[NETFILTER]: nf_conntrack: automatic sysctl registation for conntrack protocols
Add helper functions for sysctl registration with optional instantiating of common path elements (like net/netfilter) and use it for support for automatic registation of conntrack protocol sysctls. Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
f8eb24a89a
commit
d62f9ed4a4
@ -117,6 +117,16 @@ void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n);
|
|||||||
int nf_register_sockopt(struct nf_sockopt_ops *reg);
|
int nf_register_sockopt(struct nf_sockopt_ops *reg);
|
||||||
void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
|
void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
|
||||||
|
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
/* Sysctl registration */
|
||||||
|
struct ctl_table_header *nf_register_sysctl_table(struct ctl_table *path,
|
||||||
|
struct ctl_table *table);
|
||||||
|
void nf_unregister_sysctl_table(struct ctl_table_header *header,
|
||||||
|
struct ctl_table *table);
|
||||||
|
extern struct ctl_table nf_net_netfilter_sysctl_path[];
|
||||||
|
extern struct ctl_table nf_net_ipv4_netfilter_sysctl_path[];
|
||||||
|
#endif /* CONFIG_SYSCTL */
|
||||||
|
|
||||||
extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
|
extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
|
||||||
|
|
||||||
/* those NF_LOG_* defines and struct nf_loginfo are legacy definitios that will
|
/* those NF_LOG_* defines and struct nf_loginfo are legacy definitios that will
|
||||||
|
@ -75,6 +75,12 @@ struct nf_conntrack_l3proto
|
|||||||
int (*nfattr_to_tuple)(struct nfattr *tb[],
|
int (*nfattr_to_tuple)(struct nfattr *tb[],
|
||||||
struct nf_conntrack_tuple *t);
|
struct nf_conntrack_tuple *t);
|
||||||
|
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
struct ctl_table_header *ctl_table_header;
|
||||||
|
struct ctl_table *ctl_table_path;
|
||||||
|
struct ctl_table *ctl_table;
|
||||||
|
#endif /* CONFIG_SYSCTL */
|
||||||
|
|
||||||
/* Module (if any) which this is connected to. */
|
/* Module (if any) which this is connected to. */
|
||||||
struct module *me;
|
struct module *me;
|
||||||
};
|
};
|
||||||
|
@ -76,6 +76,12 @@ struct nf_conntrack_l4proto
|
|||||||
int (*nfattr_to_tuple)(struct nfattr *tb[],
|
int (*nfattr_to_tuple)(struct nfattr *tb[],
|
||||||
struct nf_conntrack_tuple *t);
|
struct nf_conntrack_tuple *t);
|
||||||
|
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
struct ctl_table_header **ctl_table_header;
|
||||||
|
struct ctl_table *ctl_table;
|
||||||
|
unsigned int *ctl_table_users;
|
||||||
|
#endif /* CONFIG_SYSCTL */
|
||||||
|
|
||||||
/* Module (if any) which this is connected to. */
|
/* Module (if any) which this is connected to. */
|
||||||
struct module *me;
|
struct module *me;
|
||||||
};
|
};
|
||||||
|
@ -4,6 +4,7 @@ nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_exp
|
|||||||
nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
|
nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
|
||||||
|
|
||||||
obj-$(CONFIG_NETFILTER) = netfilter.o
|
obj-$(CONFIG_NETFILTER) = netfilter.o
|
||||||
|
obj-$(CONFIG_SYSCTL) += nf_sysctl.o
|
||||||
|
|
||||||
obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
|
obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
|
||||||
obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
|
obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
#include <linux/types.h>
|
#include <linux/types.h>
|
||||||
#include <linux/netfilter.h>
|
