Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: xt_connbytes: Force CT accounting to be enabled

Check at rule install time that CT accounting is enabled. Force it
to be enabled if not while also emitting a warning since this is not
the default state.

This is in preparation for deprecating CONFIG_NF_CT_ACCT upon which
CONFIG_NETFILTER_XT_MATCH_CONNBYTES depended being set.

Added 2 CT accounting support functions:

nf_ct_acct_enabled() - Get CT accounting state.
nf_ct_set_acct() - Enable/disable CT accounting.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

Authored by Tim Gardner and committed by Patrick McHardy
a8756201 fe6fb552

2 files changed, 22 insertions
include/net/netfilter/nf_conntrack_acct.h (+12)
··· 45 45 extern unsigned int 46 46 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); 47 47 48 + /* Check if connection tracking accounting is enabled */ 49 + static inline bool nf_ct_acct_enabled(struct net *net) 50 + { 51 + return net->ct.sysctl_acct != 0; 52 + } 53 + 54 + /* Enable/disable connection tracking accounting */ 55 + static inline void nf_ct_set_acct(struct net *net, bool enable) 56 + { 57 + net->ct.sysctl_acct = enable; 58 + } 59 + 48 60 extern int nf_conntrack_acct_init(struct net *net); 49 61 extern void nf_conntrack_acct_fini(struct net *net); 50 62
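Review bot: nf_ct_set_acct() only stores the new value into net->ct.sysctl_acct; nothing in this hunk touches conntrack entries that already exist, so the header comment should say that the setting applies to connections tracked after the call and that a caller such as a rule checkentry must not expect in-flight connections to start accounting. It is also worth noting in the same comment that the field stays writable through its sysctl, so an administrator can switch accounting back off after a caller forced it on; nothing here pins it, and users of nf_ct_acct_enabled() should treat the result as a point-in-time check rather than a guarantee.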
net/netfilter/xt_connbytes.c (+10)
··· 112 112 if (ret < 0) 113 113 pr_info("cannot load conntrack support for proto=%u\n", 114 114 par->family); 115 + 116 + /* 117 + * This filter cannot function correctly unless connection tracking 118 + * accounting is enabled, so complain in the hope that someone notices. 119 + */ 120 + if (!nf_ct_acct_enabled(par->net)) { 121 + pr_warning("Forcing CT accounting to be enabled\n"); 122 + nf_ct_set_acct(par->net, true); 123 + } 124 + 115 125 return ret; 116 126 } 117 127
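Review bot: the new block runs unconditionally after the `if (ret < 0)` branch, so when conntrack support for par->family could not be loaded and the rule is about to be rejected, it still flips the per-netns accounting setting and prints the warning as a side effect of a failed install. Guard it with `if (ret == 0)` (or return early on error before it) so the forced enable only happens for a rule that actually gets installed. The warning also does not say which match forced the change; prefixing the message with the match name (or a pr_fmt for this file) makes the log line actionable for the administrator who notices accounting turned on.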