tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: add and use nf_ct_netns_get/put

currently aliased to try_module_get/_put.
Will be changed in next patch when we add functions to make use of ->net
argument to store usercount per l3proto tracker.

This is needed to avoid registering the conntrack hooks in all netns and
later only enable connection tracking in those that need conntrack.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso ecb2421b a379854d

+58 -42
+4
include/net/netfilter/nf_conntrack.h
··· 181 181 int nf_ct_l3proto_try_module_get(unsigned short l3proto); 182 182 void nf_ct_l3proto_module_put(unsigned short l3proto); 183 183 184 + /* load module; enable/disable conntrack in this namespace */ 185 + int nf_ct_netns_get(struct net *net, u8 nfproto); 186 + void nf_ct_netns_put(struct net *net, u8 nfproto); 187 + 184 188 /* 185 189 * Allocate a hashtable of hlist_head (if nulls == 0), 186 190 * or hlist_nulls_head (if nulls == 1)
+2 -2
net/ipv4/netfilter/ipt_CLUSTERIP.c
··· 419 419 } 420 420 cipinfo->config = config; 421 421 422 - ret = nf_ct_l3proto_try_module_get(par->family); 422 + ret = nf_ct_netns_get(par->net, par->family); 423 423 if (ret < 0) 424 424 pr_info("cannot load conntrack support for proto=%u\n", 425 425 par->family); ··· 444 444 445 445 clusterip_config_put(cipinfo->config); 446 446 447 - nf_ct_l3proto_module_put(par->family); 447 + nf_ct_netns_get(par->net, par->family); 448 448 } 449 449 450 450 #ifdef CONFIG_COMPAT
+2 -2
net/ipv4/netfilter/ipt_SYNPROXY.c
··· 418 418 e->ip.invflags & XT_INV_PROTO) 419 419 return -EINVAL; 420 420 421 - return nf_ct_l3proto_try_module_get(par->family); 421 + return nf_ct_netns_get(par->net, par->family); 422 422 } 423 423 424 424 static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par) 425 425 { 426 - nf_ct_l3proto_module_put(par->family); 426 + nf_ct_netns_put(par->net, par->family); 427 427 } 428 428 429 429 static struct xt_target synproxy_tg4_reg __read_mostly = {
+2 -2
net/ipv6/netfilter/ip6t_SYNPROXY.c
··· 440 440 e->ipv6.invflags & XT_INV_PROTO) 441 441 return -EINVAL; 442 442 443 - return nf_ct_l3proto_try_module_get(par->family); 443 + return nf_ct_netns_get(par->net, par->family); 444 444 } 445 445 446 446 static void synproxy_tg6_destroy(const struct xt_tgdtor_param *par) 447 447 { 448 - nf_ct_l3proto_module_put(par->family); 448 + nf_ct_netns_put(par->net, par->family); 449 449 } 450 450 451 451 static struct xt_target synproxy_tg6_reg __read_mostly = {
+12
net/netfilter/nf_conntrack_proto.c
··· 125 125 } 126 126 EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put); 127 127 128 + int nf_ct_netns_get(struct net *net, u8 nfproto) 129 + { 130 + return nf_ct_l3proto_try_module_get(nfproto); 131 + } 132 + EXPORT_SYMBOL_GPL(nf_ct_netns_get); 133 + 134 + void nf_ct_netns_put(struct net *net, u8 nfproto) 135 + { 136 + nf_ct_l3proto_module_put(nfproto); 137 + } 138 + EXPORT_SYMBOL_GPL(nf_ct_netns_put); 139 + 128 140 struct nf_conntrack_l4proto * 129 141 nf_ct_l4proto_find_get(u_int16_t l3num, u_int8_t l4num) 130 142 {
+13 -13
net/netfilter/nft_ct.c
··· 208 208 [NFTA_CT_SREG] = { .type = NLA_U32 }, 209 209 }; 210 210 211 - static int nft_ct_l3proto_try_module_get(uint8_t family) 211 + static int nft_ct_netns_get(struct net *net, uint8_t family) 212 212 { 213 213 int err; 214 214 215 215 if (family == NFPROTO_INET) { 216 - err = nf_ct_l3proto_try_module_get(NFPROTO_IPV4); 216 + err = nf_ct_netns_get(net, NFPROTO_IPV4); 217 217 if (err < 0) 218 218 goto err1; 219 - err = nf_ct_l3proto_try_module_get(NFPROTO_IPV6); 219 + err = nf_ct_netns_get(net, NFPROTO_IPV6); 220 220 if (err < 0) 221 221 goto err2; 222 222 } else { 223 - err = nf_ct_l3proto_try_module_get(family); 223 + err = nf_ct_netns_get(net, family); 224 224 if (err < 0) 225 225 goto err1; 226 226 } 227 227 return 0; 228 228 229 229 err2: 230 - nf_ct_l3proto_module_put(NFPROTO_IPV4); 