tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
netfilter: add cttimeout infrastructure for fine timeout tuning
This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.
The follow up patches will allow you attach timeout policy object
to conntrack via the CT target and the conntrack extension
infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+1131
-1
+1
include/linux/netfilter/Kbuild
+1
include/linux/netfilter/Kbuild
+2
-1
include/linux/netfilter/nfnetlink.h
+2
-1
include/linux/netfilter/nfnetlink.h
+114
include/linux/netfilter/nfnetlink_cttimeout.h
+114
include/linux/netfilter/nfnetlink_cttimeout.h
···
1
+
#ifndef _CTTIMEOUT_NETLINK_H
2
+
#define _CTTIMEOUT_NETLINK_H
3
+
#include <linux/netfilter/nfnetlink.h>
4
+
5
+
enum ctnl_timeout_msg_types {
6
+
IPCTNL_MSG_TIMEOUT_NEW,
7
+
IPCTNL_MSG_TIMEOUT_GET,
8
+
IPCTNL_MSG_TIMEOUT_DELETE,
9
+
10
+
IPCTNL_MSG_TIMEOUT_MAX
11
+
};
12
+
13
+
enum ctattr_timeout {
14
+
CTA_TIMEOUT_UNSPEC,
15
+
CTA_TIMEOUT_NAME,
16
+
CTA_TIMEOUT_L3PROTO,
17
+
CTA_TIMEOUT_L4PROTO,
18
+
CTA_TIMEOUT_DATA,
19
+
CTA_TIMEOUT_USE,
20
+
__CTA_TIMEOUT_MAX
21
+
};
22
+
#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
23
+
24
+
enum ctattr_timeout_generic {
25
+
CTA_TIMEOUT_GENERIC_UNSPEC,
26
+
CTA_TIMEOUT_GENERIC_TIMEOUT,
27
+
__CTA_TIMEOUT_GENERIC_MAX
28
+
};
29
+
#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
30
+
31
+
enum ctattr_timeout_tcp {
32
+
CTA_TIMEOUT_TCP_UNSPEC,
33
+
CTA_TIMEOUT_TCP_SYN_SENT,
34
+
CTA_TIMEOUT_TCP_SYN_RECV,
35
+
CTA_TIMEOUT_TCP_ESTABLISHED,
36
+
CTA_TIMEOUT_TCP_FIN_WAIT,
37
+
CTA_TIMEOUT_TCP_CLOSE_WAIT,
38
+
CTA_TIMEOUT_TCP_LAST_ACK,
39
+
CTA_TIMEOUT_TCP_TIME_WAIT,
40
+
CTA_TIMEOUT_TCP_CLOSE,
41
+
CTA_TIMEOUT_TCP_SYN_SENT2,
42
+
CTA_TIMEOUT_TCP_RETRANS,
43
+
CTA_TIMEOUT_TCP_UNACK,
44
+
__CTA_TIMEOUT_TCP_MAX
45
+
};
46
+
#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
47
+
48
+
enum ctattr_timeout_udp {
49
+
CTA_TIMEOUT_UDP_UNSPEC,
50
+
CTA_TIMEOUT_UDP_UNREPLIED,
51
+
CTA_TIMEOUT_UDP_REPLIED,
52
+
__CTA_TIMEOUT_UDP_MAX
53
+
};
54
+
#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
55
+
56
+
enum ctattr_timeout_udplite {
57
+
CTA_TIMEOUT_UDPLITE_UNSPEC,
58
+
CTA_TIMEOUT_UDPLITE_UNREPLIED,
59
+
CTA_TIMEOUT_UDPLITE_REPLIED,
60
+
__CTA_TIMEOUT_UDPLITE_MAX
61
+
};
62
+
#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
63
+
64
+
enum ctattr_timeout_icmp {
65
+
CTA_TIMEOUT_ICMP_UNSPEC,
66
+
CTA_TIMEOUT_ICMP_TIMEOUT,
67
+
__CTA_TIMEOUT_ICMP_MAX
68
+
};
69
+
#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
70
+
71
+
enum ctattr_timeout_dccp {
72
+
CTA_TIMEOUT_DCCP_UNSPEC,
73
+
CTA_TIMEOUT_DCCP_REQUEST,
74
+
CTA_TIMEOUT_DCCP_RESPOND,
75
+
CTA_TIMEOUT_DCCP_PARTOPEN,
76
+
CTA_TIMEOUT_DCCP_OPEN,
77
+
CTA_TIMEOUT_DCCP_CLOSEREQ,
78
+
CTA_TIMEOUT_DCCP_CLOSING,
79
+
CTA_TIMEOUT_DCCP_TIMEWAIT,
80
+
__CTA_TIMEOUT_DCCP_MAX
81
+
};
82
+
#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
83
+
84
+
enum ctattr_timeout_sctp {
85
+
CTA_TIMEOUT_SCTP_UNSPEC,
86
+
CTA_TIMEOUT_SCTP_CLOSED,
87
+
CTA_TIMEOUT_SCTP_COOKIE_WAIT,
88
+
CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
89
+
CTA_TIMEOUT_SCTP_ESTABLISHED,
90
+
CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
91
+
CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
92
+
CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
93
+
__CTA_TIMEOUT_SCTP_MAX
94
+
};
95
+
#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
96
+
97
+
enum ctattr_timeout_icmpv6 {
98
+
CTA_TIMEOUT_ICMPV6_UNSPEC,
99
+
CTA_TIMEOUT_ICMPV6_TIMEOUT,
100
+
__CTA_TIMEOUT_ICMPV6_MAX
101
+
};
102
+
#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
103
+
104
+
enum ctattr_timeout_gre {
105
+
CTA_TIMEOUT_GRE_UNSPEC,
106
+
CTA_TIMEOUT_GRE_UNREPLIED,
107
+
CTA_TIMEOUT_GRE_REPLIED,
108
+
__CTA_TIMEOUT_GRE_MAX
109
+
};
110
+
#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
111
+
112
+
#define CTNL_TIMEOUT_NAME_MAX 32
113
+
114
+
#endif
+11
include/net/netfilter/nf_conntrack_l4proto.h
+11
include/net/netfilter/nf_conntrack_l4proto.h
···
83
83
84
84
size_t nla_size;
85
85
86
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
87
+
struct {
88
+
size_t obj_size;
89
+
int (*nlattr_to_obj)(struct nlattr *tb[], void *data);
90
+
int (*obj_to_nlattr)(struct sk_buff *skb, const void *data);
91
+
92
+
unsigned int nlattr_max;
93
+
const struct nla_policy *nla_policy;
94
+
} ctnl_timeout;
95
+
#endif
96
+
86
97
#ifdef CONFIG_SYSCTL
87
98
struct ctl_table_header **ctl_table_header;
88
99
struct ctl_table *ctl_table;
+47
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+47
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
···
269
269
}
270
270
#endif
271
271
272
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
273
+
274
+
#include <linux/netfilter/nfnetlink.h>
275
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
276
+
277
+
static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
278
+
{
279
+
unsigned int *timeout = data;
280
+
281
+
if (tb[CTA_TIMEOUT_ICMP_TIMEOUT]) {
282
+
*timeout =
283
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT])) * HZ;
284
+
} else {
285
+
/* Set default ICMP timeout. */
286
+
*timeout = nf_ct_icmp_timeout;
287
+
}
288
+
return 0;
289
+
}
290
+
291
+
static int
292
+
icmp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
293
+
{
294
+
const unsigned int *timeout = data;
295
+
296
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_ICMP_TIMEOUT, htonl(*timeout / HZ));
297
+
298
+
return 0;
299
+
300
+
nla_put_failure:
301
+
return -ENOSPC;
302
+
}
303
+
304
+
static const struct nla_policy
305
+
icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
