diff options
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 20 | ||||
| -rw-r--r-- | include/net/netns/conntrack.h | 3 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_pptp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 55 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_h323_main.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 13 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_pptp.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 2 |
11 files changed, 66 insertions, 51 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 4c4d894cb9b5..37a7fc1164b0 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
| @@ -6,7 +6,6 @@ | |||
| 6 | #define _NF_CONNTRACK_EXPECT_H | 6 | #define _NF_CONNTRACK_EXPECT_H |
| 7 | #include <net/netfilter/nf_conntrack.h> | 7 | #include <net/netfilter/nf_conntrack.h> |
| 8 | 8 | ||
| 9 | extern struct hlist_head *nf_ct_expect_hash; | ||
| 10 | extern unsigned int nf_ct_expect_hsize; | 9 | extern unsigned int nf_ct_expect_hsize; |
| 11 | extern unsigned int nf_ct_expect_max; | 10 | extern unsigned int nf_ct_expect_max; |
| 12 | 11 | ||
| @@ -56,6 +55,15 @@ struct nf_conntrack_expect | |||
| 56 | struct rcu_head rcu; | 55 | struct rcu_head rcu; |
| 57 | }; | 56 | }; |
| 58 | 57 | ||
| 58 | static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp) | ||
| 59 | { | ||
| 60 | #ifdef CONFIG_NET_NS | ||
| 61 | return exp->master->ct_net; /* by definition */ | ||
| 62 | #else | ||
| 63 | return &init_net; | ||
| 64 | #endif | ||
| 65 | } | ||
| 66 | |||
| 59 | struct nf_conntrack_expect_policy | 67 | struct nf_conntrack_expect_policy |
| 60 | { | 68 | { |
| 61 | unsigned int max_expected; | 69 | unsigned int max_expected; |
| @@ -67,17 +75,17 @@ struct nf_conntrack_expect_policy | |||
| 67 | #define NF_CT_EXPECT_PERMANENT 0x1 | 75 | #define NF_CT_EXPECT_PERMANENT 0x1 |
| 68 | #define NF_CT_EXPECT_INACTIVE 0x2 | 76 | #define NF_CT_EXPECT_INACTIVE 0x2 |
| 69 | 77 | ||
| 70 | int nf_conntrack_expect_init(void); | 78 | int nf_conntrack_expect_init(struct net *net); |
| 71 | void nf_conntrack_expect_fini(void); | 79 | void nf_conntrack_expect_fini(struct net *net); |
| 72 | 80 | ||
| 73 | struct nf_conntrack_expect * | 81 | struct nf_conntrack_expect * |
| 74 | __nf_ct_expect_find(const struct nf_conntrack_tuple *tuple); | 82 | __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple); |
| 75 | 83 | ||
| 76 | struct nf_conntrack_expect * | 84 | struct nf_conntrack_expect * |
| 77 | nf_ct_expect_find_get(const struct nf_conntrack_tuple *tuple); | 85 | nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple); |
| 78 | 86 | ||
| 79 | struct nf_conntrack_expect * | 87 | struct nf_conntrack_expect * |
| 80 | nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple); | 88 | nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple); |
| 81 | 89 | ||
| 82 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp); | 90 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp); |
| 83 | void nf_ct_remove_expectations(struct nf_conn *ct); | 91 | void nf_ct_remove_expectations(struct nf_conn *ct); |
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index b767683f112b..e453a33f3e93 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h | |||
| @@ -5,7 +5,10 @@ | |||
| 5 | 5 | ||
| 6 | struct netns_ct { | 6 | struct netns_ct { |
| 7 | atomic_t count; | 7 | atomic_t count; |
| 8 | unsigned int expect_count; | ||
| 8 | struct hlist_head *hash; | 9 | struct hlist_head *hash; |
| 10 | struct hlist_head *expect_hash; | ||
| 9 | int hash_vmalloc; | 11 | int hash_vmalloc; |
| 12 | int expect_vmalloc; | ||
