tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: remove ip_conntrack* sysctl compat code

This backward compatibility has been around for more than ten years,
since Yasuyuki Kozakai introduced IPv6 in conntrack. These days, we have
alternate /proc/net/nf_conntrack* entries, the ctnetlink interface and
the conntrack utility got adopted by many people in the user community
according to what I observed on the netfilter user mailing list.

So let's get rid of this.

Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do
not need to be exported as symbol anymore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso adf05168 cb1b69b0

+7 -1009
-8
include/net/netfilter/nf_conntrack_l4proto.h
··· 134 134 int nf_ct_l4proto_register(struct nf_conntrack_l4proto *proto); 135 135 void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *proto); 136 136 137 - static inline void nf_ct_kfree_compat_sysctl_table(struct nf_proto_net *pn) 138 - { 139 - #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 140 - kfree(pn->ctl_compat_table); 141 - pn->ctl_compat_table = NULL; 142 - #endif 143 - } 144 - 145 137 /* Generic netlink helpers */ 146 138 int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, 147 139 const struct nf_conntrack_tuple *tuple);
-8
include/net/netns/conntrack.h
··· 15 15 #ifdef CONFIG_SYSCTL 16 16 struct ctl_table_header *ctl_table_header; 17 17 struct ctl_table *ctl_table; 18 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 19 - struct ctl_table_header *ctl_compat_header; 20 - struct ctl_table *ctl_compat_table; 21 - #endif 22 18 #endif 23 19 unsigned int users; 24 20 }; ··· 54 58 struct nf_udp_net udp; 55 59 struct nf_icmp_net icmp; 56 60 struct nf_icmp_net icmpv6; 57 - #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 58 - struct ctl_table_header *ctl_table_header; 59 - struct ctl_table *ctl_table; 60 - #endif 61 61 }; 62 62 63 63 struct ct_pcpu {
-11
net/ipv4/netfilter/Kconfig
··· 25 25 26 26 To compile it as a module, choose M here. If unsure, say N. 27 27 28 - config NF_CONNTRACK_PROC_COMPAT 29 - bool "proc/sysctl compatibility with old connection tracking" 30 - depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4 31 - default y 32 - help 33 - This option enables /proc and sysctl compatibility with the old 34 - layer 3 dependent connection tracking. This is needed to keep 35 - old programs that have not been adapted to the new names working. 36 - 37 - If unsure, say Y. 38 - 39 28 if NF_TABLES 40 29 41 30 config NF_TABLES_IPV4
-5
net/ipv4/netfilter/Makefile
··· 4 4 5 5 # objects for l3 independent conntrack 6 6 nf_conntrack_ipv4-y := nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o 7 - ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y) 8 - ifeq ($(CONFIG_PROC_FS),y) 9 - nf_conntrack_ipv4-objs += nf_conntrack_l3proto_ipv4_compat.o 10 - endif 11 - endif 12 7 13 8 # connection tracking 14 9 obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
-70
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
··· 202 202 }, 203 203 }; 204 204 205 - #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 206 - static int log_invalid_proto_min = 0; 207 - static int log_invalid_proto_max = 255; 208 - 209 - static struct ctl_table ip_ct_sysctl_table[] = { 210 - { 211 - .procname = "ip_conntrack_max", 212 - .maxlen = sizeof(int), 213 - .mode = 0644, 214 - .proc_handler = proc_dointvec, 215 - }, 216 - { 217 - .procname = "ip_conntrack_count", 218 - .maxlen = sizeof(int), 219 - .mode = 0444, 220 - .proc_handler = proc_dointvec, 221 - }, 222 - { 223 - .procname = "ip_conntrack_buckets", 224 - .maxlen = sizeof(unsigned int), 225 - .mode = 0444, 226 - .proc_handler = proc_dointvec, 227 - }, 228 - { 229 - .procname = "ip_conntrack_checksum", 230 - .maxlen = sizeof(int), 231 - .mode = 0644, 232 - .proc_handler = proc_dointvec, 233 - }, 234 - { 235 - .procname = "ip_conntrack_log_invalid", 236 - .maxlen = sizeof(unsigned int), 237 - .mode = 0644, 238 - .proc_handler = proc_dointvec_minmax, 239 - .extra1 = &log_invalid_proto_min, 240 - .extra2 = &log_invalid_proto_max, 241 - }, 242 - { } 243 - }; 244 - #endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */ 245 - 246 205 /* Fast function for those who don't want to parse /proc (and I don't 247 206 blame them). */ 248 207 /* Reversing the socket's dst/src point of view gives us the reply ··· 309 350 310 351 static int ipv4_init_net(struct net *net) 311 352 { 312 - #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 313 - struct nf_ip_net *in = &net->ct.nf_ct_proto; 314 - in->ctl_table = kmemdup(ip_ct_sysctl_table, 315 - sizeof(ip_ct_sysctl_table), 316 - GFP_KERNEL); 317 - if (!in->ctl_table) 318 - return -ENOMEM; 319 - 320 - in->ctl_table[0].data = &nf_conntrack_max; 321 - in->ctl_table[1].data = &net->ct.count; 322 - in->ctl_table[2].data = &nf_conntrack_htable_size; 323 - in->ctl_table[3].data = &net->ct.sysctl_checksum; 324 - in->ctl_table[4].data = &net->ct.sysctl_log_invalid; 325 - #endif 326 353 return 0; 327 354 } 328 355 ··· 324 379 .nlattr_tuple_size = ipv4_nlattr_tuple_size, 325 380 .nlattr_to_tuple = ipv4_nlattr_to_tuple, 326 381 .nla_policy = ipv4_nla_policy, 327 - #endif 328 - #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 329 - .ctl_table_path = "net/ipv4/netfilter", 330 382 #endif 331 383 .init_net = ipv4_init_net, 332 384 .me = THIS_MODULE, ··· 434 492 goto cleanup_icmpv4; 435 493 } 436 494 437 - #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 438 - ret = nf_conntrack_ipv4_compat_init(); 439 - if (ret < 0) 440 - goto cleanup_proto; 441 - #endif 442 495 return ret; 443 - #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 444 - cleanup_proto: 445 - nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv4); 446 - #endif 447 496 cleanup_icmpv4: 448 497 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp); 449 498 cleanup_udp4: ··· 453 520 static void __exit nf_conntrack_l3proto_ipv4_fini(void) 454 521 { 455 522 synchronize_net(); 456 - #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 457 - nf_conntrack_ipv4_compat_fini(); 458 - #endif 459 523 nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv4); 460 524 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp); 461 525 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udp4);
-491
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
··· 1 - /* ip_conntrack proc compat - based on ip_conntrack_standalone.c 2 - * 3 - * (C) 1999-2001 Paul `Rusty' Russell 4 - * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> 5 - * (C) 2006-2010 Patrick McHardy <kaber@trash.net> 6 - * 7 - * This program is free software; you can redistribute it and/or modify 8 - * it under the terms of the GNU General Public License version 2 as 9 - * published by the Free Software Foundation. 10 - */ 11 - #include <linux/types.h> 12 - #include <linux/proc_fs.h> 13 - #include <linux/seq_file.h> 14 - #include <linux/percpu.h> 15 - #include <linux/security.h> 16 - #include <net/net_namespace.h> 17 - 18 - #include <linux/netfilter.h> 19 - #include <net/netfilter/nf_conntrack_core.h> 20 - #include <net/netfilter/nf_conntrack_l3proto.h> 21 - #include <net/netfilter/nf_conntrack_l4proto.h> 22 - #include <net/netfilter/nf_conntrack_expect.h> 23 - #include <net/netfilter/nf_conntrack_acct.h> 24 - #include <linux/rculist_nulls.h> 25 - #include <linux/export.h> 26 - 27 - struct ct_iter_state { 28 - struct seq_net_private p; 29 - struct hlist_nulls_head *hash; 30 - unsigned int htable_size; 31 - unsigned int bucket; 32 - }; 33 - 34 - static struct hlist_nulls_node *ct_get_first(struct seq_file *seq) 35 - { 36 - struct ct_iter_state *st = seq->private; 37 - struct hlist_nulls_node *n; 38 - 39 - for (st->bucket = 0; 40 - st->bucket < st->htable_size; 41 - st->bucket++) { 42 - n = rcu_dereference( 43 - hlist_nulls_first_rcu(&st->hash[st->bucket])); 44 - if (!is_a_nulls(n)) 45 - return n; 46 - } 47 - return NULL; 48 - } 49 - 50 - static struct hlist_nulls_node *ct_get_next(struct seq_file *seq, 51 - struct hlist_nulls_node *head) 52 - { 53 - struct ct_iter_state *st = seq->private; 54 - 55 - head = rcu_dereference(hlist_nulls_next_rcu(head)); 56 - while (is_a_nulls(head)) { 57 - if (likely(get_nulls_value(head) == st->bucket)) { 58 - if (++st->bucket >= st->htable_size) 59 - return NULL; 60 - } 61 - head = rcu_dereference( 62 - hlist_nulls_first_rcu(&st->hash[st->bucket])); 63 - } 64 - return head; 65 - } 66 - 67 - static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos) 68 - { 69 - struct hlist_nulls_node *head = ct_get_first(seq); 70 - 71 - if (head) 72 - while (pos && (head = ct_get_next(seq, head))) 73 - pos--; 74 - return pos ? NULL : head; 75 - } 76 - 77 - static void *ct_seq_start(struct seq_file *seq, loff_t *pos) 78 - __acquires(RCU) 79 - { 80 - struct ct_iter_state *st = seq->private; 81 - 82 - rcu_read_lock(); 83 - 84 - nf_conntrack_get_ht(&st->hash, &st->htable_size); 85 - return ct_get_idx(seq, *pos); 86 - } 87 - 88 - static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos) 89 - { 90 - (*pos)++; 91 - return ct_get_next(s, v); 92 - } 93 - 94 - static void ct_seq_stop(struct seq_file *s, void *v) 95 - __releases(RCU) 96 - { 97 - rcu_read_unlock(); 98 - } 99 - 100 - #ifdef CONFIG_NF_CONNTRACK_SECMARK 101 - static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 102 - { 103 - int ret; 104 - u32 len; 105 - char *secctx; 106 - 107 - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 108 - if (ret) 109 - return; 110 - 111 - seq_printf(s, "secctx=%s ", secctx); 112 - 113 - security_release_secctx(secctx, len); 114 - } 115 - #else 116 - static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) 117 - { 118 - } 119 - #endif 120 - 121 - static bool ct_seq_should_skip(const struct nf_conn *ct, 122 - const struct net *net, 123 - const struct nf_conntrack_tuple_hash *hash) 124 - { 125 - /* we only want to print DIR_ORIGINAL */ 126 - if (NF_CT_DIRECTION(hash)) 127 - return true; 128 - 129 - if (nf_ct_l3num(ct) != AF_INET) 130 - return true; 131 - 132 - if (!net_eq(nf_ct_net(ct), net)) 133 - return true; 134 - 135 - return false; 136 - } 137 - 138 - static int ct_seq_show(struct seq_file *s, void *v) 139 - { 140 - struct nf_conntrack_tuple_hash *hash = v; 141 - struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); 142 - const struct nf_conntrack_l3proto *l3proto; 143 - const struct nf_conntrack_l4proto *l4proto; 144 - int ret = 0; 145 - 146 - NF_CT_ASSERT(ct); 147 - if (ct_seq_should_skip(ct, seq_file_net(s), hash)) 148 - return 0; 149 - 150 - if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use))) 151 - return 0; 152 - 153 - /* check if we raced w. object reuse */ 154 - if (!nf_ct_is_confirmed(ct) || 155 - ct_seq_should_skip(ct, seq_file_net(s), hash)) 156 - goto release; 157 - 158 - l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct)); 159 - NF_CT_ASSERT(l3proto); 160 - l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 161 - NF_CT_ASSERT(l4proto); 162 - 163 - ret = -ENOSPC; 164 - seq_printf(s, "%-8s %u %ld ", 165 - l4proto->name, nf_ct_protonum(ct), 166 - nf_ct_expires(ct) / HZ); 167 - 168 - if (l4proto->print_conntrack) 169 - l4proto->print_conntrack(s, ct); 170 - 171 - if (seq_has_overflowed(s)) 172 - goto release; 173 - 174 - print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 175 - l3proto, l4proto); 176 - 177 - if (seq_has_overflowed(s)) 178 - goto release; 179 - 180 - if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL)) 181 - goto release; 182 - 183 - if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) 184 - seq_printf(s, "[UNREPLIED] "); 185 - 186 - print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, 187 - l3proto, l4proto); 188 - 189 - if (seq_has_overflowed(s)) 190 - goto release; 191 - 192 - if (seq_print_acct(s, ct, IP_CT_DIR_REPLY)) 193 - goto release; 194 - 195 - if (test_bit(IPS_ASSURED_BIT, &ct->status)) 196 - seq_printf(s, "[ASSURED] "); 197 - 198 - #ifdef CONFIG_NF_CONNTRACK_MARK 199 - seq_printf(s, "mark=%u ", ct->mark); 200 - #endif 201 - 202 - ct_show_secctx(s, ct); 203 - 204 - seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)); 205 - 206 - if (seq_has_overflowed(s)) 207 - goto release; 208 - 209 - ret = 0; 210 - release: 211 - nf_ct_put(ct); 212 - return ret; 213 - } 214 - 215 - static const struct seq_operations ct_seq_ops = { 216 - .start = ct_seq_start, 217 - .next = ct_seq_next, 218 - .stop = ct_seq_stop, 219 - .show = ct_seq_show 220 - }; 221 - 222 - static int ct_open(struct inode *inode, struct file *file) 223 - { 224 - return seq_open_net(inode, file, &ct_seq_ops, 225 - sizeof(struct ct_iter_state)); 226 - } 227 - 228 - static const struct file_operations ct_file_ops = { 229 - .owner = THIS_MODULE, 230 - .open = ct_open, 231 - .read = seq_read, 232 - .llseek = seq_lseek, 233 - .release = seq_release_net, 234 - }; 235 - 236 - /* expects */ 237 - struct ct_expect_iter_state { 238 - struct seq_net_private p; 239 - unsigned int bucket; 240 - }; 241 - 242 - static struct hlist_node *ct_expect_get_first(struct seq_file *seq) 243 - { 244 - struct ct_expect_iter_state *st = seq->private; 245 - struct hlist_node *n; 246 - 247 - for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { 248 - n = rcu_dereference( 249 - hlist_first_rcu(&nf_ct_expect_hash[st->bucket])); 250 - if (n) 251 - return n; 252 - } 253 - return NULL; 254 - } 255 - 256 - static struct hlist_node *ct_expect_get_next(struct seq_file *seq, 257 - struct hlist_node *head) 258 - { 259 - struct ct_expect_iter_state *st = seq->private; 260 - 261 - head = rcu_dereference(hlist_next_rcu(head)); 262 - while (head == NULL) { 263 - if (++st->bucket >= nf_ct_expect_hsize) 264 - return NULL; 265 - head = rcu_dereference( 266 - hlist_first_rcu(&nf_ct_expect_hash[st->bucket])); 267 - } 268 - return head; 269 - } 270 - 271 - static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos) 272 - { 273 - struct hlist_node *head = ct_expect_get_first(seq); 274 - 275 - if (head) 276 - while (pos && (head = ct_expect_get_next(seq, head))) 277 - pos--; 278 - return pos ? NULL : head; 279 - } 280 - 281 - static void *exp_seq_start(struct seq_file *seq, loff_t *pos) 282 - __acquires(RCU) 283 - { 284 - rcu_read_lock(); 285 - return ct_expect_get_idx(seq, *pos); 286 - } 287 - 288 - static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos) 289 - { 290 - (*pos)++; 291 - return ct_expect_get_next(seq, v); 292 - } 293 - 294 - static void exp_seq_stop(struct seq_file *seq, void *v) 295 - __releases(RCU) 296 - { 297 - rcu_read_unlock(); 298 - } 299 - 300 - static int exp_seq_show(struct seq_file *s, void *v) 301 - { 302 - struct nf_conntrack_expect *exp; 303 - const struct hlist_node *n = v; 304 - 305 - exp = hlist_entry(n, struct nf_conntrack_expect, hnode); 306 - 307 - if (!net_eq(nf_ct_net(exp->master), seq_file_net(s))) 308 - return 0; 309 - 310 - if (exp->tuple.src.l3num != AF_INET) 311 - return 0; 312 - 313 - if (exp->timeout.function) 314 - seq_printf(s, "%ld ", timer_pending(&exp->timeout) 315 - ? (long)(exp->timeout.expires - jiffies)/HZ : 0); 316 - else 317 - seq_printf(s, "- "); 318 - 319 - seq_printf(s, "proto=%u ", exp->tuple.dst.protonum); 320 - 321 - print_tuple(s, &exp->tuple, 322 - __nf_ct_l3proto_find(exp->tuple.src.l3num), 323 - __nf_ct_l4proto_find(exp->tuple.src.l3num, 324 - exp->tuple.dst.protonum)); 325 - seq_putc(s, '\n'); 326 - 327 - return 0; 328 - } 329 - 330 - static const struct seq_operations exp_seq_ops = { 331 - .start = exp_seq_start, 332 - .next = exp_seq_next, 333 - .stop = exp_seq_stop, 334 - .show = exp_seq_show 335 - }; 336 - 337 - static int exp_open(struct inode *inode, struct file *file) 338 - { 339 - return seq_open_net(inode, file, &exp_seq_ops, 340 - sizeof(struct ct_expect_iter_state)); 341 - } 342 - 343 - static const struct file_operations ip_exp_file_ops = { 344 - .owner = THIS_MODULE, 345 - .open = exp_open, 346 - .read = seq_read, 347 - .llseek = seq_lseek, 348 - .release = seq_release_net, 349 - }; 350 - 351 - static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos) 352 - { 353 - struct net *net = seq_file_net(seq); 354 - int cpu; 355 - 356 - if (*pos == 0) 357 - return SEQ_START_TOKEN; 358 - 359 - for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) { 360 - if (!cpu_possible(cpu)) 361 - continue; 362 - *pos = cpu+1; 363 - return per_cpu_ptr(net->ct.stat, cpu); 364 - } 365 - 366 - return NULL; 367 - } 368 - 369 - static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) 370 - { 371 - struct net *net = seq_file_net(seq); 372 - int cpu; 373 - 374 - for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) { 375 - if (!cpu_possible(cpu)) 376 - continue; 377 - *pos = cpu+1; 378 - return per_cpu_ptr(net->ct.stat, cpu); 379 - } 380 - 381 - return NULL; 382 - } 383 - 384 - static void ct_cpu_seq_stop(struct seq_file *seq, void *v) 385 - { 386 - } 387 - 388 - static int ct_cpu_seq_show(struct seq_file *seq, void *v) 389 - { 390 - struct net *net = seq_file_net(seq); 391 - unsigned int nr_conntracks = atomic_read(&net->ct.count); 392 - const struct ip_conntrack_stat *st = v; 393 - 394 - if (v == SEQ_START_TOKEN) { 395 - seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); 396 - return 0; 397 - } 398 - 399 - seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 400 - "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", 401 - nr_conntracks, 402 - st->searched, 403 - st->found, 404 - st->new, 405 - st->invalid, 406 - st->ignore, 407 - st->delete, 408 - st->delete_list, 409 - st->insert, 410 - st->insert_failed, 411 - st->drop, 412 - st->early_drop, 413 - st->error, 414 - 415 - st->expect_new, 416 - st->expect_create, 417 - st->expect_delete, 418 - st->search_restart 419 - ); 420 - return 0; 421 - } 422 - 423 - static const struct seq_operations ct_cpu_seq_ops = { 424 - .start = ct_cpu_seq_start, 425 - .next = ct_cpu_seq_next, 426 - .stop = ct_cpu_seq_stop, 427 - .show = ct_cpu_seq_show, 428 - }; 429 - 430 - static int ct_cpu_seq_open(struct inode *inode, struct file *file) 431 - { 432 - return seq_open_net(inode, file, &ct_cpu_seq_ops, 433 - sizeof(struct seq_net_private)); 434 - } 435 - 436 - static const struct file_operations ct_cpu_seq_fops = { 437 - .owner = THIS_MODULE, 438 - .open = ct_cpu_seq_open, 439 - .read = seq_read, 440 - .llseek = seq_lseek, 441 - .release = seq_release_net, 442 - }; 443 - 444 - static int __net_init ip_conntrack_net_init(struct net *net) 445 - { 446 - struct proc_dir_entry *proc, *proc_exp, *proc_stat; 447 - 448 - proc = proc_create("ip_conntrack", 0440, net->proc_net, &ct_file_ops); 449 - if (!proc) 450 - goto err1; 451 - 452 - proc_exp = proc_create("ip_conntrack_expect", 0440, net->proc_net, 453 - &ip_exp_file_ops); 454 - if (!proc_exp) 455 - goto err2; 