aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/netfilter/nf_conntrack_l4proto.h8
-rw-r--r--include/net/netns/conntrack.h8
-rw-r--r--net/ipv4/netfilter/Kconfig11
-rw-r--r--net/ipv4/netfilter/Makefile5
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c70
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c491
-rw-r--r--net/ipv4/netfilter/nf_conntrack_proto_icmp.c39
-rw-r--r--net/netfilter/nf_conntrack_core.c3
-rw-r--r--net/netfilter/nf_conntrack_proto.c81
-rw-r--r--net/netfilter/nf_conntrack_proto_generic.c39
-rw-r--r--net/netfilter/nf_conntrack_proto_sctp.c85
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c127
-rw-r--r--net/netfilter/nf_conntrack_proto_udp.c49
13 files changed, 7 insertions, 1009 deletions
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 1a5fb36f165f..de629f1520df 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -134,14 +134,6 @@ void nf_ct_l4proto_pernet_unregister(struct net *net,
134int nf_ct_l4proto_register(struct nf_conntrack_l4proto *proto); 134int nf_ct_l4proto_register(struct nf_conntrack_l4proto *proto);
135void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *proto); 135void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *proto);
136 136
137static inline void nf_ct_kfree_compat_sysctl_table(struct nf_proto_net *pn)
138{
139#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
140 kfree(pn->ctl_compat_table);
141 pn->ctl_compat_table = NULL;
142#endif
143}
144
145/* Generic netlink helpers */ 137/* Generic netlink helpers */
146int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, 138int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
147 const struct nf_conntrack_tuple *tuple); 139 const struct nf_conntrack_tuple *tuple);
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 38b1a80517f0..e469e85de3f9 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -15,10 +15,6 @@ struct nf_proto_net {
15#ifdef CONFIG_SYSCTL 15#ifdef CONFIG_SYSCTL
16 struct ctl_table_header *ctl_table_header; 16 struct ctl_table_header *ctl_table_header;
17 struct ctl_table *ctl_table; 17 struct ctl_table *ctl_table;
18#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
19 struct ctl_table_header *ctl_compat_header;
20 struct ctl_table *ctl_compat_table;
21#endif
22#endif 18#endif
23 unsigned int users; 19 unsigned int users;
24}; 20};
@@ -58,10 +54,6 @@ struct nf_ip_net {
58 struct nf_udp_net udp; 54 struct nf_udp_net udp;
59 struct nf_icmp_net icmp; 55 struct nf_icmp_net icmp;
60 struct nf_icmp_net icmpv6; 56 struct nf_icmp_net icmpv6;
61#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
62 struct ctl_table_header *ctl_table_header;
63 struct ctl_table *ctl_table;
64#endif
65}; 57};
66 58
67struct ct_pcpu { 59struct ct_pcpu {
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index c187c60e3e0c..d613309e3e5d 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -25,17 +25,6 @@ config NF_CONNTRACK_IPV4
25 25
26 To compile it as a module, choose M here. If unsure, say N. 26 To compile it as a module, choose M here. If unsure, say N.
27 27
28config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
31 default y
32 help
33 This option enables /proc and sysctl compatibility with the old
34 layer 3 dependent connection tracking. This is needed to keep
35 old programs that have not been adapted to the new names working.
36
37 If unsure, say Y.
38
39if NF_TABLES 28if NF_TABLES
40 29
41config NF_TABLES_IPV4 30config NF_TABLES_IPV4
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 87b073da14c9..853328f8fd05 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -4,11 +4,6 @@
4 4
5# objects for l3 independent conntrack 5# objects for l3 independent conntrack
6nf_conntrack_ipv4-y := nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o 6nf_conntrack_ipv4-y := nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
7ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
8ifeq ($(CONFIG_PROC_FS),y)
9nf_conntrack_ipv4-objs += nf_conntrack_l3proto_ipv4_compat.o
10endif
11endif
12 7
13# connection tracking 8# connection tracking
14obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o 9obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index ae1a71a97132..870aebda2932 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -202,47 +202,6 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
202 }, 202 },
203}; 203};
204 204
205#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
206static int log_invalid_proto_min = 0;
207static int log_invalid_proto_max = 255;
208
209static struct ctl_table ip_ct_sysctl_table[] = {
210 {
211 .procname = "ip_conntrack_max",
212 .maxlen = sizeof(int),
213 .mode = 0644,
214 .proc_handler = proc_dointvec,
215 },
216 {
217 .procname = "ip_conntrack_count",
218 .maxlen = sizeof(int),
219 .mode = 0444,
220 .proc_handler = proc_dointvec,
221 },
222 {
223 .procname = "ip_conntrack_buckets",
224 .maxlen = sizeof(unsigned int),
225 .mode = 0444,
226 .proc_handler = proc_dointvec,
227 },
228 {
229 .procname = "ip_conntrack_checksum",
230 .maxlen = sizeof(int),
231 .mode = 0644,
232 .proc_handler = proc_dointvec,
233 },
234 {
235 .procname = "ip_conntrack_log_invalid",
236 .maxlen = sizeof(unsigned int),
237 .mode = 0644,
238 .proc_handler = proc_dointvec_minmax,