#include <linux/netfilter.h>
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
|
#include <linux/mutex.h>
|
||||||
#include <linux/skbuff.h>
|
#include <linux/skbuff.h>
|
||||||
#include <linux/vmalloc.h>
|
#include <linux/vmalloc.h>
|
||||||
#include <linux/stddef.h>
|
#include <linux/stddef.h>
|
||||||
@ -30,6 +31,34 @@
|
|||||||
struct nf_conntrack_l4proto **nf_ct_protos[PF_MAX] __read_mostly;
|
struct nf_conntrack_l4proto **nf_ct_protos[PF_MAX] __read_mostly;
|
||||||
struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX] __read_mostly;
|
struct nf_conntrack_l3proto *nf_ct_l3protos[AF_MAX] __read_mostly;
|
||||||
|
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
static DEFINE_MUTEX(nf_ct_proto_sysctl_mutex);
|
||||||
|
|
||||||
|
static int
|
||||||
|
nf_ct_register_sysctl(struct ctl_table_header **header, struct ctl_table *path,
|
||||||
|
struct ctl_table *table, unsigned int *users)
|
||||||
|
{
|
||||||
|
if (*header == NULL) {
|
||||||
|
*header = nf_register_sysctl_table(path, table);
|
||||||
|
if (*header == NULL)
|
||||||
|
return -ENOMEM;
|
||||||
|
}
|
||||||
|
if (users != NULL)
|
||||||
|
(*users)++;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
nf_ct_unregister_sysctl(struct ctl_table_header **header,
|
||||||
|
struct ctl_table *table, unsigned int *users)
|
||||||
|
{
|
||||||
|
if (users != NULL && --*users > 0)
|
||||||
|
return;
|
||||||
|
nf_unregister_sysctl_table(*header, table);
|
||||||
|
*header = NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
struct nf_conntrack_l4proto *
|
struct nf_conntrack_l4proto *
|
||||||
__nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto)
|
__nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto)
|
||||||
{
|
{
|
||||||
@ -124,6 +153,33 @@ static int kill_l4proto(struct nf_conn *i, void *data)
|
|||||||
l4proto->l3proto);
|
l4proto->l3proto);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
|
||||||
|
{
|
||||||
|
int err = 0;
|
||||||
|
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
mutex_lock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
if (l3proto->ctl_table != NULL) {
|
||||||
|
err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
|
||||||
|
l3proto->ctl_table_path,
|
||||||
|
l3proto->ctl_table, NULL);
|
||||||
|
}
|
||||||
|
mutex_unlock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
#endif
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
|
||||||
|
{
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
mutex_lock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
if (l3proto->ctl_table_header != NULL)
|
||||||
|
nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
|
||||||
|
l3proto->ctl_table, NULL);
|
||||||
|
mutex_unlock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
|
int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
@ -139,6 +195,12 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
|
|||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
nf_ct_l3protos[proto->l3proto] = proto;
|
nf_ct_l3protos[proto->l3proto] = proto;
|
||||||
|
write_unlock_bh(&nf_conntrack_lock);
|
||||||
|
|
||||||
|
ret = nf_ct_l3proto_register_sysctl(proto);
|
||||||
|
if (ret < 0)
|
||||||
|
nf_conntrack_l3proto_unregister(proto);
|
||||||
|
return ret;
|
||||||
|
|
||||||
out_unlock:
|
out_unlock:
|
||||||
write_unlock_bh(&nf_conntrack_lock);
|
write_unlock_bh(&nf_conntrack_lock);
|
||||||
@ -165,6 +227,8 @@ int nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
|
|||||||
nf_ct_l3protos[proto->l3proto] = &nf_conntrack_l3proto_generic;
