netfilter: nfacct: per network namespace support

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

- Move the nfnl_acct_list into the network namespace, initialize
and destroy it per namespace
- Keep track of refcnt on nfacct objects, the old logic does not
longer work with a per namespace list
- Adjust xt_nfacct to pass the namespace when registring objects

Signed-off-by: Andreas Schultz <aschultz@tpip.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Andreas Schultz and committed by

Pablo Neira Ayuso 10 years ago 3499abb2 d2168e84

+56 -23

4 changed files

expand all

include

linux

netfilter

nfnetlink_acct.h

net

net_namespace.h

net

netfilter

nfnetlink_acct.c

xt_nfacct.c

+2 -1

include/linux/netfilter/nfnetlink_acct.h

··· 2 2 #define _NFNL_ACCT_H_ 3 3 4 4 #include <uapi/linux/netfilter/nfnetlink_acct.h> 5 + #include <net/net_namespace.h> 5 6 6 7 enum { 7 8 NFACCT_NO_QUOTA = -1, ··· 12 11 13 12 struct nf_acct; 14 13 15 - struct nf_acct *nfnl_acct_find_get(const char *filter_name); 14 + struct nf_acct *nfnl_acct_find_get(struct net *net, const char *filter_name); 16 15 void nfnl_acct_put(struct nf_acct *acct); 17 16 void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct); 18 17 extern int nfnl_acct_overquota(const struct sk_buff *skb,

include/net/net_namespace.h

··· 118 118 #endif 119 119 struct sock *nfnl; 120 120 struct sock *nfnl_stash; 121 + #if IS_ENABLED(CONFIG_NETFILTER_NETLINK_ACCT) 122 + struct list_head nfnl_acct_list; 123 + #endif 121 124 #endif 122 125 #ifdef CONFIG_WEXT_CORE 123 126 struct sk_buff_head wext_nlevents;