239 .extra1 = &log_invalid_proto_min,
240 .extra2 = &log_invalid_proto_max,
241 },
242 { }
243};
244#endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */
245
246/* Fast function for those who don't want to parse /proc (and I don't 205/* Fast function for those who don't want to parse /proc (and I don't
247 blame them). */ 206 blame them). */
248/* Reversing the socket's dst/src point of view gives us the reply 207/* Reversing the socket's dst/src point of view gives us the reply
@@ -350,20 +309,6 @@ static struct nf_sockopt_ops so_getorigdst = {
350 309
351static int ipv4_init_net(struct net *net) 310static int ipv4_init_net(struct net *net)
352{ 311{
353#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
354 struct nf_ip_net *in = &net->ct.nf_ct_proto;
355 in->ctl_table = kmemdup(ip_ct_sysctl_table,
356 sizeof(ip_ct_sysctl_table),
357 GFP_KERNEL);
358 if (!in->ctl_table)
359 return -ENOMEM;
360
361 in->ctl_table[0].data = &nf_conntrack_max;
362 in->ctl_table[1].data = &net->ct.count;
363 in->ctl_table[2].data = &nf_conntrack_htable_size;
364 in->ctl_table[3].data = &net->ct.sysctl_checksum;
365 in->ctl_table[4].data = &net->ct.sysctl_log_invalid;
366#endif
367 return 0; 312 return 0;
368} 313}
369 314
@@ -380,9 +325,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
380 .nlattr_to_tuple = ipv4_nlattr_to_tuple, 325 .nlattr_to_tuple = ipv4_nlattr_to_tuple,
381 .nla_policy = ipv4_nla_policy, 326 .nla_policy = ipv4_nla_policy,
382#endif 327#endif
383#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
384 .ctl_table_path = "net/ipv4/netfilter",
385#endif
386 .init_net = ipv4_init_net, 328 .init_net = ipv4_init_net,
387 .me = THIS_MODULE, 329 .me = THIS_MODULE,
388}; 330};
@@ -492,16 +434,7 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
492 goto cleanup_icmpv4; 434 goto cleanup_icmpv4;
493 } 435 }
494 436
495#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
496 ret = nf_conntrack_ipv4_compat_init();
497 if (ret < 0)
498 goto cleanup_proto;
499#endif
500 return ret; 437 return ret;
501#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
502 cleanup_proto:
503 nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
504#endif
505 cleanup_icmpv4: 438 cleanup_icmpv4:
506 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp); 439 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp);
507 cleanup_udp4: 440 cleanup_udp4:
@@ -520,9 +453,6 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
520static void __exit nf_conntrack_l3proto_ipv4_fini(void) 453static void __exit nf_conntrack_l3proto_ipv4_fini(void)
521{ 454{
522 synchronize_net(); 455 synchronize_net();
523#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
524 nf_conntrack_ipv4_compat_fini();
525#endif
526 nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv4); 456 nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
527 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp); 457 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp);
528 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udp4); 458 nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udp4);
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
deleted file mode 100644
index 67bfc69e00bc..000000000000
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ /dev/null
@@ -1,491 +0,0 @@
1/* ip_conntrack proc compat - based on ip_conntrack_standalone.c
2 *
3 * (C) 1999-2001 Paul `Rusty' Russell
4 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
5 * (C) 2006-2010 Patrick McHardy <kaber@trash.net>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 */
11#include <linux/types.h>
12#include <linux/proc_fs.h>
13#include <linux/seq_file.h>
14#include <linux/percpu.h>
15#include <linux/security.h>
16#include <net/net_namespace.h>
17
18#include <linux/netfilter.h>
19#include <net/netfilter/nf_conntrack_core.h>
20#include <net/netfilter/nf_conntrack_l3proto.h>
21#include <net/netfilter/nf_conntrack_l4proto.h>
22#include <net/netfilter/nf_conntrack_expect.h>
23#include <net/netfilter/nf_conntrack_acct.h>
24#include <linux/rculist_nulls.h>
25#include <linux/export.h>
26
27struct ct_iter_state {
28 struct seq_net_private p;
29 struct hlist_nulls_head *hash;
30 unsigned int htable_size;
31 unsigned int bucket;
32};
33
34static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
35{
36 struct ct_iter_state *st = seq->private;
37 struct hlist_nulls_node *n;
38
39 for (st->bucket = 0;
40 st->bucket < st->htable_size;
41 st->bucket++) {
42 n = rcu_dereference(
43 hlist_nulls_first_rcu(&st->hash[st->bucket]));
44 if (!is_a_nulls(n))
45 return n;
46 }
47 return NULL;
48}
49
50static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
51 struct hlist_nulls_node *head)
52{
53 struct ct_iter_state *st = seq->private;
54
55 head = rcu_dereference(hlist_nulls_next_rcu(head));
56 while (is_a_nulls(head)) {
57 if (likely(get_nulls_value(head) == st->bucket)) {
58 if (++st->bucket >= st->htable_size)
59 return NULL;
60 }
61 head = rcu_dereference(
62 hlist_nulls_first_rcu(&st->hash[st->bucket]));
63 }
64 return head;
65}
66
67static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos)
68{
69 struct hlist_nulls_node *head = ct_get_first(seq);
70
71 if (head)
72 while (pos && (head = ct_get_next(seq, head)))