| 10 | }; | 13 | }; |
| 11 | #endif | 14 | #endif |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c index 8e0afdc2b134..f8636a57e8cc 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | |||
| @@ -177,11 +177,12 @@ struct ct_expect_iter_state { | |||
| 177 | 177 | ||
| 178 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | 178 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) |
| 179 | { | 179 | { |
| 180 | struct net *net = &init_net; | ||
| 180 | struct ct_expect_iter_state *st = seq->private; | 181 | struct ct_expect_iter_state *st = seq->private; |
| 181 | struct hlist_node *n; | 182 | struct hlist_node *n; |
| 182 | 183 | ||
| 183 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { | 184 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { |
| 184 | n = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 185 | n = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 185 | if (n) | 186 | if (n) |
| 186 | return n; | 187 | return n; |
| 187 | } | 188 | } |
| @@ -191,13 +192,14 @@ static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | |||
| 191 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, | 192 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, |
| 192 | struct hlist_node *head) | 193 | struct hlist_node *head) |
| 193 | { | 194 | { |
| 195 | struct net *net = &init_net; | ||
| 194 | struct ct_expect_iter_state *st = seq->private; | 196 | struct ct_expect_iter_state *st = seq->private; |
| 195 | 197 | ||
| 196 | head = rcu_dereference(head->next); | 198 | head = rcu_dereference(head->next); |
| 197 | while (head == NULL) { | 199 | while (head == NULL) { |
| 198 | if (++st->bucket >= nf_ct_expect_hsize) | 200 | if (++st->bucket >= nf_ct_expect_hsize) |
| 199 | return NULL; | 201 | return NULL; |
| 200 | head = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 202 | head = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 201 | } | 203 | } |
| 202 | return head; | 204 | return head; |
| 203 | } | 205 | } |
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c index da3d91a5ef5c..e4bdddc60343 100644 --- a/net/ipv4/netfilter/nf_nat_pptp.c +++ b/net/ipv4/netfilter/nf_nat_pptp.c | |||
| @@ -73,7 +73,7 @@ static void pptp_nat_expected(struct nf_conn *ct, | |||
| 73 | 73 | ||
| 74 | pr_debug("trying to unexpect other dir: "); | 74 | pr_debug("trying to unexpect other dir: "); |
| 75 | nf_ct_dump_tuple_ip(&t); | 75 | nf_ct_dump_tuple_ip(&t); |
| 76 | other_exp = nf_ct_expect_find_get(&t); | 76 | other_exp = nf_ct_expect_find_get(&init_net, &t); |
| 77 | if (other_exp) { | 77 | if (other_exp) { |
| 78 | nf_ct_unexpect_related(other_exp); | 78 | nf_ct_unexpect_related(other_exp); |
| 79 | nf_ct_expect_put(other_exp); | 79 | nf_ct_expect_put(other_exp); |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index da56b2605529..c188edea2492 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
| @@ -562,7 +562,7 @@ init_conntrack(struct net *net, | |||
| 562 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); | 562 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); |
| 563 | 563 | ||
| 564 | spin_lock_bh(&nf_conntrack_lock); | 564 | spin_lock_bh(&nf_conntrack_lock); |
| 565 | exp = nf_ct_find_expectation(tuple); | 565 | exp = nf_ct_find_expectation(net, tuple); |
| 566 | if (exp) { | 566 | if (exp) { |
| 567 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", | 567 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", |
| 568 | ct, exp); | 568 | ct, exp); |
| @@ -1038,7 +1038,7 @@ void nf_conntrack_cleanup(struct net *net) | |||
| 1038 | nf_conntrack_htable_size); | 1038 | nf_conntrack_htable_size); |
