 890 .mode = 0644, 891 .proc_handler = proc_dointvec_jiffies, 892 }, 893 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 894 .procname = "nf_conntrack_dccp_timeout_closing", 895 .maxlen = sizeof(unsigned int), 896 .mode = 0644, 897 .proc_handler = proc_dointvec_jiffies, 898 }, 899 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 900 .procname = "nf_conntrack_dccp_timeout_timewait", 901 .maxlen = sizeof(unsigned int), 902 .mode = 0644, 903 .proc_handler = proc_dointvec_jiffies, 904 }, 905 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 906 .procname = "nf_conntrack_dccp_loose", 907 .maxlen = sizeof(int), 908 .mode = 0644, 909 .proc_handler = proc_dointvec_minmax, 910 .extra1 = SYSCTL_ZERO, 911 .extra2 = SYSCTL_ONE, 912 }, 913 #endif 914 #ifdef CONFIG_NF_CT_PROTO_GRE 915 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 916 .procname = "nf_conntrack_gre_timeout", 917 .maxlen = sizeof(unsigned int), 918 .mode = 0644, 919 .proc_handler = proc_dointvec_jiffies, 920 }, 921 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 922 .procname = "nf_conntrack_gre_timeout_stream", 923 .maxlen = sizeof(unsigned int), 924 .mode = 0644, 925 .proc_handler = proc_dointvec_jiffies, 926 }, 927 #endif 928 {} 929 }; 930 931 static struct ctl_table nf_ct_netfilter_table[] = { 932 { 933 .procname = "nf_conntrack_max", 934 .data = &nf_conntrack_max, 935 .maxlen = sizeof(int), 936 .mode = 0644, 937 .proc_handler = proc_dointvec, 938 }, 939 { } 940 }; 941 942 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 943 struct ctl_table *table) 944 { 945 struct nf_tcp_net *tn = nf_tcp_pernet(net); 946 947 #define XASSIGN(XNAME, tn) \ 948 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 949 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 950 951 XASSIGN(SYN_SENT, tn); 952 XASSIGN(SYN_RECV, tn); 953 XASSIGN(ESTABLISHED, tn); 954 XASSIGN(FIN_WAIT, tn); 955 XASSIGN(CLOSE_WAIT, tn); 956 XASSIGN(LAST_ACK, tn); 957 XASSIGN(TIME_WAIT, tn); 958 XASSIGN(CLOSE, tn); 959 XASSIGN(RETRANS, tn); 960 XASSIGN(UNACK, tn); 961 #undef XASSIGN 962 #define XASSIGN(XNAME, rval) \ 963 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 964 965 XASSIGN(LOOSE, &tn->tcp_loose); 966 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 967 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 968 #undef XASSIGN 969 } 970 971 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 972 struct ctl_table *table) 973 { 974 #ifdef CONFIG_NF_CT_PROTO_SCTP 975 struct nf_sctp_net *sn = nf_sctp_pernet(net); 976 977 #define XASSIGN(XNAME, sn) \ 978 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 979 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 980 981 XASSIGN(CLOSED, sn); 982 XASSIGN(COOKIE_WAIT, sn); 983 XASSIGN(COOKIE_ECHOED, sn); 984 XASSIGN(ESTABLISHED, sn); 985 XASSIGN(SHUTDOWN_SENT, sn); 986 XASSIGN(SHUTDOWN_RECD, sn); 987 XASSIGN(SHUTDOWN_ACK_SENT, sn); 988 XASSIGN(HEARTBEAT_SENT, sn); 989 XASSIGN(HEARTBEAT_ACKED, sn); 990 #undef XASSIGN 991 #endif 992 } 993 994 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 995 struct ctl_table *table) 996 { 997 #ifdef CONFIG_NF_CT_PROTO_DCCP 998 struct nf_dccp_net *dn = nf_dccp_pernet(net); 999 1000 #define XASSIGN(XNAME, dn) \ 1001 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1002 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1003 1004 XASSIGN(REQUEST, dn); 1005 XASSIGN(RESPOND, dn); 1006 XASSIGN(PARTOPEN, dn); 1007 XASSIGN(OPEN, dn); 1008 XASSIGN(CLOSEREQ, dn); 1009 XASSIGN(CLOSING, dn); 1010 XASSIGN(TIMEWAIT, dn); 1011 #undef XASSIGN 1012 1013 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1014 #endif 1015 } 1016 1017 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1018 struct ctl_table *table) 1019 { 1020 #ifdef CONFIG_NF_CT_PROTO_GRE 1021 struct nf_gre_net *gn = nf_gre_pernet(net); 1022 1023 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1024 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1025 #endif 1026 } 1027 1028 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1029 { 1030 struct nf_udp_net *un = nf_udp_pernet(net); 1031 struct ctl_table *table; 1032 1033 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1034 1035 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1036 GFP_KERNEL); 1037 if (!table) 1038 return -ENOMEM; 1039 1040 table[NF_SYSCTL_CT_COUNT].data = &net->ct.count; 1041 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1042 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1043 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1044 table[NF_SYSCTL_CT_HELPER].data = &net->ct.sysctl_auto_assign_helper; 1045 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1046 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1047 #endif 1048 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1049 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1050 #endif 1051 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1052 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1053 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1054 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1055 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1056 1057 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1058 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1059 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1060 nf_conntrack_standalone_init_gre_sysctl(net, table); 1061 1062 /* Don't allow unprivileged users to alter certain sysctls */ 1063 if (net->user_ns != &init_user_ns) { 1064 table[NF_SYSCTL_CT_MAX].mode = 0444; 1065 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1066 table[NF_SYSCTL_CT_HELPER].mode = 0444; 1067 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1068 table[NF_SYSCTL_CT_EVENTS].mode = 0444; 1069 #endif 1070 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1071 } else if (!net_eq(&init_net, net)) { 1072 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1073 } 1074 1075 net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1076 if (!net->ct.sysctl_header) 1077 goto out_unregister_netfilter; 1078 1079 return 0; 1080 1081 out_unregister_netfilter: 1082 kfree(table); 1083 return -ENOMEM; 1084 } 1085 1086 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1087 { 1088 struct ctl_table *table; 1089 1090 table = net->ct.sysctl_header->ctl_table_arg; 1091 unregister_net_sysctl_table(net->ct.sysctl_header); 1092 kfree(table); 1093 } 1094 #else 1095 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1096 { 1097 return 0; 1098 } 1099 1100 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1101 { 1102 } 1103 #endif /* CONFIG_SYSCTL */ 1104 1105 static void nf_conntrack_fini_net(struct net *net) 1106 { 1107 if (enable_hooks) 1108 nf_ct_netns_put(net, NFPROTO_INET); 1109 1110 nf_conntrack_standalone_fini_proc(net); 1111 nf_conntrack_standalone_fini_sysctl(net); 1112 } 1113 1114 static int nf_conntrack_pernet_init(struct net *net) 1115 { 1116 int ret; 1117 1118 net->ct.sysctl_checksum = 1; 1119 1120 ret = nf_conntrack_standalone_init_sysctl(net); 1121 if (ret < 0) 1122 return ret; 1123 1124 ret = nf_conntrack_standalone_init_proc(net); 1125 if (ret < 0) 1126 goto out_proc; 1127 1128 ret = nf_conntrack_init_net(net); 1129 if (ret < 0) 1130 goto out_init_net; 1131 1132 if (enable_hooks) { 1133 ret = nf_ct_netns_get(net, NFPROTO_INET); 1134 if (ret < 0) 1135 goto out_hooks; 1136 } 1137 1138 return 0; 1139 1140 out_hooks: 1141 nf_conntrack_cleanup_net(net); 1142 out_init_net: 1143 nf_conntrack_standalone_fini_proc(net); 1144 out_proc: 1145 nf_conntrack_standalone_fini_sysctl(net); 1146 return ret; 1147 } 1148 1149 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1150 { 1151 struct net *net; 1152 1153 list_for_each_entry(net, net_exit_list, exit_list) 1154 nf_conntrack_fini_net(net); 1155 1156 nf_conntrack_cleanup_net_list(net_exit_list); 1157 } 1158 1159 static struct pernet_operations nf_conntrack_net_ops = { 1160 .init = nf_conntrack_pernet_init, 1161 .exit_batch = nf_conntrack_pernet_exit, 1162 .id = &nf_conntrack_net_id, 1163 .size = sizeof(struct nf_conntrack_net), 1164 }; 1165 1166 static int __init nf_conntrack_standalone_init(void) 1167 { 1168 int ret = nf_conntrack_init_start(); 1169 if (ret < 0) 1170 goto out_start; 1171 1172 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1173 1174 #ifdef CONFIG_SYSCTL 1175 nf_ct_netfilter_header = 1176 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1177 if (!nf_ct_netfilter_header) { 1178 pr_err("nf_conntrack: can't register to sysctl.\n"); 1179 ret = -ENOMEM; 1180 goto out_sysctl; 1181 } 1182 1183 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1184 #endif 1185 1186 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1187 if (ret < 0) 1188 goto out_pernet; 1189 1190 nf_conntrack_init_end(); 1191 return 0; 1192 1193 out_pernet: 1194 #ifdef CONFIG_SYSCTL 1195 unregister_net_sysctl_table(nf_ct_netfilter_header); 1196 out_sysctl: 1197 #endif 1198 nf_conntrack_cleanup_end(); 1199 out_start: 1200 return ret; 1201 } 1202 1203 static void __exit nf_conntrack_standalone_fini(void) 1204 { 1205 nf_conntrack_cleanup_start(); 1206 unregister_pernet_subsys(&nf_conntrack_net_ops); 1207 #ifdef CONFIG_SYSCTL 1208 unregister_net_sysctl_table(nf_ct_netfilter_header); 1209 #endif 1210 nf_conntrack_cleanup_end(); 1211 } 1212 1213 module_init(nf_conntrack_standalone_init); 1214 module_exit(nf_conntrack_standalone_fini); 1215