306
+
[CTA_TIMEOUT_ICMP_TIMEOUT] = { .type = NLA_U32 },
307
+
};
308
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
309
+
272
310
#ifdef CONFIG_SYSCTL
273
311
static struct ctl_table_header *icmp_sysctl_header;
274
312
static struct ctl_table icmp_sysctl_table[] = {
···
353
315
.nlattr_to_tuple = icmp_nlattr_to_tuple,
354
316
.nla_policy = icmp_nla_policy,
355
317
#endif
318
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
319
+
.ctnl_timeout = {
320
+
.nlattr_to_obj = icmp_timeout_nlattr_to_obj,
321
+
.obj_to_nlattr = icmp_timeout_obj_to_nlattr,
322
+
.nlattr_max = CTA_TIMEOUT_ICMP_MAX,
323
+
.obj_size = sizeof(unsigned int),
324
+
.nla_policy = icmp_timeout_nla_policy,
325
+
},
326
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
356
327
#ifdef CONFIG_SYSCTL
357
328
.ctl_table_header = &icmp_sysctl_header,
358
329
.ctl_table = icmp_sysctl_table,
+47
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+47
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
···
276
276
}
277
277
#endif
278
278
279
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
280
+
281
+
#include <linux/netfilter/nfnetlink.h>
282
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
283
+
284
+
static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
285
+
{
286
+
unsigned int *timeout = data;
287
+
288
+
if (tb[CTA_TIMEOUT_ICMPV6_TIMEOUT]) {
289
+
*timeout =
290
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMPV6_TIMEOUT])) * HZ;
291
+
} else {
292
+
/* Set default ICMPv6 timeout. */
293
+
*timeout = nf_ct_icmpv6_timeout;
294
+
}
295
+
return 0;
296
+
}
297
+
298
+
static int
299
+
icmpv6_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
300
+
{
301
+
const unsigned int *timeout = data;
302
+
303
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_ICMPV6_TIMEOUT, htonl(*timeout / HZ));
304
+
305
+
return 0;
306
+
307
+
nla_put_failure:
308
+
return -ENOSPC;
309
+
}
310
+
311
+
static const struct nla_policy
312
+
icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
313
+
[CTA_TIMEOUT_ICMPV6_TIMEOUT] = { .type = NLA_U32 },
314
+
};
315
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
316
+
279
317
#ifdef CONFIG_SYSCTL
280
318
static struct ctl_table_header *icmpv6_sysctl_header;
281
319
static struct ctl_table icmpv6_sysctl_table[] = {
···
346
308
.nlattr_to_tuple = icmpv6_nlattr_to_tuple,
347
309
.nla_policy = icmpv6_nla_policy,
348
310
#endif
311
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
312
+
.ctnl_timeout = {
313
+
.nlattr_to_obj = icmpv6_timeout_nlattr_to_obj,
314
+
.obj_to_nlattr = icmpv6_timeout_obj_to_nlattr,
315
+
.nlattr_max = CTA_TIMEOUT_ICMP_MAX,
316
+
.obj_size = sizeof(unsigned int),
317
+
.nla_policy = icmpv6_timeout_nla_policy,
318
+
},
319
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
349
320
#ifdef CONFIG_SYSCTL
350
321
.ctl_table_header = &icmpv6_sysctl_header,
351
322
.ctl_table = icmpv6_sysctl_table,
+11
net/netfilter/Kconfig
+11
net/netfilter/Kconfig
···
314
314
help
315
315
This option enables support for a netlink-based userspace interface
316
316
317
+
config NF_CT_NETLINK_TIMEOUT
318
+
tristate 'Connection tracking timeout tuning via Netlink'
319
+
select NETFILTER_NETLINK
320
+
depends on NETFILTER_ADVANCED
321
+
help
322
+
This option enables support for connection tracking timeout
323
+
fine-grain tuning. This allows you to attach specific timeout
324
+
policies to flows, instead of using the global timeout policy.
325
+
326
+
If unsure, say `N'.
327
+
317
328
endif # NF_CONNTRACK
318
329
319
330
# transparent proxy support
+1
net/netfilter/Makefile
+1
net/netfilter/Makefile
···
22
22
23
23
# netlink interface for nf_conntrack
24
24
obj-$(CONFIG_NF_CT_NETLINK) += nf_conntrack_netlink.o
25
+
obj-$(CONFIG_NF_CT_NETLINK_TIMEOUT) += nfnetlink_cttimeout.o
25
26
26
27
# connection tracking helpers
27
28
nf_conntrack_h323-objs := nf_conntrack_h323_main.o nf_conntrack_h323_asn1.o
+70
net/netfilter/nf_conntrack_proto_dccp.c
+70
net/netfilter/nf_conntrack_proto_dccp.c
···
706
706
return nla_total_size(0) /* CTA_PROTOINFO_DCCP */
707
707
+ nla_policy_len(dccp_nla_policy, CTA_PROTOINFO_DCCP_MAX + 1);
708
708
}
709
+
709
710
#endif
711
+
712
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
713
+
714
+
#include <linux/netfilter/nfnetlink.h>
715
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
716
+
717
+
static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
718
+
{
719
+
struct dccp_net *dn = dccp_pernet(&init_net);
720
+
unsigned int *timeouts = data;
721
+
int i;
722
+
723
+
/* set default DCCP timeouts. */
724
+
for (i=0; i<CT_DCCP_MAX; i++)
725
+
timeouts[i] = dn->dccp_timeout[i];
726
+
727
+
/* there's a 1:1 mapping between attributes and protocol states. */
728
+
for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++) {
729
+
if (tb[i]) {
730
+
timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
731
+
}
732
+
}
733
+
return 0;
734
+
}
735
+
736
+
static int
737
+
dccp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
738
+
{
739
+
const unsigned int *timeouts = data;
740
+
int i;
741
+
742
+
for (i=CTA_TIMEOUT_DCCP_UNSPEC+1; i<CTA_TIMEOUT_DCCP_MAX+1; i++)
743
+
NLA_PUT_BE32(skb, i, htonl(timeouts[i] / HZ));
744
+
745
+
return 0;
746
+
747
+
nla_put_failure:
748
+
return -ENOSPC;
749
+
}
750
+
751
+
static const struct nla_policy
752
+
dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = {
753
+
[CTA_TIMEOUT_DCCP_REQUEST] = { .type = NLA_U32 },
754
+
[CTA_TIMEOUT_DCCP_RESPOND] = { .type = NLA_U32 },
755
+
[CTA_TIMEOUT_DCCP_PARTOPEN] = { .type = NLA_U32 },
756
+
[CTA_TIMEOUT_DCCP_OPEN] = { .type = NLA_U32 },
