1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/types.h> 3 #include <linux/netfilter.h> 4 #include <linux/slab.h> 5 #include <linux/module.h> 6 #include <linux/skbuff.h> 7 #include <linux/proc_fs.h> 8 #include <linux/seq_file.h> 9 #include <linux/percpu.h> 10 #include <linux/netdevice.h> 11 #include <linux/security.h> 12 #include <net/net_namespace.h> 13 #ifdef CONFIG_SYSCTL 14 #include <linux/sysctl.h> 15 #endif 16 17 #include <net/netfilter/nf_conntrack.h> 18 #include <net/netfilter/nf_conntrack_core.h> 19 #include <net/netfilter/nf_conntrack_l4proto.h> 20 #include <net/netfilter/nf_conntrack_expect.h> 21 #include <net/netfilter/nf_conntrack_helper.h> 22 #include <net/netfilter/nf_conntrack_acct.h> 23 #include <net/netfilter/nf_conntrack_zones.h> 24 #include <net/netfilter/nf_conntrack_timestamp.h> 25 #include <linux/rculist_nulls.h> 26 27 static bool enable_hooks __read_mostly; 28 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 29 module_param(enable_hooks, bool, 0000); 30 31 unsigned int nf_conntrack_net_id __read_mostly; 32 33 #ifdef CONFIG_NF_CONNTRACK_PROCFS 34 void 35 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 36 const struct nf_conntrack_l4proto *l4proto) 37 { 38 switch (tuple->src.l3num) { 39 case NFPROTO_IPV4: 40 seq_printf(s, "src=%pI4 dst=%pI4 ", 41 &tuple->src.u3.ip, &tuple->dst.u3.ip); 42 break; 43 case NFPROTO_IPV6: 44 seq_printf(s, "src=%pI6 dst=%pI6 ", 45 tuple->src.u3.ip6, tuple->dst.u3.ip6); 46 break; 47 default: 48 break; 49 } 50 51 switch (l4proto->l4proto) { 52 case IPPROTO_ICMP: 53 seq_printf(s, "type=%u code=%u id=%u ", 54 tuple->dst.u.icmp.type, 55 tuple->dst.u.icmp.code, 56 ntohs(tuple->src.u.icmp.id)); 57 break; 58 case IPPROTO_TCP: 59 seq_printf(s, "sport=%hu dport=%hu ", 60 ntohs(tuple->src.u.tcp.port), 61 ntohs(tuple->dst.u.tcp.port)); 62 break; 63 case IPPROTO_UDPLITE: 64 case IPPROTO_UDP: 65 seq_printf(s, "sport=%hu dport=%hu ", 66 ntohs(tuple->src.u.udp.port), 67 ntohs(tuple->dst.u.udp.port)); 68 69 break; 70 case IPPROTO_DCCP: 71 seq_printf(s, "sport=%hu dport=%hu ", 72 ntohs(tuple->src.u.dccp.port), 73 ntohs(tuple->dst.u.dccp.port)); 74 break; 75 case IPPROTO_SCTP: 76 seq_printf(s, "sport=%hu dport=%hu ", 77 ntohs(tuple->src.u.sctp.port), 78 ntohs(tuple->dst.u.sctp.port)); 79 break; 80 case IPPROTO_ICMPV6: 81 seq_printf(s, "type=%u code=%u id=%u ", 82 tuple->dst.u.icmp.type, 83 tuple->dst.u.icmp.code, 84 ntohs(tuple->src.u.icmp.id)); 85 break; 86 case IPPROTO_GRE: 87 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 88 ntohs(tuple->src.u.gre.key), 89 ntohs(tuple->dst.u.gre.key)); 90 break; 91 default: 92 break; 93 } 94 } 95 EXPORT_SYMBOL_GPL(print_tuple); 96 97 struct ct_iter_state { 98 struct seq_net_private p; 99 struct hlist_nulls_head *hash; 100 unsigned int htable_size; 101 unsigned int skip_elems; 102 unsigned int bucket; 103 u_int64_t time_now; 104 }; 105 106 static struct nf_conntrack_tuple_hash *ct_get_next(const struct net *net, 107 struct ct_iter_state *st) 108 { 109 struct nf_conntrack_tuple_hash *h; 110 struct hlist_nulls_node *n; 111 unsigned int i; 112 113 for (i = st->bucket; i < st->htable_size; i++) { 114 unsigned int skip = 0; 115 116 restart: 117 hlist_nulls_for_each_entry_rcu(h, n, &st->hash[i], hnnode) { 118 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); 119 struct hlist_nulls_node *tmp = n; 120 121 if (!net_eq(net, nf_ct_net(ct))) 122 continue; 123 124 if (++skip <= st->skip_elems) 125 continue; 126 127 /* h should be returned, skip to nulls marker. */ 128 while (!is_a_nulls(tmp)) 129 tmp = rcu_dereference(hlist_nulls_next_rcu(tmp)); 130 131 /* check if h is still linked to hash[i] */ 132 if (get_nulls_value(tmp) != i) { 133 skip = 0; 134 goto restart; 135 } 136 137 st->skip_elems = skip; 138 st->bucket = i; 139 return h; 140 } 141 142 skip = 0; 143 if (get_nulls_value(n) != i) 144 goto restart; 145 146 st->skip_elems = 0; 147 } 148 149 st->bucket = i; 150 return NULL; 151 } 152 153 static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 154 __acquires(RCU) 155 { 156 struct ct_iter_state *st = seq->private; 157 struct net *net = seq_file_net(seq); 158 159 st->time_now = ktime_get_real_ns(); 160 rcu_read_lock(); 161 162 nf_conntrack_get_ht(&st->hash, &st->htable_size); 163 164 if (*pos == 0) { 165 st->skip_elems = 0; 166 st->bucket = 0; 167 } else if (st->skip_elems) { 168 /* resume from last dumped entry */ 169 st->skip_elems--; 170 } 171 172 return ct_get_next(net, st); 173 } 174 175 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 176 { 177 struct ct_iter_state *st = s->private; 178 struct net *net = seq_file_net(s); 179 180 (*pos)++; 181 return ct_get_next(net, st); 182 } 183 184 static void ct_seq_stop(struct seq_file *s, void *v) 185 __releases(RCU) 186 { 187 rcu_read_unlock(); 188 } 189 190 #ifdef CONFIG_NF_CONNTRACK_SECMARK 191 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 192 { 193 struct lsm_context ctx; 194 int ret; 195 196 ret = security_secid_to_secctx(ct->secmark, &ctx); 197 if (ret < 0) 198 return; 199 200 seq_printf(s, "secctx=%s ", ctx.context); 201 202 security_release_secctx(&ctx); 203 } 204 #else 205 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 206 { 207 } 208 #endif 209 210 #ifdef CONFIG_NF_CONNTRACK_ZONES 211 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 212 int dir) 213 { 214 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 215 216 if (zone->dir != dir) 217 return; 218 switch (zone->dir) { 219 case NF_CT_DEFAULT_ZONE_DIR: 220 seq_printf(s, "zone=%u ", zone->id); 221 break; 222 case NF_CT_ZONE_DIR_ORIG: 223 seq_printf(s, "zone-orig=%u ", zone->id); 224 break; 225 case NF_CT_ZONE_DIR_REPL: 226 seq_printf(s, "zone-reply=%u ", zone->id); 227 break; 228 default: 229 break; 230 } 231 } 232 #else 233 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 234 int dir) 235 { 236 } 237 #endif 238 239 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 240 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 241 { 242 struct ct_iter_state *st = s->private; 243 struct nf_conn_tstamp *tstamp; 244 s64 delta_time; 245 246 tstamp = nf_conn_tstamp_find(ct); 247 if (tstamp) { 248 delta_time = st->time_now - tstamp->start; 249 if (delta_time > 0) 250 delta_time = div_s64(delta_time, NSEC_PER_SEC); 251 else 252 delta_time = 0; 253 254 seq_printf(s, "delta-time=%llu ", 255 (unsigned long long)delta_time); 256 } 257 return; 258 } 259 #else 260 static inline void 261 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 262 { 263 } 264 #endif 265 266 static const char* l3proto_name(u16 proto) 267 { 268 switch (proto) { 269 case AF_INET: return "ipv4"; 270 case AF_INET6: return "ipv6"; 271 } 272 273 return "unknown"; 274 } 275 276 static const char* l4proto_name(u16 proto) 277 { 278 switch (proto) { 279 case IPPROTO_ICMP: return "icmp"; 280 case IPPROTO_TCP: return "tcp"; 281 case IPPROTO_UDP: return "udp"; 282 case IPPROTO_DCCP: return "dccp"; 283 case IPPROTO_GRE: return "gre"; 284 case IPPROTO_SCTP: return "sctp"; 285 case IPPROTO_UDPLITE: return "udplite"; 286 case IPPROTO_ICMPV6: return "icmpv6"; 287 } 288 289 return "unknown"; 290 } 291 292 static void 293 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 294 { 295 struct nf_conn_acct *acct; 296 struct nf_conn_counter *counter; 297 298 acct = nf_conn_acct_find(ct); 299 if (!acct) 300 return; 301 302 counter = acct->counter; 303 seq_printf(s, "packets=%llu bytes=%llu ", 304 (unsigned long long)atomic64_read(&counter[dir].packets), 305 (unsigned long long)atomic64_read(&counter[dir].bytes)); 306 } 307 308 /* return 0 on success, 1 in case of error */ 309 static int ct_seq_show(struct seq_file *s, void *v) 310 { 311 struct nf_conntrack_tuple_hash *hash = v; 312 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 313 const struct nf_conntrack_l4proto *l4proto; 314 struct net *net = seq_file_net(s); 315 int ret = 0; 316 317 WARN_ON(!ct); 318 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use))) 319 return 0; 320 321 /* load ->status after refcount increase */ 322 smp_acquire__after_ctrl_dep(); 323 324 if (nf_ct_should_gc(ct)) { 325 nf_ct_kill(ct); 326 goto release; 327 } 328 329 /* we only want to print DIR_ORIGINAL */ 330 if (NF_CT_DIRECTION(hash)) 331 goto release; 332 333 if (!net_eq(nf_ct_net(ct), net)) 334 goto release; 335 336 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 337 338 ret = -ENOSPC; 339 seq_printf(s, "%-8s %u %-8s %u ", 340 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 341 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 342 343 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 344 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 345 346 if (l4proto->print_conntrack) 347 l4proto->print_conntrack(s, ct); 348 349 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 350 l4proto); 351 352 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 353 354 if (seq_has_overflowed(s)) 355 goto release; 356 357 seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL); 358 359 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 360 seq_puts(s, "[UNREPLIED] "); 361 362 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 363 364 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 