-1

include/net/netfilter/nf_conntrack.h

reviewed

··· 101 101 /* Have we seen traffic both ways yet? (bitset) */ 102 102 unsigned long status; 103 103 104 104 - u16 cpu; 105 104 possible_net_t ct_net; 106 105 107 106 #if IS_ENABLED(CONFIG_NF_NAT)

-6

include/net/netns/conntrack.h

reviewed

··· 93 93 #endif 94 94 }; 95 95 96 96 - struct ct_pcpu { 97 97 - spinlock_t lock; 98 98 - struct hlist_nulls_head unconfirmed; 99 99 - }; 100 100 - 101 96 struct netns_ct { 102 97 #ifdef CONFIG_NF_CONNTRACK_EVENTS 103 98 bool ecache_dwork_pending; ··· 104 109 u8 sysctl_tstamp; 105 110 u8 sysctl_checksum; 106 111 107 107 - struct ct_pcpu __percpu *pcpu_lists; 108 112 struct ip_conntrack_stat __percpu *stat; 109 113 struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb; 110 114 struct nf_ip_net nf_ct_proto;

+2 -55

net/netfilter/nf_conntrack_core.c

reviewed

··· 525 525 nf_ct_remove_expectations(ct); 526 526 } 527 527 528 528 - /* must be called with local_bh_disable */ 529 529 - static void nf_ct_add_to_unconfirmed_list(struct nf_conn *ct) 530 530 - { 531 531 - struct ct_pcpu *pcpu; 532 532 - 533 533 - /* add this conntrack to the (per cpu) unconfirmed list */ 534 534 - ct->cpu = smp_processor_id(); 535 535 - pcpu = per_cpu_ptr(nf_ct_net(ct)->ct.pcpu_lists, ct->cpu); 536 536 - 537 537 - spin_lock(&pcpu->lock); 538 538 - hlist_nulls_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode, 539 539 - &pcpu->unconfirmed); 540 540 - spin_unlock(&pcpu->lock); 541 541 - } 542 542 - 543 543 - /* must be called with local_bh_disable */ 544 544 - static void nf_ct_del_from_unconfirmed_list(struct nf_conn *ct) 545 545 - { 546 546 - struct ct_pcpu *pcpu; 547 547 - 548 548 - /* We overload first tuple to link into unconfirmed list.*/ 549 549 - pcpu = per_cpu_ptr(nf_ct_net(ct)->ct.pcpu_lists, ct->cpu); 550 550 - 551 551 - spin_lock(&pcpu->lock); 552 552 - BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode)); 553 553 - hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode); 554 554 - spin_unlock(&pcpu->lock); 555 555 - } 556 556 - 557 528 #define NFCT_ALIGN(len) (((len) + NFCT_INFOMASK) & ~NFCT_INFOMASK) 558 529 559 530 /* Released via nf_ct_destroy() */ ··· 596 625 if (unlikely(nf_ct_protonum(ct) == IPPROTO_GRE)) 597 626 destroy_gre_conntrack(ct); 598 627 599 599 - local_bh_disable(); 600 628 /* Expectations will have been removed in clean_from_lists, 601 629 * except TFTP can create an expectation on the first packet, 602 630 * before connection is in the list, so we need to clean here, 603 631 * too. 604 632 */ 605 633 nf_ct_remove_expectations(ct); 606 606 - 607 607 - if (unlikely(!nf_ct_is_confirmed(ct))) 608 608 - nf_ct_del_from_unconfirmed_list(ct); 609 609 - 610 610 - local_bh_enable(); 611 634 612 635 if (ct->master) 613 636 nf_ct_put(ct->master); ··· 1213 1248 * user context, else we insert an already 'dead' hash, blocking 1214 1249 * further use of that particular connection -JM. 1215 1250 */ 1216 1216 - nf_ct_del_from_unconfirmed_list(ct); 1217 1251 ct->status |= IPS_CONFIRMED; 1218 1252 1219 1253 if (unlikely(nf_ct_is_dying(ct))) { ··· 1767 1803 if (!exp) 1768 1804 __nf_ct_try_assign_helper(ct, tmpl, GFP_ATOMIC); 1769 1805 1770 1770 - /* Now it is inserted into the unconfirmed list, set refcount to 1. */ 1806 1806 + /* Now it is going to be associated with an sk_buff, set refcount to 1. */ 1771 1807 refcount_set(&ct->ct_general.use, 1); 1772 1772 - nf_ct_add_to_unconfirmed_list(ct); 1773 1808 1774 1809 local_bh_enable(); 1775 1810 ··· 2557 2594 nf_conntrack_ecache_pernet_fini(net); 2558 2595 nf_conntrack_expect_pernet_fini(net); 2559 2596 free_percpu(net->ct.stat); 2560 2560 - free_percpu(net->ct.pcpu_lists); 2561 2597 } 2562 2598 } 2563 2599 ··· 2767 2805 { 2768 2806 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 2769 2807 int ret = -ENOMEM; 2770 2770 - int cpu; 2771 2808 2772 2809 BUILD_BUG_ON(IP_CT_UNTRACKED == IP_CT_NUMBER); 2773 2810 BUILD_BUG_ON_NOT_POWER_OF_2(CONNTRACK_LOCKS); 2774 2811 atomic_set(&cnet->count, 0); 2775 2812 2776 2776 - net->ct.pcpu_lists = alloc_percpu(struct ct_pcpu); 2777 2777 - if (!net->ct.pcpu_lists) 2778 2778 - goto err_stat; 2779 2779 - 2780 2780 - for_each_possible_cpu(cpu) { 2781 2781 - struct ct_pcpu *pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); 2782 2782 - 2783 2783 - spin_lock_init(&pcpu->lock); 2784 2784 - INIT_HLIST_NULLS_HEAD(&pcpu->unconfirmed, UNCONFIRMED_NULLS_VAL); 2785 2785 - } 2786 2786 - 2787 2813 net->ct.stat = alloc_percpu(struct ip_conntrack_stat); 2788 2814 if (!net->ct.stat) 2789 2789 - goto err_pcpu_lists; 2815 2815 + return ret; 2790 2816 2791 2817 ret = nf_conntrack_expect_pernet_init(net); 2792 2818 if (ret < 0) ··· 2790 2840 2791 2841 err_expect: 2792 2842 free_percpu(net->ct.stat); 2793 2793 - err_pcpu_lists: 2794 2794 - free_percpu(net->ct.pcpu_lists); 2795 2795 - err_stat: 2796 2843 return ret; 2797 2844 }