456 - 457 - proc_stat = proc_create("ip_conntrack", S_IRUGO, 458 - net->proc_net_stat, &ct_cpu_seq_fops); 459 - if (!proc_stat) 460 - goto err3; 461 - return 0; 462 - 463 - err3: 464 - remove_proc_entry("ip_conntrack_expect", net->proc_net); 465 - err2: 466 - remove_proc_entry("ip_conntrack", net->proc_net); 467 - err1: 468 - return -ENOMEM; 469 - } 470 - 471 - static void __net_exit ip_conntrack_net_exit(struct net *net) 472 - { 473 - remove_proc_entry("ip_conntrack", net->proc_net_stat); 474 - remove_proc_entry("ip_conntrack_expect", net->proc_net); 475 - remove_proc_entry("ip_conntrack", net->proc_net); 476 - } 477 - 478 - static struct pernet_operations ip_conntrack_net_ops = { 479 - .init = ip_conntrack_net_init, 480 - .exit = ip_conntrack_net_exit, 481 - }; 482 - 483 - int __init nf_conntrack_ipv4_compat_init(void) 484 - { 485 - return register_pernet_subsys(&ip_conntrack_net_ops); 486 - } 487 - 488 - void __exit nf_conntrack_ipv4_compat_fini(void) 489 - { 490 - unregister_pernet_subsys(&ip_conntrack_net_ops); 491 - }
+1 -38
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
··· 327 327 }, 328 328 { } 329 329 }; 330 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 331 - static struct ctl_table icmp_compat_sysctl_table[] = { 332 - { 333 - .procname = "ip_conntrack_icmp_timeout", 334 - .maxlen = sizeof(unsigned int), 335 - .mode = 0644, 336 - .proc_handler = proc_dointvec_jiffies, 337 - }, 338 - { } 339 - }; 340 - #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 341 330 #endif /* CONFIG_SYSCTL */ 342 331 343 332 static int icmp_kmemdup_sysctl_table(struct nf_proto_net *pn, ··· 344 355 return 0; 345 356 } 346 357 347 - static int icmp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn, 348 - struct nf_icmp_net *in) 349 - { 350 - #ifdef CONFIG_SYSCTL 351 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 352 - pn->ctl_compat_table = kmemdup(icmp_compat_sysctl_table, 353 - sizeof(icmp_compat_sysctl_table), 354 - GFP_KERNEL); 355 - if (!pn->ctl_compat_table) 356 - return -ENOMEM; 357 - 358 - pn->ctl_compat_table[0].data = &in->timeout; 359 - #endif 360 - #endif 361 - return 0; 362 - } 363 - 364 358 static int icmp_init_net(struct net *net, u_int16_t proto) 365 359 { 366 - int ret; 367 360 struct nf_icmp_net *in = icmp_pernet(net); 368 361 struct nf_proto_net *pn = &in->pn; 369 362 370 363 in->timeout = nf_ct_icmp_timeout; 371 364 372 - ret = icmp_kmemdup_compat_sysctl_table(pn, in); 373 - if (ret < 0) 374 - return ret; 375 - 376 - ret = icmp_kmemdup_sysctl_table(pn, in); 377 - if (ret < 0) 378 - nf_ct_kfree_compat_sysctl_table(pn); 379 - 380 - return ret; 365 + return icmp_kmemdup_sysctl_table(pn, in); 381 366 } 382 367 383 368 static struct nf_proto_net *icmp_get_net_proto(struct net *net)
-3
net/netfilter/nf_conntrack_core.c
··· 161 161 } 162 162 163 163 unsigned int nf_conntrack_htable_size __read_mostly; 164 - EXPORT_SYMBOL_GPL(nf_conntrack_htable_size); 165 - 166 164 unsigned int nf_conntrack_max __read_mostly; 167 - EXPORT_SYMBOL_GPL(nf_conntrack_max); 168 165 169 166 DEFINE_PER_CPU(struct nf_conn, nf_conntrack_untracked); 170 167 EXPORT_PER_CPU_SYMBOL(nf_conntrack_untracked);
+2 -79
net/netfilter/nf_conntrack_proto.c
··· 159 159 nf_ct_l3num(i) == l4proto->l3proto; 160 160 } 161 161 162 - static struct nf_ip_net *nf_ct_l3proto_net(struct net *net, 163 - struct nf_conntrack_l3proto *l3proto) 164 - { 165 - if (l3proto->l3proto == PF_INET) 166 - return &net->ct.nf_ct_proto; 167 - else 168 - return NULL; 169 - } 170 - 171 - static int nf_ct_l3proto_register_sysctl(struct net *net, 172 - struct nf_conntrack_l3proto *l3proto) 173 - { 174 - int err = 0; 175 - struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto); 176 - /* nf_conntrack_l3proto_ipv6 doesn't support sysctl */ 177 - if (in == NULL) 178 - return 0; 179 - 180 - #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 181 - if (in->ctl_table != NULL) { 182 - err = nf_ct_register_sysctl(net, 183 - &in->ctl_table_header, 184 - l3proto->ctl_table_path, 185 - in->ctl_table); 186 - if (err < 0) { 187 - kfree(in->ctl_table); 188 - in->ctl_table = NULL; 189 - } 190 - } 191 - #endif 192 - return err; 193 - } 194 - 195 - static void nf_ct_l3proto_unregister_sysctl(struct net *net, 196 - struct nf_conntrack_l3proto *l3proto) 197 - { 198 - struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto); 199 - 200 - if (in == NULL) 201 - return; 202 - #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 203 - if (in->ctl_table_header != NULL) 204 - nf_ct_unregister_sysctl(&in->ctl_table_header, 205 - &in->ctl_table, 206 - 0); 207 - #endif 208 - } 209 - 210 162 int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto) 