73 pos--;
74 return pos ? NULL : head;
75}
76
77static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
78 __acquires(RCU)
79{
80 struct ct_iter_state *st = seq->private;
81
82 rcu_read_lock();
83
84 nf_conntrack_get_ht(&st->hash, &st->htable_size);
85 return ct_get_idx(seq, *pos);
86}
87
88static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
89{
90 (*pos)++;
91 return ct_get_next(s, v);
92}
93
94static void ct_seq_stop(struct seq_file *s, void *v)
95 __releases(RCU)
96{
97 rcu_read_unlock();
98}
99
100#ifdef CONFIG_NF_CONNTRACK_SECMARK
101static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
102{
103 int ret;
104 u32 len;
105 char *secctx;
106
107 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
108 if (ret)
109 return;
110
111 seq_printf(s, "secctx=%s ", secctx);
112
113 security_release_secctx(secctx, len);
114}
115#else
116static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
117{
118}
119#endif
120
121static bool ct_seq_should_skip(const struct nf_conn *ct,
122 const struct net *net,
123 const struct nf_conntrack_tuple_hash *hash)
124{
125 /* we only want to print DIR_ORIGINAL */
126 if (NF_CT_DIRECTION(hash))
127 return true;
128
129 if (nf_ct_l3num(ct) != AF_INET)
130 return true;
131
132 if (!net_eq(nf_ct_net(ct), net))
133 return true;
134
135 return false;
136}
137
138static int ct_seq_show(struct seq_file *s, void *v)
139{
140 struct nf_conntrack_tuple_hash *hash = v;
141 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
142 const struct nf_conntrack_l3proto *l3proto;
143 const struct nf_conntrack_l4proto *l4proto;
144 int ret = 0;
145
146 NF_CT_ASSERT(ct);
147 if (ct_seq_should_skip(ct, seq_file_net(s), hash))
148 return 0;
149
150 if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
151 return 0;
152
153 /* check if we raced w. object reuse */
154 if (!nf_ct_is_confirmed(ct) ||
155 ct_seq_should_skip(ct, seq_file_net(s), hash))
156 goto release;
157
158 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
159 NF_CT_ASSERT(l3proto);
160 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
161 NF_CT_ASSERT(l4proto);
162
163 ret = -ENOSPC;
164 seq_printf(s, "%-8s %u %ld ",
165 l4proto->name, nf_ct_protonum(ct),
166 nf_ct_expires(ct) / HZ);
167
168 if (l4proto->print_conntrack)
169 l4proto->print_conntrack(s, ct);
170
171 if (seq_has_overflowed(s))
172 goto release;
173
174 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
175 l3proto, l4proto);
176
177 if (seq_has_overflowed(s))
178 goto release;
179
180 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL))
181 goto release;
182
183 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
184 seq_printf(s, "[UNREPLIED] ");
185
186 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
187 l3proto, l4proto);
188
189 if (seq_has_overflowed(s))
190 goto release;
191
192 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
193 goto release;
194
195 if (test_bit(IPS_ASSURED_BIT, &ct->status))
196 seq_printf(s, "[ASSURED] ");
197
198#ifdef CONFIG_NF_CONNTRACK_MARK
199 seq_printf(s, "mark=%u ", ct->mark);
200#endif
201
202 ct_show_secctx(s, ct);
203
204 seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use));
205
206 if (seq_has_overflowed(s))
207 goto release;
208
209 ret = 0;
210release:
211 nf_ct_put(ct);
212 return ret;
213}
214
215static const struct seq_operations ct_seq_ops = {
216 .start = ct_seq_start,
217 .next = ct_seq_next,
218 .stop = ct_seq_stop,
219 .show = ct_seq_show
220};
221
222static int ct_open(struct inode *inode, struct file *file)
223{
224 return seq_open_net(inode, file, &ct_seq_ops,
225 sizeof(struct ct_iter_state));
226}
227
228static const struct file_operations ct_file_ops = {
229 .owner = THIS_MODULE,
230 .open = ct_open,
231 .read = seq_read,
232 .llseek = seq_lseek,
233 .release = seq_release_net,
234};
235
236/* expects */
237struct ct_expect_iter_state {
238 struct seq_net_private p;
239 unsigned int bucket;
240};
241
242static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
243{
244 struct ct_expect_iter_state *st = seq->private;
245 struct hlist_node *n;
246
247 for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
248 n = rcu_dereference(
249 hlist_first_rcu(&nf_ct_expect_hash[st->bucket]));
250 if (n)
251 return n;
252 }
253 return NULL;
254}
255
256static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
257 struct hlist_node *head)
258{
259 struct ct_expect_iter_state *st = seq->private;
260
261 head = rcu_dereference(hlist_next_rcu(head));
262 while (head == NULL) {
263 if (++st->bucket >= nf_ct_expect_hsize)
264 return NULL;
265 head = rcu_dereference(
266 hlist_first_rcu(&nf_ct_expect_hash[st->bucket]));
267 }
268 return head;
269}
270
271static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
272{
273 struct hlist_node *head = ct_expect_get_first(seq);
274
275 if (head)
276 while (pos && (head = ct_expect_get_next(seq, head)))
277 pos--;
278 return pos ? NULL : head;
279}
280
281static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
282 __acquires(RCU)
283{
284 rcu_read_lock();
285 return ct_expect_get_idx(seq, *pos);
286}
287
288static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
289{
290 (*pos)++;
291 return ct_expect_get_next(seq, v);
292}
293