| 1039 | 1039 | ||
| 1040 | nf_conntrack_acct_fini(); | 1040 | nf_conntrack_acct_fini(); |
| 1041 | nf_conntrack_expect_fini(); | 1041 | nf_conntrack_expect_fini(net); |
| 1042 | nf_conntrack_helper_fini(); | 1042 | nf_conntrack_helper_fini(); |
| 1043 | nf_conntrack_proto_fini(); | 1043 | nf_conntrack_proto_fini(); |
| 1044 | } | 1044 | } |
| @@ -1173,7 +1173,7 @@ int nf_conntrack_init(struct net *net) | |||
| 1173 | if (ret < 0) | 1173 | if (ret < 0) |
| 1174 | goto err_free_conntrack_slab; | 1174 | goto err_free_conntrack_slab; |
| 1175 | 1175 | ||
| 1176 | ret = nf_conntrack_expect_init(); | 1176 | ret = nf_conntrack_expect_init(net); |
| 1177 | if (ret < 0) | 1177 | if (ret < 0) |
| 1178 | goto out_fini_proto; | 1178 | goto out_fini_proto; |
| 1179 | 1179 | ||
| @@ -1203,7 +1203,7 @@ int nf_conntrack_init(struct net *net) | |||
| 1203 | out_fini_helper: | 1203 | out_fini_helper: |
| 1204 | nf_conntrack_helper_fini(); | 1204 | nf_conntrack_helper_fini(); |
| 1205 | out_fini_expect: | 1205 | out_fini_expect: |
| 1206 | nf_conntrack_expect_fini(); | 1206 | nf_conntrack_expect_fini(net); |
| 1207 | out_fini_proto: | 1207 | out_fini_proto: |
| 1208 | nf_conntrack_proto_fini(); | 1208 | nf_conntrack_proto_fini(); |
| 1209 | err_free_conntrack_slab: | 1209 | err_free_conntrack_slab: |
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index e6a79f2a7c53..5307316356ea 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c | |||
| @@ -28,17 +28,12 @@ | |||
| 28 | #include <net/netfilter/nf_conntrack_helper.h> | 28 | #include <net/netfilter/nf_conntrack_helper.h> |
| 29 | #include <net/netfilter/nf_conntrack_tuple.h> | 29 | #include <net/netfilter/nf_conntrack_tuple.h> |
| 30 | 30 | ||
| 31 | struct hlist_head *nf_ct_expect_hash __read_mostly; | ||
| 32 | EXPORT_SYMBOL_GPL(nf_ct_expect_hash); | ||
| 33 | |||
| 34 | unsigned int nf_ct_expect_hsize __read_mostly; | 31 | unsigned int nf_ct_expect_hsize __read_mostly; |
| 35 | EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); | 32 | EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); |
| 36 | 33 | ||
| 37 | static unsigned int nf_ct_expect_hash_rnd __read_mostly; | 34 | static unsigned int nf_ct_expect_hash_rnd __read_mostly; |
| 38 | static unsigned int nf_ct_expect_count; | ||
| 39 | unsigned int nf_ct_expect_max __read_mostly; | 35 | unsigned int nf_ct_expect_max __read_mostly; |
| 40 | static int nf_ct_expect_hash_rnd_initted __read_mostly; | 36 | static int nf_ct_expect_hash_rnd_initted __read_mostly; |
| 41 | static int nf_ct_expect_vmalloc; | ||
| 42 | 37 | ||
| 43 | static struct kmem_cache *nf_ct_expect_cachep __read_mostly; | 38 | static struct kmem_cache *nf_ct_expect_cachep __read_mostly; |
| 44 | 39 | ||
| @@ -46,12 +41,13 @@ static struct kmem_cache *nf_ct_expect_cachep __read_mostly; | |||
| 46 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp) | 41 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp) |
| 47 | { | 42 | { |
| 48 | struct nf_conn_help *master_help = nfct_help(exp->master); | 43 | struct nf_conn_help *master_help = nfct_help(exp->master); |
| 44 | struct net *net = nf_ct_exp_net(exp); | ||
| 49 | 45 | ||
| 50 | NF_CT_ASSERT(master_help); | 46 | NF_CT_ASSERT(master_help); |
| 51 | NF_CT_ASSERT(!timer_pending(&exp->timeout)); | 47 | NF_CT_ASSERT(!timer_pending(&exp->timeout)); |
| 52 | 48 | ||
| 53 | hlist_del_rcu(&exp->hnode); | 49 | hlist_del_rcu(&exp->hnode); |
| 54 | nf_ct_expect_count--; | 50 | net->ct.expect_count--; |
| 55 | 51 | ||
| 56 | hlist_del(&exp->lnode); | 52 | hlist_del(&exp->lnode); |
| 57 | master_help->expecting[exp->class]--; | 53 | master_help->expecting[exp->class]--; |
