netfilter: cttimeout: decouple timeout policy from nfnetlink_cttimeout object

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The timeout policy is currently embedded into the nfnetlink_cttimeout
object, move the policy into an independent object. This allows us to
reuse part of the existing conntrack timeout extension from nf_tables
without adding dependencies with the nfnetlink_cttimeout object layout.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso 7 years ago 6c1fd7dc 4e665afb

+41 -32

4 changed files

expand all

include

net

netfilter

nf_conntrack_timeout.h

net

netfilter

nf_conntrack_timeout.c

nfnetlink_cttimeout.c

xt_CT.c

+15 -11

include/net/netfilter/nf_conntrack_timeout.h

··· 11 11 12 12 #define CTNL_TIMEOUT_NAME_MAX 32 13 13 14 - struct ctnl_timeout { 15 - struct list_head head; 16 - struct rcu_head rcu_head; 17 - refcount_t refcnt; 18 - char name[CTNL_TIMEOUT_NAME_MAX]; 14 + struct nf_ct_timeout { 19 15 __u16 l3num; 20 16 const struct nf_conntrack_l4proto *l4proto; 21 17 char data[0]; 22 18 }; 23 19 20 + struct ctnl_timeout { 21 + struct list_head head; 22 + struct rcu_head rcu_head; 23 + refcount_t refcnt; 24 + char name[CTNL_TIMEOUT_NAME_MAX]; 25 + struct nf_ct_timeout timeout; 26 + }; 27 + 24 28 struct nf_conn_timeout { 25 - struct ctnl_timeout __rcu *timeout; 29 + struct nf_ct_timeout __rcu *timeout; 26 30 }; 27 31 28 32 static inline unsigned int * 29 33 nf_ct_timeout_data(struct nf_conn_timeout *t) 30 34 { 31 - struct ctnl_timeout *timeout; 35 + struct nf_ct_timeout *timeout; 32 36 33 37 timeout = rcu_dereference(t->timeout); 34 38 if (timeout == NULL) ··· 53 49 54 50 static inline 55 51 struct nf_conn_timeout *nf_ct_timeout_ext_add(struct nf_conn *ct, 56 - struct ctnl_timeout *timeout, 52 + struct nf_ct_timeout *timeout, 57 53 gfp_t gfp) 58 54 { 59 55 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT ··· 87 83 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 88 84 int nf_conntrack_timeout_init(void); 89 85 void nf_conntrack_timeout_fini(void); 90 - void nf_ct_untimeout(struct net *net, struct ctnl_timeout *timeout); 86 + void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout); 91 87 #else 92 88 static inline int nf_conntrack_timeout_init(void) 93 89 { ··· 101 97 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 102 98 103 99 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 104 - extern struct ctnl_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name); 105 - extern void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout); 100 + extern struct nf_ct_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name); 101 + extern void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout); 106 102 #endif 107 103 108 104 #endif /* _NF_CONNTRACK_TIMEOUT_H */

+3 -3

net/netfilter/nf_conntrack_timeout.c

··· 24 24 #include <net/netfilter/nf_conntrack_extend.h> 25 25 #include <net/netfilter/nf_conntrack_timeout.h> 26 26 27 - struct ctnl_timeout * 27 + struct nf_ct_timeout * 28 28 (*nf_ct_timeout_find_get_hook)(struct net *net, const char *name) __read_mostly; 29 29 EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook); 30 30 31 - void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout) __read_mostly; 31 + void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout) __read_mostly; 32 32 EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook); 33 33 34 34 static int untimeout(struct nf_conn *ct, void *timeout) ··· 42 42 return 0; 43 43 } 44 44 45 - void nf_ct_untimeout(struct net *net, struct ctnl_timeout *timeout) 45 + void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout) 46 46 { 47 47 nf_ct_iterate_cleanup_net(net, untimeout, timeout, 0, 0); 48 48 }

