diff options
author | Alexey Dobriyan <adobriyan@gmail.com> | 2008-10-08 05:35:09 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2008-10-08 05:35:09 -0400 |
commit | d716a4dfbbdf0d4731d596a96e5f4b0d892ac168 (patch) | |
tree | 6131d86efdcebf7da50ded77e437223df9f41f7c | |
parent | c2a2c7e0cc39e7f9336cd67e8307a110bdba82f3 (diff) |
netfilter: netns nf_conntrack: per-netns conntrack accounting
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r-- | include/net/netfilter/nf_conntrack_acct.h | 10 | ||||
-rw-r--r-- | include/net/netns/conntrack.h | 2 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_acct.c | 100 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_core.c | 4 |
4 files changed, 81 insertions, 35 deletions
diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h index 5d5ae55d54c4..03e218f0be43 100644 --- a/include/net/netfilter/nf_conntrack_acct.h +++ b/include/net/netfilter/nf_conntrack_acct.h | |||
@@ -8,6 +8,7 @@ | |||
8 | 8 | ||
9 | #ifndef _NF_CONNTRACK_ACCT_H | 9 | #ifndef _NF_CONNTRACK_ACCT_H |
10 | #define _NF_CONNTRACK_ACCT_H | 10 | #define _NF_CONNTRACK_ACCT_H |
11 | #include <net/net_namespace.h> | ||
11 | #include <linux/netfilter/nf_conntrack_common.h> | 12 | #include <linux/netfilter/nf_conntrack_common.h> |
12 | #include <linux/netfilter/nf_conntrack_tuple_common.h> | 13 | #include <linux/netfilter/nf_conntrack_tuple_common.h> |
13 | #include <net/netfilter/nf_conntrack.h> | 14 | #include <net/netfilter/nf_conntrack.h> |
@@ -18,8 +19,6 @@ struct nf_conn_counter { | |||
18 | u_int64_t bytes; | 19 | u_int64_t bytes; |
19 | }; | 20 | }; |
20 | 21 | ||
21 | extern int nf_ct_acct; | ||
22 | |||
23 | static inline | 22 | static inline |
24 | struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct) | 23 | struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct) |
25 | { | 24 | { |
@@ -29,9 +28,10 @@ struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct) | |||
29 | static inline | 28 | static inline |
30 | struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) | 29 | struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) |
31 | { | 30 | { |
31 | struct net *net = nf_ct_net(ct); | ||
32 | struct nf_conn_counter *acct; | 32 | struct nf_conn_counter *acct; |
33 | 33 | ||
34 | if (!nf_ct_acct) | 34 | if (!net->ct.sysctl_acct) |
35 | return NULL; | 35 | return NULL; |
36 | 36 | ||
37 | acct = nf_ct_ext_add(ct, NF_CT_EXT_ACCT, gfp); | 37 | acct = nf_ct_ext_add(ct, NF_CT_EXT_ACCT, gfp); |
@@ -45,7 +45,7 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) | |||
45 | extern unsigned int | 45 | extern unsigned int |
46 | seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); | 46 | seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); |
47 | 47 | ||
48 | extern int nf_conntrack_acct_init(void); | 48 | extern int nf_conntrack_acct_init(struct net *net); |
49 | extern void nf_conntrack_acct_fini(void); | 49 | extern void nf_conntrack_acct_fini(struct net *net); |
50 | 50 | ||
51 | #endif /* _NF_CONNTRACK_ACCT_H */ | 51 | #endif /* _NF_CONNTRACK_ACCT_H */ |
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index 503e37551b17..f4498a62881b 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h | |||
@@ -17,10 +17,12 @@ struct netns_ct { | |||
17 | #ifdef CONFIG_NF_CONNTRACK_EVENTS | 17 | #ifdef CONFIG_NF_CONNTRACK_EVENTS |
18 | struct nf_conntrack_ecache *ecache; | 18 | struct nf_conntrack_ecache *ecache; |
19 | #endif | 19 | #endif |
20 | int sysctl_acct; | ||