| @@ -87,17 +83,17 @@ static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple | |||
| 87 | } | 83 | } |
| 88 | 84 | ||
| 89 | struct nf_conntrack_expect * | 85 | struct nf_conntrack_expect * |
| 90 | __nf_ct_expect_find(const struct nf_conntrack_tuple *tuple) | 86 | __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple) |
| 91 | { | 87 | { |
| 92 | struct nf_conntrack_expect *i; | 88 | struct nf_conntrack_expect *i; |
| 93 | struct hlist_node *n; | 89 | struct hlist_node *n; |
| 94 | unsigned int h; | 90 | unsigned int h; |
| 95 | 91 | ||
| 96 | if (!nf_ct_expect_count) | 92 | if (!net->ct.expect_count) |
| 97 | return NULL; | 93 | return NULL; |
| 98 | 94 | ||
| 99 | h = nf_ct_expect_dst_hash(tuple); | 95 | h = nf_ct_expect_dst_hash(tuple); |
| 100 | hlist_for_each_entry_rcu(i, n, &nf_ct_expect_hash[h], hnode) { | 96 | hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) { |
| 101 | if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) | 97 | if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) |
| 102 | return i; | 98 | return i; |
| 103 | } | 99 | } |
| @@ -107,12 +103,12 @@ EXPORT_SYMBOL_GPL(__nf_ct_expect_find); | |||
| 107 | 103 | ||
| 108 | /* Just find a expectation corresponding to a tuple. */ | 104 | /* Just find a expectation corresponding to a tuple. */ |
| 109 | struct nf_conntrack_expect * | 105 | struct nf_conntrack_expect * |
| 110 | nf_ct_expect_find_get(const struct nf_conntrack_tuple *tuple) | 106 | nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple) |
| 111 | { | 107 | { |
| 112 | struct nf_conntrack_expect *i; | 108 | struct nf_conntrack_expect *i; |
| 113 | 109 | ||
| 114 | rcu_read_lock(); | 110 | rcu_read_lock(); |
| 115 | i = __nf_ct_expect_find(tuple); | 111 | i = __nf_ct_expect_find(net, tuple); |
| 116 | if (i && !atomic_inc_not_zero(&i->use)) | 112 | if (i && !atomic_inc_not_zero(&i->use)) |
| 117 | i = NULL; | 113 | i = NULL; |
| 118 | rcu_read_unlock(); | 114 | rcu_read_unlock(); |
| @@ -124,17 +120,17 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_find_get); | |||
| 124 | /* If an expectation for this connection is found, it gets delete from | 120 | /* If an expectation for this connection is found, it gets delete from |
| 125 | * global list then returned. */ | 121 | * global list then returned. */ |
| 126 | struct nf_conntrack_expect * | 122 | struct nf_conntrack_expect * |
| 127 | nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple) | 123 | nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple) |
| 128 | { | 124 | { |
| 129 | struct nf_conntrack_expect *i, *exp = NULL; | 125 | struct nf_conntrack_expect *i, *exp = NULL; |
| 130 | struct hlist_node *n; | 126 | struct hlist_node *n; |
| 131 | unsigned int h; | 127 | unsigned int h; |
| 132 | 128 | ||
| 133 | if (!nf_ct_expect_count) | 129 | if (!net->ct.expect_count) |
| 134 | return NULL; | 130 | return NULL; |
| 135 | 131 | ||
| 136 | h = nf_ct_expect_dst_hash(tuple); | 132 | h = nf_ct_expect_dst_hash(tuple); |
| 137 | hlist_for_each_entry(i, n, &nf_ct_expect_hash[h], hnode) { | 133 | hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { |
| 138 | if (!(i->flags & NF_CT_EXPECT_INACTIVE) && | 134 | if (!(i->flags & NF_CT_EXPECT_INACTIVE) && |
| 139 | nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) { | 135 | nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) { |
| 140 | exp = i; | 136 | exp = i; |
| @@ -311,6 +307,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_put); | |||
| 311 | static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) | 307 | static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) |