230 + nf_ct_netns_put(net, NFPROTO_IPV4); 231 231 err1: 232 232 return err; 233 233 } 234 234 235 - static void nft_ct_l3proto_module_put(uint8_t family) 235 + static void nft_ct_netns_put(struct net *net, uint8_t family) 236 236 { 237 237 if (family == NFPROTO_INET) { 238 - nf_ct_l3proto_module_put(NFPROTO_IPV4); 239 - nf_ct_l3proto_module_put(NFPROTO_IPV6); 238 + nf_ct_netns_put(net, NFPROTO_IPV4); 239 + nf_ct_netns_put(net, NFPROTO_IPV6); 240 240 } else 241 - nf_ct_l3proto_module_put(family); 241 + nf_ct_netns_put(net, family); 242 242 } 243 243 244 244 static int nft_ct_get_init(const struct nft_ctx *ctx, ··· 342 342 if (err < 0) 343 343 return err; 344 344 345 - err = nft_ct_l3proto_try_module_get(ctx->afi->family); 345 + err = nft_ct_netns_get(ctx->net, ctx->afi->family); 346 346 if (err < 0) 347 347 return err; 348 348 ··· 390 390 if (err < 0) 391 391 goto err1; 392 392 393 - err = nft_ct_l3proto_try_module_get(ctx->afi->family); 393 + err = nft_ct_netns_get(ctx->net, ctx->afi->family); 394 394 if (err < 0) 395 395 goto err1; 396 396 ··· 405 405 static void nft_ct_get_destroy(const struct nft_ctx *ctx, 406 406 const struct nft_expr *expr) 407 407 { 408 - nft_ct_l3proto_module_put(ctx->afi->family); 408 + nf_ct_netns_put(ctx->net, ctx->afi->family); 409 409 } 410 410 411 411 static void nft_ct_set_destroy(const struct nft_ctx *ctx, ··· 423 423 break; 424 424 } 425 425 426 - nft_ct_l3proto_module_put(ctx->afi->family); 426 + nft_ct_netns_put(ctx->net, ctx->afi->family); 427 427 } 428 428 429 429 static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
+2 -2
net/netfilter/xt_CONNSECMARK.c
··· 106 106 return -EINVAL; 107 107 } 108 108 109 - ret = nf_ct_l3proto_try_module_get(par->family); 109 + ret = nf_ct_netns_get(par->net, par->family); 110 110 if (ret < 0) 111 111 pr_info("cannot load conntrack support for proto=%u\n", 112 112 par->family); ··· 115 115 116 116 static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par) 117 117 { 118 - nf_ct_l3proto_module_put(par->family); 118 + nf_ct_netns_put(par->net, par->family); 119 119 } 120 120 121 121 static struct xt_target connsecmark_tg_reg __read_mostly = {
+3 -3
net/netfilter/xt_CT.c
··· 216 216 goto err1; 217 217 #endif 218 218 219 - ret = nf_ct_l3proto_try_module_get(par->family); 219 + ret = nf_ct_netns_get(par->net, par->family); 220 220 if (ret < 0) 221 221 goto err1; 222 222 ··· 260 260 err3: 261 261 nf_ct_tmpl_free(ct); 262 262 err2: 263 - nf_ct_l3proto_module_put(par->family); 263 + nf_ct_netns_put(par->net, par->family); 264 264 err1: 265 265 return ret; 266 266 } ··· 341 341 if (help) 342 342 module_put(help->helper->me); 343 343 344 - nf_ct_l3proto_module_put(par->family); 344 + nf_ct_netns_put(par->net, par->family); 345 345 346 346 xt_ct_destroy_timeout(ct); 347 347 nf_ct_put(info->ct);
+2 -2
net/netfilter/xt_connbytes.c
··· 110 110 sinfo->direction != XT_CONNBYTES_DIR_BOTH) 111 111 return -EINVAL; 112 112 113 - ret = nf_ct_l3proto_try_module_get(par->family); 113 + ret = nf_ct_netns_get(par->net, par->family); 114 114 if (ret < 0) 115 115 pr_info("cannot load conntrack support for proto=%u\n", 116 116 par->family); ··· 129 129 130 130 static void connbytes_mt_destroy(const struct xt_mtdtor_param *par) 131 131 { 132 - nf_ct_l3proto_module_put(par->family); 132 + nf_ct_netns_put(par->net, par->family); 133 133 } 134 134 135 135 static struct xt_match connbytes_mt_reg __read_mostly = {
+3 -3
net/netfilter/xt_connlabel.c
··· 61 61 return -EINVAL; 62 62 } 63 63 64 - ret = nf_ct_l3proto_try_module_get(par->family); 64 + ret = nf_ct_netns_get(par->net, par->family); 65 65 if (ret < 0) { 66 66 pr_info("cannot load conntrack support for proto=%u\n", 67 67 par->family); ··· 70 70 71 71 ret = nf_connlabels_get(par->net, info->bit); 72 72 if (ret < 0) 73 - nf_ct_l3proto_module_put(par->family); 73 + nf_ct_netns_put(par->net, par->family); 74 74 return ret; 75 75 } 76 76 77 77 static void connlabel_mt_destroy(const struct xt_mtdtor_param *par) 78 78 { 79 79 nf_connlabels_put(par->net); 80 - nf_ct_l3proto_module_put(par->family); 80 + nf_ct_netns_put(par->net, par->family); 81 81 } 82 82 83 83 static struct xt_match connlabels_mt_reg __read_mostly = {
