net/netfilter/nfnetlink_cttimeout.c at v4.8-rc5

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / net / netfilter / nfnetlink_cttimeout.c
at v4.8-rc5 647 lines 16 kB view raw
wrap content
  1/*
  2 * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
  3 * (C) 2012 by Vyatta Inc. <http://www.vyatta.com>
  4 *
  5 * This program is free software; you can redistribute it and/or modify
  6 * it under the terms of the GNU General Public License version 2 as
  7 * published by the Free Software Foundation (or any later at your option).
  8 */
  9#include <linux/init.h>
 10#include <linux/module.h>
 11#include <linux/kernel.h>
 12#include <linux/rculist.h>
 13#include <linux/rculist_nulls.h>
 14#include <linux/types.h>
 15#include <linux/timer.h>
 16#include <linux/security.h>
 17#include <linux/skbuff.h>
 18#include <linux/errno.h>
 19#include <linux/netlink.h>
 20#include <linux/spinlock.h>
 21#include <linux/interrupt.h>
 22#include <linux/slab.h>
 23
 24#include <linux/netfilter.h>
 25#include <net/netlink.h>
 26#include <net/sock.h>
 27#include <net/netfilter/nf_conntrack.h>
 28#include <net/netfilter/nf_conntrack_core.h>
 29#include <net/netfilter/nf_conntrack_l3proto.h>
 30#include <net/netfilter/nf_conntrack_l4proto.h>
 31#include <net/netfilter/nf_conntrack_tuple.h>
 32#include <net/netfilter/nf_conntrack_timeout.h>
 33
 34#include <linux/netfilter/nfnetlink.h>
 35#include <linux/netfilter/nfnetlink_cttimeout.h>
 36
 37MODULE_LICENSE("GPL");
 38MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
 39MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tuning");
 40
 41static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
 42	[CTA_TIMEOUT_NAME]	= { .type = NLA_NUL_STRING,
 43				    .len  = CTNL_TIMEOUT_NAME_MAX - 1},
 44	[CTA_TIMEOUT_L3PROTO]	= { .type = NLA_U16 },
 45	[CTA_TIMEOUT_L4PROTO]	= { .type = NLA_U8 },
 46	[CTA_TIMEOUT_DATA]	= { .type = NLA_NESTED },
 47};
 48
 49static int
 50ctnl_timeout_parse_policy(void *timeouts, struct nf_conntrack_l4proto *l4proto,
 51			  struct net *net, const struct nlattr *attr)
 52{
 53	int ret = 0;
 54
 55	if (likely(l4proto->ctnl_timeout.nlattr_to_obj)) {
 56		struct nlattr *tb[l4proto->ctnl_timeout.nlattr_max+1];
 57
 58		ret = nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max,
 59				       attr, l4proto->ctnl_timeout.nla_policy);
 60		if (ret < 0)
 61			return ret;
 62
 63		ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, timeouts);
 64	}
 65	return ret;
 66}
 67
 68static int cttimeout_new_timeout(struct net *net, struct sock *ctnl,
 69				 struct sk_buff *skb,
 70				 const struct nlmsghdr *nlh,
 71				 const struct nlattr * const cda[])
 72{
 73	__u16 l3num;
 74	__u8 l4num;
 75	struct nf_conntrack_l4proto *l4proto;
 76	struct ctnl_timeout *timeout, *matching = NULL;
 77	char *name;
 78	int ret;
 79
 80	if (!cda[CTA_TIMEOUT_NAME] ||
 81	    !cda[CTA_TIMEOUT_L3PROTO] ||
 82	    !cda[CTA_TIMEOUT_L4PROTO] ||
 83	    !cda[CTA_TIMEOUT_DATA])
 84		return -EINVAL;
 85
 86	name = nla_data(cda[CTA_TIMEOUT_NAME]);
 87	l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
 88	l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
 89
 90	list_for_each_entry(timeout, &net->nfct_timeout_list, head) {
 91		if (strncmp(timeout->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
 92			continue;
 93
 94		if (nlh->nlmsg_flags & NLM_F_EXCL)
 95			return -EEXIST;
 96
 97		matching = timeout;
 98		break;
 99	}
100
101	l4proto = nf_ct_l4proto_find_get(l3num, l4num);
102
103	/* This protocol is not supportted, skip. */
104	if (l4proto->l4proto != l4num) {
105		ret = -EOPNOTSUPP;
106		goto err_proto_put;
107	}
108
109	if (matching) {
110		if (nlh->nlmsg_flags & NLM_F_REPLACE) {
111			/* You cannot replace one timeout policy by another of
112			 * different kind, sorry.