294static void exp_seq_stop(struct seq_file *seq, void *v)
295 __releases(RCU)
296{
297 rcu_read_unlock();
298}
299
300static int exp_seq_show(struct seq_file *s, void *v)
301{
302 struct nf_conntrack_expect *exp;
303 const struct hlist_node *n = v;
304
305 exp = hlist_entry(n, struct nf_conntrack_expect, hnode);
306
307 if (!net_eq(nf_ct_net(exp->master), seq_file_net(s)))
308 return 0;
309
310 if (exp->tuple.src.l3num != AF_INET)
311 return 0;
312
313 if (exp->timeout.function)
314 seq_printf(s, "%ld ", timer_pending(&exp->timeout)
315 ? (long)(exp->timeout.expires - jiffies)/HZ : 0);
316 else
317 seq_printf(s, "- ");
318
319 seq_printf(s, "proto=%u ", exp->tuple.dst.protonum);
320
321 print_tuple(s, &exp->tuple,
322 __nf_ct_l3proto_find(exp->tuple.src.l3num),
323 __nf_ct_l4proto_find(exp->tuple.src.l3num,
324 exp->tuple.dst.protonum));
325 seq_putc(s, '\n');
326
327 return 0;
328}
329
330static const struct seq_operations exp_seq_ops = {
331 .start = exp_seq_start,
332 .next = exp_seq_next,
333 .stop = exp_seq_stop,
334 .show = exp_seq_show
335};
336
337static int exp_open(struct inode *inode, struct file *file)
338{
339 return seq_open_net(inode, file, &exp_seq_ops,
340 sizeof(struct ct_expect_iter_state));
341}
342
343static const struct file_operations ip_exp_file_ops = {
344 .owner = THIS_MODULE,
345 .open = exp_open,
346 .read = seq_read,
347 .llseek = seq_lseek,
348 .release = seq_release_net,
349};
350
351static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos)
352{
353 struct net *net = seq_file_net(seq);
354 int cpu;
355
356 if (*pos == 0)
357 return SEQ_START_TOKEN;
358
359 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) {
360 if (!cpu_possible(cpu))
361 continue;
362 *pos = cpu+1;
363 return per_cpu_ptr(net->ct.stat, cpu);
364 }
365
366 return NULL;
367}
368
369static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
370{
371 struct net *net = seq_file_net(seq);
372 int cpu;
373
374 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
375 if (!cpu_possible(cpu))
376 continue;
377 *pos = cpu+1;
378 return per_cpu_ptr(net->ct.stat, cpu);
379 }
380
381 return NULL;
382}
383
384static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
385{
386}
387
388static int ct_cpu_seq_show(struct seq_file *seq, void *v)
389{
390 struct net *net = seq_file_net(seq);
391 unsigned int nr_conntracks = atomic_read(&net->ct.count);
392 const struct ip_conntrack_stat *st = v;
393
394 if (v == SEQ_START_TOKEN) {
395 seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
396 return 0;
397 }
398
399 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
400 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
401 nr_conntracks,
402 st->searched,
403 st->found,
404 st->new,
405 st->invalid,
406 st->ignore,
407 st->delete,
408 st->delete_list,
409 st->insert,
410 st->insert_failed,
411 st->drop,
412 st->early_drop,
413 st->error,
414
415 st->expect_new,
416 st->expect_create,
417 st->expect_delete,
418 st->search_restart
419 );
420 return 0;
421}
422
423static const struct seq_operations ct_cpu_seq_ops = {
424 .start = ct_cpu_seq_start,
425 .next = ct_cpu_seq_next,
426 .stop = ct_cpu_seq_stop,
427 .show = ct_cpu_seq_show,
428};
429
430static int ct_cpu_seq_open(struct inode *inode, struct file *file)
431{
432 return seq_open_net(inode, file, &ct_cpu_seq_ops,
433 sizeof(struct seq_net_private));
434}
435
436static const struct file_operations ct_cpu_seq_fops = {
437 .owner = THIS_MODULE,
438 .open = ct_cpu_seq_open,
439 .read = seq_read,
440 .llseek = seq_lseek,
441 .release = seq_release_net,
442};
443
444static int __net_init ip_conntrack_net_init(struct net *net)
445{
446 struct proc_dir_entry *proc, *proc_exp, *proc_stat;
447
448 proc = proc_create("ip_conntrack", 0440, net->proc_net, &ct_file_ops);
449 if (!proc)
450 goto err1;
451
452 proc_exp = proc_create("ip_conntrack_expect", 0440, net->proc_net,
453 &ip_exp_file_ops);
454 if (!proc_exp)
455 goto err2;
456
457 proc_stat = proc_create("ip_conntrack", S_IRUGO,
458 net->proc_net_stat, &ct_cpu_seq_fops);
459 if (!proc_stat)
460 goto err3;
461 return 0;
462
463err3:
464 remove_proc_entry("ip_conntrack_expect", net->proc_net);
465err2:
466 remove_proc_entry("ip_conntrack", net->proc_net);
467err1:
468 return -ENOMEM;
469}
470
471static void __net_exit ip_conntrack_net_exit(struct net *net)
472{
473 remove_proc_entry("ip_conntrack", net->proc_net_stat);
474 remove_proc_entry("ip_conntrack_expect", net->proc_net);
475 remove_proc_entry("ip_conntrack", net->proc_net);
476}
477
478static struct pernet_operations ip_conntrack_net_ops = {
479 .init = ip_conntrack_net_init,
480 .exit = ip_conntrack_net_exit,
481};
482
483int __init nf_conntrack_ipv4_compat_init(void)
484{
485 return register_pernet_subsys(&ip_conntrack_net_ops);
486}
487
488void __exit nf_conntrack_ipv4_compat_fini(void)
489{
490 unregister_pernet_subsys(&ip_conntrack_net_ops);
491}
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index c567e1b5d799..4b5904bc2614 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -327,17 +327,6 @@ static struct ctl_table icmp_sysctl_table[] = {
327 }, 327 },
328 { } 328 { }
329}; 329};
330#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
331static struct ctl_table icmp_compat_sysctl_table[] = {
