/net/netfilter/nf_conntrack_standalone.c
C | 1209 lines | 1060 code | 140 blank | 9 comment | 65 complexity | ddb0a36fe6123703da397ffb52c0db84 MD5 | raw file
1// SPDX-License-Identifier: GPL-2.0 2#include <linux/types.h> 3#include <linux/netfilter.h> 4#include <linux/slab.h> 5#include <linux/module.h> 6#include <linux/skbuff.h> 7#include <linux/proc_fs.h> 8#include <linux/seq_file.h> 9#include <linux/percpu.h> 10#include <linux/netdevice.h> 11#include <linux/security.h> 12#include <net/net_namespace.h> 13#ifdef CONFIG_SYSCTL 14#include <linux/sysctl.h> 15#endif 16 17#include <net/netfilter/nf_conntrack.h> 18#include <net/netfilter/nf_conntrack_core.h> 19#include <net/netfilter/nf_conntrack_l4proto.h> 20#include <net/netfilter/nf_conntrack_expect.h> 21#include <net/netfilter/nf_conntrack_helper.h> 22#include <net/netfilter/nf_conntrack_acct.h> 23#include <net/netfilter/nf_conntrack_zones.h> 24#include <net/netfilter/nf_conntrack_timestamp.h> 25#include <linux/rculist_nulls.h> 26 27static bool enable_hooks __read_mostly; 28MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); 29module_param(enable_hooks, bool, 0000); 30 31unsigned int nf_conntrack_net_id __read_mostly; 32 33#ifdef CONFIG_NF_CONNTRACK_PROCFS 34void 35print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, 36 const struct nf_conntrack_l4proto *l4proto) 37{ 38 switch (tuple->src.l3num) { 39 case NFPROTO_IPV4: 40 seq_printf(s, "src=%pI4 dst=%pI4 ", 41 &tuple->src.u3.ip, &tuple->dst.u3.ip); 42 break; 43 case NFPROTO_IPV6: 44 seq_printf(s, "src=%pI6 dst=%pI6 ", 45 tuple->src.u3.ip6, tuple->dst.u3.ip6); 46 break; 47 default: 48 break; 49 } 50 51 switch (l4proto->l4proto) { 52 case IPPROTO_ICMP: 53 seq_printf(s, "type=%u code=%u id=%u ", 54 tuple->dst.u.icmp.type, 55 tuple->dst.u.icmp.code, 56 ntohs(tuple->src.u.icmp.id)); 57 break; 58 case IPPROTO_TCP: 59 seq_printf(s, "sport=%hu dport=%hu ", 60 ntohs(tuple->src.u.tcp.port), 61 ntohs(tuple->dst.u.tcp.port)); 62 break; 63 case IPPROTO_UDPLITE: /* fallthrough */ 64 case IPPROTO_UDP: 65 seq_printf(s, "sport=%hu dport=%hu ", 66 ntohs(tuple->src.u.udp.port), 67 ntohs(tuple->dst.u.udp.port)); 68 69 break; 70 case IPPROTO_DCCP: 71 seq_printf(s, "sport=%hu dport=%hu ", 72 ntohs(tuple->src.u.dccp.port), 73 ntohs(tuple->dst.u.dccp.port)); 74 break; 75 case IPPROTO_SCTP: 76 seq_printf(s, "sport=%hu dport=%hu ", 77 ntohs(tuple->src.u.sctp.port), 78 ntohs(tuple->dst.u.sctp.port)); 79 break; 80 case IPPROTO_ICMPV6: 81 seq_printf(s, "type=%u code=%u id=%u ", 82 tuple->dst.u.icmp.type, 83 tuple->dst.u.icmp.code, 84 ntohs(tuple->src.u.icmp.id)); 85 break; 86 case IPPROTO_GRE: 87 seq_printf(s, "srckey=0x%x dstkey=0x%x ", 88 ntohs(tuple->src.u.gre.key), 89 ntohs(tuple->dst.u.gre.key)); 90 break; 91 default: 92 break; 93 } 94} 95EXPORT_SYMBOL_GPL(print_tuple); 96 97struct ct_iter_state { 98 struct seq_net_private p; 99 struct hlist_nulls_head *hash; 100 unsigned int htable_size; 101 unsigned int bucket; 102 u_int64_t time_now; 103}; 104 105static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 106{ 107 struct ct_iter_state *st = seq->private; 108 struct hlist_nulls_node *n; 109 110 for (st->bucket = 0; 111 st->bucket < st->htable_size; 112 st->bucket++) { 113 n = rcu_dereference( 114 hlist_nulls_first_rcu(&st->hash[st->bucket])); 115 if (!is_a_nulls(n)) 116 return n; 117 } 118 return NULL; 119} 120 121static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 122 struct hlist_nulls_node *head) 123{ 124 struct ct_iter_state *st = seq->private; 125 126 head = rcu_dereference(hlist_nulls_next_rcu(head)); 127 while (is_a_nulls(head)) { 128 if (likely(get_nulls_value(head) == st->bucket)) { 129 if (++st->bucket >= st->htable_size) 130 return NULL; 131 } 132 head = rcu_dereference( 133 hlist_nulls_first_rcu(&st->hash[st->bucket])); 134 } 135 return head; 136} 137 138static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 139{ 140 struct hlist_nulls_node *head = ct_get_first(seq); 141 142 if (head) 143 while (pos && (head = ct_get_next(seq, head))) 144 pos--; 145 return pos ? NULL : head; 146} 147 148static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 149 __acquires(RCU) 150{ 151 struct ct_iter_state *st = seq->private; 152 153 st->time_now = ktime_get_real_ns(); 154 rcu_read_lock(); 155 156 nf_conntrack_get_ht(&st->hash, &st->htable_size); 157 return ct_get_idx(seq, *pos); 158} 159 160static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 161{ 162 (*pos)++; 163 return ct_get_next(s, v); 164} 165 166static void ct_seq_stop(struct seq_file *s, void *v) 167 __releases(RCU) 168{ 169 rcu_read_unlock(); 170} 171 172#ifdef CONFIG_NF_CONNTRACK_SECMARK 173static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 174{ 175 int ret; 176 u32 len; 177 char *secctx; 178 179 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 180 if (ret) 181 return; 182 183 seq_printf(s, "secctx=%s ", secctx); 184 185 security_release_secctx(secctx, len); 186} 187#else 188static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 189{ 190} 191#endif 192 193#ifdef CONFIG_NF_CONNTRACK_ZONES 194static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 195 int dir) 196{ 197 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 198 199 if (zone->dir != dir) 200 return; 201 switch (zone->dir) { 202 case NF_CT_DEFAULT_ZONE_DIR: 203 seq_printf(s, "zone=%u ", zone->id); 204 break; 205 case NF_CT_ZONE_DIR_ORIG: 206 seq_printf(s, "zone-orig=%u ", zone->id); 207 break; 208 case NF_CT_ZONE_DIR_REPL: 209 seq_printf(s, "zone-reply=%u ", zone->id); 210 break; 211 default: 212 break; 213 } 214} 215#else 216static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct, 217 int dir) 218{ 219} 220#endif 221 222#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 223static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 224{ 225 struct ct_iter_state *st = s->private; 226 struct nf_conn_tstamp *tstamp; 227 s64 delta_time; 228 229 tstamp = nf_conn_tstamp_find(ct); 230 if (tstamp) { 231 delta_time = st->time_now - tstamp->start; 232 if (delta_time > 0) 233 delta_time = div_s64(delta_time, NSEC_PER_SEC); 234 else 235 delta_time = 0; 236 237 seq_printf(s, "delta-time=%llu ", 238 (unsigned long long)delta_time); 239 } 240 return; 241} 242#else 243static inline void 244ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct) 245{ 246} 247#endif 248 249static const char* l3proto_name(u16 proto) 250{ 251 switch (proto) { 252 case AF_INET: return "ipv4"; 253 case AF_INET6: return "ipv6"; 254 } 255 256 return "unknown"; 257} 258 259static const char* l4proto_name(u16 proto) 260{ 261 switch (proto) { 262 case IPPROTO_ICMP: return "icmp"; 263 case IPPROTO_TCP: return "tcp"; 264 case IPPROTO_UDP: return "udp"; 265 case IPPROTO_DCCP: return "dccp"; 266 case IPPROTO_GRE: return "gre"; 267 case IPPROTO_SCTP: return "sctp"; 268 case IPPROTO_UDPLITE: return "udplite"; 269 } 270 271 return "unknown"; 272} 273 274static unsigned int 275seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir) 276{ 277 struct nf_conn_acct *acct; 278 struct nf_conn_counter *counter; 279 280 acct = nf_conn_acct_find(ct); 281 if (!acct) 282 return 0; 283 284 counter = acct->counter; 285 seq_printf(s, "packets=%llu bytes=%llu ", 286 (unsigned long long)atomic64_read(&counter[dir].packets), 287 (unsigned long long)atomic64_read(&counter[dir].bytes)); 288 289 return 0; 290} 291 292/* return 0 on success, 1 in case of error */ 293static int ct_seq_show(struct seq_file *s, void *v) 294{ 295 struct nf_conntrack_tuple_hash *hash = v; 296 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 297 const struct nf_conntrack_l4proto *l4proto; 298 struct net *net = seq_file_net(s); 299 int ret = 0; 300 301 WARN_ON(!ct); 302 if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use))) 303 return 0; 304 305 if (nf_ct_should_gc(ct)) { 306 nf_ct_kill(ct); 307 goto release; 308 } 309 310 /* we only want to print DIR_ORIGINAL */ 311 if (NF_CT_DIRECTION(hash)) 312 goto release; 313 314 if (!net_eq(nf_ct_net(ct), net)) 315 goto release; 316 317 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 318 319 ret = -ENOSPC; 320 seq_printf(s, "%-8s %u %-8s %u ", 321 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct), 322 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct)); 323 324 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status)) 325 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ); 326 327 if (l4proto->print_conntrack) 328 l4proto->print_conntrack(s, ct); 329 330 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 331 l4proto); 332 333 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG); 334 335 if (seq_has_overflowed(s)) 336 goto release; 337 338 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 339 goto release; 340 341 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 342 seq_puts(s, "[UNREPLIED] "); 343 344 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto); 