+3 -3
net/netfilter/xt_connlimit.c
··· 368 368 369 369 net_get_random_once(&connlimit_rnd, sizeof(connlimit_rnd)); 370 370 371 - ret = nf_ct_l3proto_try_module_get(par->family); 371 + ret = nf_ct_netns_get(par->net, par->family); 372 372 if (ret < 0) { 373 373 pr_info("cannot load conntrack support for " 374 374 "address family %u\n", par->family); ··· 378 378 /* init private data */ 379 379 info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL); 380 380 if (info->data == NULL) { 381 - nf_ct_l3proto_module_put(par->family); 381 + nf_ct_netns_put(par->net, par->family); 382 382 return -ENOMEM; 383 383 } 384 384 ··· 414 414 const struct xt_connlimit_info *info = par->matchinfo; 415 415 unsigned int i; 416 416 417 - nf_ct_l3proto_module_put(par->family); 417 + nf_ct_netns_put(par->net, par->family); 418 418 419 419 for (i = 0; i < ARRAY_SIZE(info->data->climit_root4); ++i) 420 420 destroy_tree(&info->data->climit_root4[i]);
+4 -4
net/netfilter/xt_connmark.c
··· 77 77 { 78 78 int ret; 79 79 80 - ret = nf_ct_l3proto_try_module_get(par->family); 80 + ret = nf_ct_netns_get(par->net, par->family); 81 81 if (ret < 0) 82 82 pr_info("cannot load conntrack support for proto=%u\n", 83 83 par->family); ··· 86 86 87 87 static void connmark_tg_destroy(const struct xt_tgdtor_param *par) 88 88 { 89 - nf_ct_l3proto_module_put(par->family); 89 + nf_ct_netns_put(par->net, par->family); 90 90 } 91 91 92 92 static bool ··· 107 107 { 108 108 int ret; 109 109 110 - ret = nf_ct_l3proto_try_module_get(par->family); 110 + ret = nf_ct_netns_get(par->net, par->family); 111 111 if (ret < 0) 112 112 pr_info("cannot load conntrack support for proto=%u\n", 113 113 par->family); ··· 116 116 117 117 static void connmark_mt_destroy(const struct xt_mtdtor_param *par) 118 118 { 119 - nf_ct_l3proto_module_put(par->family); 119 + nf_ct_netns_put(par->net, par->family); 120 120 } 121 121 122 122 static struct xt_target connmark_tg_reg __read_mostly = {
+2 -2
net/netfilter/xt_conntrack.c
··· 271 271 { 272 272 int ret; 273 273 274 - ret = nf_ct_l3proto_try_module_get(par->family); 274 + ret = nf_ct_netns_get(par->net, par->family); 275 275 if (ret < 0) 276 276 pr_info("cannot load conntrack support for proto=%u\n", 277 277 par->family); ··· 280 280 281 281 static void conntrack_mt_destroy(const struct xt_mtdtor_param *par) 282 282 { 283 - nf_ct_l3proto_module_put(par->family); 283 + nf_ct_netns_put(par->net, par->family); 284 284 } 285 285 286 286 static struct xt_match conntrack_mt_reg[] __read_mostly = {
+2 -2
net/netfilter/xt_helper.c
··· 59 59 struct xt_helper_info *info = par->matchinfo; 60 60 int ret; 61 61 62 - ret = nf_ct_l3proto_try_module_get(par->family); 62 + ret = nf_ct_netns_get(par->net, par->family); 63 63 if (ret < 0) { 64 64 pr_info("cannot load conntrack support for proto=%u\n", 65 65 par->family); ··· 71 71 72 72 static void helper_mt_destroy(const struct xt_mtdtor_param *par) 73 73 { 74 - nf_ct_l3proto_module_put(par->family); 74 + nf_ct_netns_put(par->net, par->family); 75 75 } 76 76 77 77 static struct xt_match helper_mt_reg __read_mostly = {
+2 -2
net/netfilter/xt_state.c
··· 43 43 { 44 44 int ret; 45 45 46 - ret = nf_ct_l3proto_try_module_get(par->family); 46 + ret = nf_ct_netns_get(par->net, par->family); 47 47 if (ret < 0) 48 48 pr_info("cannot load conntrack support for proto=%u\n", 49 49 par->family); ··· 52 52 53 53 static void state_mt_destroy(const struct xt_mtdtor_param *par) 54 54 { 55 - nf_ct_l3proto_module_put(par->family); 55 + nf_ct_netns_put(par->net, par->family); 56 56 } 57 57 58 58 static struct xt_match state_mt_reg __read_mostly = {