332 {
333 .procname = "ip_conntrack_icmp_timeout",
334 .maxlen = sizeof(unsigned int),
335 .mode = 0644,
336 .proc_handler = proc_dointvec_jiffies,
337 },
338 { }
339};
340#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
341#endif /* CONFIG_SYSCTL */ 330#endif /* CONFIG_SYSCTL */
342 331
343static int icmp_kmemdup_sysctl_table(struct nf_proto_net *pn, 332static int icmp_kmemdup_sysctl_table(struct nf_proto_net *pn,
@@ -355,40 +344,14 @@ static int icmp_kmemdup_sysctl_table(struct nf_proto_net *pn,
355 return 0; 344 return 0;
356} 345}
357 346
358static int icmp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
359 struct nf_icmp_net *in)
360{
361#ifdef CONFIG_SYSCTL
362#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
363 pn->ctl_compat_table = kmemdup(icmp_compat_sysctl_table,
364 sizeof(icmp_compat_sysctl_table),
365 GFP_KERNEL);
366 if (!pn->ctl_compat_table)
367 return -ENOMEM;
368
369 pn->ctl_compat_table[0].data = &in->timeout;
370#endif
371#endif
372 return 0;
373}
374
375static int icmp_init_net(struct net *net, u_int16_t proto) 347static int icmp_init_net(struct net *net, u_int16_t proto)
376{ 348{
377 int ret;
378 struct nf_icmp_net *in = icmp_pernet(net); 349 struct nf_icmp_net *in = icmp_pernet(net);
379 struct nf_proto_net *pn = &in->pn; 350 struct nf_proto_net *pn = &in->pn;
380 351
381 in->timeout = nf_ct_icmp_timeout; 352 in->timeout = nf_ct_icmp_timeout;
382 353
383 ret = icmp_kmemdup_compat_sysctl_table(pn, in); 354 return icmp_kmemdup_sysctl_table(pn, in);
384 if (ret < 0)
385 return ret;
386
387 ret = icmp_kmemdup_sysctl_table(pn, in);
388 if (ret < 0)
389 nf_ct_kfree_compat_sysctl_table(pn);
390
391 return ret;
392} 355}
393 356
394static struct nf_proto_net *icmp_get_net_proto(struct net *net) 357static struct nf_proto_net *icmp_get_net_proto(struct net *net)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index dd2c43abf9e2..22558b7ff7cd 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -161,10 +161,7 @@ static void nf_conntrack_all_unlock(void)
161} 161}
162 162
163unsigned int nf_conntrack_htable_size __read_mostly; 163unsigned int nf_conntrack_htable_size __read_mostly;
164EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
165
166unsigned int nf_conntrack_max __read_mostly; 164unsigned int nf_conntrack_max __read_mostly;
167EXPORT_SYMBOL_GPL(nf_conntrack_max);
168 165
169DEFINE_PER_CPU(struct nf_conn, nf_conntrack_untracked); 166DEFINE_PER_CPU(struct nf_conn, nf_conntrack_untracked);
170EXPORT_PER_CPU_SYMBOL(nf_conntrack_untracked); 167EXPORT_PER_CPU_SYMBOL(nf_conntrack_untracked);
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index b65d5864b6d9..8d2c7d8c666a 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -159,54 +159,6 @@ static int kill_l4proto(struct nf_conn *i, void *data)
159 nf_ct_l3num(i) == l4proto->l3proto; 159 nf_ct_l3num(i) == l4proto->l3proto;
160} 160}
161 161
162static struct nf_ip_net *nf_ct_l3proto_net(struct net *net,
163 struct nf_conntrack_l3proto *l3proto)
164{
165 if (l3proto->l3proto == PF_INET)
166 return &net->ct.nf_ct_proto;
167 else
168 return NULL;
169}
170
171static int nf_ct_l3proto_register_sysctl(struct net *net,
172 struct nf_conntrack_l3proto *l3proto)
173{
174 int err = 0;
175 struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
176 /* nf_conntrack_l3proto_ipv6 doesn't support sysctl */
177 if (in == NULL)
178 return 0;
179
180#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
181 if (in->ctl_table != NULL) {
182 err = nf_ct_register_sysctl(net,
183 &in->ctl_table_header,
184 l3proto->ctl_table_path,
185 in->ctl_table);
186 if (err < 0) {
187 kfree(in->ctl_table);
188 in->ctl_table = NULL;
189 }
190 }
191#endif
192 return err;
193}
194
195static void nf_ct_l3proto_unregister_sysctl(struct net *net,
196 struct nf_conntrack_l3proto *l3proto)
197{
198 struct nf_ip_net *in = nf_ct_l3proto_net(net, l3proto);
199
200 if (in == NULL)
201 return;
202#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
203 if (in->ctl_table_header != NULL)
204 nf_ct_unregister_sysctl(&in->ctl_table_header,
205 &in->ctl_table,
206 0);
207#endif
208}
209
210int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto) 162int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto)
211{ 163{
212 int ret = 0; 164 int ret = 0;
@@ -241,7 +193,7 @@ EXPORT_SYMBOL_GPL(nf_ct_l3proto_register);
241int nf_ct_l3proto_pernet_register(struct net *net, 193int nf_ct_l3proto_pernet_register(struct net *net,
242 struct nf_conntrack_l3proto *proto) 194 struct nf_conntrack_l3proto *proto)
243{ 195{
244 int ret = 0; 196 int ret;
245 197
246 if (proto->init_net) { 198 if (proto->init_net) {
247 ret = proto->init_net(net); 199 ret = proto->init_net(net);
@@ -249,7 +201,7 @@ int nf_ct_l3proto_pernet_register(struct net *net,
249 return ret; 201 return ret;
250 } 202 }
251 203
252 return nf_ct_l3proto_register_sysctl(net, proto); 204 return 0;
253} 205}
254EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_register); 206EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_register);
255 207
@@ -272,8 +224,6 @@ EXPORT_SYMBOL_GPL(nf_ct_l3proto_unregister);
272void nf_ct_l3proto_pernet_unregister(struct net *net, 224void nf_ct_l3proto_pernet_unregister(struct net *net,