757
+
[CTA_TIMEOUT_DCCP_CLOSEREQ] = { .type = NLA_U32 },
758
+
[CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 },
759
+
[CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 },
760
+
};
761
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
710
762
711
763
#ifdef CONFIG_SYSCTL
712
764
/* template, data assigned later */
···
836
784
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
837
785
.nla_policy = nf_ct_port_nla_policy,
838
786
#endif
787
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
788
+
.ctnl_timeout = {
789
+
.nlattr_to_obj = dccp_timeout_nlattr_to_obj,
790
+
.obj_to_nlattr = dccp_timeout_obj_to_nlattr,
791
+
.nlattr_max = CTA_TIMEOUT_DCCP_MAX,
792
+
.obj_size = sizeof(unsigned int) * CT_DCCP_MAX,
793
+
.nla_policy = dccp_timeout_nla_policy,
794
+
},
795
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
839
796
};
840
797
841
798
static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
···
868
807
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
869
808
.nla_policy = nf_ct_port_nla_policy,
870
809
#endif
810
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
811
+
.ctnl_timeout = {
812
+
.nlattr_to_obj = dccp_timeout_nlattr_to_obj,
813
+
.obj_to_nlattr = dccp_timeout_obj_to_nlattr,
814
+
.nlattr_max = CTA_TIMEOUT_DCCP_MAX,
815
+
.obj_size = sizeof(unsigned int) * CT_DCCP_MAX,
816
+
.nla_policy = dccp_timeout_nla_policy,
817
+
},
818
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
871
819
};
872
820
873
821
static __net_init int dccp_net_init(struct net *net)
+48
net/netfilter/nf_conntrack_proto_generic.c
+48
net/netfilter/nf_conntrack_proto_generic.c
···
65
65
return true;
66
66
}
67
67
68
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
69
+
70
+
#include <linux/netfilter/nfnetlink.h>
71
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
72
+
73
+
static int generic_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
74
+
{
75
+
unsigned int *timeout = data;
76
+
77
+
if (tb[CTA_TIMEOUT_GENERIC_TIMEOUT])
78
+
*timeout =
79
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_GENERIC_TIMEOUT])) * HZ;
80
+
else {
81
+
/* Set default generic timeout. */
82
+
*timeout = nf_ct_generic_timeout;
83
+
}
84
+
85
+
return 0;
86
+
}
87
+
88
+
static int
89
+
generic_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
90
+
{
91
+
const unsigned int *timeout = data;
92
+
93
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_GENERIC_TIMEOUT, htonl(*timeout / HZ));
94
+
95
+
return 0;
96
+
97
+
nla_put_failure:
98
+
return -ENOSPC;
99
+
}
100
+
101
+
static const struct nla_policy
102
+
generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
103
+
[CTA_TIMEOUT_GENERIC_TIMEOUT] = { .type = NLA_U32 },
104
+
};
105
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
106
+
68
107
#ifdef CONFIG_SYSCTL
69
108
static struct ctl_table_header *generic_sysctl_header;
70
109
static struct ctl_table generic_sysctl_table[] = {
···
141
102
.packet = generic_packet,
142
103
.get_timeouts = generic_get_timeouts,
143
104
.new = generic_new,
105
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
106
+
.ctnl_timeout = {
107
+
.nlattr_to_obj = generic_timeout_nlattr_to_obj,
108
+
.obj_to_nlattr = generic_timeout_obj_to_nlattr,
109
+
.nlattr_max = CTA_TIMEOUT_GENERIC_MAX,
110
+
.obj_size = sizeof(unsigned int),
111
+
.nla_policy = generic_timeout_nla_policy,
112
+
},
113
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
144
114
#ifdef CONFIG_SYSCTL
145
115
.ctl_table_header = &generic_sysctl_header,
146
116
.ctl_table = generic_sysctl_table,
+55
net/netfilter/nf_conntrack_proto_gre.c
+55
net/netfilter/nf_conntrack_proto_gre.c
···
292
292
nf_ct_gre_keymap_destroy(master);
293
293
}
294
294
295
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
296
+
297
+
#include <linux/netfilter/nfnetlink.h>
298
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
299
+
300
+
static int gre_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
301
+
{
302
+
unsigned int *timeouts = data;
303
+
304
+
/* set default timeouts for GRE. */
305
+
timeouts[GRE_CT_UNREPLIED] = gre_timeouts[GRE_CT_UNREPLIED];
306
+
timeouts[GRE_CT_REPLIED] = gre_timeouts[GRE_CT_REPLIED];
307
+
308
+
if (tb[CTA_TIMEOUT_GRE_UNREPLIED]) {
309
+
timeouts[GRE_CT_UNREPLIED] =
310
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_GRE_UNREPLIED])) * HZ;
311
+
}
312
+
if (tb[CTA_TIMEOUT_GRE_REPLIED]) {
313
+
timeouts[GRE_CT_REPLIED] =
314
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_GRE_REPLIED])) * HZ;
315
+
}
316
+
return 0;
317
+
}
318
+
319
+
static int
320
+
gre_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
321
+
{
322
+
const unsigned int *timeouts = data;
323
+
324
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_GRE_UNREPLIED,
325
+
htonl(timeouts[GRE_CT_UNREPLIED] / HZ));
326
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_GRE_REPLIED,
327
+
htonl(timeouts[GRE_CT_REPLIED] / HZ));
328
+
return 0;
329
+
330
+
nla_put_failure:
331
+
return -ENOSPC;
332
+
}
333
+
334
+
static const struct nla_policy
335
+
gre_timeout_nla_policy[CTA_TIMEOUT_GRE_MAX+1] = {
336
+
[CTA_TIMEOUT_GRE_UNREPLIED] = { .type = NLA_U32 },
337
+
[CTA_TIMEOUT_GRE_REPLIED] = { .type = NLA_U32 },
338
+
};
339
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
340
+
295
341
/* protocol helper struct */
296
342
static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
297
343
.l3proto = AF_INET,
···
358
312
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
359
313
.nla_policy = nf_ct_port_nla_policy,
360
314
#endif
315
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
