aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPavel Emelyanov <xemul@openvz.org>2007-10-15 05:33:45 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-10-15 15:26:40 -0400
commit04128f233f2b344f3438cde09723e9946463a573 (patch)
tree04f4518ef51c74de4d318d7ea908b3215a6aa9c8
parent7eb95156d9dce2f59794264db336ce007d71638b (diff)
[INET]: Collect common frag sysctl variables together
Some sysctl variables are used to tune the frag queues management and it will be useful to work with them in a common way in the future, so move them into one structure, moreover they are the same for all the frag management codes. I don't place them in the existing inet_frags object, introduced in the previous patch for two reasons: 1. to keep them in the __read_mostly section; 2. not to export the whole inet_frags objects outside. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/inet_frag.h8
-rw-r--r--include/net/ip.h6
-rw-r--r--include/net/ipv6.h6
-rw-r--r--include/net/netfilter/ipv6/nf_conntrack_ipv6.h5
-rw-r--r--net/ipv4/ip_fragment.c47
-rw-r--r--net/ipv4/sysctl_net_ipv4.c9
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c7
-rw-r--r--net/ipv6/netfilter/nf_conntrack_reasm.c29
-rw-r--r--net/ipv6/reassembly.c25
-rw-r--r--net/ipv6/sysctl_net_ipv6.c9
10 files changed, 82 insertions, 69 deletions
diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h
index d51f23873da9..ada03ba3b341 100644
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -20,6 +20,13 @@ struct inet_frag_queue {
20 20
21#define INETFRAGS_HASHSZ 64 21#define INETFRAGS_HASHSZ 64
22 22
23struct inet_frags_ctl {
24 int high_thresh;
25 int low_thresh;
26 int timeout;
27 int secret_interval;
28};
29
23struct inet_frags { 30struct inet_frags {
24 struct list_head lru_list; 31 struct list_head lru_list;
25 struct hlist_head hash[INETFRAGS_HASHSZ]; 32 struct hlist_head hash[INETFRAGS_HASHSZ];
@@ -28,6 +35,7 @@ struct inet_frags {
28 int nqueues; 35 int nqueues;
29 atomic_t mem; 36 atomic_t mem;
30 struct timer_list secret_timer; 37 struct timer_list secret_timer;
38 struct inet_frags_ctl *ctl;
31}; 39};
32 40
33void inet_frags_init(struct inet_frags *); 41void inet_frags_init(struct inet_frags *);
diff --git a/include/net/ip.h b/include/net/ip.h
index c08c59e2384c..e6aa955e241c 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -177,10 +177,8 @@ extern int sysctl_ip_default_ttl;
177extern int sysctl_ip_nonlocal_bind; 177extern int sysctl_ip_nonlocal_bind;
178 178
179/* From ip_fragment.c */ 179/* From ip_fragment.c */
180extern int sysctl_ipfrag_high_thresh; 180struct inet_frags_ctl;
181extern int sysctl_ipfrag_low_thresh; 181extern struct inet_frags_ctl ip4_frags_ctl;
182extern int sysctl_ipfrag_time;
183extern int sysctl_ipfrag_secret_interval;
184extern int sysctl_ipfrag_max_dist; 182extern int sysctl_ipfrag_max_dist;
185 183
186/* From inetpeer.c */ 184/* From inetpeer.c */
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 77cdab3ce160..b29d76c715d2 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -565,10 +565,8 @@ extern int inet6_hash_connect(struct inet_timewait_death_row *death_row,
565/* 565/*
566 * reassembly.c 566 * reassembly.c
567 */ 567 */
568extern int sysctl_ip6frag_high_thresh; 568struct inet_frags_ctl;
569extern int sysctl_ip6frag_low_thresh; 569extern struct inet_frags_ctl ip6_frags_ctl;
570extern int sysctl_ip6frag_time;
571extern int sysctl_ip6frag_secret_interval;
572 570
573extern const struct proto_ops inet6_stream_ops; 571extern const struct proto_ops inet6_stream_ops;
574extern const struct proto_ops inet6_dgram_ops; 572extern const struct proto_ops inet6_dgram_ops;
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index 070d12cb4634..f703533fb4db 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -15,8 +15,7 @@ extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
15 struct net_device *out, 15 struct net_device *out,
16 int (*okfn)(struct sk_buff *)); 16 int (*okfn)(struct sk_buff *));
17 17
18extern unsigned int nf_ct_frag6_timeout; 18struct inet_frags_ctl;
19extern unsigned int nf_ct_frag6_low_thresh; 19extern struct inet_frags_ctl nf_frags_ctl;
20extern unsigned int nf_ct_frag6_high_thresh;
21 20
22#endif /* _NF_CONNTRACK_IPV6_H*/ 21#endif /* _NF_CONNTRACK_IPV6_H*/
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 321e694b72e8..0dd9a31df212 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -50,21 +50,8 @@
50 * as well. Or notify me, at least. --ANK 50 * as well. Or notify me, at least. --ANK
51 */ 51 */
52 52
53/* Fragment cache limits. We will commit 256K at one time. Should we
54 * cross that limit we will prune down to 192K. This should cope with
55 * even the most extreme cases without allowing an attacker to measurably
56 * harm machine performance.