20 | int sysctl_checksum; | 21 | int sysctl_checksum; |
21 | unsigned int sysctl_log_invalid; /* Log invalid packets */ | 22 | unsigned int sysctl_log_invalid; /* Log invalid packets */ |
22 | #ifdef CONFIG_SYSCTL | 23 | #ifdef CONFIG_SYSCTL |
23 | struct ctl_table_header *sysctl_header; | 24 | struct ctl_table_header *sysctl_header; |
25 | struct ctl_table_header *acct_sysctl_header; | ||
24 | #endif | 26 | #endif |
25 | int hash_vmalloc; | 27 | int hash_vmalloc; |
26 | int expect_vmalloc; | 28 | int expect_vmalloc; |
diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c index 59bd8b903a19..03591d37b9cc 100644 --- a/net/netfilter/nf_conntrack_acct.c +++ b/net/netfilter/nf_conntrack_acct.c | |||
@@ -22,19 +22,17 @@ | |||
22 | #define NF_CT_ACCT_DEFAULT 0 | 22 | #define NF_CT_ACCT_DEFAULT 0 |
23 | #endif | 23 | #endif |
24 | 24 | ||
25 | int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT; | 25 | static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT; |
26 | EXPORT_SYMBOL_GPL(nf_ct_acct); | ||
27 | 26 | ||
28 | module_param_named(acct, nf_ct_acct, bool, 0644); | 27 | module_param_named(acct, nf_ct_acct, bool, 0644); |
29 | MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting."); | 28 | MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting."); |
30 | 29 | ||
31 | #ifdef CONFIG_SYSCTL | 30 | #ifdef CONFIG_SYSCTL |
32 | static struct ctl_table_header *acct_sysctl_header; | ||
33 | static struct ctl_table acct_sysctl_table[] = { | 31 | static struct ctl_table acct_sysctl_table[] = { |
34 | { | 32 | { |
35 | .ctl_name = CTL_UNNUMBERED, | 33 | .ctl_name = CTL_UNNUMBERED, |
36 | .procname = "nf_conntrack_acct", | 34 | .procname = "nf_conntrack_acct", |
37 | .data = &nf_ct_acct, | 35 | .data = &init_net.ct.sysctl_acct, |
38 | .maxlen = sizeof(unsigned int), | 36 | .maxlen = sizeof(unsigned int), |
39 | .mode = 0644, | 37 | .mode = 0644, |
40 | .proc_handler = &proc_dointvec, | 38 | .proc_handler = &proc_dointvec, |
@@ -64,41 +62,87 @@ static struct nf_ct_ext_type acct_extend __read_mostly = { | |||
64 | .id = NF_CT_EXT_ACCT, | 62 | .id = NF_CT_EXT_ACCT, |
65 | }; | 63 | }; |
66 | 64 | ||
67 | int nf_conntrack_acct_init(void) | 65 | #ifdef CONFIG_SYSCTL |
66 | static int nf_conntrack_acct_init_sysctl(struct net *net) | ||
68 | { | 67 | { |
69 | int ret; | 68 | struct ctl_table *table; |
70 | 69 | ||
71 | #ifdef CONFIG_NF_CT_ACCT | 70 | table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table), |
72 | printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Plase use\n"); | 71 | GFP_KERNEL); |
73 | printk(KERN_WARNING "nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or\n"); | 72 | if (!table) |
74 | printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n"); | 73 | goto out; |
75 | #endif | 74 | |
75 | table[0].data = &net->ct.sysctl_acct; | ||
76 | 76 | ||
77 | ret = nf_ct_extend_register(&acct_extend); | 77 | net->ct.acct_sysctl_header = register_net_sysctl_table(net, |
78 | if (ret < 0) { | 78 | nf_net_netfilter_sysctl_path, table); |
79 | printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n"); | 79 | if (!net->ct.acct_sysctl_header) { |
80 | return ret; | 80 | printk(KERN_ERR "nf_conntrack_acct: can't register to sysctl.\n"); |
81 | goto out_register; | ||
81 | } | 82 | } |
83 | return 0; | ||
82 | 84 | ||
83 | #ifdef CONFIG_SYSCTL | 85 | out_register: |
84 | acct_sysctl_header = register_sysctl_paths(nf_net_netfilter_sysctl_path, | 86 | kfree(table); |