316
+
.ctnl_timeout = {
317
+
.nlattr_to_obj = gre_timeout_nlattr_to_obj,
318
+
.obj_to_nlattr = gre_timeout_obj_to_nlattr,
319
+
.nlattr_max = CTA_TIMEOUT_GRE_MAX,
320
+
.obj_size = sizeof(unsigned int) * GRE_CT_MAX,
321
+
.nla_policy = gre_timeout_nla_policy,
322
+
},
323
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
361
324
};
362
325
363
326
static int proto_gre_net_init(struct net *net)
+69
net/netfilter/nf_conntrack_proto_sctp.c
+69
net/netfilter/nf_conntrack_proto_sctp.c
···
549
549
}
550
550
#endif
551
551
552
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
553
+
554
+
#include <linux/netfilter/nfnetlink.h>
555
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
556
+
557
+
static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
558
+
{
559
+
unsigned int *timeouts = data;
560
+
int i;
561
+
562
+
/* set default SCTP timeouts. */
563
+
for (i=0; i<SCTP_CONNTRACK_MAX; i++)
564
+
timeouts[i] = sctp_timeouts[i];
565
+
566
+
/* there's a 1:1 mapping between attributes and protocol states. */
567
+
for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
568
+
if (tb[i]) {
569
+
timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
570
+
}
571
+
}
572
+
return 0;
573
+
}
574
+
575
+
static int
576
+
sctp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
577
+
{
578
+
const unsigned int *timeouts = data;
579
+
int i;
580
+
581
+
for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++)
582
+
NLA_PUT_BE32(skb, i, htonl(timeouts[i] / HZ));
583
+
584
+
return 0;
585
+
586
+
nla_put_failure:
587
+
return -ENOSPC;
588
+
}
589
+
590
+
static const struct nla_policy
591
+
sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
592
+
[CTA_TIMEOUT_SCTP_CLOSED] = { .type = NLA_U32 },
593
+
[CTA_TIMEOUT_SCTP_COOKIE_WAIT] = { .type = NLA_U32 },
594
+
[CTA_TIMEOUT_SCTP_COOKIE_ECHOED] = { .type = NLA_U32 },
595
+
[CTA_TIMEOUT_SCTP_ESTABLISHED] = { .type = NLA_U32 },
596
+
[CTA_TIMEOUT_SCTP_SHUTDOWN_SENT] = { .type = NLA_U32 },
597
+
[CTA_TIMEOUT_SCTP_SHUTDOWN_RECD] = { .type = NLA_U32 },
598
+
[CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = { .type = NLA_U32 },
599
+
};
600
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
601
+
602
+
552
603
#ifdef CONFIG_SYSCTL
553
604
static unsigned int sctp_sysctl_table_users;
554
605
static struct ctl_table_header *sctp_sysctl_header;
···
733
682
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
734
683
.nla_policy = nf_ct_port_nla_policy,
735
684
#endif
685
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
686
+
.ctnl_timeout = {
687
+
.nlattr_to_obj = sctp_timeout_nlattr_to_obj,
688
+
.obj_to_nlattr = sctp_timeout_obj_to_nlattr,
689
+
.nlattr_max = CTA_TIMEOUT_SCTP_MAX,
690
+
.obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
691
+
.nla_policy = sctp_timeout_nla_policy,
692
+
},
693
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
736
694
#ifdef CONFIG_SYSCTL
737
695
.ctl_table_users = &sctp_sysctl_table_users,
738
696
.ctl_table_header = &sctp_sysctl_header,
···
772
712
.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
773
713
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
774
714
.nla_policy = nf_ct_port_nla_policy,
715
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
716
+
.ctnl_timeout = {
717
+
.nlattr_to_obj = sctp_timeout_nlattr_to_obj,
718
+
.obj_to_nlattr = sctp_timeout_obj_to_nlattr,
719
+
.nlattr_max = CTA_TIMEOUT_SCTP_MAX,
720
+
.obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
721
+
.nla_policy = sctp_timeout_nla_policy,
722
+
},
723
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
775
724
#endif
776
725
#ifdef CONFIG_SYSCTL
777
726
.ctl_table_users = &sctp_sysctl_table_users,
+127
net/netfilter/nf_conntrack_proto_tcp.c
+127
net/netfilter/nf_conntrack_proto_tcp.c
···
1244
1244
}
1245
1245
#endif
1246
1246
1247
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1248
+
1249
+
#include <linux/netfilter/nfnetlink.h>
1250
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
1251
+
1252
+
static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
1253
+
{
1254
+
unsigned int *timeouts = data;
1255
+
int i;
1256
+
1257
+
/* set default TCP timeouts. */
1258
+
for (i=0; i<TCP_CONNTRACK_TIMEOUT_MAX; i++)
1259
+
timeouts[i] = tcp_timeouts[i];
1260
+
1261
+
if (tb[CTA_TIMEOUT_TCP_SYN_SENT]) {
1262
+
timeouts[TCP_CONNTRACK_SYN_SENT] =
1263
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ;
1264
+
}
1265
+
if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) {
1266
+
timeouts[TCP_CONNTRACK_SYN_RECV] =
1267
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ;
1268
+
}
1269
+
if (tb[CTA_TIMEOUT_TCP_ESTABLISHED]) {
1270
+
timeouts[TCP_CONNTRACK_ESTABLISHED] =
1271
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_ESTABLISHED]))*HZ;
1272
+
}
1273
+
if (tb[CTA_TIMEOUT_TCP_FIN_WAIT]) {
1274
+
timeouts[TCP_CONNTRACK_FIN_WAIT] =
1275
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_FIN_WAIT]))*HZ;
1276
+
}
1277
+
if (tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]) {
1278
+
timeouts[TCP_CONNTRACK_CLOSE_WAIT] =
1279
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE_WAIT]))*HZ;
1280
+
}
1281
+
if (tb[CTA_TIMEOUT_TCP_LAST_ACK]) {
1282
+
timeouts[TCP_CONNTRACK_LAST_ACK] =
1283
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_LAST_ACK]))*HZ;
1284
+
}
1285
+
if (tb[CTA_TIMEOUT_TCP_TIME_WAIT]) {
1286
+
timeouts[TCP_CONNTRACK_TIME_WAIT] =
1287
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_TIME_WAIT]))*HZ;
1288
+
}
1289
+
if (tb[CTA_TIMEOUT_TCP_CLOSE]) {
1290
+
timeouts[TCP_CONNTRACK_CLOSE] =
1291
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_CLOSE]))*HZ;