57 */
58int sysctl_ipfrag_high_thresh __read_mostly = 256*1024;
59int sysctl_ipfrag_low_thresh __read_mostly = 192*1024;
60
61int sysctl_ipfrag_max_dist __read_mostly = 64; 53int sysctl_ipfrag_max_dist __read_mostly = 64;
62 54
63/* Important NOTE! Fragment queue must be destroyed before MSL expires.
64 * RFC791 is wrong proposing to prolongate timer each fragment arrival by TTL.
65 */
66int sysctl_ipfrag_time __read_mostly = IP_FRAG_TIME;
67
68struct ipfrag_skb_cb 55struct ipfrag_skb_cb
69{ 56{
70 struct inet_skb_parm h; 57 struct inet_skb_parm h;
@@ -87,6 +74,25 @@ struct ipq {
87 struct inet_peer *peer; 74 struct inet_peer *peer;
88}; 75};
89 76
77struct inet_frags_ctl ip4_frags_ctl __read_mostly = {
78 /*
79 * Fragment cache limits. We will commit 256K at one time. Should we
80 * cross that limit we will prune down to 192K. This should cope with
81 * even the most extreme cases without allowing an attacker to
82 * measurably harm machine performance.
83 */
84 .high_thresh = 256 * 1024,
85 .low_thresh = 192 * 1024,
86
87 /*
88 * Important NOTE! Fragment queue must be destroyed before MSL expires.
89 * RFC791 is wrong proposing to prolongate timer each fragment arrival
90 * by TTL.
91 */
92 .timeout = IP_FRAG_TIME,
93 .secret_interval = 10 * 60 * HZ,
94};
95
90static struct inet_frags ip4_frags; 96static struct inet_frags ip4_frags;
91 97
92int ip_frag_nqueues(void) 98int ip_frag_nqueues(void)
@@ -123,8 +129,6 @@ static unsigned int ipqhashfn(__be16 id, __be32 saddr, __be32 daddr, u8 prot)
123 ip4_frags.rnd) & (INETFRAGS_HASHSZ - 1); 129 ip4_frags.rnd) & (INETFRAGS_HASHSZ - 1);
124} 130}
125 131
126int sysctl_ipfrag_secret_interval __read_mostly = 10 * 60 * HZ;
127
128static void ipfrag_secret_rebuild(unsigned long dummy) 132static void ipfrag_secret_rebuild(unsigned long dummy)
129{ 133{
130 unsigned long now = jiffies; 134 unsigned long now = jiffies;
@@ -150,7 +154,7 @@ static void ipfrag_secret_rebuild(unsigned long dummy)
150 } 154 }
151 write_unlock(&ip4_frags.lock); 155 write_unlock(&ip4_frags.lock);
152 156
153 mod_timer(&ip4_frags.secret_timer, now + sysctl_ipfrag_secret_interval); 157 mod_timer(&ip4_frags.secret_timer, now + ip4_frags_ctl.secret_interval);
154} 158}
155 159
156/* Memory Tracking Functions. */ 160/* Memory Tracking Functions. */
@@ -237,7 +241,7 @@ static void ip_evictor(void)
237 struct list_head *tmp; 241 struct list_head *tmp;
238 int work; 242 int work;
239 243
240 work = atomic_read(&ip4_frags.mem) - sysctl_ipfrag_low_thresh; 244 work = atomic_read(&ip4_frags.mem) - ip4_frags_ctl.low_thresh;
241 if (work <= 0) 245 if (work <= 0)
242 return; 246 return;
243 247
@@ -326,7 +330,7 @@ static struct ipq *ip_frag_intern(struct ipq *qp_in)
326#endif 330#endif
327 qp = qp_in; 331 qp = qp_in;
328 332