+1 -43

net/netfilter/nf_conntrack_netlink.c

reviewed

··· 1752 1752 static int 1753 1753 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb) 1754 1754 { 1755 1755 - struct ctnetlink_list_dump_ctx *ctx = (void *)cb->ctx; 1756 1756 - struct nf_conn *ct, *last; 1757 1757 - struct nf_conntrack_tuple_hash *h; 1758 1758 - struct hlist_nulls_node *n; 1759 1759 - struct net *net = sock_net(skb->sk); 1760 1760 - int res, cpu; 1761 1761 - 1762 1762 - if (ctx->done) 1763 1763 - return 0; 1764 1764 - 1765 1765 - last = ctx->last; 1766 1766 - 1767 1767 - for (cpu = ctx->cpu; cpu < nr_cpu_ids; cpu++) { 1768 1768 - struct ct_pcpu *pcpu; 1769 1769 - 1770 1770 - if (!cpu_possible(cpu)) 1771 1771 - continue; 1772 1772 - 1773 1773 - pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); 1774 1774 - spin_lock_bh(&pcpu->lock); 1775 1775 - restart: 1776 1776 - hlist_nulls_for_each_entry(h, n, &pcpu->unconfirmed, hnnode) { 1777 1777 - ct = nf_ct_tuplehash_to_ctrack(h); 1778 1778 - 1779 1779 - res = ctnetlink_dump_one_entry(skb, cb, ct, false); 1780 1780 - if (res < 0) { 1781 1781 - ctx->cpu = cpu; 1782 1782 - spin_unlock_bh(&pcpu->lock); 1783 1783 - goto out; 1784 1784 - } 1785 1785 - } 1786 1786 - if (ctx->last) { 1787 1787 - ctx->last = NULL; 1788 1788 - goto restart; 1789 1789 - } 1790 1790 - spin_unlock_bh(&pcpu->lock); 1791 1791 - } 1792 1792 - ctx->done = true; 1793 1793 - out: 1794 1794 - if (last) 1795 1795 - nf_ct_put(last); 1796 1796 - 1797 1797 - return skb->len; 1755 1755 + return 0; 1798 1756 } 1799 1757 1800 1758 static int