1292
+
}
1293
+
if (tb[CTA_TIMEOUT_TCP_SYN_SENT2]) {
1294
+
timeouts[TCP_CONNTRACK_SYN_SENT2] =
1295
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT2]))*HZ;
1296
+
}
1297
+
if (tb[CTA_TIMEOUT_TCP_RETRANS]) {
1298
+
timeouts[TCP_CONNTRACK_RETRANS] =
1299
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_RETRANS]))*HZ;
1300
+
}
1301
+
if (tb[CTA_TIMEOUT_TCP_UNACK]) {
1302
+
timeouts[TCP_CONNTRACK_UNACK] =
1303
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ;
1304
+
}
1305
+
return 0;
1306
+
}
1307
+
1308
+
static int
1309
+
tcp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
1310
+
{
1311
+
const unsigned int *timeouts = data;
1312
+
1313
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_SYN_SENT,
1314
+
htonl(timeouts[TCP_CONNTRACK_SYN_SENT] / HZ));
1315
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_SYN_RECV,
1316
+
htonl(timeouts[TCP_CONNTRACK_SYN_RECV] / HZ));
1317
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_ESTABLISHED,
1318
+
htonl(timeouts[TCP_CONNTRACK_ESTABLISHED] / HZ));
1319
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_FIN_WAIT,
1320
+
htonl(timeouts[TCP_CONNTRACK_FIN_WAIT] / HZ));
1321
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_CLOSE_WAIT,
1322
+
htonl(timeouts[TCP_CONNTRACK_CLOSE_WAIT] / HZ));
1323
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_LAST_ACK,
1324
+
htonl(timeouts[TCP_CONNTRACK_LAST_ACK] / HZ));
1325
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_TIME_WAIT,
1326
+
htonl(timeouts[TCP_CONNTRACK_TIME_WAIT] / HZ));
1327
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_CLOSE,
1328
+
htonl(timeouts[TCP_CONNTRACK_CLOSE] / HZ));
1329
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_SYN_SENT2,
1330
+
htonl(timeouts[TCP_CONNTRACK_SYN_SENT2] / HZ));
1331
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_RETRANS,
1332
+
htonl(timeouts[TCP_CONNTRACK_RETRANS] / HZ));
1333
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_TCP_UNACK,
1334
+
htonl(timeouts[TCP_CONNTRACK_UNACK] / HZ));
1335
+
return 0;
1336
+
1337
+
nla_put_failure:
1338
+
return -ENOSPC;
1339
+
}
1340
+
1341
+
static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
1342
+
[CTA_TIMEOUT_TCP_SYN_SENT] = { .type = NLA_U32 },
1343
+
[CTA_TIMEOUT_TCP_SYN_RECV] = { .type = NLA_U32 },
1344
+
[CTA_TIMEOUT_TCP_ESTABLISHED] = { .type = NLA_U32 },
1345
+
[CTA_TIMEOUT_TCP_FIN_WAIT] = { .type = NLA_U32 },
1346
+
[CTA_TIMEOUT_TCP_CLOSE_WAIT] = { .type = NLA_U32 },
1347
+
[CTA_TIMEOUT_TCP_LAST_ACK] = { .type = NLA_U32 },
1348
+
[CTA_TIMEOUT_TCP_TIME_WAIT] = { .type = NLA_U32 },
1349
+
[CTA_TIMEOUT_TCP_CLOSE] = { .type = NLA_U32 },
1350
+
[CTA_TIMEOUT_TCP_SYN_SENT2] = { .type = NLA_U32 },
1351
+
};
1352
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1353
+
1247
1354
#ifdef CONFIG_SYSCTL
1248
1355
static unsigned int tcp_sysctl_table_users;
1249
1356
static struct ctl_table_header *tcp_sysctl_header;
···
1569
1462
.nlattr_tuple_size = tcp_nlattr_tuple_size,
1570
1463
.nla_policy = nf_ct_port_nla_policy,
1571
1464
#endif
1465
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1466
+
.ctnl_timeout = {
1467
+
.nlattr_to_obj = tcp_timeout_nlattr_to_obj,
1468
+
.obj_to_nlattr = tcp_timeout_obj_to_nlattr,
1469
+
.nlattr_max = CTA_TIMEOUT_TCP_MAX,
1470
+
.obj_size = sizeof(unsigned int) *
1471
+
TCP_CONNTRACK_TIMEOUT_MAX,
1472
+
.nla_policy = tcp_timeout_nla_policy,
1473
+
},
1474
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1572
1475
#ifdef CONFIG_SYSCTL
1573
1476
.ctl_table_users = &tcp_sysctl_table_users,
1574
1477
.ctl_table_header = &tcp_sysctl_header,
···
1612
1495
.nlattr_tuple_size = tcp_nlattr_tuple_size,
1613
1496
.nla_policy = nf_ct_port_nla_policy,
1614
1497
#endif
1498
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
1499
+
.ctnl_timeout = {
1500
+
.nlattr_to_obj = tcp_timeout_nlattr_to_obj,
1501
+
.obj_to_nlattr = tcp_timeout_obj_to_nlattr,
1502
+
.nlattr_max = CTA_TIMEOUT_TCP_MAX,
1503
+
.obj_size = sizeof(unsigned int) *
1504
+
TCP_CONNTRACK_TIMEOUT_MAX,
1505
+
.nla_policy = tcp_timeout_nla_policy,
1506
+
},
1507
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
1615
1508
#ifdef CONFIG_SYSCTL
1616
1509
.ctl_table_users = &tcp_sysctl_table_users,
1617
1510
.ctl_table_header = &tcp_sysctl_header,
+64
net/netfilter/nf_conntrack_proto_udp.c
+64
net/netfilter/nf_conntrack_proto_udp.c
···
152
152
return NF_ACCEPT;
153
153
}
154
154
155
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
156
+
157
+
#include <linux/netfilter/nfnetlink.h>
158
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
159
+
160
+
static int udp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
161
+
{
162
+
unsigned int *timeouts = data;
163
+
164
+
/* set default timeouts for UDP. */
165
+
timeouts[UDP_CT_UNREPLIED] = udp_timeouts[UDP_CT_UNREPLIED];
166
+
timeouts[UDP_CT_REPLIED] = udp_timeouts[UDP_CT_REPLIED];
167
+
168
+
if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
169
+
timeouts[UDP_CT_UNREPLIED] =
170
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_UNREPLIED])) * HZ;
171
+
}
172
+
if (tb[CTA_TIMEOUT_UDP_REPLIED]) {
173
+
timeouts[UDP_CT_REPLIED] =
174
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDP_REPLIED])) * HZ;
175
+
}
176
+
return 0;
177
+
}
178
+
179
+
static int
180
+
udp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
181
+
{
182
+
const unsigned int *timeouts = data;
183
+
184
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_UDP_UNREPLIED,
185
+
htonl(timeouts[UDP_CT_UNREPLIED] / HZ));
186
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_UDP_REPLIED,
187