+21 -16

net/netfilter/nfnetlink_cttimeout.c

··· 113 113 /* You cannot replace one timeout policy by another of 114 114 * different kind, sorry. 115 115 */ 116 - if (matching->l3num != l3num || 117 - matching->l4proto->l4proto != l4num) 116 + if (matching->timeout.l3num != l3num || 117 + matching->timeout.l4proto->l4proto != l4num) 118 118 return -EINVAL; 119 119 120 - return ctnl_timeout_parse_policy(&matching->data, 121 - matching->l4proto, net, 122 - cda[CTA_TIMEOUT_DATA]); 120 + return ctnl_timeout_parse_policy(&matching->timeout.data, 121 + matching->timeout.l4proto, 122 + net, cda[CTA_TIMEOUT_DATA]); 123 123 } 124 124 125 125 return -EBUSY; ··· 140 140 goto err_proto_put; 141 141 } 142 142 143 - ret = ctnl_timeout_parse_policy(&timeout->data, l4proto, net, 143 + ret = ctnl_timeout_parse_policy(&timeout->timeout.data, l4proto, net, 144 144 cda[CTA_TIMEOUT_DATA]); 145 145 if (ret < 0) 146 146 goto err; 147 147 148 148 strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME])); 149 - timeout->l3num = l3num; 150 - timeout->l4proto = l4proto; 149 + timeout->timeout.l3num = l3num; 150 + timeout->timeout.l4proto = l4proto; 151 151 refcount_set(&timeout->refcnt, 1); 152 152 list_add_tail_rcu(&timeout->head, &net->nfct_timeout_list); 153 153 ··· 166 166 struct nlmsghdr *nlh; 167 167 struct nfgenmsg *nfmsg; 168 168 unsigned int flags = portid ? NLM_F_MULTI : 0; 169 - const struct nf_conntrack_l4proto *l4proto = timeout->l4proto; 169 + const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto; 170 170 171 171 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); 172 172 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); ··· 179 179 nfmsg->res_id = 0; 180 180 181 181 if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) || 182 - nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(timeout->l3num)) || 183 - nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) || 182 + nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, 183 + htons(timeout->timeout.l3num)) || 184 + nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto) || 184 185 nla_put_be32(skb, CTA_TIMEOUT_USE, 185 186 htonl(refcount_read(&timeout->refcnt)))) 186 187 goto nla_put_failure; ··· 195 194 if (!nest_parms) 196 195 goto nla_put_failure; 197 196 198 - ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data); 197 + ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, 198 + &timeout->timeout.data); 199 199 if (ret < 0) 200 200 goto nla_put_failure; 201 201 ··· 310 308 if (refcount_dec_if_one(&timeout->refcnt)) { 311 309 /* We are protected by nfnl mutex. */ 312 310 list_del_rcu(&timeout->head); 313 - nf_ct_l4proto_put(timeout->l4proto); 314 - nf_ct_untimeout(net, timeout); 311 + nf_ct_l4proto_put(timeout->timeout.l4proto); 312 + nf_ct_untimeout(net, &timeout->timeout); 315 313 kfree_rcu(timeout, rcu_head); 316 314 } else { 317 315 ret = -EBUSY; ··· 512 510 return matching; 513 511 } 514 512 515 - static void ctnl_timeout_put(struct ctnl_timeout *timeout) 513 + static void ctnl_timeout_put(struct nf_ct_timeout *t) 516 514 { 515 + struct ctnl_timeout *timeout = 516 + container_of(t, struct ctnl_timeout, timeout); 517 + 517 518 if (refcount_dec_and_test(&timeout->refcnt)) 518 519 kfree_rcu(timeout, rcu_head); 519 520 ··· 566 561 567 562 list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) { 568 563 list_del_rcu(&cur->head); 569 - nf_ct_l4proto_put(cur->l4proto); 564 + nf_ct_l4proto_put(cur->timeout.l4proto); 570 565 571 566 if (refcount_dec_and_test(&cur->refcnt)) 572 567 kfree_rcu(cur, rcu_head);

+2 -2

net/netfilter/xt_CT.c

··· 104 104 } 105 105 106 106 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 107 - static void __xt_ct_tg_timeout_put(struct ctnl_timeout *timeout) 107 + static void __xt_ct_tg_timeout_put(struct nf_ct_timeout *timeout) 108 108 { 109 109 typeof(nf_ct_timeout_put_hook) timeout_put; 110 110 ··· 121 121 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 122 122 typeof(nf_ct_timeout_find_get_hook) timeout_find_get; 123 123 const struct nf_conntrack_l4proto *l4proto; 124 - struct ctnl_timeout *timeout; 124 + struct nf_ct_timeout *timeout; 125 125 struct nf_conn_timeout *timeout_ext; 126 126 const char *errmsg = NULL; 127 127 int ret = 0;