| 312 | { | 308 | { |
| 313 | struct nf_conn_help *master_help = nfct_help(exp->master); | 309 | struct nf_conn_help *master_help = nfct_help(exp->master); |
| 310 | struct net *net = nf_ct_exp_net(exp); | ||
| 314 | const struct nf_conntrack_expect_policy *p; | 311 | const struct nf_conntrack_expect_policy *p; |
| 315 | unsigned int h = nf_ct_expect_dst_hash(&exp->tuple); | 312 | unsigned int h = nf_ct_expect_dst_hash(&exp->tuple); |
| 316 | 313 | ||
| @@ -319,8 +316,8 @@ static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) | |||
| 319 | hlist_add_head(&exp->lnode, &master_help->expectations); | 316 | hlist_add_head(&exp->lnode, &master_help->expectations); |
| 320 | master_help->expecting[exp->class]++; | 317 | master_help->expecting[exp->class]++; |
| 321 | 318 | ||
| 322 | hlist_add_head_rcu(&exp->hnode, &nf_ct_expect_hash[h]); | 319 | hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]); |
| 323 | nf_ct_expect_count++; | 320 | net->ct.expect_count++; |
| 324 | 321 | ||
| 325 | setup_timer(&exp->timeout, nf_ct_expectation_timed_out, | 322 | setup_timer(&exp->timeout, nf_ct_expectation_timed_out, |
| 326 | (unsigned long)exp); | 323 | (unsigned long)exp); |
| @@ -371,6 +368,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) | |||
| 371 | struct nf_conntrack_expect *i; | 368 | struct nf_conntrack_expect *i; |
| 372 | struct nf_conn *master = expect->master; | 369 | struct nf_conn *master = expect->master; |
| 373 | struct nf_conn_help *master_help = nfct_help(master); | 370 | struct nf_conn_help *master_help = nfct_help(master); |
| 371 | struct net *net = nf_ct_exp_net(expect); | ||
| 374 | struct hlist_node *n; | 372 | struct hlist_node *n; |
| 375 | unsigned int h; | 373 | unsigned int h; |
| 376 | int ret; | 374 | int ret; |
| @@ -383,7 +381,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) | |||
| 383 | goto out; | 381 | goto out; |
| 384 | } | 382 | } |
| 385 | h = nf_ct_expect_dst_hash(&expect->tuple); | 383 | h = nf_ct_expect_dst_hash(&expect->tuple); |
| 386 | hlist_for_each_entry(i, n, &nf_ct_expect_hash[h], hnode) { | 384 | hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { |
| 387 | if (expect_matches(i, expect)) { | 385 | if (expect_matches(i, expect)) { |
| 388 | /* Refresh timer: if it's dying, ignore.. */ | 386 | /* Refresh timer: if it's dying, ignore.. */ |
| 389 | if (refresh_timer(i)) { | 387 | if (refresh_timer(i)) { |
| @@ -406,7 +404,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) | |||
| 406 | } | 404 | } |
| 407 | } | 405 | } |
| 408 | 406 | ||
| 409 | if (nf_ct_expect_count >= nf_ct_expect_max) { | 407 | if (net->ct.expect_count >= nf_ct_expect_max) { |
| 410 | if (net_ratelimit()) | 408 | if (net_ratelimit()) |
| 411 | printk(KERN_WARNING | 409 | printk(KERN_WARNING |
| 412 | "nf_conntrack: expectation table full\n"); | 410 | "nf_conntrack: expectation table full\n"); |
| @@ -430,11 +428,12 @@ struct ct_expect_iter_state { | |||
| 430 | 428 | ||
| 431 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | 429 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) |
| 432 | { | 430 | { |
| 431 | struct net *net = &init_net; | ||
| 433 | struct ct_expect_iter_state *st = seq->private; | 432 | struct ct_expect_iter_state *st = seq->private; |
| 434 | struct hlist_node *n; | 433 | struct hlist_node *n; |
| 435 | 434 | ||
| 436 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { | 435 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { |
| 437 | n = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 436 | n = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 438 | if (n) | 437 | if (n) |