+
htonl(timeouts[UDP_CT_REPLIED] / HZ));
188
+
return 0;
189
+
190
+
nla_put_failure:
191
+
return -ENOSPC;
192
+
}
193
+
194
+
static const struct nla_policy
195
+
udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
196
+
[CTA_TIMEOUT_UDP_UNREPLIED] = { .type = NLA_U32 },
197
+
[CTA_TIMEOUT_UDP_REPLIED] = { .type = NLA_U32 },
198
+
};
199
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
200
+
155
201
#ifdef CONFIG_SYSCTL
156
202
static unsigned int udp_sysctl_table_users;
157
203
static struct ctl_table_header *udp_sysctl_header;
···
257
211
.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
258
212
.nla_policy = nf_ct_port_nla_policy,
259
213
#endif
214
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
215
+
.ctnl_timeout = {
216
+
.nlattr_to_obj = udp_timeout_nlattr_to_obj,
217
+
.obj_to_nlattr = udp_timeout_obj_to_nlattr,
218
+
.nlattr_max = CTA_TIMEOUT_UDP_MAX,
219
+
.obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
220
+
.nla_policy = udp_timeout_nla_policy,
221
+
},
222
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
260
223
#ifdef CONFIG_SYSCTL
261
224
.ctl_table_users = &udp_sysctl_table_users,
262
225
.ctl_table_header = &udp_sysctl_header,
···
295
240
.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
296
241
.nla_policy = nf_ct_port_nla_policy,
297
242
#endif
243
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
244
+
.ctnl_timeout = {
245
+
.nlattr_to_obj = udp_timeout_nlattr_to_obj,
246
+
.obj_to_nlattr = udp_timeout_obj_to_nlattr,
247
+
.nlattr_max = CTA_TIMEOUT_UDP_MAX,
248
+
.obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
249
+
.nla_policy = udp_timeout_nla_policy,
250
+
},
251
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
298
252
#ifdef CONFIG_SYSCTL
299
253
.ctl_table_users = &udp_sysctl_table_users,
300
254
.ctl_table_header = &udp_sysctl_header,
+66
net/netfilter/nf_conntrack_proto_udplite.c
+66
net/netfilter/nf_conntrack_proto_udplite.c
···
156
156
return NF_ACCEPT;
157
157
}
158
158
159
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
160
+
161
+
#include <linux/netfilter/nfnetlink.h>
162
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
163
+
164
+
static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
165
+
{
166
+
unsigned int *timeouts = data;
167
+
168
+
/* set default timeouts for UDPlite. */
169
+
timeouts[UDPLITE_CT_UNREPLIED] = udplite_timeouts[UDPLITE_CT_UNREPLIED];
170
+
timeouts[UDPLITE_CT_REPLIED] = udplite_timeouts[UDPLITE_CT_REPLIED];
171
+
172
+
if (tb[CTA_TIMEOUT_UDPLITE_UNREPLIED]) {
173
+
timeouts[UDPLITE_CT_UNREPLIED] =
174
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDPLITE_UNREPLIED])) * HZ;
175
+
}
176
+
if (tb[CTA_TIMEOUT_UDPLITE_REPLIED]) {
177
+
timeouts[UDPLITE_CT_REPLIED] =
178
+
ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDPLITE_REPLIED])) * HZ;
179
+
}
180
+
return 0;
181
+
}
182
+
183
+
static int
184
+
udplite_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
185
+
{
186
+
const unsigned int *timeouts = data;
187
+
188
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_UDPLITE_UNREPLIED,
189
+
htonl(timeouts[UDPLITE_CT_UNREPLIED] / HZ));
190
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_UDPLITE_REPLIED,
191
+
htonl(timeouts[UDPLITE_CT_REPLIED] / HZ));
192
+
return 0;
193
+
194
+
nla_put_failure:
195
+
return -ENOSPC;
196
+
}
197
+
198
+
static const struct nla_policy
199
+
udplite_timeout_nla_policy[CTA_TIMEOUT_UDPLITE_MAX+1] = {
200
+
[CTA_TIMEOUT_UDPLITE_UNREPLIED] = { .type = NLA_U32 },
201
+
[CTA_TIMEOUT_UDPLITE_REPLIED] = { .type = NLA_U32 },
202
+
};
203
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
204
+
159
205
#ifdef CONFIG_SYSCTL
160
206
static unsigned int udplite_sysctl_table_users;
161
207
static struct ctl_table_header *udplite_sysctl_header;
···
242
196
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
243
197
.nla_policy = nf_ct_port_nla_policy,
244
198
#endif
199
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
200
+
.ctnl_timeout = {
201
+
.nlattr_to_obj = udplite_timeout_nlattr_to_obj,
202
+
.obj_to_nlattr = udplite_timeout_obj_to_nlattr,
203
+
.nlattr_max = CTA_TIMEOUT_UDPLITE_MAX,
204
+
.obj_size = sizeof(unsigned int) *
205
+
CTA_TIMEOUT_UDPLITE_MAX,
206
+
.nla_policy = udplite_timeout_nla_policy,
207
+
},
208
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
245
209
#ifdef CONFIG_SYSCTL
246
210
.ctl_table_users = &udplite_sysctl_table_users,
247
211
.ctl_table_header = &udplite_sysctl_header,
···
277
221
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
278
222
.nla_policy = nf_ct_port_nla_policy,
279
223
#endif
224
+
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
225
+
.ctnl_timeout = {
226
+
.nlattr_to_obj = udplite_timeout_nlattr_to_obj,
227
+
.obj_to_nlattr = udplite_timeout_obj_to_nlattr,
228
+
.nlattr_max = CTA_TIMEOUT_UDPLITE_MAX,
229
+
.obj_size = sizeof(unsigned int) *
230
+
CTA_TIMEOUT_UDPLITE_MAX,
231
+
.nla_policy = udplite_timeout_nla_policy,
232
+
},
233
+
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
280
234
#ifdef CONFIG_SYSCTL
281
235
.ctl_table_users = &udplite_sysctl_table_users,
282
236
.ctl_table_header = &udplite_sysctl_header,
+398
net/netfilter/nfnetlink_cttimeout.c
+398
net/netfilter/nfnetlink_cttimeout.c
···
1
+
/*
2
+
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
3
+
* (C) 2012 by Vyatta Inc. <http://www.vyatta.com>
4
+
*
5
+
* This program is free software; you can redistribute it and/or modify
6
+
* it under the terms of the GNU General Public License version 2 as
7
+
* published by the Free Software Foundation (or any later at your option).