273 struct nf_conntrack_l3proto *proto) 225 struct nf_conntrack_l3proto *proto)
274{ 226{
275 nf_ct_l3proto_unregister_sysctl(net, proto);
276
277 /* Remove all contrack entries for this protocol */ 227 /* Remove all contrack entries for this protocol */
278 nf_ct_iterate_cleanup(net, kill_l3proto, proto, 0, 0); 228 nf_ct_iterate_cleanup(net, kill_l3proto, proto, 0, 0);
279} 229}
@@ -312,26 +262,6 @@ int nf_ct_l4proto_register_sysctl(struct net *net,
312 } 262 }
313 } 263 }
314 } 264 }
315#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
316 if (l4proto->l3proto != AF_INET6 && pn->ctl_compat_table != NULL) {
317 if (err < 0) {
318 nf_ct_kfree_compat_sysctl_table(pn);
319 goto out;
320 }
321 err = nf_ct_register_sysctl(net,
322 &pn->ctl_compat_header,
323 "net/ipv4/netfilter",
324 pn->ctl_compat_table);
325 if (err == 0)
326 goto out;
327
328 nf_ct_kfree_compat_sysctl_table(pn);
329 nf_ct_unregister_sysctl(&pn->ctl_table_header,
330 &pn->ctl_table,
331 pn->users);
332 }
333out:
334#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
335#endif /* CONFIG_SYSCTL */ 265#endif /* CONFIG_SYSCTL */
336 return err; 266 return err;
337} 267}
@@ -346,13 +276,6 @@ void nf_ct_l4proto_unregister_sysctl(struct net *net,
346 nf_ct_unregister_sysctl(&pn->ctl_table_header, 276 nf_ct_unregister_sysctl(&pn->ctl_table_header,
347 &pn->ctl_table, 277 &pn->ctl_table,
348 pn->users); 278 pn->users);
349
350#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
351 if (l4proto->l3proto != AF_INET6 && pn->ctl_compat_header != NULL)
352 nf_ct_unregister_sysctl(&pn->ctl_compat_header,
353 &pn->ctl_compat_table,
354 0);
355#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
356#endif /* CONFIG_SYSCTL */ 279#endif /* CONFIG_SYSCTL */
357} 280}
358 281
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 86dc752e5349..d5868bad33a7 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -151,17 +151,6 @@ static struct ctl_table generic_sysctl_table[] = {
151 }, 151 },
152 { } 152 { }
153}; 153};
154#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
155static struct ctl_table generic_compat_sysctl_table[] = {
156 {
157 .procname = "ip_conntrack_generic_timeout",
158 .maxlen = sizeof(unsigned int),
159 .mode = 0644,
160 .proc_handler = proc_dointvec_jiffies,
161 },
162 { }
163};
164#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
165#endif /* CONFIG_SYSCTL */ 154#endif /* CONFIG_SYSCTL */
166 155
167static int generic_kmemdup_sysctl_table(struct nf_proto_net *pn, 156static int generic_kmemdup_sysctl_table(struct nf_proto_net *pn,
@@ -179,40 +168,14 @@ static int generic_kmemdup_sysctl_table(struct nf_proto_net *pn,
179 return 0; 168 return 0;
180} 169}
181 170
182static int generic_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
183 struct nf_generic_net *gn)
184{
185#ifdef CONFIG_SYSCTL
186#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
187 pn->ctl_compat_table = kmemdup(generic_compat_sysctl_table,
188 sizeof(generic_compat_sysctl_table),
189 GFP_KERNEL);
190 if (!pn->ctl_compat_table)
191 return -ENOMEM;
192
193 pn->ctl_compat_table[0].data = &gn->timeout;
194#endif
195#endif
196 return 0;
197}
198
199static int generic_init_net(struct net *net, u_int16_t proto) 171static int generic_init_net(struct net *net, u_int16_t proto)
200{ 172{
201 int ret;
202 struct nf_generic_net *gn = generic_pernet(net); 173 struct nf_generic_net *gn = generic_pernet(net);
203 struct nf_proto_net *pn = &gn->pn; 174 struct nf_proto_net *pn = &gn->pn;
204 175
205 gn->timeout = nf_ct_generic_timeout; 176 gn->timeout = nf_ct_generic_timeout;
206 177
207 ret = generic_kmemdup_compat_sysctl_table(pn, gn); 178 return generic_kmemdup_sysctl_table(pn, gn);
208 if (ret < 0)
209 return ret;
210
211 ret = generic_kmemdup_sysctl_table(pn, gn);
212 if (ret < 0)
213 nf_ct_kfree_compat_sysctl_table(pn);
214
215 return ret;
216} 179}
217 180
218static struct nf_proto_net *generic_get_net_proto(struct net *net) 181static struct nf_proto_net *generic_get_net_proto(struct net *net)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index e769f0561621..982ea62606c7 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -705,54 +705,6 @@ static struct ctl_table sctp_sysctl_table[] = {
705 }, 705 },
706 { } 706 { }
707}; 707};
708
709#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
710static struct ctl_table sctp_compat_sysctl_table[] = {
711 {
712 .procname = "ip_conntrack_sctp_timeout_closed",
713 .maxlen = sizeof(unsigned int),
714 .mode = 0644,
715 .proc_handler = proc_dointvec_jiffies,
716 },
717 {
718 .procname = "ip_conntrack_sctp_timeout_cookie_wait",
719 .maxlen = sizeof(unsigned int),
720 .mode = 0644,
721 .proc_handler = proc_dointvec_jiffies,
722 },
723 {
724 .procname = "ip_conntrack_sctp_timeout_cookie_echoed",
725 .maxlen = sizeof(unsigned int),
726 .mode = 0644,
727 .proc_handler = proc_dointvec_jiffies,
728 },
729 {
730 .procname = "ip_conntrack_sctp_timeout_established",
731 .maxlen = sizeof(unsigned int),
732 .mode = 0644,
733 .proc_handler = proc_dointvec_jiffies,
734 },
735 {
736 .procname = "ip_conntrack_sctp_timeout_shutdown_sent",
737 .maxlen = sizeof(unsigned int),
738 .mode = 0644,
739 .proc_handler = proc_dointvec_jiffies,
740 },
741 {
