
netfilter: nf_ct_ext: add timeout extension

This patch adds the timeout extension, which allows you to attach
specific timeout policies to flows.

This extension is only used by the template conntrack.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+160 -10
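--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -20,6 +20,9 @@
 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
 NF_CT_EXT_TSTAMP,
 #endif
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+NF_CT_EXT_TIMEOUT,
+#endif
 NF_CT_EXT_NUM,
 };
 
@@ -32,6 +29,7 @@
 #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache
 #define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone
 #define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp
+#define NF_CT_EXT_TIMEOUT_TYPE struct nf_conn_timeout
 
 /* Extensions: optional stuff which isn't permanently in struct. */
 struct nf_ct_ext {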
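--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
@@ -0,0 +1,78 @@
+#ifndef _NF_CONNTRACK_TIMEOUT_H
+#define _NF_CONNTRACK_TIMEOUT_H
+
+#include <net/net_namespace.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_extend.h>
+
+#define CTNL_TIMEOUT_NAME_MAX 32
+
+struct ctnl_timeout {
+struct list_head head;
+struct rcu_head rcu_head;
+atomic_t refcnt;
+char name[CTNL_TIMEOUT_NAME_MAX];
+__u16 l3num;
+__u8 l4num;
+char data[0];
+};
+
+struct nf_conn_timeout {
+struct ctnl_timeout *timeout;
+};
+
+#define NF_CT_TIMEOUT_EXT_DATA(__t) (unsigned int *) &((__t)->timeout->data)
+
+static inline
+struct nf_conn_timeout *nf_ct_timeout_find(const struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+return nf_ct_ext_find(ct, NF_CT_EXT_TIMEOUT);
+#else
+return NULL;
+#endif
+}
+
+static inline
+struct nf_conn_timeout *nf_ct_timeout_ext_add(struct nf_conn *ct,
+struct ctnl_timeout *timeout,
+gfp_t gfp)
+{
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+struct nf_conn_timeout *timeout_ext;
+
+timeout_ext = nf_ct_ext_add(ct, NF_CT_EXT_TIMEOUT, gfp);
+if (timeout_ext == NULL)
+return NULL;
+
+timeout_ext->timeout = timeout;
+
+return timeout_ext;
+#else
+return NULL;
+#endif
+};
+
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+extern int nf_conntrack_timeout_init(struct net *net);
+extern void nf_conntrack_timeout_fini(struct net *net);
+#else
+static inline int nf_conntrack_timeout_init(struct net *net)
+{
+return 0;
+}
+
+static inline void nf_conntrack_timeout_fini(struct net *net)
+{
+return;
+}
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+extern struct ctnl_timeout *(*nf_ct_timeout_find_get_hook)(const char *name);
+extern void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout);
+#endif
+
+#endif /* _NF_CONNTRACK_TIMEOUT_H */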
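Review bot: `NF_CT_TIMEOUT_EXT_DATA` (new line 26) casts the address of `data` to `unsigned int *`, but in `struct ctnl_timeout` the `char data[0]` member sits directly after `__u8 l4num` with nothing forcing its alignment, so on architectures that require natural alignment the resulting pointer may be misaligned for `unsigned int` loads; aligning the member, e.g. `char data[0] __attribute__((aligned(sizeof(unsigned int))));`, or declaring the trailing storage as an `unsigned int` flexible array would remove the hazard. Separately, `nf_ct_timeout_ext_add` stores `timeout` without touching `refcnt`, so the ownership rule is implicit; a comment such as `/* caller must hold a reference on @timeout (from nf_ct_timeout_find_get_hook) for the lifetime of the extension; released via nf_ct_timeout_put_hook */` would make the contract explicit for users of the template conntrack. The `};` closing `nf_ct_timeout_ext_add` on new line 56 carries a stray semicolon that forms an empty file-scope declaration and should be `}`.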
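--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -103,6 +103,16 @@
 
 If unsure, say `N'.
 
+config NF_CONNTRACK_TIMEOUT
+bool 'Connection tracking timeout'
+depends on NETFILTER_ADVANCED
+help
+This option enables support for connection tracking timeout
+extension. This allows you to attach timeout policies to flow
+via the CT target.
+
+If unsure, say `N'.
+
 config NF_CONNTRACK_TIMESTAMP
 bool 'Connection tracking timestamping'
 depends on NETFILTER_ADVANCED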
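Review bot: The help text for `NF_CONNTRACK_TIMEOUT` reads `attach timeout policies to flow via the CT target`; it should say `to flows`, and naming the option the policies come from would help users who do not know the CT target, e.g. `This allows you to attach timeout policies to flows via the CT target (see NETFILTER_XT_TARGET_CT).` — only if that symbol is the one providing the target in this tree. The option only depends on `NETFILTER_ADVANCED`, presumably relying on an enclosing `if NF_CONNTRACK` block like `NF_CONNTRACK_TIMESTAMP` just below it; worth confirming, since the hunk does not show that block.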
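--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -1,6 +1,7 @@
 netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o
 
 nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_expect.o nf_conntrack_helper.o nf_conntrack_proto.o nf_conntrack_l3proto_generic.o nf_conntrack_proto_generic.o nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o nf_conntrack_extend.o nf_conntrack_acct.o
+nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o
 nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o
 nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
 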
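--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -44,6 +44,7 @@
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
+#include <net/netfilter/nf_conntrack_timeout.h>
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_core.h>
 
@@ -1334,6 +1333,7 @@
 }
 
 nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
+nf_conntrack_timeout_fini(net);
 nf_conntrack_ecache_fini(net);
 nf_conntrack_tstamp_fini(net);
 nf_conntrack_acct_fini(net);
@@ -1566,9 +1564,14 @@
 ret = nf_conntrack_ecache_init(net);
 if (ret < 0)
 goto err_ecache;
+ret = nf_conntrack_timeout_init(net);
+if (ret < 0)
+goto err_timeout;
 
 return 0;
 
+err_timeout:
+nf_conntrack_timeout_fini(net);
 err_ecache:
 nf_conntrack_tstamp_fini(net);
 err_tstamp: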
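Review bot: The unwind added at `err_timeout:` in the third hunk is off by one step. The existing labels follow the pattern "err_X undoes the stage before X" (`err_ecache:` runs `nf_conntrack_tstamp_fini`, not `ecache_fini`), so a failed `nf_conntrack_timeout_init()` must tear down ecache; instead the new label calls `nf_conntrack_timeout_fini(net)` and then falls through to `nf_conntrack_tstamp_fini(net)`, which means `nf_conntrack_ecache_fini(net)` is never called on this path and `timeout_fini` is run for an init that failed — for `init_net` that unregisters an extension type that was never registered, per the new `nf_conntrack_timeout.c`. Change the label body to `nf_conntrack_ecache_fini(net);`. The enclosing init function starts and ends outside the hunk, so the remaining labels were not checked here.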
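--- a/net/netfilter/nf_conntrack_timeout.c
+++ b/net/netfilter/nf_conntrack_timeout.c
@@ -0,0 +1,60 @@
+/*
+* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+* (C) 2012 by Vyatta Inc. <http://www.vyatta.com>
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License version 2 as
+* published by the Free Software Foundation (or any later at your option).
+*/
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+#include <linux/skbuff.h>
+#include <linux/vmalloc.h>
+#include <linux/stddef.h>
+#include <linux/err.h>
+#include <linux/percpu.h>
+#include <linux/kernel.h>
+#include <linux/netdevice.h>
+#include <linux/slab.h>
+#include <linux/export.h>
+
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_timeout.h>
+
+struct ctnl_timeout *
+(*nf_ct_timeout_find_get_hook)(const char *name) __read_mostly;
+EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook);
+
+void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout) __read_mostly;
+EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook);
+
+static struct nf_ct_ext_type timeout_extend __read_mostly = {
+.len = sizeof(struct nf_conn_timeout),
+.align = __alignof__(struct nf_conn_timeout),
+.id = NF_CT_EXT_TIMEOUT,
+};
+
+int nf_conntrack_timeout_init(struct net *net)
+{
+int ret = 0;
+
+if (net_eq(net, &init_net)) {
+ret = nf_ct_extend_register(&timeout_extend);
+if (ret < 0) {
+printk(KERN_ERR "nf_ct_timeout: Unable to register "
+"timeout extension.\n");
+return ret;
+}
+}
+
+return 0;
+}
+
+void nf_conntrack_timeout_fini(struct net *net)
+{
+if (net_eq(net, &init_net))
+nf_ct_extend_unregister(&timeout_extend);
+}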
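Review bot: `nf_ct_timeout_find_get_hook` and `nf_ct_timeout_put_hook` (new lines 27-32) are exported as plain `__read_mostly` function pointers with no `__rcu` annotation and no statement of the access discipline; if callers outside this patch read the pointer and call through it while the implementing module clears it and unloads, there is a use-after-free window unless readers use `rcu_dereference()` under `rcu_read_lock()` and the setter calls `synchronize_rcu()` before unloading — that contract is not visible here, so it may already be handled by the consumer. A comment on the definitions would pin it down, e.g. `/* Set by the module that implements timeout policies; read under RCU, NULL when unloaded. */`. On style, `printk(KERN_ERR "nf_ct_timeout: ...")` could be `pr_err()` behind a `pr_fmt` definition, which is the form used by the more recent netfilter files, and `ret` in `nf_conntrack_timeout_init` needs no initializer since every path that reads it assigns it first.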