mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-22 07:53:11 -05:00
netfilter: move nf_ct_netns_get out of nf_conncount_init
This patch is to move nf_ct_netns_get() out of nf_conncount_init() and let the consumers of nf_conncount decide if they want to turn on netfilter conntrack. It makes nf_conncount more flexible to be used in other places and avoids netfilter conntrack turned on when using it in openvswitch conntrack. Signed-off-by: Xin Long <lucien.xin@gmail.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
c9526aeb49
commit
d5283b47e2
4 changed files with 20 additions and 21 deletions
|
@ -15,10 +15,8 @@ struct nf_conncount_list {
|
|||
unsigned int count; /* length of list */
|
||||
};
|
||||
|
||||
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
|
||||
unsigned int keylen);
|
||||
void nf_conncount_destroy(struct net *net, unsigned int family,
|
||||
struct nf_conncount_data *data);
|
||||
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen);
|
||||
void nf_conncount_destroy(struct net *net, struct nf_conncount_data *data);
|
||||
|
||||
unsigned int nf_conncount_count(struct net *net,
|
||||
struct nf_conncount_data *data,
|
||||
|
|
|
@ -522,11 +522,10 @@ unsigned int nf_conncount_count(struct net *net,
|
|||
}
|
||||
EXPORT_SYMBOL_GPL(nf_conncount_count);
|
||||
|
||||
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
|
||||
unsigned int keylen)
|
||||
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen)
|
||||
{
|
||||
struct nf_conncount_data *data;
|
||||
int ret, i;
|
||||
int i;
|
||||
|
||||
if (keylen % sizeof(u32) ||
|
||||
keylen / sizeof(u32) > MAX_KEYLEN ||
|
||||
|
@ -539,12 +538,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family
|
|||
if (!data)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
||||
ret = nf_ct_netns_get(net, family);
|
||||
if (ret < 0) {
|
||||
kfree(data);
|
||||
return ERR_PTR(ret);
|
||||
}
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
|
||||
data->root[i] = RB_ROOT;
|
||||
|
||||
|
@ -581,13 +574,11 @@ static void destroy_tree(struct rb_root *r)
|
|||
}
|
||||
}
|
||||
|
||||
void nf_conncount_destroy(struct net *net, unsigned int family,
|
||||
struct nf_conncount_data *data)
|
||||
void nf_conncount_destroy(struct net *net, struct nf_conncount_data *data)
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
cancel_work_sync(&data->gc_work);
|
||||
nf_ct_netns_put(net, family);
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
|
||||
destroy_tree(&data->root[i]);
|
||||
|
|
|
@ -86,6 +86,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
|
|||
{
|
||||
struct xt_connlimit_info *info = par->matchinfo;
|
||||
unsigned int keylen;
|
||||
int ret;
|
||||
|
||||
keylen = sizeof(u32);
|
||||
if (par->family == NFPROTO_IPV6)
|
||||
|
@ -93,8 +94,17 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
|
|||
else
|
||||
keylen += sizeof(struct in_addr);
|
||||
|
||||
ret = nf_ct_netns_get(par->net, par->family);
|
||||
if (ret < 0) {
|
||||
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||
par->family);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* init private data */
|
||||
info->data = nf_conncount_init(par->net, par->family, keylen);
|
||||
info->data = nf_conncount_init(par->net, keylen);
|
||||
if (IS_ERR(info->data))
|
||||
nf_ct_netns_put(par->net, par->family);
|
||||
|
||||
return PTR_ERR_OR_ZERO(info->data);
|
||||
}
|
||||
|
@ -103,7 +113,8 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
|
|||
{
|
||||
const struct xt_connlimit_info *info = par->matchinfo;
|
||||
|
||||
nf_conncount_destroy(par->net, par->family, info->data);
|
||||
nf_conncount_destroy(par->net, info->data);
|
||||
nf_ct_netns_put(par->net, par->family);
|
||||
}
|
||||
|
||||
static struct xt_match connlimit_mt_reg __read_mostly = {
|
||||
|
|
|
@ -1608,8 +1608,7 @@ static int ovs_ct_limit_init(struct net *net, struct ovs_net *ovs_net)
|
|||
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; i++)
|
||||
INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]);
|
||||
|
||||
ovs_net->ct_limit_info->data =
|
||||
nf_conncount_init(net, NFPROTO_INET, sizeof(u32));
|
||||
ovs_net->ct_limit_info->data = nf_conncount_init(net, sizeof(u32));
|
||||
|
||||
if (IS_ERR(ovs_net->ct_limit_info->data)) {
|
||||
err = PTR_ERR(ovs_net->ct_limit_info->data);
|
||||
|
@ -1626,7 +1625,7 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net)
|
|||
const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info;
|
||||
int i;
|
||||
|
||||
nf_conncount_destroy(net, NFPROTO_INET, info->data);
|
||||
nf_conncount_destroy(net, info->data);
|
||||
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
|
||||
struct hlist_head *head = &info->limits[i];
|
||||
struct ovs_ct_limit *ct_limit;
|
||||
|
|
Loading…
Reference in a new issue