211 163 { 212 164 int ret = 0; ··· 193 241 int nf_ct_l3proto_pernet_register(struct net *net, 194 242 struct nf_conntrack_l3proto *proto) 195 243 { 196 - int ret = 0; 244 + int ret; 197 245 198 246 if (proto->init_net) { 199 247 ret = proto->init_net(net); ··· 201 249 return ret; 202 250 } 203 251 204 - return nf_ct_l3proto_register_sysctl(net, proto); 252 + return 0; 205 253 } 206 254 EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_register); 207 255 ··· 224 272 void nf_ct_l3proto_pernet_unregister(struct net *net, 225 273 struct nf_conntrack_l3proto *proto) 226 274 { 227 - nf_ct_l3proto_unregister_sysctl(net, proto); 228 - 229 275 /* Remove all contrack entries for this protocol */ 230 276 nf_ct_iterate_cleanup(net, kill_l3proto, proto, 0, 0); 231 277 } ··· 262 312 } 263 313 } 264 314 } 265 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 266 - if (l4proto->l3proto != AF_INET6 && pn->ctl_compat_table != NULL) { 267 - if (err < 0) { 268 - nf_ct_kfree_compat_sysctl_table(pn); 269 - goto out; 270 - } 271 - err = nf_ct_register_sysctl(net, 272 - &pn->ctl_compat_header, 273 - "net/ipv4/netfilter", 274 - pn->ctl_compat_table); 275 - if (err == 0) 276 - goto out; 277 - 278 - nf_ct_kfree_compat_sysctl_table(pn); 279 - nf_ct_unregister_sysctl(&pn->ctl_table_header, 280 - &pn->ctl_table, 281 - pn->users); 282 - } 283 - out: 284 - #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 285 315 #endif /* CONFIG_SYSCTL */ 286 316 return err; 287 317 } ··· 276 346 nf_ct_unregister_sysctl(&pn->ctl_table_header, 277 347 &pn->ctl_table, 278 348 pn->users); 279 - 280 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 281 - if (l4proto->l3proto != AF_INET6 && pn->ctl_compat_header != NULL) 282 - nf_ct_unregister_sysctl(&pn->ctl_compat_header, 283 - &pn->ctl_compat_table, 284 - 0); 285 - #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 286 349 #endif /* CONFIG_SYSCTL */ 287 350 } 288 351
+1 -38
net/netfilter/nf_conntrack_proto_generic.c
··· 151 151 }, 152 152 { } 153 153 }; 154 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 155 - static struct ctl_table generic_compat_sysctl_table[] = { 156 - { 157 - .procname = "ip_conntrack_generic_timeout", 158 - .maxlen = sizeof(unsigned int), 159 - .mode = 0644, 160 - .proc_handler = proc_dointvec_jiffies, 161 - }, 162 - { } 163 - }; 164 - #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 165 154 #endif /* CONFIG_SYSCTL */ 166 155 167 156 static int generic_kmemdup_sysctl_table(struct nf_proto_net *pn, ··· 168 179 return 0; 169 180 } 170 181 171 - static int generic_kmemdup_compat_sysctl_table(struct nf_proto_net *pn, 172 - struct nf_generic_net *gn) 173 - { 174 - #ifdef CONFIG_SYSCTL 175 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 176 - pn->ctl_compat_table = kmemdup(generic_compat_sysctl_table, 177 - sizeof(generic_compat_sysctl_table), 178 - GFP_KERNEL); 179 - if (!pn->ctl_compat_table) 180 - return -ENOMEM; 181 - 182 - pn->ctl_compat_table[0].data = &gn->timeout; 183 - #endif 184 - #endif 185 - return 0; 186 - } 187 - 188 182 static int generic_init_net(struct net *net, u_int16_t proto) 189 183 { 190 - int ret; 191 184 struct nf_generic_net *gn = generic_pernet(net); 192 185 struct nf_proto_net *pn = &gn->pn; 193 186 194 187 gn->timeout = nf_ct_generic_timeout; 195 188 196 - ret = generic_kmemdup_compat_sysctl_table(pn, gn); 197 - if (ret < 0) 198 - return ret; 199 - 200 - ret = generic_kmemdup_sysctl_table(pn, gn); 201 - if (ret < 0) 202 - nf_ct_kfree_compat_sysctl_table(pn); 203 - 204 - return ret; 189 + return generic_kmemdup_sysctl_table(pn, gn); 205 190 } 206 191 207 192 static struct nf_proto_net *generic_get_net_proto(struct net *net)
+1 -84
net/netfilter/nf_conntrack_proto_sctp.c
··· 705 705 }, 706 706 { } 707 707 }; 708 - 709 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 710 - static struct ctl_table sctp_compat_sysctl_table[] = { 711 - { 712 - .procname = "ip_conntrack_sctp_timeout_closed", 713 - .maxlen = sizeof(unsigned int), 714 - .mode = 0644, 715 - .proc_handler = proc_dointvec_jiffies, 716 - }, 717 - { 718 - .procname = "ip_conntrack_sctp_timeout_cookie_wait", 719 - .maxlen = sizeof(unsigned int), 720 - .mode = 0644, 721 - .proc_handler = proc_dointvec_jiffies, 722 - }, 723 - { 724 - .procname = "ip_conntrack_sctp_timeout_cookie_echoed", 725 - .maxlen = sizeof(unsigned int), 726 - .mode = 0644, 727 - .proc_handler = proc_dointvec_jiffies, 728 - }, 729 - { 730 - .procname = "ip_conntrack_sctp_timeout_established", 731 - .maxlen = sizeof(unsigned int), 732 - .mode = 0644, 733 - .proc_handler = proc_dointvec_jiffies, 734 - }, 735 - { 736 - .procname = "ip_conntrack_sctp_timeout_shutdown_sent", 737 - .maxlen = sizeof(unsigned int), 738 - .mode = 0644, 739 - .proc_handler = proc_dointvec_jiffies, 740 - }, 741 - { 742 - .procname = "ip_conntrack_sctp_timeout_shutdown_recd", 743 - .maxlen = sizeof(unsigned int), 744 - .mode = 0644, 745 - .proc_handler = proc_dointvec_jiffies, 746 - }, 747 - { 748 - .