113			 */
114			if (matching->l3num != l3num ||
115			    matching->l4proto->l4proto != l4num) {
116				ret = -EINVAL;
117				goto err_proto_put;
118			}
119
120			ret = ctnl_timeout_parse_policy(&matching->data,
121							l4proto, net,
122							cda[CTA_TIMEOUT_DATA]);
123			return ret;
124		}
125		ret = -EBUSY;
126		goto err_proto_put;
127	}
128
129	timeout = kzalloc(sizeof(struct ctnl_timeout) +
130			  l4proto->ctnl_timeout.obj_size, GFP_KERNEL);
131	if (timeout == NULL) {
132		ret = -ENOMEM;
133		goto err_proto_put;
134	}
135
136	ret = ctnl_timeout_parse_policy(&timeout->data, l4proto, net,
137					cda[CTA_TIMEOUT_DATA]);
138	if (ret < 0)
139		goto err;
140
141	strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME]));
142	timeout->l3num = l3num;
143	timeout->l4proto = l4proto;
144	atomic_set(&timeout->refcnt, 1);
145	list_add_tail_rcu(&timeout->head, &net->nfct_timeout_list);
146
147	return 0;
148err:
149	kfree(timeout);
150err_proto_put:
151	nf_ct_l4proto_put(l4proto);
152	return ret;
153}
154
155static int
156ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
157		       int event, struct ctnl_timeout *timeout)
158{
159	struct nlmsghdr *nlh;
160	struct nfgenmsg *nfmsg;
161	unsigned int flags = portid ? NLM_F_MULTI : 0;
162	struct nf_conntrack_l4proto *l4proto = timeout->l4proto;
163
164	event |= NFNL_SUBSYS_CTNETLINK_TIMEOUT << 8;
165	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
166	if (nlh == NULL)
167		goto nlmsg_failure;
168
169	nfmsg = nlmsg_data(nlh);
170	nfmsg->nfgen_family = AF_UNSPEC;
171	nfmsg->version = NFNETLINK_V0;
172	nfmsg->res_id = 0;
173
174	if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) ||
175	    nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(timeout->l3num)) ||
176	    nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) ||
177	    nla_put_be32(skb, CTA_TIMEOUT_USE,
178			 htonl(atomic_read(&timeout->refcnt))))
179		goto nla_put_failure;
180
181	if (likely(l4proto->ctnl_timeout.obj_to_nlattr)) {
182		struct nlattr *nest_parms;
183		int ret;
184
185		nest_parms = nla_nest_start(skb,
186					    CTA_TIMEOUT_DATA | NLA_F_NESTED);
187		if (!nest_parms)
188			goto nla_put_failure;
189
190		ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data);
191		if (ret < 0)
192			goto nla_put_failure;
193
194		nla_nest_end(skb, nest_parms);
195	}
196
197	nlmsg_end(skb, nlh);
198	return skb->len;
199
200nlmsg_failure:
201nla_put_failure:
202	nlmsg_cancel(skb, nlh);
203	return -1;
204}
205
206static int
207ctnl_timeout_dump(struct sk_buff *skb, struct netlink_callback *cb)
208{
209	struct net *net = sock_net(skb->sk);
210	struct ctnl_timeout *cur, *last;
211
212	if (cb->args[2])
213		return 0;
214
215	last = (struct ctnl_timeout *)cb->args[1];
216	if (cb->args[1])
217		cb->args[1] = 0;
218
219	rcu_read_lock();
220	list_for_each_entry_rcu(cur, &net->nfct_timeout_list, head) {
221		if (last) {
222			if (cur != last)
223				continue;
224
225			last = NULL;
226		}
227		if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).portid,
228					   cb->nlh->nlmsg_seq,
229					   NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
230					   IPCTNL_MSG_TIMEOUT_NEW, cur) < 0) {
231			cb->args[1] = (unsigned long)cur;
232			break;
233		}
234	}
235	if (!cb->args[1])
236		cb->args[2] = 1;
237	rcu_read_unlock();
238	return skb->len;
239}
240
241static int cttimeout_get_timeout(struct net *net, struct sock *ctnl,
242				 struct sk_buff *skb,
243				 const struct nlmsghdr *nlh,
244				 const struct nlattr * const cda[])
245{
246	int ret = -ENOENT;
247	char *name;
248	struct ctnl_timeout *cur;
249
250	if (nlh->nlmsg_flags & NLM_F_DUMP) {
251		struct netlink_dump_control c = {
252			.dump = ctnl_timeout_dump,
