diff options
| author | Alexey Dobriyan <adobriyan@gmail.com> | 2008-10-08 05:35:03 -0400 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2008-10-08 05:35:03 -0400 |
| commit | 9b03f38d0487f3908696242286d934c9b38f9d2a (patch) | |
| tree | 8f45ef997e2badfe7c534b6991f3a4816905e4d3 | |
| parent | b21f89019399ff75d9c239010e38b840eb6e01e7 (diff) | |
netfilter: netns nf_conntrack: per-netns expectations
Make per-netns a) expectation hash and b) expectations count.
Expectations always belongs to netns to which it's master conntrack belong.
This is natural and doesn't bloat expectation.
Proc files and leaf users are stubbed to init_net, this is temporary.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 20 | ||||
| -rw-r--r-- | include/net/netns/conntrack.h | 3 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_pptp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 55 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_h323_main.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 13 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_pptp.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 2 |
11 files changed, 66 insertions, 51 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 4c4d894cb9b5..37a7fc1164b0 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
| @@ -6,7 +6,6 @@ | |||
| 6 | #define _NF_CONNTRACK_EXPECT_H | 6 | #define _NF_CONNTRACK_EXPECT_H |
| 7 | #include <net/netfilter/nf_conntrack.h> | 7 | #include <net/netfilter/nf_conntrack.h> |
| 8 | 8 | ||
| 9 | extern struct hlist_head *nf_ct_expect_hash; | ||
| 10 | extern unsigned int nf_ct_expect_hsize; | 9 | extern unsigned int nf_ct_expect_hsize; |
| 11 | extern unsigned int nf_ct_expect_max; | 10 | extern unsigned int nf_ct_expect_max; |
| 12 | 11 | ||
| @@ -56,6 +55,15 @@ struct nf_conntrack_expect | |||
| 56 | struct rcu_head rcu; | 55 | struct rcu_head rcu; |
| 57 | }; | 56 | }; |
| 58 | 57 | ||
| 58 | static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp) | ||
| 59 | { | ||
| 60 | #ifdef CONFIG_NET_NS | ||
| 61 | return exp->master->ct_net; /* by definition */ | ||
| 62 | #else | ||
| 63 | return &init_net; | ||
| 64 | #endif | ||
| 65 | } | ||
| 66 | |||
| 59 | struct nf_conntrack_expect_policy | 67 | struct nf_conntrack_expect_policy |
| 60 | { | 68 | { |
| 61 | unsigned int max_expected; | 69 | unsigned int max_expected; |
| @@ -67,17 +75,17 @@ struct nf_conntrack_expect_policy | |||
| 67 | #define NF_CT_EXPECT_PERMANENT 0x1 | 75 | #define NF_CT_EXPECT_PERMANENT 0x1 |
| 68 | #define NF_CT_EXPECT_INACTIVE 0x2 | 76 | #define NF_CT_EXPECT_INACTIVE 0x2 |
| 69 | 77 | ||
| 70 | int nf_conntrack_expect_init(void); | 78 | int nf_conntrack_expect_init(struct net *net); |
| 71 | void nf_conntrack_expect_fini(void); | 79 | void nf_conntrack_expect_fini(struct net *net); |
| 72 | 80 | ||
| 73 | struct nf_conntrack_expect * | 81 | struct nf_conntrack_expect * |
| 74 | __nf_ct_expect_find(const struct nf_conntrack_tuple *tuple); | 82 | __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple); |
| 75 | 83 | ||
| 76 | struct nf_conntrack_expect * | 84 | struct nf_conntrack_expect * |
| 77 | nf_ct_expect_find_get(const struct nf_conntrack_tuple *tuple); | 85 | nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple); |
| 78 | 86 | ||
| 79 | struct nf_conntrack_expect * | 87 | struct nf_conntrack_expect * |
| 80 | nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple); | 88 | nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple); |
| 81 | 89 | ||
| 82 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp); | 90 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp); |
| 83 | void nf_ct_remove_expectations(struct nf_conn *ct); | 91 | void nf_ct_remove_expectations(struct nf_conn *ct); |