329 if (!mod_timer(&qp->q.timer, jiffies + sysctl_ipfrag_time)) 333 if (!mod_timer(&qp->q.timer, jiffies + ip4_frags_ctl.timeout))
330 atomic_inc(&qp->q.refcnt); 334 atomic_inc(&qp->q.refcnt);
331 335
332 atomic_inc(&qp->q.refcnt); 336 atomic_inc(&qp->q.refcnt);
@@ -432,7 +436,7 @@ static int ip_frag_reinit(struct ipq *qp)
432{ 436{
433 struct sk_buff *fp; 437 struct sk_buff *fp;
434 438
435 if (!mod_timer(&qp->q.timer, jiffies + sysctl_ipfrag_time)) { 439 if (!mod_timer(&qp->q.timer, jiffies + ip4_frags_ctl.timeout)) {
436 atomic_inc(&qp->q.refcnt); 440 atomic_inc(&qp->q.refcnt);
437 return -ETIMEDOUT; 441 return -ETIMEDOUT;
438 } 442 }
@@ -733,7 +737,7 @@ int ip_defrag(struct sk_buff *skb, u32 user)
733 IP_INC_STATS_BH(IPSTATS_MIB_REASMREQDS); 737 IP_INC_STATS_BH(IPSTATS_MIB_REASMREQDS);
734 738
735 /* Start by cleaning up the memory. */ 739 /* Start by cleaning up the memory. */
736 if (atomic_read(&ip4_frags.mem) > sysctl_ipfrag_high_thresh) 740 if (atomic_read(&ip4_frags.mem) > ip4_frags_ctl.high_thresh)
737 ip_evictor(); 741 ip_evictor();
738 742
739 /* Lookup (or create) queue header */ 743 /* Lookup (or create) queue header */
@@ -758,9 +762,10 @@ void __init ipfrag_init(void)
758{ 762{
759 init_timer(&ip4_frags.secret_timer); 763 init_timer(&ip4_frags.secret_timer);
760 ip4_frags.secret_timer.function = ipfrag_secret_rebuild; 764 ip4_frags.secret_timer.function = ipfrag_secret_rebuild;
761 ip4_frags.secret_timer.expires = jiffies + sysctl_ipfrag_secret_interval; 765 ip4_frags.secret_timer.expires = jiffies + ip4_frags_ctl.secret_interval;
762 add_timer(&ip4_frags.secret_timer); 766 add_timer(&ip4_frags.secret_timer);
763 767
768 ip4_frags.ctl = &ip4_frags_ctl;
764 inet_frags_init(&ip4_frags); 769 inet_frags_init(&ip4_frags);
765} 770}
766 771
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index eb286abcf5dc..c98ef16effd2 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -19,6 +19,7 @@
19#include <net/route.h> 19#include <net/route.h>
20#include <net/tcp.h> 20#include <net/tcp.h>
21#include <net/cipso_ipv4.h> 21#include <net/cipso_ipv4.h>
22#include <net/inet_frag.h>
22 23
23/* From af_inet.c */ 24/* From af_inet.c */
24extern int sysctl_ip_nonlocal_bind; 25extern int sysctl_ip_nonlocal_bind;
@@ -357,7 +358,7 @@ ctl_table ipv4_table[] = {
357 { 358 {
358 .ctl_name = NET_IPV4_IPFRAG_HIGH_THRESH, 359 .ctl_name = NET_IPV4_IPFRAG_HIGH_THRESH,
359 .procname = "ipfrag_high_thresh", 360 .procname = "ipfrag_high_thresh",
360 .data = &sysctl_ipfrag_high_thresh, 361 .data = &ip4_frags_ctl.high_thresh,
361 .maxlen = sizeof(int), 362 .maxlen = sizeof(int),
362 .mode = 0644, 363 .mode = 0644,
363 .proc_handler = &proc_dointvec 364 .proc_handler = &proc_dointvec
@@ -365,7 +366,7 @@ ctl_table ipv4_table[] = {
365 { 366 {