253		};
254		return netlink_dump_start(ctnl, skb, nlh, &c);
255	}
256
257	if (!cda[CTA_TIMEOUT_NAME])
258		return -EINVAL;
259	name = nla_data(cda[CTA_TIMEOUT_NAME]);
260
261	list_for_each_entry(cur, &net->nfct_timeout_list, head) {
262		struct sk_buff *skb2;
263
264		if (strncmp(cur->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
265			continue;
266
267		skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
268		if (skb2 == NULL) {
269			ret = -ENOMEM;
270			break;
271		}
272
273		ret = ctnl_timeout_fill_info(skb2, NETLINK_CB(skb).portid,
274					     nlh->nlmsg_seq,
275					     NFNL_MSG_TYPE(nlh->nlmsg_type),
276					     IPCTNL_MSG_TIMEOUT_NEW, cur);
277		if (ret <= 0) {
278			kfree_skb(skb2);
279			break;
280		}
281		ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid,
282					MSG_DONTWAIT);
283		if (ret > 0)
284			ret = 0;
285
286		/* this avoids a loop in nfnetlink. */
287		return ret == -EAGAIN ? -ENOBUFS : ret;
288	}
289	return ret;
290}
291
292static void untimeout(struct nf_conntrack_tuple_hash *i,
293		      struct ctnl_timeout *timeout)
294{
295	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(i);
296	struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct);
297
298	if (timeout_ext && (!timeout || timeout_ext->timeout == timeout))
299		RCU_INIT_POINTER(timeout_ext->timeout, NULL);
300}
301
302static void ctnl_untimeout(struct net *net, struct ctnl_timeout *timeout)
303{
304	struct nf_conntrack_tuple_hash *h;
305	const struct hlist_nulls_node *nn;
306	unsigned int last_hsize;
307	spinlock_t *lock;
308	int i;
309
310	local_bh_disable();
311restart:
312	last_hsize = nf_conntrack_htable_size;
313	for (i = 0; i < last_hsize; i++) {
314		lock = &nf_conntrack_locks[i % CONNTRACK_LOCKS];
315		nf_conntrack_lock(lock);
316		if (last_hsize != nf_conntrack_htable_size) {
317			spin_unlock(lock);
318			goto restart;
319		}
320
321		hlist_nulls_for_each_entry(h, nn, &nf_conntrack_hash[i], hnnode)
322			untimeout(h, timeout);
323		spin_unlock(lock);
324	}
325	local_bh_enable();
326}
327
328/* try to delete object, fail if it is still in use. */
329static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout)
330{
331	int ret = 0;
332
333	/* We want to avoid races with ctnl_timeout_put. So only when the
334	 * current refcnt is 1, we decrease it to 0.
335	 */
336	if (atomic_cmpxchg(&timeout->refcnt, 1, 0) == 1) {
337		/* We are protected by nfnl mutex. */
338		list_del_rcu(&timeout->head);
339		nf_ct_l4proto_put(timeout->l4proto);
340		ctnl_untimeout(net, timeout);
341		kfree_rcu(timeout, rcu_head);
342	} else {
343		ret = -EBUSY;
344	}
345	return ret;
346}
347
348static int cttimeout_del_timeout(struct net *net, struct sock *ctnl,
349				 struct sk_buff *skb,
350				 const struct nlmsghdr *nlh,
351				 const struct nlattr * const cda[])
352{
353	struct ctnl_timeout *cur;
354	int ret = -ENOENT;
355	char *name;
356
357	if (!cda[CTA_TIMEOUT_NAME]) {
358		list_for_each_entry(cur, &net->nfct_timeout_list, head)
359			ctnl_timeout_try_del(net, cur);
360
361		return 0;
362	}
363	name = nla_data(cda[CTA_TIMEOUT_NAME]);
364
365	list_for_each_entry(cur, &net->nfct_timeout_list, head) {
366		if (strncmp(cur->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
367			continue;
368
369		ret = ctnl_timeout_try_del(net, cur);
370		if (ret < 0)
371			return ret;
372
373		break;
374	}
375	return ret;
376}
377
378static int cttimeout_default_set(struct net *net, struct sock *ctnl,
379				 struct sk_buff *skb,
380				 const struct nlmsghdr *nlh,
381				 const struct nlattr * const cda[])
382{
383	__u16 l3num;
384	__u8 l4num;
385	struct nf_conntrack_l4proto *l4proto;
386	unsigned int *timeouts;
387	int ret;
388