365 366 seq_print_acct(s, ct, IP_CT_DIR_REPLY); 367 368 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status)) 369 seq_puts(s, "[HW_OFFLOAD] "); 370 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 371 seq_puts(s, "[OFFLOAD] "); 372 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 373 seq_puts(s, "[ASSURED] "); 374 375 if (seq_has_overflowed(s)) 376 goto release; 377 378 #if defined(CONFIG_NF_CONNTRACK_MARK) 379 seq_printf(s, "mark=%u ", READ_ONCE(ct->mark)); 380 #endif 381 382 ct_show_secctx(s, ct); 383 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 384 ct_show_delta_time(s, ct); 385 386 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use)); 387 388 if (seq_has_overflowed(s)) 389 goto release; 390 391 ret = 0; 392 release: 393 nf_ct_put(ct); 394 return ret; 395 } 396 397 static const struct seq_operations ct_seq_ops = { 398 .start = ct_seq_start, 399 .next = ct_seq_next, 400 .stop = ct_seq_stop, 401 .show = ct_seq_show 402 }; 403 404 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 405 { 406 struct net *net = seq_file_net(seq); 407 int cpu; 408 409 if (*pos == 0) 410 return SEQ_START_TOKEN; 411 412 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 413 if (!cpu_possible(cpu)) 414 continue; 415 *pos = cpu + 1; 416 return per_cpu_ptr(net->ct.stat, cpu); 417 } 418 419 return NULL; 420 } 421 422 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 423 { 424 struct net *net = seq_file_net(seq); 425 int cpu; 426 427 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 428 if (!cpu_possible(cpu)) 429 continue; 430 *pos = cpu + 1; 431 return per_cpu_ptr(net->ct.stat, cpu); 432 } 433 (*pos)++; 434 return NULL; 435 } 436 437 static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 438 { 439 } 440 441 static int ct_cpu_seq_show(struct seq_file *seq, void *v) 442 { 443 struct net *net = seq_file_net(seq); 444 const struct ip_conntrack_stat *st = v; 445 unsigned int nr_conntracks; 446 447 if (v == SEQ_START_TOKEN) { 448 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 449 return 0; 450 } 451 452 nr_conntracks = nf_conntrack_count(net); 453 454 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 455 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 456 nr_conntracks, 457 st->clash_resolve, 458 st->found, 459 0, 460 st->invalid, 461 0, 462 0, 463 st->chaintoolong, 464 st->insert, 465 st->insert_failed, 466 st->drop, 467 st->early_drop, 468 st->error, 469 470 st->expect_new, 471 st->expect_create, 472 st->expect_delete, 473 st->search_restart 474 ); 475 return 0; 476 } 477 478 static const struct seq_operations ct_cpu_seq_ops = { 479 .start = ct_cpu_seq_start, 480 .next = ct_cpu_seq_next, 481 .stop = ct_cpu_seq_stop, 482 .show = ct_cpu_seq_show, 483 }; 484 485 static int nf_conntrack_standalone_init_proc(struct net *net) 486 { 487 struct proc_dir_entry *pde; 488 kuid_t root_uid; 489 kgid_t root_gid; 490 491 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 492 sizeof(struct ct_iter_state)); 493 if (!pde) 494 goto out_nf_conntrack; 495 496 root_uid = make_kuid(net->user_ns, 0); 497 root_gid = make_kgid(net->user_ns, 0); 498 if (uid_valid(root_uid) && gid_valid(root_gid)) 499 proc_set_user(pde, root_uid, root_gid); 500 501 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 502 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 503 if (!pde) 504 goto out_stat_nf_conntrack; 505 return 0; 506 507 out_stat_nf_conntrack: 508 remove_proc_entry("nf_conntrack", net->proc_net); 509 out_nf_conntrack: 510 return -ENOMEM; 511 } 512 513 static void nf_conntrack_standalone_fini_proc(struct net *net) 514 { 515 remove_proc_entry("nf_conntrack", net->proc_net_stat); 516 remove_proc_entry("nf_conntrack", net->proc_net); 517 } 518 #else 519 static int nf_conntrack_standalone_init_proc(struct net *net) 520 { 521 return 0; 522 } 523 524 static void nf_conntrack_standalone_fini_proc(struct net *net) 525 { 526 } 527 #endif /* CONFIG_NF_CONNTRACK_PROCFS */ 528 529 u32 nf_conntrack_count(const struct net *net) 530 { 531 const struct nf_conntrack_net *cnet = nf_ct_pernet(net); 532 533 return atomic_read(&cnet->count); 534 } 535 EXPORT_SYMBOL_GPL(nf_conntrack_count); 536 537 /* Sysctl support */ 538 539 #ifdef CONFIG_SYSCTL 540 /* size the user *wants to set */ 541 static unsigned int nf_conntrack_htable_size_user __read_mostly; 542 543 static int 544 nf_conntrack_hash_sysctl(const struct ctl_table *table, int write, 545 void *buffer, size_t *lenp, loff_t *ppos) 546 { 547 int ret; 548 549 /* module_param hashsize could have changed value */ 550 