366 .ctl_name = NET_IPV4_IPFRAG_LOW_THRESH, 367 .ctl_name = NET_IPV4_IPFRAG_LOW_THRESH,
367 .procname = "ipfrag_low_thresh", 368 .procname = "ipfrag_low_thresh",
368 .data = &sysctl_ipfrag_low_thresh, 369 .data = &ip4_frags_ctl.low_thresh,
369 .maxlen = sizeof(int), 370 .maxlen = sizeof(int),
370 .mode = 0644, 371 .mode = 0644,
371 .proc_handler = &proc_dointvec 372 .proc_handler = &proc_dointvec
@@ -381,7 +382,7 @@ ctl_table ipv4_table[] = {
381 { 382 {
382 .ctl_name = NET_IPV4_IPFRAG_TIME, 383 .ctl_name = NET_IPV4_IPFRAG_TIME,
383 .procname = "ipfrag_time", 384 .procname = "ipfrag_time",
384 .data = &sysctl_ipfrag_time, 385 .data = &ip4_frags_ctl.timeout,
385 .maxlen = sizeof(int), 386 .maxlen = sizeof(int),
386 .mode = 0644, 387 .mode = 0644,
387 .proc_handler = &proc_dointvec_jiffies, 388 .proc_handler = &proc_dointvec_jiffies,
@@ -732,7 +733,7 @@ ctl_table ipv4_table[] = {
732 { 733 {
733 .ctl_name = NET_IPV4_IPFRAG_SECRET_INTERVAL, 734 .ctl_name = NET_IPV4_IPFRAG_SECRET_INTERVAL,
734 .procname = "ipfrag_secret_interval", 735 .procname = "ipfrag_secret_interval",
735 .data = &sysctl_ipfrag_secret_interval, 736 .data = &ip4_frags_ctl.secret_interval,
736 .maxlen = sizeof(int), 737 .maxlen = sizeof(int),
737 .mode = 0644, 738 .mode = 0644,
738 .proc_handler = &proc_dointvec_jiffies, 739 .proc_handler = &proc_dointvec_jiffies,
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index e9369dc02381..0e40948f4fc6 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -18,6 +18,7 @@
18#include <linux/icmp.h> 18#include <linux/icmp.h>
19#include <linux/sysctl.h> 19#include <linux/sysctl.h>
20#include <net/ipv6.h> 20#include <net/ipv6.h>
21#include <net/inet_frag.h>
21 22
22#include <linux/netfilter_ipv6.h> 23#include <linux/netfilter_ipv6.h>
23#include <net/netfilter/nf_conntrack.h> 24#include <net/netfilter/nf_conntrack.h>
@@ -307,7 +308,7 @@ static ctl_table nf_ct_ipv6_sysctl_table[] = {
307 { 308 {
308 .ctl_name = NET_NF_CONNTRACK_FRAG6_TIMEOUT, 309 .ctl_name = NET_NF_CONNTRACK_FRAG6_TIMEOUT,
309 .procname = "nf_conntrack_frag6_timeout", 310 .procname = "nf_conntrack_frag6_timeout",
310 .data = &nf_ct_frag6_timeout, 311 .data = &nf_frags_ctl.timeout,
311 .maxlen = sizeof(unsigned int), 312 .maxlen = sizeof(unsigned int),
312 .mode = 0644, 313 .mode = 0644,
313 .proc_handler = &proc_dointvec_jiffies, 314 .proc_handler = &proc_dointvec_jiffies,
@@ -315,7 +316,7 @@ static ctl_table nf_ct_ipv6_sysctl_table[] = {
315 { 316 {
316 .ctl_name = NET_NF_CONNTRACK_FRAG6_LOW_THRESH, 317 .ctl_name = NET_NF_CONNTRACK_FRAG6_LOW_THRESH,
317 .procname = "nf_conntrack_frag6_low_thresh", 318 .procname = "nf_conntrack_frag6_low_thresh",
318 .data = &nf_ct_frag6_low_thresh, 319 .data = &nf_frags_ctl.low_thresh,
319 .maxlen = sizeof(unsigned int), 320 .maxlen = sizeof(unsigned int),
