netfilter: move nf_ct_netns_get out of nf_conncount_init
This patch moves nf_ct_netns_get() out of nf_conncount_init() and lets the consumers of nf_conncount decide whether they want to turn on netfilter conntrack. It makes nf_conncount more flexible to use in other places and avoids netfilter conntrack being turned on when it is used in openvswitch conntrack. Signed-off-by: Xin Long <lucien.xin@gmail.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
c9526aeb49
commit
d5283b47e2
4 changed files with 20 additions and 21 deletions
|
@ -15,10 +15,8 @@ struct nf_conncount_list {
|
||||||
unsigned int count; /* length of list */
|
unsigned int count; /* length of list */
|
||||||
};
|
};
|
||||||
|
|
||||||
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
|
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen);
|
||||||
unsigned int keylen);
|
void nf_conncount_destroy(struct net *net, struct nf_conncount_data *data);
|
||||||
void nf_conncount_destroy(struct net *net, unsigned int family,
|
|
||||||
struct nf_conncount_data *data);
|
|
||||||
|
|
||||||
unsigned int nf_conncount_count(struct net *net,
|
unsigned int nf_conncount_count(struct net *net,
|
||||||
struct nf_conncount_data *data,
|
struct nf_conncount_data *data,
|
||||||
|
|
|
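Review bot: The new prototype of nf_conncount_init() in this header no longer says who enables conntrack for the netns, yet the rest of the change relies on each consumer doing it (xt_connlimit now calls nf_ct_netns_get() before the init and nf_ct_netns_put() after nf_conncount_destroy()). A reader of the header alone cannot tell that the old implicit enabling is gone. I would add above the declaration: `/* Does not enable conntrack for @net; callers that want conntrack enabled acquire it with nf_ct_netns_get() themselves and release it after nf_conncount_destroy(). */`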
@ -522,11 +522,10 @@ unsigned int nf_conncount_count(struct net *net,
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(nf_conncount_count);
|
EXPORT_SYMBOL_GPL(nf_conncount_count);
|
||||||
|
|
||||||
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
|
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen)
|
||||||
unsigned int keylen)
|
|
||||||
{
|
{
|
||||||
struct nf_conncount_data *data;
|
struct nf_conncount_data *data;
|
||||||
int ret, i;
|
int i;
|
||||||
|
|
||||||
if (keylen % sizeof(u32) ||
|
if (keylen % sizeof(u32) ||
|
||||||
keylen / sizeof(u32) > MAX_KEYLEN ||
|
keylen / sizeof(u32) > MAX_KEYLEN ||
|
||||||
|
@ -539,12 +538,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family
|
||||||
if (!data)
|
if (!data)
|
||||||
return ERR_PTR(-ENOMEM);
|
return ERR_PTR(-ENOMEM);
|
||||||
|
|
||||||
ret = nf_ct_netns_get(net, family);
|
|
||||||
if (ret < 0) {
|
|
||||||
kfree(data);
|
|
||||||
return ERR_PTR(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
|
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
|
||||||
data->root[i] = RB_ROOT;
|
data->root[i] = RB_ROOT;
|
||||||
|
|
||||||
|
@ -581,13 +574,11 @@ static void destroy_tree(struct rb_root *r)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void nf_conncount_destroy(struct net *net, unsigned int family,
|
void nf_conncount_destroy(struct net *net, struct nf_conncount_data *data)
|
||||||
struct nf_conncount_data *data)
|
|
||||||
{
|
{
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
cancel_work_sync(&data->gc_work);
|
cancel_work_sync(&data->gc_work);
|
||||||
nf_ct_netns_put(net, family);
|
|
||||||
|
|
||||||
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
|
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
|
||||||
destroy_tree(&data->root[i]);
|
destroy_tree(&data->root[i]);
|
||||||
|
|
|
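Review bot: The changed declaration `int i;` in the first hunk of nf_conncount_init() is compared against ARRAY_SIZE(data->root), a size_t, in the loop a few lines below, while nf_conncount_destroy() in the third hunk uses `unsigned int i;` for the identical loop. Since this line is being rewritten anyway, `unsigned int i;` would keep the two functions consistent and avoid a sign-compare warning. The body of nf_conncount_init() continues outside the hunk.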
@ -86,6 +86,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
|
||||||
{
|
{
|
||||||
struct xt_connlimit_info *info = par->matchinfo;
|
struct xt_connlimit_info *info = par->matchinfo;
|
||||||
unsigned int keylen;
|
unsigned int keylen;
|
||||||
|
int ret;
|
||||||
|
|
||||||
keylen = sizeof(u32);
|
keylen = sizeof(u32);
|
||||||
if (par->family == NFPROTO_IPV6)
|
if (par->family == NFPROTO_IPV6)
|
||||||
|
@ -93,8 +94,17 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
|
||||||
else
|
else
|
||||||
keylen += sizeof(struct in_addr);
|
keylen += sizeof(struct in_addr);
|
||||||
|
|
||||||
|
ret = nf_ct_netns_get(par->net, par->family);
|
||||||
|
if (ret < 0) {
|
||||||
|
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
|
||||||
|
par->family);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
/* init private data */
|
/* init private data */
|
||||||
info->data = nf_conncount_init(par->net, par->family, keylen);
|
info->data = nf_conncount_init(par->net, keylen);
|
||||||
|
if (IS_ERR(info->data))
|
||||||
|
nf_ct_netns_put(par->net, par->family);
|
||||||
|
|
||||||
return PTR_ERR_OR_ZERO(info->data);
|
return PTR_ERR_OR_ZERO(info->data);
|
||||||
}
|
}
|
||||||
|
@ -103,7 +113,8 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_connlimit_info *info = par->matchinfo;
|
const struct xt_connlimit_info *info = par->matchinfo;
|
||||||
|
|
||||||
nf_conncount_destroy(par->net, par->family, info->data);
|
nf_conncount_destroy(par->net, info->data);
|
||||||
|
nf_ct_netns_put(par->net, par->family);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct xt_match connlimit_mt_reg __read_mostly = {
|
static struct xt_match connlimit_mt_reg __read_mostly = {
|
||||||
|
|
|
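Review bot: The acquire/release pairing introduced here is split across connlimit_mt_check() and connlimit_mt_destroy(), and nothing in the code states why nf_ct_netns_put() in destroy must come after nf_conncount_destroy() (the gc work and count trees are torn down there first, and presumably may still reference conntrack until then). A one-line comment at the put in connlimit_mt_destroy() would protect that ordering against later reshuffling: `/* drop the conntrack reference only after the count trees are gone */`. The IS_ERR branch in connlimit_mt_check() correctly undoes the get on the init failure path, so no code change is needed.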
@ -1608,8 +1608,7 @@ static int ovs_ct_limit_init(struct net *net, struct ovs_net *ovs_net)
|
||||||
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; i++)
|
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; i++)
|
||||||
INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]);
|
INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]);
|
||||||
|
|
||||||
ovs_net->ct_limit_info->data =
|
ovs_net->ct_limit_info->data = nf_conncount_init(net, sizeof(u32));
|
||||||
nf_conncount_init(net, NFPROTO_INET, sizeof(u32));
|
|
||||||
|
|
||||||
if (IS_ERR(ovs_net->ct_limit_info->data)) {
|
if (IS_ERR(ovs_net->ct_limit_info->data)) {
|
||||||
err = PTR_ERR(ovs_net->ct_limit_info->data);
|
err = PTR_ERR(ovs_net->ct_limit_info->data);
|
||||||
|
@ -1626,7 +1625,7 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net)
|
||||||
const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info;
|
const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
nf_conncount_destroy(net, NFPROTO_INET, info->data);
|
nf_conncount_destroy(net, info->data);
|
||||||
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
|
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
|
||||||
struct hlist_head *head = &info->limits[i];
|
struct hlist_head *head = &info->limits[i];
|
||||||
struct ovs_ct_limit *ct_limit;
|
struct ovs_ct_limit *ct_limit;
|
||||||
|
|