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 551 552 ret = proc_dointvec(table, write, buffer, lenp, ppos); 553 if (ret < 0 || !write) 554 return ret; 555 556 /* update ret, we might not be able to satisfy request */ 557 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 558 559 /* update it to the actual value used by conntrack */ 560 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 561 return ret; 562 } 563 564 static struct ctl_table_header *nf_ct_netfilter_header; 565 566 enum nf_ct_sysctl_index { 567 NF_SYSCTL_CT_MAX, 568 NF_SYSCTL_CT_COUNT, 569 NF_SYSCTL_CT_BUCKETS, 570 NF_SYSCTL_CT_CHECKSUM, 571 NF_SYSCTL_CT_LOG_INVALID, 572 NF_SYSCTL_CT_EXPECT_MAX, 573 NF_SYSCTL_CT_ACCT, 574 #ifdef CONFIG_NF_CONNTRACK_EVENTS 575 NF_SYSCTL_CT_EVENTS, 576 #endif 577 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 578 NF_SYSCTL_CT_TIMESTAMP, 579 #endif 580 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 581 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 582 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 583 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 584 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 585 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 586 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 587 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 588 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 589 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 590 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 591 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 592 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD, 593 #endif 594 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 595 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 596 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST, 597 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 598 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 599 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 600 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 601 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD, 602 #endif 603 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 604 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 605 #ifdef CONFIG_NF_CT_PROTO_SCTP 606 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 607 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 608 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 609 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 610 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 611 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 612 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 613 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 614 #endif 615 #ifdef CONFIG_NF_CT_PROTO_DCCP 616 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 617 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 618 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 619 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 620 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 621 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 622 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 623 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 624 #endif 625 #ifdef CONFIG_NF_CT_PROTO_GRE 626 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 627 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 628 #endif 629 630 NF_SYSCTL_CT_LAST_SYSCTL, 631 }; 632 633 static struct ctl_table nf_ct_sysctl_table[] = { 634 [NF_SYSCTL_CT_MAX] = { 635 .procname = "nf_conntrack_max", 636 .data = &nf_conntrack_max, 637 .maxlen = sizeof(int), 638 .mode = 0644, 639 .proc_handler = proc_dointvec_minmax, 640 .extra1 = SYSCTL_ZERO, 641 .extra2 = SYSCTL_INT_MAX, 642 }, 643 [NF_SYSCTL_CT_COUNT] = { 644 .procname = "nf_conntrack_count", 645 .maxlen = sizeof(int), 646 .mode = 0444, 647 .proc_handler = proc_dointvec, 648 }, 649 [NF_SYSCTL_CT_BUCKETS] = { 650 .procname = "nf_conntrack_buckets", 651 .data = &nf_conntrack_htable_size_user, 652 .maxlen = sizeof(unsigned int), 653 .mode = 0644, 654 .proc_handler = nf_conntrack_hash_sysctl, 655 }, 656 [NF_SYSCTL_CT_CHECKSUM] = { 657 .procname = "nf_conntrack_checksum", 658 .data = &init_net.ct.sysctl_checksum, 659 .maxlen = sizeof(u8), 660 .mode = 0644, 661 .proc_handler = proc_dou8vec_minmax, 662 .extra1 = SYSCTL_ZERO, 663 .extra2 = SYSCTL_ONE, 664 }, 665 [NF_SYSCTL_CT_LOG_INVALID] = { 666 .procname = "nf_conntrack_log_invalid", 667 .data = &init_net.ct.sysctl_log_invalid, 668 .maxlen = sizeof(u8), 669 .mode = 0644, 670 .proc_handler = proc_dou8vec_minmax, 671 }, 672 [NF_SYSCTL_CT_EXPECT_MAX] = { 673 .procname = "nf_conntrack_expect_max", 674 .data = &nf_ct_expect_max, 675 .maxlen = sizeof(int), 676 .mode = 0644, 677 .proc_handler = proc_dointvec_minmax, 678 .extra1 = SYSCTL_ONE, 679 .extra2 = SYSCTL_INT_MAX, 680 }, 681 [NF_SYSCTL_CT_ACCT] = { 682 .procname = "nf_conntrack_acct", 683 .data = &init_net.ct.sysctl_acct, 684 .maxlen = sizeof(u8), 685 .mode = 0644, 686 .proc_handler = proc_dou8vec_minmax, 687 .extra1 = SYSCTL_ZERO, 688 .extra2 = SYSCTL_ONE, 689 }, 690 #ifdef CONFIG_NF_CONNTRACK_EVENTS 691 [NF_SYSCTL_CT_EVENTS] = { 692 .procname = "nf_conntrack_events", 693 .data = &init_net.ct.sysctl_events, 694 .maxlen = sizeof(u8), 695 .mode = 0644, 696 .proc_handler = proc_dou8vec_minmax, 697 .extra1 = SYSCTL_ZERO, 698 .extra2 = SYSCTL_TWO, 699 }, 700 #endif 701 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 702 [NF_SYSCTL_CT_TIMESTAMP] = { 703 .procname = "nf_conntrack_timestamp", 704 .data = &init_net.ct.sysctl_tstamp, 705 .maxlen = sizeof(u8), 706 .mode = 0644, 707 .proc_handler = proc_dou8vec_minmax, 708 .extra1 = SYSCTL_ZERO, 709 .extra2 = SYSCTL_ONE, 710 }, 711 #endif 712 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 713 .procname = "nf_conntrack_generic_timeout", 714 .maxlen = sizeof(unsigned int), 715 .mode = 0644, 716 .proc_handler = proc_dointvec_jiffies, 717 }, 718 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 719 .procname = "nf_conntrack_tcp_timeout_syn_sent", 720 .maxlen = sizeof(unsigned int), 721 .mode = 0644, 722 .proc_handler = proc_dointvec_jiffies, 723 }, 724 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 725 .procname = "nf_conntrack_tcp_timeout_syn_recv", 726 .maxlen = sizeof(unsigned int), 727 .mode = 0644, 728 .proc_handler = proc_dointvec_jiffies, 729 }, 730 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 731 .procname = "nf_conntrack_tcp_timeout_established", 732 .maxlen = sizeof(unsigned int), 733 .mode = 0644, 734 .proc_handler = proc_dointvec_jiffies, 735 }, 736 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 737 .procname = "nf_conntrack_tcp_timeout_fin_wait", 738 .maxlen = sizeof(unsigned int), 739 .mode = 0644, 740 .proc_handler = proc_dointvec_jiffies, 741 }, 742 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 743 .procname = "nf_conntrack_tcp_timeout_close_wait", 744 .maxlen = sizeof(unsigned int), 745 .mode = 0644, 746 .proc_handler = proc_dointvec_jiffies, 747 }, 748 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 749 .procname = "nf_conntrack_tcp_timeout_last_ack", 750 .maxlen = sizeof(unsigned int), 751 .mode = 0644, 752 .proc_handler = proc_dointvec_jiffies, 753 }, 754 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 755 .procname = "nf_conntrack_tcp_timeout_time_wait", 756 .maxlen = sizeof(unsigned int), 757 .mode = 0644, 758 .proc_handler = proc_dointvec_jiffies, 759 }, 760 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 761 .procname = "nf_conntrack_tcp_timeout_close", 762 .maxlen = sizeof(unsigned int), 763 .mode = 0644, 764 .proc_handler = proc_dointvec_jiffies, 765 }, 766 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 767 .procname = "nf_conntrack_tcp_timeout_max_retrans", 768 .maxlen = sizeof(unsigned int), 769 .mode = 0644, 770 .proc_handler = proc_dointvec_jiffies, 771 }, 772 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 773 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 774 .maxlen = sizeof(unsigned int), 775 .mode = 0644, 776 .proc_handler = proc_dointvec_jiffies, 777 }, 778 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 779 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = { 780 .procname = "nf_flowtable_tcp_timeout", 781 .maxlen = sizeof(unsigned int), 782 .mode = 0644, 783 .proc_handler = proc_dointvec_jiffies, 784 }, 785 #endif 786 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 787 .procname = "nf_conntrack_tcp_loose", 788 .maxlen = sizeof(u8), 789 .mode = 0644, 790 .proc_handler = proc_dou8vec_minmax, 791 .extra1 = SYSCTL_ZERO, 792 .extra2 = SYSCTL_ONE, 793 }, 794 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 795 .procname = "nf_conntrack_tcp_be_liberal", 796 .maxlen = sizeof(u8), 797 .mode = 0644, 798 .proc_handler = proc_dou8vec_minmax, 799 .extra1 = SYSCTL_ZERO, 800 .extra2 = SYSCTL_ONE, 801 }, 802 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = { 803 .procname = "nf_conntrack_tcp_ignore_invalid_rst", 804 .maxlen = sizeof(u8), 805 .mode = 0644, 806 .proc_handler = proc_dou8vec_minmax, 807 .extra1 = SYSCTL_ZERO, 808 .extra2 = SYSCTL_ONE, 809 }, 810 