320 .mode = 0644, 321 .mode = 0644,
321 .proc_handler = &proc_dointvec, 322 .proc_handler = &proc_dointvec,
@@ -323,7 +324,7 @@ static ctl_table nf_ct_ipv6_sysctl_table[] = {
323 { 324 {
324 .ctl_name = NET_NF_CONNTRACK_FRAG6_HIGH_THRESH, 325 .ctl_name = NET_NF_CONNTRACK_FRAG6_HIGH_THRESH,
325 .procname = "nf_conntrack_frag6_high_thresh", 326 .procname = "nf_conntrack_frag6_high_thresh",
326 .data = &nf_ct_frag6_high_thresh, 327 .data = &nf_frags_ctl.high_thresh,
327 .maxlen = sizeof(unsigned int), 328 .maxlen = sizeof(unsigned int),
328 .mode = 0644, 329 .mode = 0644,
329 .proc_handler = &proc_dointvec, 330 .proc_handler = &proc_dointvec,
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index eb2ca1b7ddab..966a88848406 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -49,10 +49,6 @@
49#define NF_CT_FRAG6_LOW_THRESH 196608 /* == 192*1024 */ 49#define NF_CT_FRAG6_LOW_THRESH 196608 /* == 192*1024 */
50#define NF_CT_FRAG6_TIMEOUT IPV6_FRAG_TIMEOUT 50#define NF_CT_FRAG6_TIMEOUT IPV6_FRAG_TIMEOUT
51 51
52unsigned int nf_ct_frag6_high_thresh __read_mostly = 256*1024;
53unsigned int nf_ct_frag6_low_thresh __read_mostly = 192*1024;
54unsigned long nf_ct_frag6_timeout __read_mostly = IPV6_FRAG_TIMEOUT;
55
56struct nf_ct_frag6_skb_cb 52struct nf_ct_frag6_skb_cb
57{ 53{
58 struct inet6_skb_parm h; 54 struct inet6_skb_parm h;
@@ -74,6 +70,13 @@ struct nf_ct_frag6_queue
74 __u16 nhoffset; 70 __u16 nhoffset;
75}; 71};
76 72
73struct inet_frags_ctl nf_frags_ctl __read_mostly = {
74 .high_thresh = 256 * 1024,
75 .low_thresh = 192 * 1024,
76 .timeout = IPV6_FRAG_TIMEOUT,
77 .secret_interval = 10 * 60 * HZ,
78};
79
77static struct inet_frags nf_frags; 80static struct inet_frags nf_frags;
78 81
79static __inline__ void __fq_unlink(struct nf_ct_frag6_queue *fq) 82static __inline__ void __fq_unlink(struct nf_ct_frag6_queue *fq)
@@ -117,8 +120,6 @@ static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
117 return c & (INETFRAGS_HASHSZ - 1); 120 return c & (INETFRAGS_HASHSZ - 1);
118} 121}
119 122
120int nf_ct_frag6_secret_interval = 10 * 60 * HZ;
121
122static void nf_ct_frag6_secret_rebuild(unsigned long dummy) 123static void nf_ct_frag6_secret_rebuild(unsigned long dummy)
123{ 124{
124 unsigned long now = jiffies; 125 unsigned long now = jiffies;
@@ -144,7 +145,7 @@ static void nf_ct_frag6_secret_rebuild(unsigned long dummy)
144 } 145 }
145 write_unlock(&nf_frags.lock); 146 write_unlock(&nf_frags.lock);
146 147
147 mod_timer(&nf_frags.secret_timer, now + nf_ct_frag6_secret_interval); 148 mod_timer(&nf_frags.secret_timer, now + nf_frags_ctl.secret_interval);
148} 149}
149 150
150/* Memory Tracking Functions. */ 151/* Memory Tracking Functions. */
@@ -229,10 +230,10 @@ static void nf_ct_frag6_evictor(void)