| 439 | return n; | 438 | return n; |
| 440 | } | 439 | } |
| @@ -444,13 +443,14 @@ static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | |||
| 444 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, | 443 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, |
| 445 | struct hlist_node *head) | 444 | struct hlist_node *head) |
| 446 | { | 445 | { |
| 446 | struct net *net = &init_net; | ||
| 447 | struct ct_expect_iter_state *st = seq->private; | 447 | struct ct_expect_iter_state *st = seq->private; |
| 448 | 448 | ||
| 449 | head = rcu_dereference(head->next); | 449 | head = rcu_dereference(head->next); |
| 450 | while (head == NULL) { | 450 | while (head == NULL) { |
| 451 | if (++st->bucket >= nf_ct_expect_hsize) | 451 | if (++st->bucket >= nf_ct_expect_hsize) |
| 452 | return NULL; | 452 | return NULL; |
| 453 | head = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 453 | head = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 454 | } | 454 | } |
| 455 | return head; | 455 | return head; |
| 456 | } | 456 | } |
| @@ -558,7 +558,7 @@ static void exp_proc_remove(void) | |||
| 558 | 558 | ||
| 559 | module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600); | 559 | module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600); |
| 560 | 560 | ||
| 561 | int nf_conntrack_expect_init(void) | 561 | int nf_conntrack_expect_init(struct net *net) |
| 562 | { | 562 | { |
| 563 | int err = -ENOMEM; | 563 | int err = -ENOMEM; |
| 564 | 564 | ||
| @@ -569,9 +569,10 @@ int nf_conntrack_expect_init(void) | |||
| 569 | } | 569 | } |
| 570 | nf_ct_expect_max = nf_ct_expect_hsize * 4; | 570 | nf_ct_expect_max = nf_ct_expect_hsize * 4; |
| 571 | 571 | ||
| 572 | nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, | 572 | net->ct.expect_count = 0; |
| 573 | &nf_ct_expect_vmalloc); | 573 | net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, |
| 574 | if (nf_ct_expect_hash == NULL) | 574 | &net->ct.expect_vmalloc); |
| 575 | if (net->ct.expect_hash == NULL) | ||
| 575 | goto err1; | 576 | goto err1; |
| 576 | 577 | ||
| 577 | nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect", | 578 | nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect", |
| @@ -589,16 +590,16 @@ int nf_conntrack_expect_init(void) | |||
| 589 | err3: | 590 | err3: |
| 590 | kmem_cache_destroy(nf_ct_expect_cachep); | 591 | kmem_cache_destroy(nf_ct_expect_cachep); |
| 591 | err2: | 592 | err2: |
| 592 | nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc, | 593 | nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc, |
| 593 | nf_ct_expect_hsize); | 594 | nf_ct_expect_hsize); |
| 594 | err1: | 595 | err1: |
| 595 | return err; | 596 | return err; |
| 596 | } | 597 | } |
| 597 | 598 | ||
| 598 | void nf_conntrack_expect_fini(void) | 599 | void nf_conntrack_expect_fini(struct net *net) |
| 599 | { | 600 | { |
| 600 | exp_proc_remove(); | 601 | exp_proc_remove(); |
| 601 | kmem_cache_destroy(nf_ct_expect_cachep); | 602 | kmem_cache_destroy(nf_ct_expect_cachep); |
| 602 | nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc, | 603 | nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc, |
| 603 | nf_ct_expect_hsize); | 604 | nf_ct_expect_hsize); |
| 604 | } | 605 | } |
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index 5dc0478108ae..dfb826c973d9 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c | |||
| @@ -1219,7 +1219,7 @@ static struct nf_conntrack_expect *find_expect(struct nf_conn *ct, | |||
| 1219 | tuple.dst.u.tcp.port = port; | 1219 | tuple.dst.u.tcp.port = port; |