+50 -21

net/netfilter/nfnetlink_acct.c

··· 27 27 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 28 28 MODULE_DESCRIPTION("nfacct: Extended Netfilter accounting infrastructure"); 29 29 30 - static LIST_HEAD(nfnl_acct_list); 31 - 32 30 struct nf_acct { 33 31 atomic64_t pkts; 34 32 atomic64_t bytes; ··· 51 53 const struct nlmsghdr *nlh, const struct nlattr * const tb[]) 52 54 { 53 55 struct nf_acct *nfacct, *matching = NULL; 56 + struct net *net = sock_net(nfnl); 54 57 char *acct_name; 55 58 unsigned int size = 0; 56 59 u32 flags = 0; ··· 63 64 if (strlen(acct_name) == 0) 64 65 return -EINVAL; 65 66 66 - list_for_each_entry(nfacct, &nfnl_acct_list, head) { 67 + list_for_each_entry(nfacct, &net->nfnl_acct_list, head) { 67 68 if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0) 68 69 continue; 69 70 ··· 123 124 be64_to_cpu(nla_get_be64(tb[NFACCT_PKTS]))); 124 125 } 125 126 atomic_set(&nfacct->refcnt, 1); 126 - list_add_tail_rcu(&nfacct->head, &nfnl_acct_list); 127 + list_add_tail_rcu(&nfacct->head, &net->nfnl_acct_list); 127 128 return 0; 128 129 } 129 130 ··· 184 185 static int 185 186 nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb) 186 187 { 188 + struct net *net = sock_net(skb->sk); 187 189 struct nf_acct *cur, *last; 188 190 const struct nfacct_filter *filter = cb->data; 189 191 ··· 196 196 cb->args[1] = 0; 197 197 198 198 rcu_read_lock(); 199 - list_for_each_entry_rcu(cur, &nfnl_acct_list, head) { 199 + list_for_each_entry_rcu(cur, &net->nfnl_acct_list, head) { 200 200 if (last) { 201 201 if (cur != last) 202 202 continue; ··· 257 257 nfnl_acct_get(struct sock *nfnl, struct sk_buff *skb, 258 258 const struct nlmsghdr *nlh, const struct nlattr * const tb[]) 259 259 { 260 + struct net *net = sock_net(nfnl); 260 261 int ret = -ENOENT; 261 262 struct nf_acct *cur; 262 263 char *acct_name; ··· 284 283 return -EINVAL; 285 284 acct_name = nla_data(tb[NFACCT_NAME]); 286 285 287 - list_for_each_entry(cur, &nfnl_acct_list, head) { 286 + list_for_each_entry(cur, &net->nfnl_acct_list, head) { 288 287 struct sk_buff *skb2; 289 288 290 289 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0) ··· 337 336 nfnl_acct_del(struct sock *nfnl, struct sk_buff *skb, 338 337 const struct nlmsghdr *nlh, const struct nlattr * const tb[]) 339 338 { 339 + struct net *net = sock_net(nfnl); 340 340 char *acct_name; 341 341 struct nf_acct *cur; 342 342 int ret = -ENOENT; 343 343 344 344 if (!tb[NFACCT_NAME]) { 345 - list_for_each_entry(cur, &nfnl_acct_list, head) 345 + list_for_each_entry(cur, &net->nfnl_acct_list, head) 346 346 nfnl_acct_try_del(cur); 347 347 348 348 return 0; 349 349 } 350 350 acct_name = nla_data(tb[NFACCT_NAME]); 351 351 352 - list_for_each_entry(cur, &nfnl_acct_list, head) { 352 + list_for_each_entry(cur, &net->nfnl_acct_list, head) { 353 353 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX) != 0) 354 354 continue; 355 355 ··· 396 394 397 395 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ACCT); 398 396 399 - struct nf_acct *nfnl_acct_find_get(const char *acct_name) 397 + struct nf_acct *nfnl_acct_find_get(struct net *net, const char *acct_name) 400 398 { 401 399 struct nf_acct *cur, *acct = NULL; 402 400 403 401 rcu_read_lock(); 404 - list_for_each_entry_rcu(cur, &nfnl_acct_list, head) { 402 + list_for_each_entry_rcu(cur, &net->nfnl_acct_list, head) { 405 403 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0) 406 404 continue; 407 405 ··· 424 422 425 423 void nfnl_acct_put(struct nf_acct *acct) 426 424 { 427 - atomic_dec(&acct->refcnt); 425 + if (atomic_dec_and_test(&acct->refcnt)) 426 + kfree_rcu(acct, rcu_head); 427 + 428 428 module_put(THIS_MODULE); 429 429 } 430 430 EXPORT_SYMBOL_GPL(nfnl_acct_put); ··· 482 478 } 483 479 EXPORT_SYMBOL_GPL(nfnl_acct_overquota); 484 480 481 + static int __net_init nfnl_acct_net_init(struct net *net) 482 + { 483 + INIT_LIST_HEAD(&net->nfnl_acct_list); 484 + 485 + return 0; 486 + } 487 + 488 + static void __net_exit nfnl_acct_net_exit(struct net *net) 489 + { 490 + struct nf_acct *cur, *tmp; 491 + 492 + list_for_each_entry_safe(cur, tmp, &net->nfnl_acct_list, head) { 493 + list_del_rcu(&cur->head); 494 + 495 + if (atomic_dec_and_test(&cur->refcnt)) 496 + kfree_rcu(cur, rcu_head); 497 + } 498 + } 499 + 500 + static struct pernet_operations nfnl_acct_ops = { 501 + .init = nfnl_acct_net_init, 502 + .exit = nfnl_acct_net_exit, 503 + }; 504 + 485 505 static int __init nfnl_acct_init(void) 486 506 { 487 507 int ret; 508 + 509 + ret = register_pernet_subsys(&nfnl_acct_ops); 510 + if (ret < 0) { 511 + pr_err("nfnl_acct_init: failed to register pernet ops\n"); 512 + goto err_out; 513 + } 488 514 489 515 pr_info("nfnl_acct: registering with nfnetlink.\n"); 490 516 ret = nfnetlink_subsys_register(&nfnl_acct_subsys); 491 517 if (ret < 0) { 492 518 pr_err("nfnl_acct_init: cannot register with nfnetlink.\n"); 493 - goto err_out; 519 + goto cleanup_pernet; 494 520 } 495 521 return 0; 522 + 523 + cleanup_pernet: 524 + unregister_pernet_subsys(&nfnl_acct_ops); 496 525 err_out: 497 526 return ret; 498 527 } 499 528 500 529 static void __exit nfnl_acct_exit(void) 501 530 { 502 - struct nf_acct *cur, *tmp; 503 - 504 531 pr_info("nfnl_acct: unregistering from nfnetlink.\n"); 505 532 nfnetlink_subsys_unregister(&nfnl_acct_subsys); 506 - 507 - list_for_each_entry_safe(cur, tmp, &nfnl_acct_list, head) { 508 - list_del_rcu(&cur->head); 509 - /* We are sure that our objects have no clients at this point, 510 - * it's safe to release them all without checking refcnt. */ 511 - kfree_rcu(cur, rcu_head); 512 - } 533 + unregister_pernet_subsys(&nfnl_acct_ops); 513 534 } 514 535 515 536 module_init(nfnl_acct_init);

+1 -1

net/netfilter/xt_nfacct.c

··· 37 37 struct xt_nfacct_match_info *info = par->matchinfo; 38 38 struct nf_acct *nfacct; 39 39 40 - nfacct = nfnl_acct_find_get(info->name); 40 + nfacct = nfnl_acct_find_get(par->net, info->name); 41 41 if (nfacct == NULL) { 42 42 pr_info("xt_nfacct: accounting object with name `%s' " 43 43 "does not exists\n", info->name);