229 unsigned int work; 230 unsigned int work;
230 231
231 work = atomic_read(&nf_frags.mem); 232 work = atomic_read(&nf_frags.mem);
232 if (work <= nf_ct_frag6_low_thresh) 233 if (work <= nf_frags_ctl.low_thresh)
233 return; 234 return;
234 235
235 work -= nf_ct_frag6_low_thresh; 236 work -= nf_frags_ctl.low_thresh;
236 while (work > 0) { 237 while (work > 0) {
237 read_lock(&nf_frags.lock); 238 read_lock(&nf_frags.lock);
238 if (list_empty(&nf_frags.lru_list)) { 239 if (list_empty(&nf_frags.lru_list)) {
@@ -296,7 +297,7 @@ static struct nf_ct_frag6_queue *nf_ct_frag6_intern(unsigned int hash,
296#endif 297#endif
297 fq = fq_in; 298 fq = fq_in;
298 299
299 if (!mod_timer(&fq->q.timer, jiffies + nf_ct_frag6_timeout)) 300 if (!mod_timer(&fq->q.timer, jiffies + nf_frags_ctl.timeout))
300 atomic_inc(&fq->q.refcnt); 301 atomic_inc(&fq->q.refcnt);
301 302
302 atomic_inc(&fq->q.refcnt); 303 atomic_inc(&fq->q.refcnt);
@@ -766,7 +767,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb)
766 goto ret_orig; 767 goto ret_orig;
767 } 768 }
768 769
769 if (atomic_read(&nf_frags.mem) > nf_ct_frag6_high_thresh) 770 if (atomic_read(&nf_frags.mem) > nf_frags_ctl.high_thresh)
770 nf_ct_frag6_evictor(); 771 nf_ct_frag6_evictor();
771 772
772 fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr); 773 fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr);
@@ -838,10 +839,10 @@ int nf_ct_frag6_kfree_frags(struct sk_buff *skb)
838int nf_ct_frag6_init(void) 839int nf_ct_frag6_init(void)
839{ 840{
840 setup_timer(&nf_frags.secret_timer, nf_ct_frag6_secret_rebuild, 0); 841 setup_timer(&nf_frags.secret_timer, nf_ct_frag6_secret_rebuild, 0);
841 nf_frags.secret_timer.expires = jiffies 842 nf_frags.secret_timer.expires = jiffies + nf_frags_ctl.secret_interval;
842 + nf_ct_frag6_secret_interval;
843 add_timer(&nf_frags.secret_timer); 843 add_timer(&nf_frags.secret_timer);
844 844
845 nf_frags.ctl = &nf_frags_ctl;
845 inet_frags_init(&nf_frags); 846 inet_frags_init(&nf_frags);
846 847
847 return 0; 848 return 0;
@@ -852,6 +853,6 @@ void nf_ct_frag6_cleanup(void)
852 inet_frags_fini(&nf_frags); 853 inet_frags_fini(&nf_frags);
853 854
854 del_timer(&nf_frags.secret_timer); 855 del_timer(&nf_frags.secret_timer);
855 nf_ct_frag6_low_thresh = 0; 856 nf_frags_ctl.low_thresh = 0;
856 nf_ct_frag6_evictor(); 857 nf_ct_frag6_evictor();
857} 858}
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index ecf340047cde..ced1a5f5b776 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -56,11 +56,6 @@
56#include <net/addrconf.h> 56#include <net/addrconf.h>
57#include <net/inet_frag.h> 57#include <net/inet_frag.h>
58 58
59int sysctl_ip6frag_high_thresh __read_mostly = 256*1024;
60int sysctl_ip6frag_low_thresh __read_mostly = 192*1024;
61