| 1220 | tuple.dst.protonum = IPPROTO_TCP; | 1220 | tuple.dst.protonum = IPPROTO_TCP; |
| 1221 | 1221 | ||
| 1222 | exp = __nf_ct_expect_find(&tuple); | 1222 | exp = __nf_ct_expect_find(&init_net, &tuple); |
| 1223 | if (exp && exp->master == ct) | 1223 | if (exp && exp->master == ct) |
| 1224 | return exp; | 1224 | return exp; |
| 1225 | return NULL; | 1225 | return NULL; |
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index d91278dfdafd..c793db810cd5 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c | |||
| @@ -145,7 +145,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me) | |||
| 145 | /* Get rid of expectations */ | 145 | /* Get rid of expectations */ |
| 146 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 146 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
| 147 | hlist_for_each_entry_safe(exp, n, next, | 147 | hlist_for_each_entry_safe(exp, n, next, |
| 148 | &nf_ct_expect_hash[i], hnode) { | 148 | &init_net.ct.expect_hash[i], hnode) { |
| 149 | struct nf_conn_help *help = nfct_help(exp->master); | 149 | struct nf_conn_help *help = nfct_help(exp->master); |
| 150 | if ((help->helper == me || exp->helper == me) && | 150 | if ((help->helper == me || exp->helper == me) && |
| 151 | del_timer(&exp->timeout)) { | 151 | del_timer(&exp->timeout)) { |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 918a3358a126..cadfd15b44f6 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -1458,6 +1458,7 @@ static int ctnetlink_exp_done(struct netlink_callback *cb) | |||
| 1458 | static int | 1458 | static int |
| 1459 | ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | 1459 | ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) |
| 1460 | { | 1460 | { |
| 1461 | struct net *net = &init_net; | ||
| 1461 | struct nf_conntrack_expect *exp, *last; | 1462 | struct nf_conntrack_expect *exp, *last; |
| 1462 | struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh); | 1463 | struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh); |
| 1463 | struct hlist_node *n; | 1464 | struct hlist_node *n; |
| @@ -1467,7 +1468,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 1467 | last = (struct nf_conntrack_expect *)cb->args[1]; | 1468 | last = (struct nf_conntrack_expect *)cb->args[1]; |
| 1468 | for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { | 1469 | for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { |
| 1469 | restart: | 1470 | restart: |
| 1470 | hlist_for_each_entry(exp, n, &nf_ct_expect_hash[cb->args[0]], | 1471 | hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]], |
| 1471 | hnode) { | 1472 | hnode) { |
| 1472 | if (l3proto && exp->tuple.src.l3num != l3proto) | 1473 | if (l3proto && exp->tuple.src.l3num != l3proto) |
| 1473 | continue; | 1474 | continue; |
| @@ -1529,7 +1530,7 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1529 | if (err < 0) | 1530 | if (err < 0) |
| 1530 | return err; | 1531 | return err; |
| 1531 | 1532 | ||
| 1532 | exp = nf_ct_expect_find_get(&tuple); | 1533 | exp = nf_ct_expect_find_get(&init_net, &tuple); |
| 1533 | if (!exp) | 1534 | if (!exp) |
| 1534 | return -ENOENT; | 1535 | return -ENOENT; |
| 1535 | 1536 | ||
| @@ -1583,7 +1584,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1583 | return err; | 1584 | return err; |
| 1584 | 1585 | ||
| 1585 | /* bump usage count to 2 */ | 1586 | /* bump usage count to 2 */ |
| 1586 | exp = nf_ct_expect_find_get(&tuple); | 1587 | exp = nf_ct_expect_find_get(&init_net, &tuple); |
| 1587 | if (!exp) | 1588 | if (!exp) |
| 1588 | return -ENOENT; | 1589 | return -ENOENT; |
| 1589 | 1590 | ||
