leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netfilter: conntrack: built-in support for SCTP

Browse Source 
CONFIG_NF_CT_PROTO_SCTP is no more a tristate. When set to y, connection
tracking support for SCTP protocol is built-in into nf_conntrack.ko.

footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \
        net/ipv4/netfilter/nf_conntrack_ipv4.ko \
        net/ipv6/netfilter/nf_conntrack_ipv6.ko

(builtin)||  sctp  |  ipv4  |  ipv6  | nf_conntrack
---------++--------+--------+--------+--------------
none     || 498243 | 828755 | 828676 | 6141434
SCTP     ||   -    | 829254 | 829175 | 6547872

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Davide Caratti 2016-11-15 15:08:26 +01:00 committed by Pablo Neira Ayuso
parent c51d39010a
commit a85406afeb
8 changed files with 38 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/net/netfilter/ipv4/nf_conntrack_ipv4.h
View File

@ -18,6 +18,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
#ifdef CONFIG_NF_CT_PROTO_DCCP #ifdef CONFIG_NF_CT_PROTO_DCCP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4; extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
#endif #endif
#ifdef CONFIG_NF_CT_PROTO_SCTP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4;
#endif
int nf_conntrack_ipv4_compat_init(void); int nf_conntrack_ipv4_compat_init(void);
void nf_conntrack_ipv4_compat_fini(void); void nf_conntrack_ipv4_compat_fini(void);

3
include/net/netfilter/ipv6/nf_conntrack_ipv6.h
View File

@ -9,6 +9,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
#ifdef CONFIG_NF_CT_PROTO_DCCP #ifdef CONFIG_NF_CT_PROTO_DCCP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6; extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
#endif #endif
#ifdef CONFIG_NF_CT_PROTO_SCTP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6;
#endif
#include <linux/sysctl.h> #include <linux/sysctl.h>
extern struct ctl_table nf_ct_ipv6_sysctl_table[]; extern struct ctl_table nf_ct_ipv6_sysctl_table[];

13
include/net/netns/conntrack.h
View File

@ -9,6 +9,9 @@
#ifdef CONFIG_NF_CT_PROTO_DCCP #ifdef CONFIG_NF_CT_PROTO_DCCP
#include <linux/netfilter/nf_conntrack_dccp.h> #include <linux/netfilter/nf_conntrack_dccp.h>
#endif #endif
#ifdef CONFIG_NF_CT_PROTO_SCTP
#include <linux/netfilter/nf_conntrack_sctp.h>
#endif
#include <linux/seqlock.h> #include <linux/seqlock.h>
struct ctl_table_header; struct ctl_table_header;
@ -59,6 +62,13 @@ struct nf_dccp_net {
}; };
#endif #endif
#ifdef CONFIG_NF_CT_PROTO_SCTP
struct nf_sctp_net {
struct nf_proto_net pn;
unsigned int timeouts[SCTP_CONNTRACK_MAX];
};
#endif
struct nf_ip_net { struct nf_ip_net {
struct nf_generic_net generic; struct nf_generic_net generic;
struct nf_tcp_net tcp; struct nf_tcp_net tcp;
@ -68,6 +78,9 @@ struct nf_ip_net {
#ifdef CONFIG_NF_CT_PROTO_DCCP #ifdef CONFIG_NF_CT_PROTO_DCCP
struct nf_dccp_net dccp; struct nf_dccp_net dccp;
#endif #endif
#ifdef CONFIG_NF_CT_PROTO_SCTP
struct nf_sctp_net sctp;
#endif
}; };
struct ct_pcpu { struct ct_pcpu {

3
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
View File

@ -343,6 +343,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {
#ifdef CONFIG_NF_CT_PROTO_DCCP #ifdef CONFIG_NF_CT_PROTO_DCCP
&nf_conntrack_l4proto_dccp4, &nf_conntrack_l4proto_dccp4,
#endif #endif
#ifdef CONFIG_NF_CT_PROTO_SCTP
&nf_conntrack_l4proto_sctp4,
#endif
}; };
static int ipv4_net_init(struct net *net) static int ipv4_net_init(struct net *net)

3
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
View File

@ -343,6 +343,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {
#ifdef CONFIG_NF_CT_PROTO_DCCP #ifdef CONFIG_NF_CT_PROTO_DCCP
&nf_conntrack_l4proto_dccp6, &nf_conntrack_l4proto_dccp6,
#endif #endif
#ifdef CONFIG_NF_CT_PROTO_SCTP
&nf_conntrack_l4proto_sctp6,
#endif
}; };
static int ipv6_net_init(struct net *net) static int ipv6_net_init(struct net *net)

7
net/netfilter/Kconfig
View File

@ -159,15 +159,14 @@ config NF_CT_PROTO_GRE
tristate tristate
config NF_CT_PROTO_SCTP config NF_CT_PROTO_SCTP
tristate 'SCTP protocol connection tracking support' bool 'SCTP protocol connection tracking support'
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
default IP_SCTP default y
help help
With this option enabled, the layer 3 independent connection With this option enabled, the layer 3 independent connection
tracking code will be able to do state tracking on SCTP connections. tracking code will be able to do state tracking on SCTP connections.
If you want to compile it as a module, say M here and read If unsure, say Y.
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NF_CT_PROTO_UDPLITE config NF_CT_PROTO_UDPLITE
tristate 'UDP-Lite protocol connection tracking support' tristate 'UDP-Lite protocol connection tracking support'