389	if (!cda[CTA_TIMEOUT_L3PROTO] ||
390	    !cda[CTA_TIMEOUT_L4PROTO] ||
391	    !cda[CTA_TIMEOUT_DATA])
392		return -EINVAL;
393
394	l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
395	l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
396	l4proto = nf_ct_l4proto_find_get(l3num, l4num);
397
398	/* This protocol is not supported, skip. */
399	if (l4proto->l4proto != l4num) {
400		ret = -EOPNOTSUPP;
401		goto err;
402	}
403
404	timeouts = l4proto->get_timeouts(net);
405
406	ret = ctnl_timeout_parse_policy(timeouts, l4proto, net,
407					cda[CTA_TIMEOUT_DATA]);
408	if (ret < 0)
409		goto err;
410
411	nf_ct_l4proto_put(l4proto);
412	return 0;
413err:
414	nf_ct_l4proto_put(l4proto);
415	return ret;
416}
417
418static int
419cttimeout_default_fill_info(struct net *net, struct sk_buff *skb, u32 portid,
420			    u32 seq, u32 type, int event,
421			    struct nf_conntrack_l4proto *l4proto)
422{
423	struct nlmsghdr *nlh;
424	struct nfgenmsg *nfmsg;
425	unsigned int flags = portid ? NLM_F_MULTI : 0;
426
427	event |= NFNL_SUBSYS_CTNETLINK_TIMEOUT << 8;
428	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
429	if (nlh == NULL)
430		goto nlmsg_failure;
431
432	nfmsg = nlmsg_data(nlh);
433	nfmsg->nfgen_family = AF_UNSPEC;
434	nfmsg->version = NFNETLINK_V0;
435	nfmsg->res_id = 0;
436
437	if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l4proto->l3proto)) ||
438	    nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto))
439		goto nla_put_failure;
440
441	if (likely(l4proto->ctnl_timeout.obj_to_nlattr)) {
442		struct nlattr *nest_parms;
443		unsigned int *timeouts = l4proto->get_timeouts(net);
444		int ret;
445
446		nest_parms = nla_nest_start(skb,
447					    CTA_TIMEOUT_DATA | NLA_F_NESTED);
448		if (!nest_parms)
449			goto nla_put_failure;
450
451		ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, timeouts);
452		if (ret < 0)
453			goto nla_put_failure;
454
455		nla_nest_end(skb, nest_parms);
456	}
457
458	nlmsg_end(skb, nlh);
459	return skb->len;
460
461nlmsg_failure:
462nla_put_failure:
463	nlmsg_cancel(skb, nlh);
464	return -1;
465}
466
467static int cttimeout_default_get(struct net *net, struct sock *ctnl,
468				 struct sk_buff *skb,
469				 const struct nlmsghdr *nlh,
470				 const struct nlattr * const cda[])
471{
472	__u16 l3num;
473	__u8 l4num;
474	struct nf_conntrack_l4proto *l4proto;
475	struct sk_buff *skb2;
476	int ret, err;
477
478	if (!cda[CTA_TIMEOUT_L3PROTO] || !cda[CTA_TIMEOUT_L4PROTO])
479		return -EINVAL;
480
481	l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
482	l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
483	l4proto = nf_ct_l4proto_find_get(l3num, l4num);
484
485	/* This protocol is not supported, skip. */
486	if (l4proto->l4proto != l4num) {
487		err = -EOPNOTSUPP;
488		goto err;
489	}
490
491	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
492	if (skb2 == NULL) {
493		err = -ENOMEM;
494		goto err;
495	}
496
497	ret = cttimeout_default_fill_info(net, skb2, NETLINK_CB(skb).portid,
498					  nlh->nlmsg_seq,
499					  NFNL_MSG_TYPE(nlh->nlmsg_type),
500					  IPCTNL_MSG_TIMEOUT_DEFAULT_SET,
501					  l4proto);
502	if (ret <= 0) {
503		kfree_skb(skb2);
504		err = -ENOMEM;
505		goto err;
506	}
507	ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
508	if (ret > 0)
509		ret = 0;
510
511	/* this avoids a loop in nfnetlink. */
512	return ret == -EAGAIN ? -ENOBUFS : ret;
513err:
514	nf_ct_l4proto_put(l4proto);
515	return err;
516}
517
518#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
519static struct ctnl_timeout *
520ctnl_timeout_find_get(struct net *net, const char *name)
521{
522	struct ctnl_timeout *timeout, *matching = NULL;
523
524	rcu_read_lock();