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent", 749 - .maxlen = sizeof(unsigned int), 750 - .mode = 0644, 751 - .proc_handler = proc_dointvec_jiffies, 752 - }, 753 - { } 754 - }; 755 - #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 756 708 #endif 757 709 758 710 static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn, ··· 733 781 return 0; 734 782 } 735 783 736 - static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn, 737 - struct sctp_net *sn) 738 - { 739 - #ifdef CONFIG_SYSCTL 740 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 741 - pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table, 742 - sizeof(sctp_compat_sysctl_table), 743 - GFP_KERNEL); 744 - if (!pn->ctl_compat_table) 745 - return -ENOMEM; 746 - 747 - pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED]; 748 - pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT]; 749 - pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED]; 750 - pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED]; 751 - pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT]; 752 - pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD]; 753 - pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT]; 754 - #endif 755 - #endif 756 - return 0; 757 - } 758 - 759 784 static int sctp_init_net(struct net *net, u_int16_t proto) 760 785 { 761 - int ret; 762 786 struct sctp_net *sn = sctp_pernet(net); 763 787 struct nf_proto_net *pn = &sn->pn; 764 788 ··· 745 817 sn->timeouts[i] = sctp_timeouts[i]; 746 818 } 747 819 748 - if (proto == AF_INET) { 749 - ret = sctp_kmemdup_compat_sysctl_table(pn, sn); 750 - if (ret < 0) 751 - return ret; 752 - 753 - ret = sctp_kmemdup_sysctl_table(pn, sn); 754 - if (ret < 0) 755 - nf_ct_kfree_compat_sysctl_table(pn); 756 - } else 757 - ret = sctp_kmemdup_sysctl_table(pn, sn); 758 - 759 - return ret; 820 + return sctp_kmemdup_sysctl_table(pn, sn); 760 821 } 761 822 762 823 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
+1 -126
net/netfilter/nf_conntrack_proto_tcp.c
··· 1481 1481 }, 1482 1482 { } 1483 1483 }; 1484 - 1485 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 1486 - static struct ctl_table tcp_compat_sysctl_table[] = { 1487 - { 1488 - .procname = "ip_conntrack_tcp_timeout_syn_sent", 1489 - .maxlen = sizeof(unsigned int), 1490 - .mode = 0644, 1491 - .proc_handler = proc_dointvec_jiffies, 1492 - }, 1493 - { 1494 - .procname = "ip_conntrack_tcp_timeout_syn_sent2", 1495 - .maxlen = sizeof(unsigned int), 1496 - .mode = 0644, 1497 - .proc_handler = proc_dointvec_jiffies, 1498 - }, 1499 - { 1500 - .procname = "ip_conntrack_tcp_timeout_syn_recv", 1501 - .maxlen = sizeof(unsigned int), 1502 - .mode = 0644, 1503 - .proc_handler = proc_dointvec_jiffies, 1504 - }, 1505 - { 1506 - .procname = "ip_conntrack_tcp_timeout_established", 1507 - .maxlen = sizeof(unsigned int), 1508 - .mode = 0644, 1509 - .proc_handler = proc_dointvec_jiffies, 1510 - }, 1511 - { 1512 - .procname = "ip_conntrack_tcp_timeout_fin_wait", 1513 - .maxlen = sizeof(unsigned int), 1514 - .mode = 0644, 1515 - .proc_handler = proc_dointvec_jiffies, 1516 - }, 1517 - { 1518 - .procname = "ip_conntrack_tcp_timeout_close_wait", 1519 - .maxlen = sizeof(unsigned int), 1520 - .mode = 0644, 1521 - .proc_handler = proc_dointvec_jiffies, 1522 - }, 1523 - { 1524 - .procname = "ip_conntrack_tcp_timeout_last_ack", 1525 - .maxlen = sizeof(unsigned int), 1526 - .mode = 0644, 1527 - .proc_handler = proc_dointvec_jiffies, 1528 - }, 1529 - { 1530 - .procname = "ip_conntrack_tcp_timeout_time_wait", 1531 - .maxlen = sizeof(unsigned int), 1532 - .mode = 0644, 1533 - .proc_handler = proc_dointvec_jiffies, 1534 - }, 1535 - { 1536 - .procname = "ip_conntrack_tcp_timeout_close", 1537 - .maxlen = sizeof(unsigned int), 1538 - .mode = 0644, 1539 - .proc_handler = proc_dointvec_jiffies, 1540 - }, 1541 - { 1542 - .procname = "ip_conntrack_tcp_timeout_max_retrans", 1543 - .maxlen = sizeof(unsigned int), 1544 - .mode = 0644, 1545 - .proc_handler = proc_dointvec_jiffies, 1546 - }, 1547 - { 1548 - .procname = "ip_conntrack_tcp_loose", 1549 - .maxlen = sizeof(unsigned int), 1550 - .mode = 0644, 1551 - .proc_handler = proc_dointvec, 1552 - }, 1553 - { 1554 - .procname = "ip_conntrack_tcp_be_liberal", 1555 - .maxlen = sizeof(unsigned int), 1556 - .mode = 0644, 1557 - .proc_handler = proc_dointvec, 1558 - }, 1559 - { 1560 - .procname = "ip_conntrack_tcp_max_retrans", 1561 - .maxlen = sizeof(unsigned int), 1562 - .mode = 0644, 1563 - .proc_handler = proc_dointvec, 1564 - }, 1565 - { } 1566 - }; 1567 - #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 1568 1484 #endif /* CONFIG_SYSCTL */ 1569 1485 1570 1486 static int tcp_kmemdup_sysctl_table(struct nf_proto_net *pn, ··· 1513 1597 return 0; 1514 1598 } 1515 1599 1516 - static int tcp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn, 1517 - struct nf_tcp_net *tn) 1518 - { 1519 - #ifdef CONFIG_SYSCTL 1520 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 1521 - pn->ctl_compat_table = kmemdup(tcp_compat_sysctl_table, 1522 - sizeof(tcp_compat_sysctl_table), 1523 - GFP_KERNEL); 1524 - if (!pn->ctl_compat_table) 1525 - return -ENOMEM; 1526 - 1527 - pn->ctl_compat_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT]; 1528 - pn->ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2]; 1529 - pn->ctl_compat_table[2].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV]; 1530 - pn->ctl_compat_table[3].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED]; 1531 - pn->ctl_compat_table[4].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT]; 1532 - pn->ctl_compat_table[5].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT]; 1533 - pn->ctl_compat_table[6].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK]; 1534 - pn->ctl_compat_table[7].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT]; 1535 - pn->ctl_compat_table[8].data = &tn->timeouts[TCP_CONNTRACK_CLOSE]; 1536 - pn->ctl_compat_table[9].data = &tn->timeouts[TCP_CONNTRACK_RETRANS]; 1537 - pn->ctl_compat_table[10].data = &tn->tcp_loose; 1538 - pn->ctl_compat_table[11].data = &tn->tcp_be_liberal; 1539 - pn->ctl_compat_table[12].data = &tn->tcp_max_retrans; 1540 - #endif 1541 - #endif 1542 - return 0; 1543 - } 1544 - 1545 1600 static int tcp_init_net(struct net *net, u_int16_t proto) 1546 1601 { 1547 - int ret; 1548 1602 struct nf_tcp_net *tn = tcp_pernet(net); 1549 1603 struct nf_proto_net *pn = &tn->pn; 1550 1604 ··· 1529 1643 tn->tcp_max_retrans = nf_ct_tcp_max_retrans; 1530 1644 } 1531 1645 1532 - if (proto == AF_INET) { 1533 - ret = tcp_kmemdup_compat_sysctl_table(pn, tn); 1534 - if (ret < 0) 1535 - return ret; 1536 - 1537 - ret = tcp_kmemdup_sysctl_table(pn, tn); 1538 - if (ret < 0) 1539 - nf_ct_kfree_compat_sysctl_table(pn); 1540 - } else 1541 - ret = tcp_kmemdup_sysctl_table(pn, tn); 1542 - 1543 - return ret; 1646 + return tcp_kmemdup_sysctl_table(pn, tn); 1544 1647 } 1545 1648 1546 1649 static struct nf_proto_net *tcp_get_net_proto(struct net *net)
+1 -48
net/netfilter/nf_conntrack_proto_udp.c
··· 218 218 }, 219 219 { } 220 220 }; 221 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 222 - static struct ctl_table udp_compat_sysctl_table[] = { 223 - { 224 - .procname = "ip_conntrack_udp_timeout", 225 - .maxlen = sizeof(unsigned int), 226 - .mode = 0644, 227 - .proc_handler = proc_dointvec_jiffies, 228 - }, 229 - { 230 - .procname = "ip_conntrack_udp_timeout_stream", 231 - .maxlen = sizeof(unsigned int), 232 - .mode = 0644, 233 - .proc_handler = proc_dointvec_jiffies, 234 - }, 235 - { } 236 - }; 237 - #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 238 221 #endif /* CONFIG_SYSCTL */ 239 222 240 223 static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn, ··· 237 254 return 0; 238 255 } 239 256 240 - static int udp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn, 241 - struct nf_udp_net *un) 242 - { 243 - #ifdef CONFIG_SYSCTL 244 - #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 245 - pn->ctl_compat_table = kmemdup(udp_compat_sysctl_table, 246 - sizeof(udp_compat_sysctl_table), 247 - GFP_KERNEL); 248 - if (!pn->ctl_compat_table) 249 - return -ENOMEM; 250 - 251 - pn->ctl_compat_table[0].data = &un->timeouts[UDP_CT_UNREPLIED]; 252 - pn->ctl_compat_table[1].data = &un->timeouts[UDP_CT_REPLIED]; 253 - #endif 254 - #endif 255 - return 0; 256 - } 257 - 258 257 static int udp_init_net(struct net *net, u_int16_t proto) 259 258 { 260 - int ret; 261 259 struct nf_udp_net *un = udp_pernet(net); 262 260 struct nf_proto_net *pn = &un->pn; 263 261 ··· 249 285 un->timeouts[i] = udp_timeouts[i]; 250 286 } 251 287 252 - if (proto == AF_INET) { 253 - ret = udp_kmemdup_compat_sysctl_table(pn, un); 254 - if (ret < 0) 255 - return ret; 256 - 257 - ret = udp_kmemdup_sysctl_table(pn, un); 258 - if (ret < 0) 259 - nf_ct_kfree_compat_sysctl_table(pn); 260 - } else 261 - ret = udp_kmemdup_sysctl_table(pn, un); 262 - 263 - return ret; 288 + return udp_kmemdup_sysctl_table(pn, un); 264 289 } 265 290 266 291 static struct nf_proto_net *udp_get_net_proto(struct net *net)