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index b767683f112b..e453a33f3e93 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h | |||
| @@ -5,7 +5,10 @@ | |||
| 5 | 5 | ||
| 6 | struct netns_ct { | 6 | struct netns_ct { |
| 7 | atomic_t count; | 7 | atomic_t count; |
| 8 | unsigned int expect_count; | ||
| 8 | struct hlist_head *hash; | 9 | struct hlist_head *hash; |
| 10 | struct hlist_head *expect_hash; | ||
| 9 | int hash_vmalloc; | 11 | int hash_vmalloc; |
| 12 | int expect_vmalloc; | ||
| 10 | }; | 13 | }; |
| 11 | #endif | 14 | #endif |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c index 8e0afdc2b134..f8636a57e8cc 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | |||
| @@ -177,11 +177,12 @@ struct ct_expect_iter_state { | |||
| 177 | 177 | ||
| 178 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | 178 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) |
| 179 | { | 179 | { |
| 180 | struct net *net = &init_net; | ||
| 180 | struct ct_expect_iter_state *st = seq->private; | 181 | struct ct_expect_iter_state *st = seq->private; |
| 181 | struct hlist_node *n; | 182 | struct hlist_node *n; |
| 182 | 183 | ||
| 183 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { | 184 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { |
| 184 | n = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 185 | n = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 185 | if (n) | 186 | if (n) |
| 186 | return n; | 187 | return n; |
| 187 | } | 188 | } |
| @@ -191,13 +192,14 @@ static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | |||
| 191 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, | 192 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, |
| 192 | struct hlist_node *head) | 193 | struct hlist_node *head) |
| 193 | { | 194 | { |
| 195 | struct net *net = &init_net; | ||
| 194 | struct ct_expect_iter_state *st = seq->private; | 196 | struct ct_expect_iter_state *st = seq->private; |
| 195 | 197 | ||
| 196 | head = rcu_dereference(head->next); | 198 | head = rcu_dereference(head->next); |
| 197 | while (head == NULL) { | 199 | while (head == NULL) { |
| 198 | if (++st->bucket >= nf_ct_expect_hsize) | 200 | if (++st->bucket >= nf_ct_expect_hsize) |
| 199 | return NULL; | 201 | return NULL; |
| 200 | head = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 202 | head = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 201 | } | 203 | } |
| 202 | return head; | 204 | return head; |
| 203 | } | 205 | } |
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c index da3d91a5ef5c..e4bdddc60343 100644 --- a/net/ipv4/netfilter/nf_nat_pptp.c +++ b/net/ipv4/netfilter/nf_nat_pptp.c | |||
| @@ -73,7 +73,7 @@ static void pptp_nat_expected(struct nf_conn *ct, | |||
| 73 | 73 | ||
| 74 | pr_debug("trying to unexpect other dir: "); | 74 | pr_debug("trying to unexpect other dir: "); |
| 75 | nf_ct_dump_tuple_ip(&t); | 75 | nf_ct_dump_tuple_ip(&t); |
| 76 | other_exp = nf_ct_expect_find_get(&t); | 76 | other_exp = nf_ct_expect_find_get(&init_net, &t); |
| 77 | if (other_exp) { | 77 | if (other_exp) { |
| 78 | nf_ct_unexpect_related(other_exp); | 78 | nf_ct_unexpect_related(other_exp); |
| 79 | nf_ct_expect_put(other_exp); | 79 | nf_ct_expect_put(other_exp); |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index da56b2605529..c188edea2492 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
| @@ -562,7 +562,7 @@ init_conntrack(struct net *net, | |||
| 562 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); | 562 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); |
| 563 | 563 | ||
| 564 | spin_lock_bh(&nf_conntrack_lock); | 564 | spin_lock_bh(&nf_conntrack_lock); |
