diff options
| author | Florian Westphal <fw@strlen.de> | 2016-11-15 15:36:45 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-12-06 15:42:00 -0500 |
| commit | 834184b1f3a4635efbdfdae5fb437f109f6605fa (patch) | |
| tree | 6ea25a837123c698a7feead4ee5e2d0f2e74cda4 /include/net | |
| parent | 481fa3734769b67f00ed09a42f2a6a8cbd00b869 (diff) | |
netfilter: defrag: only register defrag functionality if needed
nf_defrag modules for ipv4 and ipv6 export an empty stub function.
Any module that needs the defragmentation hooks registered simply 'calls'
this empty function to create a phony module dependency -- modprobe will
then load the defrag module too.
This extends netfilter ipv4/ipv6 defragmentation modules to delay the hook
registration until the functionality is requested within a network namespace
instead of module load time for all namespaces.
Hooks are only un-registered on module unload or when a namespace that used
such defrag functionality exits.
We have to use struct net for this as the register hooks can be called
before netns initialization here from the ipv4/ipv6 conntrack module
init path.
There is no unregister functionality support, defrag will always be
active once it was requested inside a net namespace.
The reason is that defrag has impact on nft and iptables rulesets
(without defrag we might see framents).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/ipv4/nf_defrag_ipv4.h | 3 | ||||
| -rw-r--r-- | include/net/netfilter/ipv6/nf_defrag_ipv6.h | 3 | ||||
| -rw-r--r-- | include/net/netns/netfilter.h | 6 |
3 files changed, 10 insertions, 2 deletions
diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h b/include/net/netfilter/ipv4/nf_defrag_ipv4.h index f01ef208dff6..db405f70e538 100644 --- a/include/net/netfilter/ipv4/nf_defrag_ipv4.h +++ b/include/net/netfilter/ipv4/nf_defrag_ipv4.h | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | #ifndef _NF_DEFRAG_IPV4_H | 1 | #ifndef _NF_DEFRAG_IPV4_H |
| 2 | #define _NF_DEFRAG_IPV4_H | 2 | #define _NF_DEFRAG_IPV4_H |
| 3 | 3 | ||
| 4 | void nf_defrag_ipv4_enable(void); | 4 | struct net; |
| 5 | int nf_defrag_ipv4_enable(struct net *); | ||
| 5 | 6 | ||
| 6 | #endif /* _NF_DEFRAG_IPV4_H */ | 7 | #endif /* _NF_DEFRAG_IPV4_H */ |
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h index ddf162f7966f..7664efe37974 100644 --- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h +++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h | |||
| @@ -1,7 +1,8 @@ | |||
| 1 | #ifndef _NF_DEFRAG_IPV6_H | 1 | #ifndef _NF_DEFRAG_IPV6_H |
| 2 | #define _NF_DEFRAG_IPV6_H | 2 | #define _NF_DEFRAG_IPV6_H |
| 3 | 3 | ||
| 4 | void nf_defrag_ipv6_enable(void); | 4 | struct net; |
| 5 | int nf_defrag_ipv6_enable(struct net *); | ||
| 5 | 6 | ||
| 6 | int nf_ct_frag6_init(void); | 7 | int nf_ct_frag6_init(void); |
| 7 | void nf_ct_frag6_cleanup(void); | 8 | void nf_ct_frag6_cleanup(void); |
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h index 58487b1cc99a..cea396b53a60 100644 --- a/include/net/netns/netfilter.h +++ b/include/net/netns/netfilter.h | |||
| @@ -17,5 +17,11 @@ struct netns_nf { | |||
| 17 | struct ctl_table_header *nf_log_dir_header; | 17 | struct ctl_table_header *nf_log_dir_header; |
| 18 | #endif | 18 | #endif |
| 19 | struct nf_hook_entry __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; | 19 | struct nf_hook_entry __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; |
| 20 | #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) | ||
| 21 | bool defrag_ipv4; | ||
| 22 | #endif | ||
| 23 | #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) | ||
| 24 | bool defrag_ipv6; | ||
| 25 | #endif | ||
| 20 | }; | 26 | }; |
| 21 | #endif | 27 | #endif |