62int sysctl_ip6frag_time __read_mostly = IPV6_FRAG_TIMEOUT;
63
64struct ip6frag_skb_cb 59struct ip6frag_skb_cb
65{ 60{
66 struct inet6_skb_parm h; 61 struct inet6_skb_parm h;
@@ -87,6 +82,13 @@ struct frag_queue
87 __u16 nhoffset; 82 __u16 nhoffset;
88}; 83};
89 84
85struct inet_frags_ctl ip6_frags_ctl __read_mostly = {
86 .high_thresh = 256 * 1024,
87 .low_thresh = 192 * 1024,
88 .timeout = IPV6_FRAG_TIMEOUT,
89 .secret_interval = 10 * 60 * HZ,
90};
91
90static struct inet_frags ip6_frags; 92static struct inet_frags ip6_frags;
91 93
92int ip6_frag_nqueues(void) 94int ip6_frag_nqueues(void)
@@ -147,8 +149,6 @@ static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
147 return c & (INETFRAGS_HASHSZ - 1); 149 return c & (INETFRAGS_HASHSZ - 1);
148} 150}
149 151
150int sysctl_ip6frag_secret_interval __read_mostly = 10 * 60 * HZ;
151
152static void ip6_frag_secret_rebuild(unsigned long dummy) 152static void ip6_frag_secret_rebuild(unsigned long dummy)
153{ 153{
154 unsigned long now = jiffies; 154 unsigned long now = jiffies;
@@ -177,7 +177,7 @@ static void ip6_frag_secret_rebuild(unsigned long dummy)
177 } 177 }
178 write_unlock(&ip6_frags.lock); 178 write_unlock(&ip6_frags.lock);
179 179
180 mod_timer(&ip6_frags.secret_timer, now + sysctl_ip6frag_secret_interval); 180 mod_timer(&ip6_frags.secret_timer, now + ip6_frags_ctl.secret_interval);
181} 181}
182 182
183/* Memory Tracking Functions. */ 183/* Memory Tracking Functions. */
@@ -256,7 +256,7 @@ static void ip6_evictor(struct inet6_dev *idev)
256 struct list_head *tmp; 256 struct list_head *tmp;
257 int work; 257 int work;
258 258
259 work = atomic_read(&ip6_frags.mem) - sysctl_ip6frag_low_thresh; 259 work = atomic_read(&ip6_frags.mem) - ip6_frags_ctl.low_thresh;
260 if (work <= 0) 260 if (work <= 0)
261 return; 261 return;
262 262
@@ -348,7 +348,7 @@ static struct frag_queue *ip6_frag_intern(struct frag_queue *fq_in)
348#endif 348#endif
349 fq = fq_in; 349 fq = fq_in;
350 350
351 if (!mod_timer(&fq->q.timer, jiffies + sysctl_ip6frag_time)) 351 if (!mod_timer(&fq->q.timer, jiffies + ip6_frags_ctl.timeout))
352 atomic_inc(&fq->q.refcnt); 352 atomic_inc(&fq->q.refcnt);
353 353
354 atomic_inc(&fq->q.refcnt); 354 atomic_inc(&fq->q.refcnt);
@@ -754,7 +754,7 @@ static int ipv6_frag_rcv(struct sk_buff **skbp)
754 return 1; 754 return 1;
755 } 755 }
756 756
757 if (atomic_read(&ip6_frags.mem) > sysctl_ip6frag_high_thresh) 757 if (atomic_read(&ip6_frags.mem) > ip6_frags_ctl.high_thresh)
758 ip6_evictor(ip6_dst_idev(skb->dst)); 758 ip6_evictor(ip6_dst_idev(skb->dst));
759 759
760 if ((fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr, 760 if ((fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr,
@@ -788,8 +788,9 @@ void __init ipv6_frag_init(void)
788 788
789 init_timer(&ip6_frags.secret_timer); 789 init_timer(&ip6_frags.secret_timer);