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 811 .procname = "nf_conntrack_tcp_max_retrans", 812 .maxlen = sizeof(u8), 813 .mode = 0644, 814 .proc_handler = proc_dou8vec_minmax, 815 }, 816 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 817 .procname = "nf_conntrack_udp_timeout", 818 .maxlen = sizeof(unsigned int), 819 .mode = 0644, 820 .proc_handler = proc_dointvec_jiffies, 821 }, 822 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 823 .procname = "nf_conntrack_udp_timeout_stream", 824 .maxlen = sizeof(unsigned int), 825 .mode = 0644, 826 .proc_handler = proc_dointvec_jiffies, 827 }, 828 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 829 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = { 830 .procname = "nf_flowtable_udp_timeout", 831 .maxlen = sizeof(unsigned int), 832 .mode = 0644, 833 .proc_handler = proc_dointvec_jiffies, 834 }, 835 #endif 836 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 837 .procname = "nf_conntrack_icmp_timeout", 838 .maxlen = sizeof(unsigned int), 839 .mode = 0644, 840 .proc_handler = proc_dointvec_jiffies, 841 }, 842 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 843 .procname = "nf_conntrack_icmpv6_timeout", 844 .maxlen = sizeof(unsigned int), 845 .mode = 0644, 846 .proc_handler = proc_dointvec_jiffies, 847 }, 848 #ifdef CONFIG_NF_CT_PROTO_SCTP 849 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 850 .procname = "nf_conntrack_sctp_timeout_closed", 851 .maxlen = sizeof(unsigned int), 852 .mode = 0644, 853 .proc_handler = proc_dointvec_jiffies, 854 }, 855 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 856 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 857 .maxlen = sizeof(unsigned int), 858 .mode = 0644, 859 .proc_handler = proc_dointvec_jiffies, 860 }, 861 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 862 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 863 .maxlen = sizeof(unsigned int), 864 .mode = 0644, 865 .proc_handler = proc_dointvec_jiffies, 866 }, 867 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 868 .procname = "nf_conntrack_sctp_timeout_established", 869 .maxlen = sizeof(unsigned int), 870 .mode = 0644, 871 .proc_handler = proc_dointvec_jiffies, 872 }, 873 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 874 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 875 .maxlen = sizeof(unsigned int), 876 .mode = 0644, 877 .proc_handler = proc_dointvec_jiffies, 878 }, 879 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 880 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 881 .maxlen = sizeof(unsigned int), 882 .mode = 0644, 883 .proc_handler = proc_dointvec_jiffies, 884 }, 885 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 886 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 887 .maxlen = sizeof(unsigned int), 888 .mode = 0644, 889 .proc_handler = proc_dointvec_jiffies, 890 }, 891 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 892 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 893 .maxlen = sizeof(unsigned int), 894 .mode = 0644, 895 .proc_handler = proc_dointvec_jiffies, 896 }, 897 #endif 898 #ifdef CONFIG_NF_CT_PROTO_DCCP 899 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 900 .procname = "nf_conntrack_dccp_timeout_request", 901 .maxlen = sizeof(unsigned int), 902 .mode = 0644, 903 .proc_handler = proc_dointvec_jiffies, 904 }, 905 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 906 .procname = "nf_conntrack_dccp_timeout_respond", 907 .maxlen = sizeof(unsigned int), 908 .mode = 0644, 909 .proc_handler = proc_dointvec_jiffies, 910 }, 911 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 912 .procname = "nf_conntrack_dccp_timeout_partopen", 913 .maxlen = sizeof(unsigned int), 914 .mode = 0644, 915 .proc_handler = proc_dointvec_jiffies, 916 }, 917 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 918 .procname = "nf_conntrack_dccp_timeout_open", 919 .maxlen = sizeof(unsigned int), 920 .mode = 0644, 921 .proc_handler = proc_dointvec_jiffies, 922 }, 923 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 924 .procname = "nf_conntrack_dccp_timeout_closereq", 925 .maxlen = sizeof(unsigned int), 926 .mode = 0644, 927 .proc_handler = proc_dointvec_jiffies, 928 }, 929 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 930 .procname = "nf_conntrack_dccp_timeout_closing", 931 .maxlen = sizeof(unsigned int), 932 .mode = 0644, 933 .proc_handler = proc_dointvec_jiffies, 934 }, 935 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 936 .procname = "nf_conntrack_dccp_timeout_timewait", 937 .maxlen = sizeof(unsigned int), 938 .mode = 0644, 939 .proc_handler = proc_dointvec_jiffies, 940 }, 941 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 942 .procname = "nf_conntrack_dccp_loose", 943 .maxlen = sizeof(u8), 944 .mode = 0644, 945 .proc_handler = proc_dou8vec_minmax, 946 .extra1 = SYSCTL_ZERO, 947 .extra2 = SYSCTL_ONE, 948 }, 949 #endif 950 #ifdef CONFIG_NF_CT_PROTO_GRE 951 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 952 .procname = "nf_conntrack_gre_timeout", 953 .maxlen = sizeof(unsigned int), 954 .mode = 0644, 955 .proc_handler = proc_dointvec_jiffies, 956 }, 957 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 958 .procname = "nf_conntrack_gre_timeout_stream", 959 .maxlen = sizeof(unsigned int), 960 .mode = 0644, 961 .proc_handler = proc_dointvec_jiffies, 962 }, 963 #endif 964 }; 965 966 static struct ctl_table nf_ct_netfilter_table[] = { 967 { 968 .procname = "nf_conntrack_max", 969 .data = &nf_conntrack_max, 970 .maxlen = sizeof(int), 971 .mode = 0644, 972 .proc_handler = proc_dointvec_minmax, 973 .extra1 = SYSCTL_ZERO, 974 .extra2 = SYSCTL_INT_MAX, 975 }, 976 }; 977 978 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 979 struct ctl_table *table) 980 { 981 struct nf_tcp_net *tn = nf_tcp_pernet(net); 982 983 #define XASSIGN(XNAME, tn) \ 984 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 985 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 986 987 XASSIGN(SYN_SENT, tn); 988 XASSIGN(SYN_RECV, tn); 989 XASSIGN(ESTABLISHED, tn); 990 XASSIGN(FIN_WAIT, tn); 991 XASSIGN(CLOSE_WAIT, tn); 992 XASSIGN(LAST_ACK, tn); 993 XASSIGN(TIME_WAIT, tn); 994 XASSIGN(CLOSE, tn); 995 XASSIGN(RETRANS, tn); 996 XASSIGN(UNACK, tn); 997 #undef XASSIGN 998 #define XASSIGN(XNAME, rval) \ 999 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 1000 1001 XASSIGN(LOOSE, &tn->tcp_loose); 1002 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 1003 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 1004 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst); 1005 #undef XASSIGN 1006 1007 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1008 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout; 1009 #endif 1010 1011 } 1012 1013 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 1014 struct ctl_table *table) 1015 { 1016 #ifdef CONFIG_NF_CT_PROTO_SCTP 1017 struct nf_sctp_net *sn = nf_sctp_pernet(net); 1018 1019 #define XASSIGN(XNAME, sn) \ 1020 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 1021 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 1022 1023 XASSIGN(CLOSED, sn); 1024 XASSIGN(COOKIE_WAIT, sn); 1025 XASSIGN(COOKIE_ECHOED, sn); 1026 XASSIGN(ESTABLISHED, sn); 1027 XASSIGN(SHUTDOWN_SENT, sn); 1028 XASSIGN(SHUTDOWN_RECD, sn); 1029 XASSIGN(SHUTDOWN_ACK_SENT, sn); 1030 XASSIGN(HEARTBEAT_SENT, sn); 1031 #undef XASSIGN 1032 #endif 1033 } 1034 1035 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 1036 struct ctl_table *table) 1037 { 1038 #ifdef CONFIG_NF_CT_PROTO_DCCP 1039 struct nf_dccp_net *dn = nf_dccp_pernet(net); 1040 1041 #define XASSIGN(XNAME, dn) \ 1042 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 1043 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 1044 1045 XASSIGN(REQUEST, dn); 1046 XASSIGN(RESPOND, dn); 1047 XASSIGN(PARTOPEN, dn); 1048 XASSIGN(OPEN, dn); 1049 XASSIGN(CLOSEREQ, dn); 1050 XASSIGN(CLOSING, dn); 1051 XASSIGN(TIMEWAIT, dn); 1052 #undef XASSIGN 1053 1054 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1055 #endif 1056 } 1057 1058 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1059 struct ctl_table *table) 1060 { 1061 #ifdef CONFIG_NF_CT_PROTO_GRE 1062 struct nf_gre_net *gn = nf_gre_pernet(net); 1063 1064 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1065 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1066 #endif 1067 } 1068 1069 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1070 { 1071 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1072 struct nf_udp_net *un = nf_udp_pernet(net); 1073 struct ctl_table *table; 1074 1075 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1076 1077 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1078 GFP_KERNEL); 1079 if (!table) 1080 return -ENOMEM; 1081 1082 table[NF_SYSCTL_CT_COUNT].data = &cnet->count; 1083 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1084 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1085 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1086 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1087 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1088 #endif 1089 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1090 