345 346 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL); 347 348 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 349 goto release; 350 351 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 352 seq_puts(s, "[OFFLOAD] "); 353 else if (test_bit(IPS_ASSURED_BIT, &ct->status)) 354 seq_puts(s, "[ASSURED] "); 355 356 if (seq_has_overflowed(s)) 357 goto release; 358 359#if defined(CONFIG_NF_CONNTRACK_MARK) 360 seq_printf(s, "mark=%u ", ct->mark); 361#endif 362 363 ct_show_secctx(s, ct); 364 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); 365 ct_show_delta_time(s, ct); 366 367 seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)); 368 369 if (seq_has_overflowed(s)) 370 goto release; 371 372 ret = 0; 373release: 374 nf_ct_put(ct); 375 return ret; 376} 377 378static const struct seq_operations ct_seq_ops = { 379 .start = ct_seq_start, 380 .next = ct_seq_next, 381 .stop = ct_seq_stop, 382 .show = ct_seq_show 383}; 384 385static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 386{ 387 struct net *net = seq_file_net(seq); 388 int cpu; 389 390 if (*pos == 0) 391 return SEQ_START_TOKEN; 392 393 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 394 if (!cpu_possible(cpu)) 395 continue; 396 *pos = cpu + 1; 397 return per_cpu_ptr(net->ct.stat, cpu); 398 } 399 400 return NULL; 401} 402 403static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 404{ 405 struct net *net = seq_file_net(seq); 406 int cpu; 407 408 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 409 if (!cpu_possible(cpu)) 410 continue; 411 *pos = cpu + 1; 412 return per_cpu_ptr(net->ct.stat, cpu); 413 } 414 (*pos)++; 415 return NULL; 416} 417 418static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 419{ 420} 421 422static int ct_cpu_seq_show(struct seq_file *seq, void *v) 423{ 424 struct net *net = seq_file_net(seq); 425 unsigned int nr_conntracks = atomic_read(&net->ct.count); 426 const struct ip_conntrack_stat *st = v; 427 428 if (v == SEQ_START_TOKEN) { 429 seq_puts(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 430 return 0; 431 } 432 433 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 434 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 435 nr_conntracks, 436 0, 437 st->found, 438 0, 439 st->invalid, 440 st->ignore, 441 0, 442 0, 443 st->insert, 444 st->insert_failed, 445 st->drop, 446 st->early_drop, 447 st->error, 448 449 st->expect_new, 450 st->expect_create, 451 st->expect_delete, 452 st->search_restart 453 ); 454 return 0; 455} 456 457static const struct seq_operations ct_cpu_seq_ops = { 458 .start = ct_cpu_seq_start, 459 .next = ct_cpu_seq_next, 460 .stop = ct_cpu_seq_stop, 461 .show = ct_cpu_seq_show, 462}; 463 464static int nf_conntrack_standalone_init_proc(struct net *net) 465{ 466 struct proc_dir_entry *pde; 467 kuid_t root_uid; 468 kgid_t root_gid; 469 470 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops, 471 sizeof(struct ct_iter_state)); 472 if (!pde) 473 goto out_nf_conntrack; 474 475 root_uid = make_kuid(net->user_ns, 0); 476 root_gid = make_kgid(net->user_ns, 0); 477 if (uid_valid(root_uid) && gid_valid(root_gid)) 478 proc_set_user(pde, root_uid, root_gid); 479 480 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat, 481 &ct_cpu_seq_ops, sizeof(struct seq_net_private)); 482 if (!pde) 483 goto out_stat_nf_conntrack; 484 return 0; 485 486out_stat_nf_conntrack: 487 remove_proc_entry("nf_conntrack", net->proc_net); 488out_nf_conntrack: 489 return -ENOMEM; 490} 491 492static void nf_conntrack_standalone_fini_proc(struct net *net) 493{ 494 remove_proc_entry("nf_conntrack", net->proc_net_stat); 495 remove_proc_entry("nf_conntrack", net->proc_net); 496} 497#else 498static int nf_conntrack_standalone_init_proc(struct net *net) 499{ 500 return 0; 501} 502 503static void nf_conntrack_standalone_fini_proc(struct net *net) 504{ 505} 506#endif /* CONFIG_NF_CONNTRACK_PROCFS */ 507 508/* Sysctl support */ 509 510#ifdef CONFIG_SYSCTL 511/* Log invalid packets of a given protocol */ 512static int log_invalid_proto_min __read_mostly; 513static int log_invalid_proto_max __read_mostly = 255; 514 515/* size the user *wants to set */ 516static unsigned int nf_conntrack_htable_size_user __read_mostly; 517 518static int 519nf_conntrack_hash_sysctl(struct ctl_table *table, int write, 520 void __user *buffer, size_t *lenp, loff_t *ppos) 521{ 522 int ret; 523 524 ret = proc_dointvec(table, write, buffer, lenp, ppos); 525 if (ret < 0 || !write) 