|
nf_ct_l3protos[proto->l3proto] = &nf_conntrack_l3proto_generic;
|
||||||
write_unlock_bh(&nf_conntrack_lock);
|
write_unlock_bh(&nf_conntrack_lock);
|
||||||
|
|
||||||
|
nf_ct_l3proto_unregister_sysctl(proto);
|
||||||
|
|
||||||
/* Somebody could be still looking at the proto in bh. */
|
/* Somebody could be still looking at the proto in bh. */
|
||||||
synchronize_net();
|
synchronize_net();
|
||||||
|
|
||||||
@ -175,6 +239,36 @@ out:
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
|
||||||
|
{
|
||||||
|
int err = 0;
|
||||||
|
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
mutex_lock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
if (l4proto->ctl_table != NULL) {
|
||||||
|
err = nf_ct_register_sysctl(l4proto->ctl_table_header,
|
||||||
|
nf_net_netfilter_sysctl_path,
|
||||||
|
l4proto->ctl_table,
|
||||||
|
l4proto->ctl_table_users);
|
||||||
|
}
|
||||||
|
mutex_unlock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
#endif
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
|
||||||
|
{
|
||||||
|
#ifdef CONFIG_SYSCTL
|
||||||
|
mutex_lock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
if (l4proto->ctl_table_header != NULL &&
|
||||||
|
*l4proto->ctl_table_header != NULL)
|
||||||
|
nf_ct_unregister_sysctl(l4proto->ctl_table_header,
|
||||||
|
l4proto->ctl_table,
|
||||||
|
l4proto->ctl_table_users);
|
||||||
|
mutex_unlock(&nf_ct_proto_sysctl_mutex);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
/* FIXME: Allow NULL functions and sub in pointers to generic for
|
/* FIXME: Allow NULL functions and sub in pointers to generic for
|
||||||
them. --RR */
|
them. --RR */
|
||||||
int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
|
int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
|
||||||
@ -230,6 +324,12 @@ retry:
|
|||||||
}
|
}
|
||||||
|
|
||||||
nf_ct_protos[l4proto->l3proto][l4proto->l4proto] = l4proto;
|
nf_ct_protos[l4proto->l3proto][l4proto->l4proto] = l4proto;
|
||||||
|
write_unlock_bh(&nf_conntrack_lock);
|
||||||
|
|
||||||
|
ret = nf_ct_l4proto_register_sysctl(l4proto);
|
||||||
|
if (ret < 0)
|
||||||
|
nf_conntrack_l4proto_unregister(l4proto);
|
||||||
|
return ret;
|
||||||
|
|
||||||
out_unlock:
|
out_unlock:
|
||||||
write_unlock_bh(&nf_conntrack_lock);
|
write_unlock_bh(&nf_conntrack_lock);
|
||||||
@ -257,6 +357,8 @@ int nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
|
|||||||
= &nf_conntrack_l4proto_generic;
|
= &nf_conntrack_l4proto_generic;
|
||||||
write_unlock_bh(&nf_conntrack_lock);
|
write_unlock_bh(&nf_conntrack_lock);
|
||||||
|
|
||||||
|
nf_ct_l4proto_unregister_sysctl(l4proto);
|
||||||
|
|
||||||
/* Somebody could be still looking at the proto in bh. */
|
/* Somebody could be still looking at the proto in bh. */
|
||||||
synchronize_net();
|
synchronize_net();
|
||||||
|
|
||||||
|
134
net/netfilter/nf_sysctl.c
Normal file
134
net/netfilter/nf_sysctl.c
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
/* nf_sysctl.c netfilter sysctl registration/unregistation
|
||||||
|
*
|
||||||
|
* Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
|
||||||
|
*/
|
||||||
|
#include <linux/module.h>
|
||||||
|
#include <linux/sysctl.h>
|
||||||
|
#include <linux/string.h>
|
||||||
|
#include <linux/slab.h>
|
||||||
|
|
||||||
|
static void
|
||||||
|
path_free(struct ctl_table *path, struct ctl_table *table)
|
||||||
|
{
|
||||||
|
struct ctl_table *t, *next;
|
||||||
|
|
||||||
|
for (t = path; t != NULL && t != table; t = next) {
|
||||||
|