8
+
*/
9
+
#include <linux/init.h>
10
+
#include <linux/module.h>
11
+
#include <linux/kernel.h>
12
+
#include <linux/rculist.h>
13
+
#include <linux/rculist_nulls.h>
14
+
#include <linux/types.h>
15
+
#include <linux/timer.h>
16
+
#include <linux/security.h>
17
+
#include <linux/skbuff.h>
18
+
#include <linux/errno.h>
19
+
#include <linux/netlink.h>
20
+
#include <linux/spinlock.h>
21
+
#include <linux/interrupt.h>
22
+
#include <linux/slab.h>
23
+
24
+
#include <linux/netfilter.h>
25
+
#include <net/netlink.h>
26
+
#include <net/sock.h>
27
+
#include <net/netfilter/nf_conntrack.h>
28
+
#include <net/netfilter/nf_conntrack_core.h>
29
+
#include <net/netfilter/nf_conntrack_l3proto.h>
30
+
#include <net/netfilter/nf_conntrack_l4proto.h>
31
+
#include <net/netfilter/nf_conntrack_tuple.h>
32
+
33
+
#include <linux/netfilter/nfnetlink.h>
34
+
#include <linux/netfilter/nfnetlink_cttimeout.h>
35
+
36
+
MODULE_LICENSE("GPL");
37
+
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
38
+
MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tuning");
39
+
40
+
struct ctnl_timeout {
41
+
struct list_head head;
42
+
struct rcu_head rcu_head;
43
+
atomic_t refcnt;
44
+
char name[CTNL_TIMEOUT_NAME_MAX];
45
+
__u16 l3num;
46
+
__u8 l4num;
47
+
char data[0];
48
+
};
49
+
50
+
static LIST_HEAD(cttimeout_list);
51
+
52
+
static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
53
+
[CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING },
54
+
[CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 },
55
+
[CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 },
56
+
[CTA_TIMEOUT_DATA] = { .type = NLA_NESTED },
57
+
};
58
+
59
+
static int
60
+
ctnl_timeout_parse_policy(struct ctnl_timeout *timeout,
61
+
struct nf_conntrack_l4proto *l4proto,
62
+
const struct nlattr *attr)
63
+
{
64
+
int ret = 0;
65
+
66
+
if (likely(l4proto->ctnl_timeout.nlattr_to_obj)) {
67
+
struct nlattr *tb[l4proto->ctnl_timeout.nlattr_max+1];
68
+
69
+
nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max,
70
+
attr, l4proto->ctnl_timeout.nla_policy);
71
+
72
+
ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, &timeout->data);
73
+
}
74
+
return ret;
75
+
}
76
+
77
+
static int
78
+
cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
79
+
const struct nlmsghdr *nlh,
80
+
const struct nlattr * const cda[])
81
+
{
82
+
__u16 l3num;
83
+
__u8 l4num;
84
+
struct nf_conntrack_l4proto *l4proto;
85
+
struct ctnl_timeout *timeout, *matching = NULL;
86
+
char *name;
87
+
int ret;
88
+
89
+
if (!cda[CTA_TIMEOUT_NAME] ||
90
+
!cda[CTA_TIMEOUT_L3PROTO] ||
91
+
!cda[CTA_TIMEOUT_L4PROTO] ||
92
+
!cda[CTA_TIMEOUT_DATA])
93
+
return -EINVAL;
94
+
95
+
name = nla_data(cda[CTA_TIMEOUT_NAME]);
96
+
l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
97
+
l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
98
+
99
+
list_for_each_entry(timeout, &cttimeout_list, head) {
100
+
if (strncmp(timeout->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
101
+
continue;
102
+
103
+
if (nlh->nlmsg_flags & NLM_F_EXCL)
104
+
return -EEXIST;
105
+
106
+
matching = timeout;
107
+
break;
108
+
}
109
+
110
+
l4proto = __nf_ct_l4proto_find(l3num, l4num);
111
+
112
+
/* This protocol is not supportted, skip. */
113
+
if (l4proto->l4proto != l4num)
114
+
return -EOPNOTSUPP;
115
+
116
+
if (matching) {
117
+
if (nlh->nlmsg_flags & NLM_F_REPLACE) {
118
+
/* You cannot replace one timeout policy by another of
119
+
* different kind, sorry.
120
+
*/
121
+
if (matching->l3num != l3num ||
122
+
matching->l4num != l4num)
123
+
return -EINVAL;
124
+
125
+
ret = ctnl_timeout_parse_policy(matching, l4proto,
126
+
cda[CTA_TIMEOUT_DATA]);
127
+
return ret;
128
+
}
129
+
return -EBUSY;
130
+
}
131
+
132
+
timeout = kzalloc(sizeof(struct ctnl_timeout) +
133
+
l4proto->ctnl_timeout.obj_size, GFP_KERNEL);
134
+
if (timeout == NULL)
135
+
return -ENOMEM;
136
+
137
+
ret = ctnl_timeout_parse_policy(timeout, l4proto,
138
+
cda[CTA_TIMEOUT_DATA]);
139
+
if (ret < 0)
140
+
goto err;
141
+
142
+
strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME]));
143
+
timeout->l3num = l3num;
144
+
timeout->l4num = l4num;
145
+
atomic_set(&timeout->refcnt, 1);
146
+
list_add_tail_rcu(&timeout->head, &cttimeout_list);
147
+
148
+
return 0;
149
+
err:
150
+
kfree(timeout);
151
+
return ret;
152
+
}
153
+
154
+
static int
155
+
ctnl_timeout_fill_info(struct sk_buff *skb, u32 pid, u32 seq, u32 type,
156
+
int event, struct ctnl_timeout *timeout)
157
+
{
158
+
struct nlmsghdr *nlh;
159
+
struct nfgenmsg *nfmsg;
160
+
unsigned int flags = pid ? NLM_F_MULTI : 0;
161
+
struct nf_conntrack_l4proto *l4proto;
162
+
163
+
event |= NFNL_SUBSYS_CTNETLINK_TIMEOUT << 8;
164
+
nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
165
+
if (nlh == NULL)
166
+
goto nlmsg_failure;
167
+
168
+
nfmsg = nlmsg_data(nlh);
169
+
nfmsg->nfgen_family = AF_UNSPEC;
170
+
nfmsg->version = NFNETLINK_V0;
171
+
nfmsg->res_id = 0;
172
+
173
+
NLA_PUT_STRING(skb, CTA_TIMEOUT_NAME, timeout->name);
174
+
NLA_PUT_BE16(skb, CTA_TIMEOUT_L3PROTO, htons(timeout->l3num));
175
+
NLA_PUT_U8(skb, CTA_TIMEOUT_L4PROTO, timeout->l4num);
176
+
NLA_PUT_BE32(skb, CTA_TIMEOUT_USE,
177
+
htonl(atomic_read(&timeout->refcnt)));
178
+
179
+
l4proto = __nf_ct_l4proto_find(timeout->l3num, timeout->l4num);
180
+
181
+
/* If the timeout object does not match the layer 4 protocol tracker,
182
+
* then skip dumping the data part since we don't know how to
183
+
* interpret it. This may happen for UPDlite, SCTP and DCCP since
184
+
* you can unload the module.