| 565 | exp = nf_ct_find_expectation(tuple); | 565 | exp = nf_ct_find_expectation(net, tuple); |
| 566 | if (exp) { | 566 | if (exp) { |
| 567 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", | 567 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", |
| 568 | ct, exp); | 568 | ct, exp); |
| @@ -1038,7 +1038,7 @@ void nf_conntrack_cleanup(struct net *net) | |||
| 1038 | nf_conntrack_htable_size); | 1038 | nf_conntrack_htable_size); |
| 1039 | 1039 | ||
| 1040 | nf_conntrack_acct_fini(); | 1040 | nf_conntrack_acct_fini(); |
| 1041 | nf_conntrack_expect_fini(); | 1041 | nf_conntrack_expect_fini(net); |
| 1042 | nf_conntrack_helper_fini(); | 1042 | nf_conntrack_helper_fini(); |
| 1043 | nf_conntrack_proto_fini(); | 1043 | nf_conntrack_proto_fini(); |
| 1044 | } | 1044 | } |
| @@ -1173,7 +1173,7 @@ int nf_conntrack_init(struct net *net) | |||
| 1173 | if (ret < 0) | 1173 | if (ret < 0) |
| 1174 | goto err_free_conntrack_slab; | 1174 | goto err_free_conntrack_slab; |
| 1175 | 1175 | ||
| 1176 | ret = nf_conntrack_expect_init(); | 1176 | ret = nf_conntrack_expect_init(net); |
| 1177 | if (ret < 0) | 1177 | if (ret < 0) |
| 1178 | goto out_fini_proto; | 1178 | goto out_fini_proto; |
| 1179 | 1179 | ||
| @@ -1203,7 +1203,7 @@ int nf_conntrack_init(struct net *net) | |||
| 1203 | out_fini_helper: | 1203 | out_fini_helper: |
| 1204 | nf_conntrack_helper_fini(); | 1204 | nf_conntrack_helper_fini(); |
| 1205 | out_fini_expect: | 1205 | out_fini_expect: |
| 1206 | nf_conntrack_expect_fini(); | 1206 | nf_conntrack_expect_fini(net); |
| 1207 | out_fini_proto: | 1207 | out_fini_proto: |
| 1208 | nf_conntrack_proto_fini(); | 1208 | nf_conntrack_proto_fini(); |
| 1209 | err_free_conntrack_slab: | 1209 | err_free_conntrack_slab: |
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index e6a79f2a7c53..5307316356ea 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c | |||
| @@ -28,17 +28,12 @@ | |||
| 28 | #include <net/netfilter/nf_conntrack_helper.h> | 28 | #include <net/netfilter/nf_conntrack_helper.h> |
| 29 | #include <net/netfilter/nf_conntrack_tuple.h> | 29 | #include <net/netfilter/nf_conntrack_tuple.h> |
| 30 | 30 | ||
| 31 | struct hlist_head *nf_ct_expect_hash __read_mostly; | ||
| 32 | EXPORT_SYMBOL_GPL(nf_ct_expect_hash); | ||
| 33 | |||
| 34 | unsigned int nf_ct_expect_hsize __read_mostly; | 31 | unsigned int nf_ct_expect_hsize __read_mostly; |
| 35 | EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); | 32 | EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); |
| 36 | 33 | ||
| 37 | static unsigned int nf_ct_expect_hash_rnd __read_mostly; | 34 | static unsigned int nf_ct_expect_hash_rnd __read_mostly; |
| 38 | static unsigned int nf_ct_expect_count; | ||
| 39 | unsigned int nf_ct_expect_max __read_mostly; | 35 | unsigned int nf_ct_expect_max __read_mostly; |
| 40 | static int nf_ct_expect_hash_rnd_initted __read_mostly; | 36 | static int nf_ct_expect_hash_rnd_initted __read_mostly; |
| 41 | static int nf_ct_expect_vmalloc; | ||
| 42 | 37 | ||
| 43 | static struct kmem_cache *nf_ct_expect_cachep __read_mostly; | 38 | static struct kmem_cache *nf_ct_expect_cachep __read_mostly; |
| 44 | 39 | ||
| @@ -46,12 +41,13 @@ static struct kmem_cache *nf_ct_expect_cachep __read_mostly; | |||
| 46 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp) | 41 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp) |
| 47 | { | 42 | { |
| 48 | struct nf_conn_help *master_help = nfct_help(exp->master); | 43 | struct nf_conn_help *master_help = nfct_help(exp->master); |
| 44 | struct net *net = nf_ct_exp_net(exp); | ||
| 49 | 45 | ||
| 50 | NF_CT_ASSERT(master_help); | 46 | NF_CT_ASSERT(master_help); |