742 .procname = "ip_conntrack_sctp_timeout_shutdown_recd",
743 .maxlen = sizeof(unsigned int),
744 .mode = 0644,
745 .proc_handler = proc_dointvec_jiffies,
746 },
747 {
748 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
749 .maxlen = sizeof(unsigned int),
750 .mode = 0644,
751 .proc_handler = proc_dointvec_jiffies,
752 },
753 { }
754};
755#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
756#endif 708#endif
757 709
758static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn, 710static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
@@ -781,32 +733,8 @@ static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
781 return 0; 733 return 0;
782} 734}
783 735
784static int sctp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
785 struct sctp_net *sn)
786{
787#ifdef CONFIG_SYSCTL
788#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
789 pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
790 sizeof(sctp_compat_sysctl_table),
791 GFP_KERNEL);
792 if (!pn->ctl_compat_table)
793 return -ENOMEM;
794
795 pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
796 pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
797 pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
798 pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
799 pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
800 pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
801 pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
802#endif
803#endif
804 return 0;
805}
806
807static int sctp_init_net(struct net *net, u_int16_t proto) 736static int sctp_init_net(struct net *net, u_int16_t proto)
808{ 737{
809 int ret;
810 struct sctp_net *sn = sctp_pernet(net); 738 struct sctp_net *sn = sctp_pernet(net);
811 struct nf_proto_net *pn = &sn->pn; 739 struct nf_proto_net *pn = &sn->pn;
812 740
@@ -817,18 +745,7 @@ static int sctp_init_net(struct net *net, u_int16_t proto)
817 sn->timeouts[i] = sctp_timeouts[i]; 745 sn->timeouts[i] = sctp_timeouts[i];
818 } 746 }
819 747
820 if (proto == AF_INET) { 748 return sctp_kmemdup_sysctl_table(pn, sn);
821 ret = sctp_kmemdup_compat_sysctl_table(pn, sn);
822 if (ret < 0)
823 return ret;
824
825 ret = sctp_kmemdup_sysctl_table(pn, sn);
826 if (ret < 0)
827 nf_ct_kfree_compat_sysctl_table(pn);
828 } else
829 ret = sctp_kmemdup_sysctl_table(pn, sn);
830
831 return ret;
832} 749}
833 750
834static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = { 751static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 4abe9e1f8909..69f687740c76 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1481,90 +1481,6 @@ static struct ctl_table tcp_sysctl_table[] = {
1481 }, 1481 },
1482 { } 1482 { }
1483}; 1483};
1484
1485#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1486static struct ctl_table tcp_compat_sysctl_table[] = {
1487 {
1488 .procname = "ip_conntrack_tcp_timeout_syn_sent",
1489 .maxlen = sizeof(unsigned int),
1490 .mode = 0644,
1491 .proc_handler = proc_dointvec_jiffies,
1492 },
1493 {
1494 .procname = "ip_conntrack_tcp_timeout_syn_sent2",
1495 .maxlen = sizeof(unsigned int),
1496 .mode = 0644,
1497 .proc_handler = proc_dointvec_jiffies,
1498 },
1499 {
1500 .procname = "ip_conntrack_tcp_timeout_syn_recv",
1501 .maxlen = sizeof(unsigned int),
1502 .mode = 0644,
1503 .proc_handler = proc_dointvec_jiffies,
1504 },
1505 {
1506 .procname = "ip_conntrack_tcp_timeout_established",
1507 .maxlen = sizeof(unsigned int),
1508 .mode = 0644,
1509 .proc_handler = proc_dointvec_jiffies,
1510 },
1511 {
1512 .procname = "ip_conntrack_tcp_timeout_fin_wait",
1513 .maxlen = sizeof(unsigned int),
1514 .mode = 0644,
1515 .proc_handler = proc_dointvec_jiffies,
1516 },
1517 {
1518 .procname = "ip_conntrack_tcp_timeout_close_wait",
1519 .maxlen = sizeof(unsigned int),
1520 .mode = 0644,
1521 .proc_handler = proc_dointvec_jiffies,
1522 },
1523 {
1524 .procname = "ip_conntrack_tcp_timeout_last_ack",
1525 .maxlen = sizeof(unsigned int),
1526 .mode = 0644,
1527 .proc_handler = proc_dointvec_jiffies,
1528 },
1529 {
1530 .procname = "ip_conntrack_tcp_timeout_time_wait",
1531 .maxlen = sizeof(unsigned int),
1532 .mode = 0644,
1533 .proc_handler = proc_dointvec_jiffies,
1534 },
1535 {
1536 .procname = "ip_conntrack_tcp_timeout_close",
1537 .maxlen = sizeof(unsigned int),
1538 .mode = 0644,
1539 .proc_handler = proc_dointvec_jiffies,
1540 },
1541 {
1542 .procname = "ip_conntrack_tcp_timeout_max_retrans",
1543 .maxlen = sizeof(unsigned int),
1544 .mode = 0644,
1545 .proc_handler = proc_dointvec_jiffies,
1546 },
1547 {
1548 .procname = "ip_conntrack_tcp_loose",
1549 .maxlen = sizeof(unsigned int),
1550 .mode = 0644,
1551 .proc_handler = proc_dointvec,
1552 },
1553 {
1554 .procname = "ip_conntrack_tcp_be_liberal",
1555 .maxlen = sizeof(unsigned int),
1556 .mode = 0644,
1557 .proc_handler = proc_dointvec,
1558 },
1559 {
1560 .procname = "ip_conntrack_tcp_max_retrans",
1561 .maxlen = sizeof(unsigned int),
1562 .mode = 0644,
1563 .proc_handler = proc_dointvec,
1564 },
1565 { }
1566};
1567#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
1568#endif /* CONFIG_SYSCTL */ 1484#endif /* CONFIG_SYSCTL */
1569 1485
1570static int tcp_kmemdup_sysctl_table(struct nf_proto_net *pn, 1486static int tcp_kmemdup_sysctl_table(struct nf_proto_net *pn,