790 ip6_frags.secret_timer.function = ip6_frag_secret_rebuild; 790 ip6_frags.secret_timer.function = ip6_frag_secret_rebuild;
791 ip6_frags.secret_timer.expires = jiffies + sysctl_ip6frag_secret_interval; 791 ip6_frags.secret_timer.expires = jiffies + ip6_frags_ctl.secret_interval;
792 add_timer(&ip6_frags.secret_timer); 792 add_timer(&ip6_frags.secret_timer);
793 793
794 ip6_frags.ctl = &ip6_frags_ctl;
794 inet_frags_init(&ip6_frags); 795 inet_frags_init(&ip6_frags);
795} 796}
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index 3fb44277207b..68bb2548e469 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -12,6 +12,7 @@
12#include <net/ndisc.h> 12#include <net/ndisc.h>
13#include <net/ipv6.h> 13#include <net/ipv6.h>
14#include <net/addrconf.h> 14#include <net/addrconf.h>
15#include <net/inet_frag.h>
15 16
16#ifdef CONFIG_SYSCTL 17#ifdef CONFIG_SYSCTL
17 18
@@ -41,7 +42,7 @@ static ctl_table ipv6_table[] = {
41 { 42 {
42 .ctl_name = NET_IPV6_IP6FRAG_HIGH_THRESH, 43 .ctl_name = NET_IPV6_IP6FRAG_HIGH_THRESH,
43 .procname = "ip6frag_high_thresh", 44 .procname = "ip6frag_high_thresh",
44 .data = &sysctl_ip6frag_high_thresh, 45 .data = &ip6_frags_ctl.high_thresh,
45 .maxlen = sizeof(int), 46 .maxlen = sizeof(int),
46 .mode = 0644, 47 .mode = 0644,
47 .proc_handler = &proc_dointvec 48 .proc_handler = &proc_dointvec
@@ -49,7 +50,7 @@ static ctl_table ipv6_table[] = {
49 { 50 {
50 .ctl_name = NET_IPV6_IP6FRAG_LOW_THRESH, 51 .ctl_name = NET_IPV6_IP6FRAG_LOW_THRESH,
51 .procname = "ip6frag_low_thresh", 52 .procname = "ip6frag_low_thresh",
52 .data = &sysctl_ip6frag_low_thresh, 53 .data = &ip6_frags_ctl.low_thresh,
53 .maxlen = sizeof(int), 54 .maxlen = sizeof(int),
54 .mode = 0644, 55 .mode = 0644,
55 .proc_handler = &proc_dointvec 56 .proc_handler = &proc_dointvec
@@ -57,7 +58,7 @@ static ctl_table ipv6_table[] = {
57 { 58 {
58 .ctl_name = NET_IPV6_IP6FRAG_TIME, 59 .ctl_name = NET_IPV6_IP6FRAG_TIME,
59 .procname = "ip6frag_time", 60 .procname = "ip6frag_time",
60 .data = &sysctl_ip6frag_time, 61 .data = &ip6_frags_ctl.timeout,
61 .maxlen = sizeof(int), 62 .maxlen = sizeof(int),
62 .mode = 0644, 63 .mode = 0644,
63 .proc_handler = &proc_dointvec_jiffies, 64 .proc_handler = &proc_dointvec_jiffies,
@@ -66,7 +67,7 @@ static ctl_table ipv6_table[] = {
66 { 67 {
67 .ctl_name = NET_IPV6_IP6FRAG_SECRET_INTERVAL, 68 .ctl_name = NET_IPV6_IP6FRAG_SECRET_INTERVAL,
68 .procname = "ip6frag_secret_interval", 69 .procname = "ip6frag_secret_interval",
69 .data = &sysctl_ip6frag_secret_interval, 70 .data = &ip6_frags_ctl.secret_interval,
70 .maxlen = sizeof(int), 71 .maxlen = sizeof(int),
71 .mode = 0644, 72 .mode = 0644,
72 .proc_handler = &proc_dointvec_jiffies, 73 .proc_handler = &proc_dointvec_jiffies,