| 51 | NF_CT_ASSERT(!timer_pending(&exp->timeout)); | 47 | NF_CT_ASSERT(!timer_pending(&exp->timeout)); |
| 52 | 48 | ||
| 53 | hlist_del_rcu(&exp->hnode); | 49 | hlist_del_rcu(&exp->hnode); |
| 54 | nf_ct_expect_count--; | 50 | net->ct.expect_count--; |
| 55 | 51 | ||
| 56 | hlist_del(&exp->lnode); | 52 | hlist_del(&exp->lnode); |
| 57 | master_help->expecting[exp->class]--; | 53 | master_help->expecting[exp->class]--; |
| @@ -87,17 +83,17 @@ static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple | |||
| 87 | } | 83 | } |
| 88 | 84 | ||
| 89 | struct nf_conntrack_expect * | 85 | struct nf_conntrack_expect * |
| 90 | __nf_ct_expect_find(const struct nf_conntrack_tuple *tuple) | 86 | __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple) |
| 91 | { | 87 | { |
| 92 | struct nf_conntrack_expect *i; | 88 | struct nf_conntrack_expect *i; |
| 93 | struct hlist_node *n; | 89 | struct hlist_node *n; |
| 94 | unsigned int h; | 90 | unsigned int h; |
| 95 | 91 | ||
| 96 | if (!nf_ct_expect_count) | 92 | if (!net->ct.expect_count) |
| 97 | return NULL; | 93 | return NULL; |
| 98 | 94 | ||
| 99 | h = nf_ct_expect_dst_hash(tuple); | 95 | h = nf_ct_expect_dst_hash(tuple); |
| 100 | hlist_for_each_entry_rcu(i, n, &nf_ct_expect_hash[h], hnode) { | 96 | hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) { |
| 101 | if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) | 97 | if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) |
| 102 | return i; | 98 | return i; |
| 103 | } | 99 | } |
| @@ -107,12 +103,12 @@ EXPORT_SYMBOL_GPL(__nf_ct_expect_find); | |||
| 107 | 103 | ||
| 108 | /* Just find a expectation corresponding to a tuple. */ | 104 | /* Just find a expectation corresponding to a tuple. */ |
| 109 | struct nf_conntrack_expect * | 105 | struct nf_conntrack_expect * |
| 110 | nf_ct_expect_find_get(const struct nf_conntrack_tuple *tuple) | 106 | nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple) |
| 111 | { | 107 | { |
| 112 | struct nf_conntrack_expect *i; | 108 | struct nf_conntrack_expect *i; |
| 113 | 109 | ||
| 114 | rcu_read_lock(); | 110 | rcu_read_lock(); |
| 115 | i = __nf_ct_expect_find(tuple); | 111 | i = __nf_ct_expect_find(net, tuple); |
| 116 | if (i && !atomic_inc_not_zero(&i->use)) | 112 | if (i && !atomic_inc_not_zero(&i->use)) |
| 117 | i = NULL; | 113 | i = NULL; |
| 118 | rcu_read_unlock(); | 114 | rcu_read_unlock(); |
| @@ -124,17 +120,17 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_find_get); | |||
| 124 | /* If an expectation for this connection is found, it gets delete from | 120 | /* If an expectation for this connection is found, it gets delete from |
| 125 | * global list then returned. */ | 121 | * global list then returned. */ |
| 126 | struct nf_conntrack_expect * | 122 | struct nf_conntrack_expect * |
| 127 | nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple) | 123 | nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple) |
| 128 | { | 124 | { |
| 129 | struct nf_conntrack_expect *i, *exp = NULL; | 125 | struct nf_conntrack_expect *i, *exp = NULL; |
| 130 | struct hlist_node *n; | 126 | struct hlist_node *n; |
| 131 | unsigned int h; | 127 | unsigned int h; |
| 132 | 128 | ||
| 133 | if (!nf_ct_expect_count) | 129 | if (!net->ct.expect_count) |
| 134 | return NULL; | 130 | return NULL; |
| 135 | 131 | ||
| 136 | h = nf_ct_expect_dst_hash(tuple); | 132 | h = nf_ct_expect_dst_hash(tuple); |
| 137 | hlist_for_each_entry(i, n, &nf_ct_expect_hash[h], hnode) { | 133 | hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { |
| 138 | if (!(i->flags & NF_CT_EXPECT_INACTIVE) && | 134 | if (!(i->flags & NF_CT_EXPECT_INACTIVE) && |