185
+
*/
186
+
if (timeout->l4num != l4proto->l4proto)
187
+
goto out;
188
+
189
+
if (likely(l4proto->ctnl_timeout.obj_to_nlattr)) {
190
+
struct nlattr *nest_parms;
191
+
int ret;
192
+
193
+
nest_parms = nla_nest_start(skb,
194
+
CTA_TIMEOUT_DATA | NLA_F_NESTED);
195
+
if (!nest_parms)
196
+
goto nla_put_failure;
197
+
198
+
ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data);
199
+
if (ret < 0)
200
+
goto nla_put_failure;
201
+
202
+
nla_nest_end(skb, nest_parms);
203
+
}
204
+
out:
205
+
nlmsg_end(skb, nlh);
206
+
return skb->len;
207
+
208
+
nlmsg_failure:
209
+
nla_put_failure:
210
+
nlmsg_cancel(skb, nlh);
211
+
return -1;
212
+
}
213
+
214
+
static int
215
+
ctnl_timeout_dump(struct sk_buff *skb, struct netlink_callback *cb)
216
+
{
217
+
struct ctnl_timeout *cur, *last;
218
+
219
+
if (cb->args[2])
220
+
return 0;
221
+
222
+
last = (struct ctnl_timeout *)cb->args[1];
223
+
if (cb->args[1])
224
+
cb->args[1] = 0;
225
+
226
+
rcu_read_lock();
227
+
list_for_each_entry_rcu(cur, &cttimeout_list, head) {
228
+
if (last && cur != last)
229
+
continue;
230
+
231
+
if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).pid,
232
+
cb->nlh->nlmsg_seq,
233
+
NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
234
+
IPCTNL_MSG_TIMEOUT_NEW, cur) < 0) {
235
+
cb->args[1] = (unsigned long)cur;
236
+
break;
237
+
}
238
+
}
239
+
if (!cb->args[1])
240
+
cb->args[2] = 1;
241
+
rcu_read_unlock();
242
+
return skb->len;
243
+
}
244
+
245
+
static int
246
+
cttimeout_get_timeout(struct sock *ctnl, struct sk_buff *skb,
247
+
const struct nlmsghdr *nlh,
248
+
const struct nlattr * const cda[])
249
+
{
250
+
int ret = -ENOENT;
251
+
char *name;
252
+
struct ctnl_timeout *cur;
253
+
254
+
if (nlh->nlmsg_flags & NLM_F_DUMP) {
255
+
struct netlink_dump_control c = {
256
+
.dump = ctnl_timeout_dump,
257
+
};
258
+
return netlink_dump_start(ctnl, skb, nlh, &c);
259
+
}
260
+
261
+
if (!cda[CTA_TIMEOUT_NAME])
262
+
return -EINVAL;
263
+
name = nla_data(cda[CTA_TIMEOUT_NAME]);
264
+
265
+
list_for_each_entry(cur, &cttimeout_list, head) {
266
+
struct sk_buff *skb2;
267
+
268
+
if (strncmp(cur->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
269
+
continue;
270
+
271
+
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
272
+
if (skb2 == NULL) {
273
+
ret = -ENOMEM;
274
+
break;
275
+
}
276
+
277
+
ret = ctnl_timeout_fill_info(skb2, NETLINK_CB(skb).pid,
278
+
nlh->nlmsg_seq,
279
+
NFNL_MSG_TYPE(nlh->nlmsg_type),
280
+
IPCTNL_MSG_TIMEOUT_NEW, cur);
281
+
if (ret <= 0) {
282
+
kfree_skb(skb2);
283
+
break;
284
+
}
285
+
ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid,
286
+
MSG_DONTWAIT);
287
+
if (ret > 0)
288
+
ret = 0;
289
+
290
+
/* this avoids a loop in nfnetlink. */
291
+
return ret == -EAGAIN ? -ENOBUFS : ret;
292
+
}
293
+
return ret;
294
+
}
295
+
296
+
/* try to delete object, fail if it is still in use. */
297
+
static int ctnl_timeout_try_del(struct ctnl_timeout *timeout)
298
+
{
299
+
int ret = 0;
300
+
301
+
/* we want to avoid races with nf_ct_timeout_find_get. */
302
+
if (atomic_dec_and_test(&timeout->refcnt)) {
303
+
/* We are protected by nfnl mutex. */
304
+
list_del_rcu(&timeout->head);
305
+
kfree_rcu(timeout, rcu_head);
306
+
} else {
307
+
/* still in use, restore reference counter. */
308
+
atomic_inc(&timeout->refcnt);
309
+
ret = -EBUSY;
310
+
}
311
+
return ret;
312
+
}
313
+
314
+
static int
315
+
cttimeout_del_timeout(struct sock *ctnl, struct sk_buff *skb,
316
+
const struct nlmsghdr *nlh,
317
+
const struct nlattr * const cda[])
318
+
{
319
+
char *name;
320
+
struct ctnl_timeout *cur;
321
+
int ret = -ENOENT;
322
+
323
+
if (!cda[CTA_TIMEOUT_NAME]) {
324
+
list_for_each_entry(cur, &cttimeout_list, head)
325
+
ctnl_timeout_try_del(cur);
326
+
327
+
return 0;
328
+
}
329
+
name = nla_data(cda[CTA_TIMEOUT_NAME]);
330
+
331
+
list_for_each_entry(cur, &cttimeout_list, head) {
332
+
if (strncmp(cur->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
333
+
continue;
334
+
335
+
ret = ctnl_timeout_try_del(cur);
336
+
if (ret < 0)
337
+
return ret;
338
+
339
+
break;
340
+
}
341
+
return ret;
342
+
}
343
+
344
+
static const struct nfnl_callback cttimeout_cb[IPCTNL_MSG_TIMEOUT_MAX] = {
345
+
[IPCTNL_MSG_TIMEOUT_NEW] = { .call = cttimeout_new_timeout,
346
+
.attr_count = CTA_TIMEOUT_MAX,
347
+
.policy = cttimeout_nla_policy },
348
+
[IPCTNL_MSG_TIMEOUT_GET] = { .call = cttimeout_get_timeout,
349
+
.attr_count = CTA_TIMEOUT_MAX,
350
+
.policy = cttimeout_nla_policy },
351
+
[IPCTNL_MSG_TIMEOUT_DELETE] = { .call = cttimeout_del_timeout,
352
+
.attr_count = CTA_TIMEOUT_MAX,
353
+
.policy = cttimeout_nla_policy },
354
+
};
355
+
356
+
static const struct nfnetlink_subsystem cttimeout_subsys = {
357
+
.name = "conntrack_timeout",
358
+
.subsys_id = NFNL_SUBSYS_CTNETLINK_TIMEOUT,
359
+
.cb_count = IPCTNL_MSG_TIMEOUT_MAX,
360
+
.cb = cttimeout_cb,
361
+
};
362
+
363
+
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_TIMEOUT);
364
+
365
+
static int __init cttimeout_init(void)
366
+
{
367
+
int ret;
368
+
369
+
ret = nfnetlink_subsys_register(&cttimeout_subsys);
370
+
if (ret < 0) {
371
+
pr_err("cttimeout_init: cannot register cttimeout with "
372
+
"nfnetlink.\n");
373
+
goto err_out;
374
+
}
375
+
return 0;
376
+
377
+
err_out:
378
+
return ret;
379
+
}
380
+
381
+
static void __exit cttimeout_exit(void)
382
+
{
383
+
struct ctnl_timeout *cur, *tmp;
384
+
385
+
pr_info("cttimeout: unregistering from nfnetlink.\n");
386
+
387
+
nfnetlink_subsys_unregister(&cttimeout_subsys);
388
+
list_for_each_entry_safe(cur, tmp, &cttimeout_list, head) {
389
+
list_del_rcu(&cur->head);
390
+
/* We are sure that our objects have no clients at this point,
391
+
* it's safe to release them all without checking refcnt.
392
+
*/
393
+
kfree_rcu(cur, rcu_head);
394
+
}
395
+
}
396
+
397
+
module_init(cttimeout_init);
398
+
module_exit(cttimeout_exit);