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1091 #endif 1092 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1093 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1094 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1095 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1096 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1097 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 1098 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout; 1099 #endif 1100 1101 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1102 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1103 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1104 nf_conntrack_standalone_init_gre_sysctl(net, table); 1105 1106 /* Don't allow non-init_net ns to alter global sysctls */ 1107 if (!net_eq(&init_net, net)) { 1108 table[NF_SYSCTL_CT_MAX].mode = 0444; 1109 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1110 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1111 } 1112 1113 cnet->sysctl_header = register_net_sysctl_sz(net, "net/netfilter", 1114 table, 1115 ARRAY_SIZE(nf_ct_sysctl_table)); 1116 if (!cnet->sysctl_header) 1117 goto out_unregister_netfilter; 1118 1119 return 0; 1120 1121 out_unregister_netfilter: 1122 kfree(table); 1123 return -ENOMEM; 1124 } 1125 1126 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1127 { 1128 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 1129 const struct ctl_table *table; 1130 1131 table = cnet->sysctl_header->ctl_table_arg; 1132 unregister_net_sysctl_table(cnet->sysctl_header); 1133 kfree(table); 1134 } 1135 #else 1136 static int nf_conntrack_standalone_init_sysctl(struct net *net) 1137 { 1138 return 0; 1139 } 1140 1141 static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1142 { 1143 } 1144 #endif /* CONFIG_SYSCTL */ 1145 1146 static void nf_conntrack_fini_net(struct net *net) 1147 { 1148 if (enable_hooks) 1149 nf_ct_netns_put(net, NFPROTO_INET); 1150 1151 nf_conntrack_standalone_fini_proc(net); 1152 nf_conntrack_standalone_fini_sysctl(net); 1153 } 1154 1155 static int nf_conntrack_pernet_init(struct net *net) 1156 { 1157 int ret; 1158 1159 net->ct.sysctl_checksum = 1; 1160 1161 ret = nf_conntrack_standalone_init_sysctl(net); 1162 if (ret < 0) 1163 return ret; 1164 1165 ret = nf_conntrack_standalone_init_proc(net); 1166 if (ret < 0) 1167 goto out_proc; 1168 1169 ret = nf_conntrack_init_net(net); 1170 if (ret < 0) 1171 goto out_init_net; 1172 1173 if (enable_hooks) { 1174 ret = nf_ct_netns_get(net, NFPROTO_INET); 1175 if (ret < 0) 1176 goto out_hooks; 1177 } 1178 1179 return 0; 1180 1181 out_hooks: 1182 nf_conntrack_cleanup_net(net); 1183 out_init_net: 1184 nf_conntrack_standalone_fini_proc(net); 1185 out_proc: 1186 nf_conntrack_standalone_fini_sysctl(net); 1187 return ret; 1188 } 1189 1190 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1191 { 1192 struct net *net; 1193 1194 list_for_each_entry(net, net_exit_list, exit_list) 1195 nf_conntrack_fini_net(net); 1196 1197 nf_conntrack_cleanup_net_list(net_exit_list); 1198 } 1199 1200 static struct pernet_operations nf_conntrack_net_ops = { 1201 .init = nf_conntrack_pernet_init, 1202 .exit_batch = nf_conntrack_pernet_exit, 1203 .id = &nf_conntrack_net_id, 1204 .size = sizeof(struct nf_conntrack_net), 1205 }; 1206 1207 static int __init nf_conntrack_standalone_init(void) 1208 { 1209 int ret = nf_conntrack_init_start(); 1210 if (ret < 0) 1211 goto out_start; 1212 1213 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1214 1215 #ifdef CONFIG_SYSCTL 1216 nf_ct_netfilter_header = 1217 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1218 if (!nf_ct_netfilter_header) { 1219 pr_err("nf_conntrack: can't register to sysctl.\n"); 1220 ret = -ENOMEM; 1221 goto out_sysctl; 1222 } 1223 1224 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1225 #endif 1226 1227 nf_conntrack_init_end(); 1228 1229 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1230 if (ret < 0) 1231 goto out_pernet; 1232 1233 return 0; 1234 1235 out_pernet: 1236 #ifdef CONFIG_SYSCTL 1237 unregister_net_sysctl_table(nf_ct_netfilter_header); 1238 out_sysctl: 1239 #endif 1240 nf_conntrack_cleanup_end(); 1241 out_start: 1242 return ret; 1243 } 1244 1245 static void __exit nf_conntrack_standalone_fini(void) 1246 { 1247 nf_conntrack_cleanup_start(); 1248 unregister_pernet_subsys(&nf_conntrack_net_ops); 1249 #ifdef CONFIG_SYSCTL 1250 unregister_net_sysctl_table(nf_ct_netfilter_header); 1251 #endif 1252 nf_conntrack_cleanup_end(); 1253 } 1254 1255 module_init(nf_conntrack_standalone_init); 1256 module_exit(nf_conntrack_standalone_fini); 1257