| 139 | nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) { | 135 | nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) { |
| 140 | exp = i; | 136 | exp = i; |
| @@ -311,6 +307,7 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_put); | |||
| 311 | static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) | 307 | static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) |
| 312 | { | 308 | { |
| 313 | struct nf_conn_help *master_help = nfct_help(exp->master); | 309 | struct nf_conn_help *master_help = nfct_help(exp->master); |
| 310 | struct net *net = nf_ct_exp_net(exp); | ||
| 314 | const struct nf_conntrack_expect_policy *p; | 311 | const struct nf_conntrack_expect_policy *p; |
| 315 | unsigned int h = nf_ct_expect_dst_hash(&exp->tuple); | 312 | unsigned int h = nf_ct_expect_dst_hash(&exp->tuple); |
| 316 | 313 | ||
| @@ -319,8 +316,8 @@ static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) | |||
| 319 | hlist_add_head(&exp->lnode, &master_help->expectations); | 316 | hlist_add_head(&exp->lnode, &master_help->expectations); |
| 320 | master_help->expecting[exp->class]++; | 317 | master_help->expecting[exp->class]++; |
| 321 | 318 | ||
| 322 | hlist_add_head_rcu(&exp->hnode, &nf_ct_expect_hash[h]); | 319 | hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]); |
| 323 | nf_ct_expect_count++; | 320 | net->ct.expect_count++; |
| 324 | 321 | ||
| 325 | setup_timer(&exp->timeout, nf_ct_expectation_timed_out, | 322 | setup_timer(&exp->timeout, nf_ct_expectation_timed_out, |
| 326 | (unsigned long)exp); | 323 | (unsigned long)exp); |
| @@ -371,6 +368,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) | |||
| 371 | struct nf_conntrack_expect *i; | 368 | struct nf_conntrack_expect *i; |
| 372 | struct nf_conn *master = expect->master; | 369 | struct nf_conn *master = expect->master; |
| 373 | struct nf_conn_help *master_help = nfct_help(master); | 370 | struct nf_conn_help *master_help = nfct_help(master); |
| 371 | struct net *net = nf_ct_exp_net(expect); | ||
| 374 | struct hlist_node *n; | 372 | struct hlist_node *n; |
| 375 | unsigned int h; | 373 | unsigned int h; |
| 376 | int ret; | 374 | int ret; |
| @@ -383,7 +381,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) | |||
| 383 | goto out; | 381 | goto out; |
| 384 | } | 382 | } |
| 385 | h = nf_ct_expect_dst_hash(&expect->tuple); | 383 | h = nf_ct_expect_dst_hash(&expect->tuple); |
| 386 | hlist_for_each_entry(i, n, &nf_ct_expect_hash[h], hnode) { | 384 | hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { |
| 387 | if (expect_matches(i, expect)) { | 385 | if (expect_matches(i, expect)) { |
| 388 | /* Refresh timer: if it's dying, ignore.. */ | 386 | /* Refresh timer: if it's dying, ignore.. */ |
| 389 | if (refresh_timer(i)) { | 387 | if (refresh_timer(i)) { |
| @@ -406,7 +404,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect) | |||
| 406 | } | 404 | } |
| 407 | } | 405 | } |
| 408 | 406 | ||
| 409 | if (nf_ct_expect_count >= nf_ct_expect_max) { | 407 | if (net->ct.expect_count >= nf_ct_expect_max) { |
| 410 | if (net_ratelimit()) | 408 | if (net_ratelimit()) |
| 411 | printk(KERN_WARNING | 409 | printk(KERN_WARNING |
| 412 | "nf_conntrack: expectation table full\n"); | 410 | "nf_conntrack: expectation table full\n"); |
| @@ -430,11 +428,12 @@ struct ct_expect_iter_state { | |||
| 430 | 428 | ||
| 431 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | 429 | static struct hlist_node *ct_expect_get_first(struct seq_file *seq) |
| 432 | { | 430 | { |
| 431 | struct net *net = &init_net; | ||
| 433 | struct ct_expect_iter_state *st = seq->private; | 432 | struct ct_expect_iter_state *st = seq->private; |
| 434 | struct hlist_node *n; | 433 | struct hlist_node *n; |
| 435 | 434 | ||