next = t->child;
|
||||||
|
kfree(t);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static struct ctl_table *
|
||||||
|
path_dup(struct ctl_table *path, struct ctl_table *table)
|
||||||
|
{
|
||||||
|
struct ctl_table *t, *last = NULL, *tmp;
|
||||||
|
|
||||||
|
for (t = path; t != NULL; t = t->child) {
|
||||||
|
/* twice the size since path elements are terminated by an
|
||||||
|
* empty element */
|
||||||
|
tmp = kmemdup(t, 2 * sizeof(*t), GFP_KERNEL);
|
||||||
|
if (tmp == NULL) {
|
||||||
|
if (last != NULL)
|
||||||
|
path_free(path, table);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (last != NULL)
|
||||||
|
last->child = tmp;
|
||||||
|
else
|
||||||
|
path = tmp;
|
||||||
|
last = tmp;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (last != NULL)
|
||||||
|
last->child = table;
|
||||||
|
else
|
||||||
|
path = table;
|
||||||
|
|
||||||
|
return path;
|
||||||
|
}
|
||||||
|
|
||||||
|
struct ctl_table_header *
|
||||||
|
nf_register_sysctl_table(struct ctl_table *path, struct ctl_table *table)
|
||||||
|
{
|
||||||
|
struct ctl_table_header *header;
|
||||||
|
|
||||||
|
path = path_dup(path, table);
|
||||||
|
if (path == NULL)
|
||||||
|
return NULL;
|
||||||
|
header = register_sysctl_table(path, 0);
|
||||||
|
if (header == NULL)
|
||||||
|
path_free(path, table);
|
||||||
|
return header;
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(nf_register_sysctl_table);
|
||||||
|
|
||||||
|
void
|
||||||
|
nf_unregister_sysctl_table(struct ctl_table_header *header,
|
||||||
|
struct ctl_table *table)
|
||||||
|
{
|
||||||
|
struct ctl_table *path = header->ctl_table;
|
||||||
|
|
||||||
|
unregister_sysctl_table(header);
|
||||||
|
path_free(path, table);
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(nf_unregister_sysctl_table);
|
||||||
|
|
||||||
|
/* net/netfilter */
|
||||||
|
static struct ctl_table nf_net_netfilter_table[] = {
|
||||||
|
{
|
||||||
|
.ctl_name = NET_NETFILTER,
|
||||||
|
.procname = "netfilter",
|
||||||
|
.mode = 0555,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.ctl_name = 0
|
||||||
|
}
|
||||||
|
};
|
||||||
|
struct ctl_table nf_net_netfilter_sysctl_path[] = {
|
||||||
|
{
|
||||||
|
.ctl_name = CTL_NET,
|
||||||
|
.procname = "net",
|
||||||
|
.mode = 0555,
|
||||||
|
.child = nf_net_netfilter_table,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.ctl_name = 0
|
||||||
|
}
|
||||||
|
};
|
||||||
|
EXPORT_SYMBOL_GPL(nf_net_netfilter_sysctl_path);
|
||||||
|
|
||||||
|
/* net/ipv4/netfilter */
|
||||||
|
static struct ctl_table nf_net_ipv4_netfilter_table[] = {
|
||||||
|
{
|
||||||
|
.ctl_name = NET_IPV4_NETFILTER,
|
||||||
|
.procname = "netfilter",
|
||||||
|
.mode = 0555,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.ctl_name = 0
|
||||||
|
}
|
||||||
|
};
|
||||||
|
static struct ctl_table nf_net_ipv4_table[] = {
|
||||||
|
{
|
||||||
|
.ctl_name = NET_IPV4,
|
||||||
|
.procname = "ipv4",
|
||||||
|
.mode = 0555,
|
||||||
|
.child = nf_net_ipv4_netfilter_table,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.ctl_name = 0
|
||||||
|
}
|
||||||
|
};
|
||||||
|
struct ctl_table nf_net_ipv4_netfilter_sysctl_path[] = {
|
||||||
|
{
|
||||||
|
.ctl_name = CTL_NET,
|
||||||
|
.procname = "net",
|
||||||
|
.mode = 0555,
|
||||||
|
.child = nf_net_ipv4_table,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.ctl_name = 0
|
||||||
|
}
|
||||||
|
};
|
||||||
|
EXPORT_SYMBOL_GPL(nf_net_ipv4_netfilter_sysctl_path);
|
Loading…
Reference in New Issue
Block a user