2
net/netfilter/Makefile
View File

@ -6,6 +6,7 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o
nf_conntrack-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o nf_conntrack-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o
nf_conntrack-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
obj-$(CONFIG_NETFILTER) = netfilter.o obj-$(CONFIG_NETFILTER) = netfilter.o
@ -18,7 +19,6 @@ obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
obj-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o
# netlink interface for nf_conntrack # netlink interface for nf_conntrack

76
net/netfilter/nf_conntrack_proto_sctp.c
View File

@ -15,7 +15,6 @@
#include <linux/types.h> #include <linux/types.h>
#include <linux/timer.h> #include <linux/timer.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/module.h>
#include <linux/in.h> #include <linux/in.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <linux/sctp.h> #include <linux/sctp.h>
@ -144,15 +143,9 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
} }
}; };
static unsigned int sctp_net_id __read_mostly; static inline struct nf_sctp_net *sctp_pernet(struct net *net)
struct sctp_net {
struct nf_proto_net pn;
unsigned int timeouts[SCTP_CONNTRACK_MAX];
};
static inline struct sctp_net *sctp_pernet(struct net *net)
{ {
return net_generic(net, sctp_net_id); return &net->ct.nf_ct_proto.sctp;
} }
static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
@ -600,7 +593,7 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data) struct net *net, void *data)
{ {
unsigned int *timeouts = data; unsigned int *timeouts = data;
struct sctp_net *sn = sctp_pernet(net); struct nf_sctp_net *sn = sctp_pernet(net);
int i; int i;
/* set default SCTP timeouts. */ /* set default SCTP timeouts. */
@ -708,7 +701,7 @@ static struct ctl_table sctp_sysctl_table[] = {
#endif #endif
static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn, static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
struct sctp_net *sn) struct nf_sctp_net *sn)
{ {
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
if (pn->ctl_table) if (pn->ctl_table)
@ -735,7 +728,7 @@ static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
static int sctp_init_net(struct net *net, u_int16_t proto) static int sctp_init_net(struct net *net, u_int16_t proto)
{ {
struct sctp_net *sn = sctp_pernet(net); struct nf_sctp_net *sn = sctp_pernet(net);
struct nf_proto_net *pn = &sn->pn; struct nf_proto_net *pn = &sn->pn;
if (!pn->users) { if (!pn->users) {
@ -748,7 +741,7 @@ static int sctp_init_net(struct net *net, u_int16_t proto)
return sctp_kmemdup_sysctl_table(pn, sn); return sctp_kmemdup_sysctl_table(pn, sn);
} }
static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = { struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.l3proto = PF_INET, .l3proto = PF_INET,
.l4proto = IPPROTO_SCTP, .l4proto = IPPROTO_SCTP,
.name = "sctp", .name = "sctp",
@ -778,11 +771,11 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.nla_policy = sctp_timeout_nla_policy, .nla_policy = sctp_timeout_nla_policy,
}, },
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
.net_id = &sctp_net_id,
.init_net = sctp_init_net, .init_net = sctp_init_net,
}; };
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = { struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
.l3proto = PF_INET6, .l3proto = PF_INET6,
.l4proto = IPPROTO_SCTP, .l4proto = IPPROTO_SCTP,
.name = "sctp", .name = "sctp",
@ -812,57 +805,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
}, },
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#endif #endif
.net_id = &sctp_net_id,
.init_net = sctp_init_net, .init_net = sctp_init_net,
}; };
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
static struct nf_conntrack_l4proto *sctp_proto[] = {
&nf_conntrack_l4proto_sctp4,
&nf_conntrack_l4proto_sctp6,
};
static int sctp_net_init(struct net *net)
{
return nf_ct_l4proto_pernet_register(net, sctp_proto,
ARRAY_SIZE(sctp_proto));
}
static void sctp_net_exit(struct net *net)
{
nf_ct_l4proto_pernet_unregister(net, sctp_proto,
ARRAY_SIZE(sctp_proto));
}
static struct pernet_operations sctp_net_ops = {
.init = sctp_net_init,
.exit = sctp_net_exit,
.id = &sctp_net_id,
.size = sizeof(struct sctp_net),
};
static int __init nf_conntrack_proto_sctp_init(void)
{
int ret;
ret = register_pernet_subsys(&sctp_net_ops);
if (ret < 0)
return ret;
ret = nf_ct_l4proto_register(sctp_proto, ARRAY_SIZE(sctp_proto));
if (ret < 0)
unregister_pernet_subsys(&sctp_net_ops);
return ret;
}
static void __exit nf_conntrack_proto_sctp_fini(void)
{
nf_ct_l4proto_unregister(sctp_proto, ARRAY_SIZE(sctp_proto));
unregister_pernet_subsys(&sctp_net_ops);
}
module_init(nf_conntrack_proto_sctp_init);
module_exit(nf_conntrack_proto_sctp_fini);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Kiran Kumar Immidi");
MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
MODULE_ALIAS("ip_conntrack_proto_sctp");