| 436 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { | 435 | for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { |
| 437 | n = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 436 | n = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 438 | if (n) | 437 | if (n) |
| 439 | return n; | 438 | return n; |
| 440 | } | 439 | } |
| @@ -444,13 +443,14 @@ static struct hlist_node *ct_expect_get_first(struct seq_file *seq) | |||
| 444 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, | 443 | static struct hlist_node *ct_expect_get_next(struct seq_file *seq, |
| 445 | struct hlist_node *head) | 444 | struct hlist_node *head) |
| 446 | { | 445 | { |
| 446 | struct net *net = &init_net; | ||
| 447 | struct ct_expect_iter_state *st = seq->private; | 447 | struct ct_expect_iter_state *st = seq->private; |
| 448 | 448 | ||
| 449 | head = rcu_dereference(head->next); | 449 | head = rcu_dereference(head->next); |
| 450 | while (head == NULL) { | 450 | while (head == NULL) { |
| 451 | if (++st->bucket >= nf_ct_expect_hsize) | 451 | if (++st->bucket >= nf_ct_expect_hsize) |
| 452 | return NULL; | 452 | return NULL; |
| 453 | head = rcu_dereference(nf_ct_expect_hash[st->bucket].first); | 453 | head = rcu_dereference(net->ct.expect_hash[st->bucket].first); |
| 454 | } | 454 | } |
| 455 | return head; | 455 | return head; |
| 456 | } | 456 | } |
| @@ -558,7 +558,7 @@ static void exp_proc_remove(void) | |||
| 558 | 558 | ||
| 559 | module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600); | 559 | module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600); |
| 560 | 560 | ||
| 561 | int nf_conntrack_expect_init(void) | 561 | int nf_conntrack_expect_init(struct net *net) |
| 562 | { | 562 | { |
| 563 | int err = -ENOMEM; | 563 | int err = -ENOMEM; |
| 564 | 564 | ||
| @@ -569,9 +569,10 @@ int nf_conntrack_expect_init(void) | |||
| 569 | } | 569 | } |
| 570 | nf_ct_expect_max = nf_ct_expect_hsize * 4; | 570 | nf_ct_expect_max = nf_ct_expect_hsize * 4; |
| 571 | 571 | ||
| 572 | nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, | 572 | net->ct.expect_count = 0; |
| 573 | &nf_ct_expect_vmalloc); | 573 | net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, |
| 574 | if (nf_ct_expect_hash == NULL) | 574 | &net->ct.expect_vmalloc); |
| 575 | if (net->ct.expect_hash == NULL) | ||
| 575 | goto err1; | 576 | goto err1; |
| 576 | 577 | ||
| 577 | nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect", | 578 | nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect", |
| @@ -589,16 +590,16 @@ int nf_conntrack_expect_init(void) | |||
| 589 | err3: | 590 | err3: |
| 590 | kmem_cache_destroy(nf_ct_expect_cachep); | 591 | kmem_cache_destroy(nf_ct_expect_cachep); |
| 591 | err2: | 592 | err2: |
| 592 | nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc, | 593 | nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc, |
| 593 | nf_ct_expect_hsize); | 594 | nf_ct_expect_hsize); |
| 594 | err1: | 595 | err1: |
| 595 | return err; | 596 | return err; |
| 596 | } | 597 | } |
| 597 | 598 | ||
| 598 | void nf_conntrack_expect_fini(void) | 599 | void nf_conntrack_expect_fini(struct net *net) |
| 599 | { | 600 | { |
| 600 | exp_proc_remove(); | 601 | exp_proc_remove(); |
| 601 | kmem_cache_destroy(nf_ct_expect_cachep); | 602 | kmem_cache_destroy(nf_ct_expect_cachep); |
| 602 | nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc, | 603 | nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc, |
| 603 | nf_ct_expect_hsize); | 604 | nf_ct_expect_hsize); |
| 604 | } | 605 | } |
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index 5dc0478108ae..dfb826c973d9 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c | |||