| @@ -1613,7 +1614,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1613 | } | 1614 | } |
| 1614 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 1615 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
| 1615 | hlist_for_each_entry_safe(exp, n, next, | 1616 | hlist_for_each_entry_safe(exp, n, next, |
| 1616 | &nf_ct_expect_hash[i], | 1617 | &init_net.ct.expect_hash[i], |
| 1617 | hnode) { | 1618 | hnode) { |
| 1618 | m_help = nfct_help(exp->master); | 1619 | m_help = nfct_help(exp->master); |
| 1619 | if (m_help->helper == h | 1620 | if (m_help->helper == h |
| @@ -1629,7 +1630,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1629 | spin_lock_bh(&nf_conntrack_lock); | 1630 | spin_lock_bh(&nf_conntrack_lock); |
| 1630 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 1631 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
| 1631 | hlist_for_each_entry_safe(exp, n, next, | 1632 | hlist_for_each_entry_safe(exp, n, next, |
| 1632 | &nf_ct_expect_hash[i], | 1633 | &init_net.ct.expect_hash[i], |
| 1633 | hnode) { | 1634 | hnode) { |
| 1634 | if (del_timer(&exp->timeout)) { | 1635 | if (del_timer(&exp->timeout)) { |
| 1635 | nf_ct_unlink_expect(exp); | 1636 | nf_ct_unlink_expect(exp); |
| @@ -1724,7 +1725,7 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1724 | return err; | 1725 | return err; |
| 1725 | 1726 | ||
| 1726 | spin_lock_bh(&nf_conntrack_lock); | 1727 | spin_lock_bh(&nf_conntrack_lock); |
| 1727 | exp = __nf_ct_expect_find(&tuple); | 1728 | exp = __nf_ct_expect_find(&init_net, &tuple); |
| 1728 | 1729 | ||
| 1729 | if (!exp) { | 1730 | if (!exp) { |
| 1730 | spin_unlock_bh(&nf_conntrack_lock); | 1731 | spin_unlock_bh(&nf_conntrack_lock); |
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c index 7caf45b59d2c..5db7df5d19b7 100644 --- a/net/netfilter/nf_conntrack_pptp.c +++ b/net/netfilter/nf_conntrack_pptp.c | |||
| @@ -121,7 +121,7 @@ static void pptp_expectfn(struct nf_conn *ct, | |||
| 121 | pr_debug("trying to unexpect other dir: "); | 121 | pr_debug("trying to unexpect other dir: "); |
| 122 | nf_ct_dump_tuple(&inv_t); | 122 | nf_ct_dump_tuple(&inv_t); |
| 123 | 123 | ||
| 124 | exp_other = nf_ct_expect_find_get(&inv_t); | 124 | exp_other = nf_ct_expect_find_get(&init_net, &inv_t); |
| 125 | if (exp_other) { | 125 | if (exp_other) { |
| 126 | /* delete other expectation. */ | 126 | /* delete other expectation. */ |
| 127 | pr_debug("found\n"); | 127 | pr_debug("found\n"); |
| @@ -154,7 +154,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t) | |||
| 154 | nf_ct_put(sibling); | 154 | nf_ct_put(sibling); |
| 155 | return 1; | 155 | return 1; |
| 156 | } else { | 156 | } else { |
| 157 | exp = nf_ct_expect_find_get(t); | 157 | exp = nf_ct_expect_find_get(&init_net, t); |
| 158 | if (exp) { | 158 | if (exp) { |
| 159 | pr_debug("unexpect_related of expect %p\n", exp); | 159 | pr_debug("unexpect_related of expect %p\n", exp); |
| 160 | nf_ct_unexpect_related(exp); | 160 | nf_ct_unexpect_related(exp); |
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 1fa306be60fb..a006080eb389 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c | |||
| @@ -775,7 +775,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, | |||
| 775 | 775 | ||
| 776 | rcu_read_lock(); | 776 | rcu_read_lock(); |
| 777 | do { | 777 | do { |
| 778 | exp = __nf_ct_expect_find(&tuple); | 778 | exp = __nf_ct_expect_find(&init_net, &tuple); |
| 779 | 779 | ||
| 780 | if (!exp || exp->master == ct || | 780 | if (!exp || exp->master == ct || |
| 781 | nfct_help(exp->master)->helper != nfct_help(ct)->helper || | 781 | nfct_help(exp->master)->helper != nfct_help(ct)->helper || |