85 | acct_sysctl_table); | 87 | out: |
88 | return -ENOMEM; | ||
89 | } | ||
86 | 90 | ||
87 | if (!acct_sysctl_header) { | 91 | static void nf_conntrack_acct_fini_sysctl(struct net *net) |
88 | nf_ct_extend_unregister(&acct_extend); | 92 | { |
93 | struct ctl_table *table; | ||
89 | 94 | ||
90 | printk(KERN_ERR "nf_conntrack_acct: can't register to sysctl.\n"); | 95 | table = net->ct.acct_sysctl_header->ctl_table_arg; |
91 | return -ENOMEM; | 96 | unregister_net_sysctl_table(net->ct.acct_sysctl_header); |
92 | } | 97 | kfree(table); |
98 | } | ||
99 | #else | ||
100 | static int nf_conntrack_acct_init_sysctl(struct net *net) | ||
101 | { | ||
102 | return 0; | ||
103 | } | ||
104 | |||
105 | static void nf_conntrack_acct_fini_sysctl(struct net *net) | ||
106 | { | ||
107 | } | ||
108 | #endif | ||
109 | |||
110 | int nf_conntrack_acct_init(struct net *net) | ||
111 | { | ||
112 | int ret; | ||
113 | |||
114 | net->ct.sysctl_acct = nf_ct_acct; | ||
115 | |||
116 | if (net_eq(net, &init_net)) { | ||
117 | #ifdef CONFIG_NF_CT_ACCT | ||
118 | printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Plase use\n"); | ||
119 | printk(KERN_WARNING "nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or\n"); | ||
120 | printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n"); | ||
93 | #endif | 121 | #endif |
94 | 122 | ||
123 | ret = nf_ct_extend_register(&acct_extend); | ||
124 | if (ret < 0) { | ||
125 | printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n"); | ||
126 | goto out_extend_register; | ||
127 | } | ||
128 | } | ||
129 | |||
130 | ret = nf_conntrack_acct_init_sysctl(net); | ||
131 | if (ret < 0) | ||
132 | goto out_sysctl; | ||
133 | |||
95 | return 0; | 134 | return 0; |
135 | |||
136 | out_sysctl: | ||
137 | if (net_eq(net, &init_net)) | ||
138 | nf_ct_extend_unregister(&acct_extend); | ||
139 | out_extend_register: | ||
140 | return ret; | ||
96 | } | 141 | } |
97 | 142 | ||
98 | void nf_conntrack_acct_fini(void) | 143 | void nf_conntrack_acct_fini(struct net *net) |
99 | { | 144 | { |
100 | #ifdef CONFIG_SYSCTL | 145 | nf_conntrack_acct_fini_sysctl(net); |
101 | unregister_sysctl_table(acct_sysctl_header); | 146 | if (net_eq(net, &init_net)) |
102 | #endif | 147 | nf_ct_extend_unregister(&acct_extend); |
103 | nf_ct_extend_unregister(&acct_extend); | ||
104 | } | 148 | } |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index ade0bb3ab2e3..bb26460d897c 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
@@ -1039,7 +1039,7 @@ void nf_conntrack_cleanup(struct net *net) | |||
1039 | nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc, | 1039 | nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc, |
1040 | nf_conntrack_htable_size); | 1040 | nf_conntrack_htable_size); |
1041 | 1041 | ||
1042 | nf_conntrack_acct_fini(); | 1042 | nf_conntrack_acct_fini(net); |
1043 | nf_conntrack_expect_fini(net); | 1043 | nf_conntrack_expect_fini(net); |
1044 | free_percpu(net->ct.stat); | 1044 | free_percpu(net->ct.stat); |
1045 | nf_conntrack_helper_fini(); | 1045 | nf_conntrack_helper_fini(); |
@@ -1191,7 +1191,7 @@ int nf_conntrack_init(struct net *net) | |||
1191 | if (ret < 0) | 1191 | if (ret < 0) |
1192 | goto out_fini_expect; | 1192 | goto out_fini_expect; |
1193 | 1193 | ||
1194 | ret = nf_conntrack_acct_init(); | 1194 | ret = nf_conntrack_acct_init(net); |
1195 | if (ret < 0) | 1195 | if (ret < 0) |
1196 | goto out_fini_helper; | 1196 | goto out_fini_helper; |
1197 | 1197 | ||