526 return ret; 527 528 /* update ret, we might not be able to satisfy request */ 529 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user); 530 531 /* update it to the actual value used by conntrack */ 532 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 533 return ret; 534} 535 536static struct ctl_table_header *nf_ct_netfilter_header; 537 538enum nf_ct_sysctl_index { 539 NF_SYSCTL_CT_MAX, 540 NF_SYSCTL_CT_COUNT, 541 NF_SYSCTL_CT_BUCKETS, 542 NF_SYSCTL_CT_CHECKSUM, 543 NF_SYSCTL_CT_LOG_INVALID, 544 NF_SYSCTL_CT_EXPECT_MAX, 545 NF_SYSCTL_CT_ACCT, 546 NF_SYSCTL_CT_HELPER, 547#ifdef CONFIG_NF_CONNTRACK_EVENTS 548 NF_SYSCTL_CT_EVENTS, 549#endif 550#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 551 NF_SYSCTL_CT_TIMESTAMP, 552#endif 553 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC, 554 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT, 555 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV, 556 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED, 557 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT, 558 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT, 559 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK, 560 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT, 561 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE, 562 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS, 563 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK, 564 NF_SYSCTL_CT_PROTO_TCP_LOOSE, 565 NF_SYSCTL_CT_PROTO_TCP_LIBERAL, 566 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS, 567 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP, 568 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM, 569 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP, 570 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6, 571#ifdef CONFIG_NF_CT_PROTO_SCTP 572 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED, 573 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT, 574 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED, 575 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED, 576 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT, 577 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD, 578 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT, 579 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT, 580 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED, 581#endif 582#ifdef CONFIG_NF_CT_PROTO_DCCP 583 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST, 584 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND, 585 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN, 586 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN, 587 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ, 588 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING, 589 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT, 590 NF_SYSCTL_CT_PROTO_DCCP_LOOSE, 591#endif 592#ifdef CONFIG_NF_CT_PROTO_GRE 593 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE, 594 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM, 595#endif 596 597 __NF_SYSCTL_CT_LAST_SYSCTL, 598}; 599 600#define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1) 601 602static struct ctl_table nf_ct_sysctl_table[] = { 603 [NF_SYSCTL_CT_MAX] = { 604 .procname = "nf_conntrack_max", 605 .data = &nf_conntrack_max, 606 .maxlen = sizeof(int), 607 .mode = 0644, 608 .proc_handler = proc_dointvec, 609 }, 610 [NF_SYSCTL_CT_COUNT] = { 611 .procname = "nf_conntrack_count", 612 .data = &init_net.ct.count, 613 .maxlen = sizeof(int), 614 .mode = 0444, 615 .proc_handler = proc_dointvec, 616 }, 617 [NF_SYSCTL_CT_BUCKETS] = { 618 .procname = "nf_conntrack_buckets", 619 .data = &nf_conntrack_htable_size_user, 620 .maxlen = sizeof(unsigned int), 621 .mode = 0644, 622 .proc_handler = nf_conntrack_hash_sysctl, 623 }, 624 [NF_SYSCTL_CT_CHECKSUM] = { 625 .procname = "nf_conntrack_checksum", 626 .data = &init_net.ct.sysctl_checksum, 627 .maxlen = sizeof(int), 628 .mode = 0644, 629 .proc_handler = proc_dointvec_minmax, 630 .extra1 = SYSCTL_ZERO, 631 .extra2 = SYSCTL_ONE, 632 }, 633 [NF_SYSCTL_CT_LOG_INVALID] = { 634 .procname = "nf_conntrack_log_invalid", 635 .data = &init_net.ct.sysctl_log_invalid, 636 .maxlen = sizeof(unsigned int), 637 .mode = 0644, 638 .proc_handler = proc_dointvec_minmax, 639 .extra1 = &log_invalid_proto_min, 640 .extra2 = &log_invalid_proto_max, 641 }, 642 [NF_SYSCTL_CT_EXPECT_MAX] = { 643 .procname = "nf_conntrack_expect_max", 644 .data = &nf_ct_expect_max, 645 .maxlen = sizeof(int), 646 .mode = 0644, 647 .proc_handler = proc_dointvec, 648 }, 649 [NF_SYSCTL_CT_ACCT] = { 650 .procname = "nf_conntrack_acct", 651 .data = &init_net.ct.sysctl_acct, 652 .maxlen = sizeof(int), 653 .mode = 0644, 654 .proc_handler = proc_dointvec_minmax, 655 .extra1 = SYSCTL_ZERO, 656 .extra2 = SYSCTL_ONE, 657 }, 658 [NF_SYSCTL_CT_HELPER] = { 659 .procname = "nf_conntrack_helper", 660 .data = &init_net.ct.sysctl_auto_assign_helper, 661 .maxlen = sizeof(int), 662 .mode = 0644, 663 .proc_handler = proc_dointvec_minmax, 664 .extra1 = SYSCTL_ZERO, 665 .extra2 = SYSCTL_ONE, 666 }, 667#ifdef CONFIG_NF_CONNTRACK_EVENTS 668 [NF_SYSCTL_CT_EVENTS] = { 669 .procname = "nf_conntrack_events", 670 .data = &init_net.ct.sysctl_events, 671 .maxlen = sizeof(int), 672 .mode = 0644, 673 .proc_handler = proc_dointvec_minmax, 674 .extra1 = SYSCTL_ZERO, 675 .extra2 = SYSCTL_ONE, 676 }, 677#endif 678#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 679 [NF_SYSCTL_CT_TIMESTAMP] = { 680 .procname = "nf_conntrack_timestamp", 681 .data = &init_net.ct.sysctl_tstamp, 682 .maxlen = sizeof(int), 683 .mode = 0644, 684 .proc_handler = proc_dointvec_minmax, 685 .extra1 = SYSCTL_ZERO, 686 .extra2 = SYSCTL_ONE, 687 }, 688#endif 689 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 690 .procname = "nf_conntrack_generic_timeout", 691 .maxlen = sizeof(unsigned int), 692 .mode = 0644, 693 .proc_handler = proc_dointvec_jiffies, 694 }, 695 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = { 696 .procname = "nf_conntrack_tcp_timeout_syn_sent", 697 .maxlen = sizeof(unsigned int), 698 .mode = 0644, 699 .proc_handler = proc_dointvec_jiffies, 700 }, 701 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = { 702 .procname = "nf_conntrack_tcp_timeout_syn_recv", 703 .maxlen = sizeof(unsigned int), 704 .mode = 0644, 705 .proc_handler = proc_dointvec_jiffies, 706 }, 707 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = { 708 .procname = "nf_conntrack_tcp_timeout_established", 709 .maxlen = sizeof(unsigned int), 710 .mode = 0644, 711 .proc_handler = proc_dointvec_jiffies, 712 }, 713 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = { 714 .procname = "nf_conntrack_tcp_timeout_fin_wait", 715 .maxlen = sizeof(unsigned int), 716 .mode = 0644, 717 .proc_handler = proc_dointvec_jiffies, 718 }, 719 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = { 720 .procname = "nf_conntrack_tcp_timeout_close_wait", 721 .maxlen = sizeof(unsigned int), 722 .mode = 0644, 723 .proc_handler = proc_dointvec_jiffies, 724 }, 725 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = { 726 .procname = "nf_conntrack_tcp_timeout_last_ack", 727 .maxlen = sizeof(unsigned int), 728 .mode = 0644, 729 .proc_handler = proc_dointvec_jiffies, 730 }, 731 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = { 732 .procname = "nf_conntrack_tcp_timeout_time_wait", 733 .maxlen = sizeof(unsigned int), 734 .mode = 0644, 735 .proc_handler = proc_dointvec_jiffies, 736 }, 737 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = { 738 .procname = "nf_conntrack_tcp_timeout_close", 739 .maxlen = sizeof(unsigned int), 740 .mode = 0644, 741 .proc_handler = proc_dointvec_jiffies, 742 }, 743 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = { 744 .procname = "nf_conntrack_tcp_timeout_max_retrans", 745 .maxlen = sizeof(unsigned int), 746 .mode = 0644, 747 .proc_handler = proc_dointvec_jiffies, 748 }, 749 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = { 750 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 751 .maxlen = sizeof(unsigned int), 752 .mode = 0644, 753 .proc_handler = proc_dointvec_jiffies, 754 }, 755 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 756 .procname = "nf_conntrack_tcp_loose", 757 .maxlen = sizeof(int), 758 .mode = 0644, 759 .proc_handler = proc_dointvec_minmax, 760 .extra1 = SYSCTL_ZERO, 761 .extra2 = SYSCTL_ONE, 762 }, 763 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 764 .procname = "nf_conntrack_tcp_be_liberal", 765 .maxlen = sizeof(int), 766 .mode = 0644, 767 .proc_handler = proc_dointvec_minmax, 768 .extra1 = SYSCTL_ZERO, 769 .extra2 = SYSCTL_ONE, 770 }, 771 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 772 .procname = "nf_conntrack_tcp_max_retrans", 773 .maxlen = sizeof(unsigned int), 774 .mode = 0644, 775 .proc_handler = proc_dointvec, 776 }, 777 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = { 778 .procname = "nf_conntrack_udp_timeout", 779 .maxlen = sizeof(unsigned int), 780 .mode = 0644, 781 .proc_handler = proc_dointvec_jiffies, 782 }, 783 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = { 784 .procname = "nf_conntrack_udp_timeout_stream", 785 .maxlen = sizeof(unsigned int), 786 .mode = 0644, 787 .proc_handler = proc_dointvec_jiffies, 788 }, 789 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = { 790 .procname = "nf_conntrack_icmp_timeout", 791 .maxlen = sizeof(unsigned int), 792 .mode = 0644, 793 .proc_handler = proc_dointvec_jiffies, 794 }, 795 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = { 796 .procname = "nf_conntrack_icmpv6_timeout", 797 .maxlen = sizeof(unsigned int), 798 .mode = 0644, 799 .proc_handler = proc_dointvec_jiffies, 800 }, 801#ifdef CONFIG_NF_CT_PROTO_SCTP 802 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = { 803 .procname = "nf_conntrack_sctp_timeout_closed", 804 .maxlen = sizeof(unsigned int), 805 .mode = 0644, 806 .proc_handler = proc_dointvec_jiffies, 807 }, 808 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = { 809 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 810 .maxlen = sizeof(unsigned int), 811 .mode = 0644, 812 .proc_handler = proc_dointvec_jiffies, 813 }, 814 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = { 815 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 816 .maxlen = sizeof(unsigned int), 817 .mode = 0644, 818 .proc_handler = proc_dointvec_jiffies, 819 }, 820 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = { 821 .procname = "nf_conntrack_sctp_timeout_established", 822 .maxlen = sizeof(unsigned int), 823 .mode = 0644, 824 .proc_handler = proc_dointvec_jiffies, 825 }, 826 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = { 827 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 828 .maxlen = sizeof(unsigned int), 829 .mode = 0644, 830 .proc_handler = proc_dointvec_jiffies, 831 }, 832 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = { 833 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 834 .maxlen = sizeof(unsigned int), 835 .mode = 0644, 836 .proc_handler = proc_dointvec_jiffies, 837 }, 838 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { 839 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 840 .maxlen = sizeof(unsigned int), 841 .mode = 0644, 842 .proc_handler = proc_dointvec_jiffies, 843 }, 844 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = { 845 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent", 846 .maxlen = sizeof(unsigned int), 847 .mode = 0644, 848 .proc_handler = proc_dointvec_jiffies, 849 }, 850 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { 851 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked", 852 .maxlen = sizeof(unsigned int), 853 .mode = 0644, 854 .proc_handler = proc_dointvec_jiffies, 855 }, 856#endif 857#ifdef CONFIG_NF_CT_PROTO_DCCP 858 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = { 859 .procname = "nf_conntrack_dccp_timeout_request", 860 .maxlen = sizeof(unsigned int), 861 .mode = 0644, 862 .proc_handler = proc_dointvec_jiffies, 863 }, 864 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = { 865 .procname = "nf_conntrack_dccp_timeout_respond", 866 .maxlen = sizeof(unsigned int), 867 .mode = 0644, 868 .proc_handler = proc_dointvec_jiffies, 869 }, 870 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = { 871 .procname = "nf_conntrack_dccp_timeout_partopen", 872 .maxlen = sizeof(unsigned int), 873 .mode = 0644, 874 .proc_handler = proc_dointvec_jiffies, 875 }, 876 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = { 877 .procname = "nf_conntrack_dccp_timeout_open", 878 .maxlen = sizeof(unsigned int), 879 .mode = 0644, 880 .proc_handler = proc_dointvec_jiffies, 881 }, 882 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = { 883 .procname = "nf_conntrack_dccp_timeout_closereq", 884 .maxlen = sizeof(unsigned int), 885 .mode = 0644, 886 .proc_handler = proc_dointvec_jiffies, 887 }, 888 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = { 889 .procname = "nf_conntrack_dccp_timeout_closing", 890 .maxlen = sizeof(unsigned int), 891 .mode = 0644, 892 .proc_handler = proc_dointvec_jiffies, 893 }, 894 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = { 895 .procname = "nf_conntrack_dccp_timeout_timewait", 896 .maxlen = sizeof(unsigned int), 897 .mode = 0644, 898 .proc_handler = proc_dointvec_jiffies, 899 }, 900 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = { 901 .procname = "nf_conntrack_dccp_loose", 902 .maxlen = sizeof(int), 903 .mode = 0644, 904 .proc_handler = proc_dointvec_minmax, 905 .extra1 = SYSCTL_ZERO, 906 .extra2 = SYSCTL_ONE, 907 }, 908#endif 909#ifdef CONFIG_NF_CT_PROTO_GRE 910 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = { 911 .procname = "nf_conntrack_gre_timeout", 912 .maxlen = sizeof(unsigned int), 913 .mode = 0644, 914 .proc_handler = proc_dointvec_jiffies, 915 }, 916 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = { 917 .procname = "nf_conntrack_gre_timeout_stream", 918 .maxlen = sizeof(unsigned int), 919 .mode = 0644, 920 .proc_handler = proc_dointvec_jiffies, 921 }, 922#endif 923 {} 924}; 925 926static struct ctl_table nf_ct_netfilter_table[] = { 927 { 928 .procname = "nf_conntrack_max", 929 .data = &nf_conntrack_max, 930 .maxlen = sizeof(int), 931 .mode = 0644, 932 .proc_handler = proc_dointvec, 933 }, 934 { } 935}; 936 937static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net, 938 struct ctl_table *table) 939{ 940 struct nf_tcp_net *tn = nf_tcp_pernet(net); 941 942#define XASSIGN(XNAME, tn) \ 943 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \ 944 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME] 945 946 XASSIGN(SYN_SENT, tn); 947 XASSIGN(SYN_RECV, tn); 948 XASSIGN(ESTABLISHED, tn); 949 XASSIGN(FIN_WAIT, tn); 950 XASSIGN(CLOSE_WAIT, tn); 951 XASSIGN(LAST_ACK, tn); 952 XASSIGN(TIME_WAIT, tn); 953 XASSIGN(CLOSE, tn); 954 XASSIGN(RETRANS, tn); 955 XASSIGN(UNACK, tn); 956#undef XASSIGN 957#define XASSIGN(XNAME, rval) \ 958 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval) 959 960 XASSIGN(LOOSE, &tn->tcp_loose); 961 XASSIGN(LIBERAL, &tn->tcp_be_liberal); 962 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans); 963#undef XASSIGN 964} 965 966static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net, 967 struct ctl_table *table) 968{ 969#ifdef CONFIG_NF_CT_PROTO_SCTP 970 struct nf_sctp_net *sn = nf_sctp_pernet(net); 971 972#define XASSIGN(XNAME, sn) \ 973 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \ 974 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME] 975 976 XASSIGN(CLOSED, sn); 977 XASSIGN(COOKIE_WAIT, sn); 978 XASSIGN(COOKIE_ECHOED, sn); 979 XASSIGN(ESTABLISHED, sn); 980 XASSIGN(SHUTDOWN_SENT, sn); 981 XASSIGN(SHUTDOWN_RECD, sn); 982 XASSIGN(SHUTDOWN_ACK_SENT, sn); 983 XASSIGN(HEARTBEAT_SENT, sn); 984 XASSIGN(HEARTBEAT_ACKED, sn); 985#undef XASSIGN 986#endif 987} 988 989static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net, 990 struct ctl_table *table) 991{ 992#ifdef CONFIG_NF_CT_PROTO_DCCP 993 struct nf_dccp_net *dn = nf_dccp_pernet(net); 994 995#define XASSIGN(XNAME, dn) \ 996 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \ 997 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME] 998 999 XASSIGN(REQUEST, dn); 1000 XASSIGN(RESPOND, dn); 1001 XASSIGN(PARTOPEN, dn); 1002 XASSIGN(OPEN, dn); 1003 XASSIGN(CLOSEREQ, dn); 1004 XASSIGN(CLOSING, dn); 1005 XASSIGN(TIMEWAIT, dn); 1006#undef XASSIGN 1007 1008 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose; 1009#endif 1010} 1011 1012static void nf_conntrack_standalone_init_gre_sysctl(struct net *net, 1013 struct ctl_table *table) 1014{ 1015#ifdef CONFIG_NF_CT_PROTO_GRE 1016 struct nf_gre_net *gn = nf_gre_pernet(net); 1017 1018 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED]; 1019 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED]; 1020#endif 1021} 1022 1023static int nf_conntrack_standalone_init_sysctl(struct net *net) 1024{ 1025 struct nf_udp_net *un = nf_udp_pernet(net); 1026 struct ctl_table *table; 1027 1028 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL); 1029 1030 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), 1031 GFP_KERNEL); 1032 if (!table) 1033 return -ENOMEM; 1034 1035 table[NF_SYSCTL_CT_COUNT].data = &net->ct.count; 1036 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum; 1037 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid; 1038 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct; 1039 table[NF_SYSCTL_CT_HELPER].data = &net->ct.sysctl_auto_assign_helper; 1040#ifdef CONFIG_NF_CONNTRACK_EVENTS 1041 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events; 1042#endif 1043#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 1044 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp; 1045#endif 1046 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout; 1047 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout; 