| @@ -1219,7 +1219,7 @@ static struct nf_conntrack_expect *find_expect(struct nf_conn *ct, | |||
| 1219 | tuple.dst.u.tcp.port = port; | 1219 | tuple.dst.u.tcp.port = port; |
| 1220 | tuple.dst.protonum = IPPROTO_TCP; | 1220 | tuple.dst.protonum = IPPROTO_TCP; |
| 1221 | 1221 | ||
| 1222 | exp = __nf_ct_expect_find(&tuple); | 1222 | exp = __nf_ct_expect_find(&init_net, &tuple); |
| 1223 | if (exp && exp->master == ct) | 1223 | if (exp && exp->master == ct) |
| 1224 | return exp; | 1224 | return exp; |
| 1225 | return NULL; | 1225 | return NULL; |
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index d91278dfdafd..c793db810cd5 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c | |||
| @@ -145,7 +145,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me) | |||
| 145 | /* Get rid of expectations */ | 145 | /* Get rid of expectations */ |
| 146 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 146 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
| 147 | hlist_for_each_entry_safe(exp, n, next, | 147 | hlist_for_each_entry_safe(exp, n, next, |
| 148 | &nf_ct_expect_hash[i], hnode) { | 148 | &init_net.ct.expect_hash[i], hnode) { |
| 149 | struct nf_conn_help *help = nfct_help(exp->master); | 149 | struct nf_conn_help *help = nfct_help(exp->master); |
| 150 | if ((help->helper == me || exp->helper == me) && | 150 | if ((help->helper == me || exp->helper == me) && |
| 151 | del_timer(&exp->timeout)) { | 151 | del_timer(&exp->timeout)) { |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 918a3358a126..cadfd15b44f6 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -1458,6 +1458,7 @@ static int ctnetlink_exp_done(struct netlink_callback *cb) | |||
| 1458 | static int | 1458 | static int |
| 1459 | ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | 1459 | ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) |
| 1460 | { | 1460 | { |
| 1461 | struct net *net = &init_net; | ||
| 1461 | struct nf_conntrack_expect *exp, *last; | 1462 | struct nf_conntrack_expect *exp, *last; |
| 1462 | struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh); | 1463 | struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh); |
| 1463 | struct hlist_node *n; | 1464 | struct hlist_node *n; |
| @@ -1467,7 +1468,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 1467 | last = (struct nf_conntrack_expect *)cb->args[1]; | 1468 | last = (struct nf_conntrack_expect *)cb->args[1]; |
| 1468 | for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { | 1469 | for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { |
| 1469 | restart: | 1470 | restart: |
| 1470 | hlist_for_each_entry(exp, n, &nf_ct_expect_hash[cb->args[0]], | 1471 | hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]], |
| 1471 | hnode) { | 1472 | hnode) { |
| 1472 | if (l3proto && exp->tuple.src.l3num != l3proto) | 1473 | if (l3proto && exp->tuple.src.l3num != l3proto) |
| 1473 | continue; | 1474 | continue; |
| @@ -1529,7 +1530,7 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1529 | if (err < 0) | 1530 | if (err < 0) |
| 1530 | return err; | 1531 | return err; |
| 1531 | 1532 | ||
| 1532 | exp = nf_ct_expect_find_get(&tuple); | 1533 | exp = nf_ct_expect_find_get(&init_net, &tuple); |
| 1533 | if (!exp) | 1534 | if (!exp) |
| 1534 | return -ENOENT; | 1535 | return -ENOENT; |
| 1535 | 1536 | ||
| @@ -1583,7 +1584,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1583 | return err; | 1584 | return err; |
| 1584 | 1585 | ||
| 1585 | /* bump usage count to 2 */ | 1586 | /* bump usage count to 2 */ |
| 1586 | exp = nf_ct_expect_find_get(&tuple); | 1587 | exp = nf_ct_expect_find_get(&init_net, &tuple); |
| 1587 | if (!exp) | 1588 | if (!exp) |
| 1588 | return -ENOENT; | 1589 | return -ENOENT; |