525	list_for_each_entry_rcu(timeout, &net->nfct_timeout_list, head) {
526		if (strncmp(timeout->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
527			continue;
528
529		if (!try_module_get(THIS_MODULE))
530			goto err;
531
532		if (!atomic_inc_not_zero(&timeout->refcnt)) {
533			module_put(THIS_MODULE);
534			goto err;
535		}
536		matching = timeout;
537		break;
538	}
539err:
540	rcu_read_unlock();
541	return matching;
542}
543
544static void ctnl_timeout_put(struct ctnl_timeout *timeout)
545{
546	if (atomic_dec_and_test(&timeout->refcnt))
547		kfree_rcu(timeout, rcu_head);
548
549	module_put(THIS_MODULE);
550}
551#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
552
553static const struct nfnl_callback cttimeout_cb[IPCTNL_MSG_TIMEOUT_MAX] = {
554	[IPCTNL_MSG_TIMEOUT_NEW]	= { .call = cttimeout_new_timeout,
555					    .attr_count = CTA_TIMEOUT_MAX,
556					    .policy = cttimeout_nla_policy },
557	[IPCTNL_MSG_TIMEOUT_GET]	= { .call = cttimeout_get_timeout,
558					    .attr_count = CTA_TIMEOUT_MAX,
559					    .policy = cttimeout_nla_policy },
560	[IPCTNL_MSG_TIMEOUT_DELETE]	= { .call = cttimeout_del_timeout,
561					    .attr_count = CTA_TIMEOUT_MAX,
562					    .policy = cttimeout_nla_policy },
563	[IPCTNL_MSG_TIMEOUT_DEFAULT_SET]= { .call = cttimeout_default_set,
564					    .attr_count = CTA_TIMEOUT_MAX,
565					    .policy = cttimeout_nla_policy },
566	[IPCTNL_MSG_TIMEOUT_DEFAULT_GET]= { .call = cttimeout_default_get,
567					    .attr_count = CTA_TIMEOUT_MAX,
568					    .policy = cttimeout_nla_policy },
569};
570
571static const struct nfnetlink_subsystem cttimeout_subsys = {
572	.name				= "conntrack_timeout",
573	.subsys_id			= NFNL_SUBSYS_CTNETLINK_TIMEOUT,
574	.cb_count			= IPCTNL_MSG_TIMEOUT_MAX,
575	.cb				= cttimeout_cb,
576};
577
578MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_TIMEOUT);
579
580static int __net_init cttimeout_net_init(struct net *net)
581{
582	INIT_LIST_HEAD(&net->nfct_timeout_list);
583
584	return 0;
585}
586
587static void __net_exit cttimeout_net_exit(struct net *net)
588{
589	struct ctnl_timeout *cur, *tmp;
590
591	ctnl_untimeout(net, NULL);
592
593	list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {
594		list_del_rcu(&cur->head);
595		nf_ct_l4proto_put(cur->l4proto);
596
597		if (atomic_dec_and_test(&cur->refcnt))
598			kfree_rcu(cur, rcu_head);
599	}
600}
601
602static struct pernet_operations cttimeout_ops = {
603	.init	= cttimeout_net_init,
604	.exit	= cttimeout_net_exit,
605};
606
607static int __init cttimeout_init(void)
608{
609	int ret;
610
611	ret = register_pernet_subsys(&cttimeout_ops);
612	if (ret < 0)
613		return ret;
614
615	ret = nfnetlink_subsys_register(&cttimeout_subsys);
616	if (ret < 0) {
617		pr_err("cttimeout_init: cannot register cttimeout with "
618			"nfnetlink.\n");
619		goto err_out;
620	}
621#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
622	RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, ctnl_timeout_find_get);
623	RCU_INIT_POINTER(nf_ct_timeout_put_hook, ctnl_timeout_put);
624#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
625	return 0;
626
627err_out:
628	unregister_pernet_subsys(&cttimeout_ops);
629	return ret;
630}
631
632static void __exit cttimeout_exit(void)
633{
634	pr_info("cttimeout: unregistering from nfnetlink.\n");
635
636	nfnetlink_subsys_unregister(&cttimeout_subsys);
637
638	unregister_pernet_subsys(&cttimeout_ops);
639#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
640	RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);
641	RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);
642#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
643	rcu_barrier();
644}
645
646module_init(cttimeout_init);
647module_exit(cttimeout_exit);