1048 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout; 1049 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED]; 1050 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED]; 1051 1052 nf_conntrack_standalone_init_tcp_sysctl(net, table); 1053 nf_conntrack_standalone_init_sctp_sysctl(net, table); 1054 nf_conntrack_standalone_init_dccp_sysctl(net, table); 1055 nf_conntrack_standalone_init_gre_sysctl(net, table); 1056 1057 /* Don't allow unprivileged users to alter certain sysctls */ 1058 if (net->user_ns != &init_user_ns) { 1059 table[NF_SYSCTL_CT_MAX].mode = 0444; 1060 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444; 1061 table[NF_SYSCTL_CT_HELPER].mode = 0444; 1062#ifdef CONFIG_NF_CONNTRACK_EVENTS 1063 table[NF_SYSCTL_CT_EVENTS].mode = 0444; 1064#endif 1065 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1066 } else if (!net_eq(&init_net, net)) { 1067 table[NF_SYSCTL_CT_BUCKETS].mode = 0444; 1068 } 1069 1070 net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table); 1071 if (!net->ct.sysctl_header) 1072 goto out_unregister_netfilter; 1073 1074 return 0; 1075 1076out_unregister_netfilter: 1077 kfree(table); 1078 return -ENOMEM; 1079} 1080 1081static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1082{ 1083 struct ctl_table *table; 1084 1085 table = net->ct.sysctl_header->ctl_table_arg; 1086 unregister_net_sysctl_table(net->ct.sysctl_header); 1087 kfree(table); 1088} 1089#else 1090static int nf_conntrack_standalone_init_sysctl(struct net *net) 1091{ 1092 return 0; 1093} 1094 1095static void nf_conntrack_standalone_fini_sysctl(struct net *net) 1096{ 1097} 1098#endif /* CONFIG_SYSCTL */ 1099 1100static void nf_conntrack_fini_net(struct net *net) 1101{ 1102 if (enable_hooks) 1103 nf_ct_netns_put(net, NFPROTO_INET); 1104 1105 nf_conntrack_standalone_fini_proc(net); 1106 nf_conntrack_standalone_fini_sysctl(net); 1107} 1108 1109static int nf_conntrack_pernet_init(struct net *net) 1110{ 1111 int ret; 1112 1113 net->ct.sysctl_checksum = 1; 1114 1115 ret = nf_conntrack_standalone_init_sysctl(net); 1116 if (ret < 0) 1117 return ret; 1118 1119 ret = nf_conntrack_standalone_init_proc(net); 1120 if (ret < 0) 1121 goto out_proc; 1122 1123 ret = nf_conntrack_init_net(net); 1124 if (ret < 0) 1125 goto out_init_net; 1126 1127 if (enable_hooks) { 1128 ret = nf_ct_netns_get(net, NFPROTO_INET); 1129 if (ret < 0) 1130 goto out_hooks; 1131 } 1132 1133 return 0; 1134 1135out_hooks: 1136 nf_conntrack_cleanup_net(net); 1137out_init_net: 1138 nf_conntrack_standalone_fini_proc(net); 1139out_proc: 1140 nf_conntrack_standalone_fini_sysctl(net); 1141 return ret; 1142} 1143 1144static void nf_conntrack_pernet_exit(struct list_head *net_exit_list) 1145{ 1146 struct net *net; 1147 1148 list_for_each_entry(net, net_exit_list, exit_list) 1149 nf_conntrack_fini_net(net); 1150 1151 nf_conntrack_cleanup_net_list(net_exit_list); 1152} 1153 1154static struct pernet_operations nf_conntrack_net_ops = { 1155 .init = nf_conntrack_pernet_init, 1156 .exit_batch = nf_conntrack_pernet_exit, 1157 .id = &nf_conntrack_net_id, 1158 .size = sizeof(struct nf_conntrack_net), 1159}; 1160 1161static int __init nf_conntrack_standalone_init(void) 1162{ 1163 int ret = nf_conntrack_init_start(); 1164 if (ret < 0) 1165 goto out_start; 1166 1167 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER); 1168 1169#ifdef CONFIG_SYSCTL 1170 nf_ct_netfilter_header = 1171 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 1172 if (!nf_ct_netfilter_header) { 1173 pr_err("nf_conntrack: can't register to sysctl.\n"); 1174 ret = -ENOMEM; 1175 goto out_sysctl; 1176 } 1177 1178 nf_conntrack_htable_size_user = nf_conntrack_htable_size; 1179#endif 1180 1181 ret = register_pernet_subsys(&nf_conntrack_net_ops); 1182 if (ret < 0) 1183 goto out_pernet; 1184 1185 nf_conntrack_init_end(); 1186 return 0; 1187 1188out_pernet: 1189#ifdef CONFIG_SYSCTL 1190 unregister_net_sysctl_table(nf_ct_netfilter_header); 1191out_sysctl: 1192#endif 1193 nf_conntrack_cleanup_end(); 1194out_start: 1195 return ret; 1196} 1197 1198static void __exit nf_conntrack_standalone_fini(void) 1199{ 1200 nf_conntrack_cleanup_start(); 1201 unregister_pernet_subsys(&nf_conntrack_net_ops); 1202#ifdef CONFIG_SYSCTL 1203 unregister_net_sysctl_table(nf_ct_netfilter_header); 1204#endif 1205 nf_conntrack_cleanup_end(); 1206} 1207 1208module_init(nf_conntrack_standalone_init); 1209module_exit(nf_conntrack_standalone_fini);