| 1589 | 1590 | ||
| @@ -1613,7 +1614,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1613 | } | 1614 | } |
| 1614 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 1615 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
| 1615 | hlist_for_each_entry_safe(exp, n, next, | 1616 | hlist_for_each_entry_safe(exp, n, next, |
| 1616 | &nf_ct_expect_hash[i], | 1617 | &init_net.ct.expect_hash[i], |
| 1617 | hnode) { | 1618 | hnode) { |
| 1618 | m_help = nfct_help(exp->master); | 1619 | m_help = nfct_help(exp->master); |
| 1619 | if (m_help->helper == h | 1620 | if (m_help->helper == h |
| @@ -1629,7 +1630,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1629 | spin_lock_bh(&nf_conntrack_lock); | 1630 | spin_lock_bh(&nf_conntrack_lock); |
| 1630 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 1631 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
| 1631 | hlist_for_each_entry_safe(exp, n, next, | 1632 | hlist_for_each_entry_safe(exp, n, next, |
| 1632 | &nf_ct_expect_hash[i], | 1633 | &init_net.ct.expect_hash[i], |
| 1633 | hnode) { | 1634 | hnode) { |
| 1634 | if (del_timer(&exp->timeout)) { | 1635 | if (del_timer(&exp->timeout)) { |
| 1635 | nf_ct_unlink_expect(exp); | 1636 | nf_ct_unlink_expect(exp); |
| @@ -1724,7 +1725,7 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, | |||
| 1724 | return err; | 1725 | return err; |
| 1725 | 1726 | ||
| 1726 | spin_lock_bh(&nf_conntrack_lock); | 1727 | spin_lock_bh(&nf_conntrack_lock); |
| 1727 | exp = __nf_ct_expect_find(&tuple); | 1728 | exp = __nf_ct_expect_find(&init_net, &tuple); |
| 1728 | 1729 | ||
| 1729 | if (!exp) { | 1730 | if (!exp) { |
| 1730 | spin_unlock_bh(&nf_conntrack_lock); | 1731 | spin_unlock_bh(&nf_conntrack_lock); |
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c index 7caf45b59d2c..5db7df5d19b7 100644 --- a/net/netfilter/nf_conntrack_pptp.c +++ b/net/netfilter/nf_conntrack_pptp.c | |||
| @@ -121,7 +121,7 @@ static void pptp_expectfn(struct nf_conn *ct, | |||
| 121 | pr_debug("trying to unexpect other dir: "); | 121 | pr_debug("trying to unexpect other dir: "); |
| 122 | nf_ct_dump_tuple(&inv_t); | 122 | nf_ct_dump_tuple(&inv_t); |
| 123 | 123 | ||
| 124 | exp_other = nf_ct_expect_find_get(&inv_t); | 124 | exp_other = nf_ct_expect_find_get(&init_net, &inv_t); |
| 125 | if (exp_other) { | 125 | if (exp_other) { |
| 126 | /* delete other expectation. */ | 126 | /* delete other expectation. */ |
| 127 | pr_debug("found\n"); | 127 | pr_debug("found\n"); |
| @@ -154,7 +154,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t) | |||
| 154 | nf_ct_put(sibling); | 154 | nf_ct_put(sibling); |
| 155 | return 1; | 155 | return 1; |
| 156 | } else { | 156 | } else { |
| 157 | exp = nf_ct_expect_find_get(t); | 157 | exp = nf_ct_expect_find_get(&init_net, t); |
| 158 | if (exp) { | 158 | if (exp) { |
| 159 | pr_debug("unexpect_related of expect %p\n", exp); | 159 | pr_debug("unexpect_related of expect %p\n", exp); |
| 160 | nf_ct_unexpect_related(exp); | 160 | nf_ct_unexpect_related(exp); |
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 1fa306be60fb..a006080eb389 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c | |||
| @@ -775,7 +775,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, | |||
| 775 | 775 | ||
| 776 | rcu_read_lock(); | 776 | rcu_read_lock(); |
| 777 | do { | 777 | do { |
| 778 | exp = __nf_ct_expect_find(&tuple); | 778 | exp = __nf_ct_expect_find(&init_net, &tuple); |
| 779 | 779 | ||
| 780 | if (!exp || exp->master == ct || | 780 | if (!exp || exp->master == ct || |
| 781 | nfct_help(exp->master)->helper != nfct_help(ct)->helper || | 781 | nfct_help(exp->master)->helper != nfct_help(ct)->helper || |