@@ -1597,38 +1513,8 @@ static int tcp_kmemdup_sysctl_table(struct nf_proto_net *pn,
1597 return 0; 1513 return 0;
1598} 1514}
1599 1515
1600static int tcp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
1601 struct nf_tcp_net *tn)
1602{
1603#ifdef CONFIG_SYSCTL
1604#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1605 pn->ctl_compat_table = kmemdup(tcp_compat_sysctl_table,
1606 sizeof(tcp_compat_sysctl_table),
1607 GFP_KERNEL);
1608 if (!pn->ctl_compat_table)
1609 return -ENOMEM;
1610
1611 pn->ctl_compat_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
1612 pn->ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2];
1613 pn->ctl_compat_table[2].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
1614 pn->ctl_compat_table[3].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
1615 pn->ctl_compat_table[4].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
1616 pn->ctl_compat_table[5].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
1617 pn->ctl_compat_table[6].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
1618 pn->ctl_compat_table[7].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
1619 pn->ctl_compat_table[8].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
1620 pn->ctl_compat_table[9].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
1621 pn->ctl_compat_table[10].data = &tn->tcp_loose;
1622 pn->ctl_compat_table[11].data = &tn->tcp_be_liberal;
1623 pn->ctl_compat_table[12].data = &tn->tcp_max_retrans;
1624#endif
1625#endif
1626 return 0;
1627}
1628
1629static int tcp_init_net(struct net *net, u_int16_t proto) 1516static int tcp_init_net(struct net *net, u_int16_t proto)
1630{ 1517{
1631 int ret;
1632 struct nf_tcp_net *tn = tcp_pernet(net); 1518 struct nf_tcp_net *tn = tcp_pernet(net);
1633 struct nf_proto_net *pn = &tn->pn; 1519 struct nf_proto_net *pn = &tn->pn;
1634 1520
@@ -1643,18 +1529,7 @@ static int tcp_init_net(struct net *net, u_int16_t proto)
1643 tn->tcp_max_retrans = nf_ct_tcp_max_retrans; 1529 tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
1644 } 1530 }
1645 1531
1646 if (proto == AF_INET) { 1532 return tcp_kmemdup_sysctl_table(pn, tn);
1647 ret = tcp_kmemdup_compat_sysctl_table(pn, tn);
1648 if (ret < 0)
1649 return ret;
1650
1651 ret = tcp_kmemdup_sysctl_table(pn, tn);
1652 if (ret < 0)
1653 nf_ct_kfree_compat_sysctl_table(pn);
1654 } else
1655 ret = tcp_kmemdup_sysctl_table(pn, tn);
1656
1657 return ret;
1658} 1533}
1659 1534
1660static struct nf_proto_net *tcp_get_net_proto(struct net *net) 1535static struct nf_proto_net *tcp_get_net_proto(struct net *net)
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 8a057e1e1247..20f35ed68030 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -218,23 +218,6 @@ static struct ctl_table udp_sysctl_table[] = {
218 }, 218 },
219 { } 219 { }
220}; 220};
221#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
222static struct ctl_table udp_compat_sysctl_table[] = {
223 {
224 .procname = "ip_conntrack_udp_timeout",
225 .maxlen = sizeof(unsigned int),
226 .mode = 0644,
227 .proc_handler = proc_dointvec_jiffies,
228 },
229 {
230 .procname = "ip_conntrack_udp_timeout_stream",
231 .maxlen = sizeof(unsigned int),
232 .mode = 0644,
233 .proc_handler = proc_dointvec_jiffies,
234 },
235 { }
236};
237#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
238#endif /* CONFIG_SYSCTL */ 221#endif /* CONFIG_SYSCTL */
239 222
240static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn, 223static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn,
@@ -254,27 +237,8 @@ static int udp_kmemdup_sysctl_table(struct nf_proto_net *pn,
254 return 0; 237 return 0;
255} 238}
256 239
257static int udp_kmemdup_compat_sysctl_table(struct nf_proto_net *pn,
258 struct nf_udp_net *un)
259{
260#ifdef CONFIG_SYSCTL
261#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
262 pn->ctl_compat_table = kmemdup(udp_compat_sysctl_table,
263 sizeof(udp_compat_sysctl_table),
264 GFP_KERNEL);
265 if (!pn->ctl_compat_table)
266 return -ENOMEM;
267
268 pn->ctl_compat_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
269 pn->ctl_compat_table[1].data = &un->timeouts[UDP_CT_REPLIED];
270#endif
271#endif
272 return 0;
273}
274
275static int udp_init_net(struct net *net, u_int16_t proto) 240static int udp_init_net(struct net *net, u_int16_t proto)
276{ 241{
277 int ret;
278 struct nf_udp_net *un = udp_pernet(net); 242 struct nf_udp_net *un = udp_pernet(net);
279 struct nf_proto_net *pn = &un->pn; 243 struct nf_proto_net *pn = &un->pn;
280 244
@@ -285,18 +249,7 @@ static int udp_init_net(struct net *net, u_int16_t proto)
285 un->timeouts[i] = udp_timeouts[i]; 249 un->timeouts[i] = udp_timeouts[i];
286 } 250 }
287 251
288 if (proto == AF_INET) { 252 return udp_kmemdup_sysctl_table(pn, un);
289 ret = udp_kmemdup_compat_sysctl_table(pn, un);
290 if (ret < 0)
291 return ret;
292
293 ret = udp_kmemdup_sysctl_table(pn, un);
294 if (ret < 0)
295 nf_ct_kfree_compat_sysctl_table(pn);
296 } else
297 ret = udp_kmemdup_sysctl_table(pn, un);
298
299 return ret;
300} 253}
301 254
302static struct nf_proto_net *udp_get_net_proto(struct net *net) 255static struct nf_proto_net *udp_get_net_proto(struct net *net)
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-02 21:04:45 -0400