[NETFILTER]: nf_conntrack: sysctl compatibility with old connection tracking

This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2006-11-28 20:35:20 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:31:19 -0500
commit: a999e6837603e4b5a164333c93918a1292f074c8 (patch)
tree: 22e04633ff4f046b9769ebf304520eb0e0acfa5b /net/ipv4
parent: 933a41e7e12b773d1dd026018f02b86b5d257a22 (diff)
3 files changed, 87 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index d88c292f118c..4ac5b5c4678d 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -19,6 +19,17 @@ config NF_CONNTRACK_IPV4
          To compile it as a module, choose M here.  If unsure, say N.
+config NF_CONNTRACK_PROC_COMPAT
+        bool "proc/sysctl compatibility with old connection tracking"
+        depends on NF_CONNTRACK
+        default y
+        help
+          This option enables /proc and sysctl compatibility with the old
+          layer 3 dependant connection tracking. This is needed to keep
+          old programs that have not been adapted to the new names working.
+          If unsure, say Y.
 # connection tracking, helpers and protocols
 config IP_NF_CONNTRACK
        tristate "Connection tracking (required for masq/NAT)"
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 786c4ce96cdf..bcec6822f2ee 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -266,6 +266,60 @@ static struct nf_hook_ops ipv4_conntrack_ops[] = {
        },
 };
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+static int log_invalid_proto_min = 0;
+static int log_invalid_proto_max = 255;
+static ctl_table ip_ct_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_MAX,
+                .procname       = "ip_conntrack_max",
+                .data           = &nf_conntrack_max,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_COUNT,
+                .procname       = "ip_conntrack_count",
+                .data           = &nf_conntrack_count,
+                .maxlen         = sizeof(int),
+                .mode           = 0444,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_BUCKETS,
+                .procname       = "ip_conntrack_buckets",
+                .data           = &nf_conntrack_htable_size,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0444,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_CHECKSUM,
+                .procname       = "ip_conntrack_checksum",
+                .data           = &nf_conntrack_checksum,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_LOG_INVALID,
+                .procname       = "ip_conntrack_log_invalid",
+                .data           = &nf_ct_log_invalid,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_minmax,
+                .strategy       = &sysctl_intvec,
+                .extra1         = &log_invalid_proto_min,
+                .extra2         = &log_invalid_proto_max,
+        },
+        {
+                .ctl_name       = 0
+        }
+};
+#endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */
 /* Fast function for those who don't want to parse /proc (and I don't
   blame them). */
 /* Reversing the socket's dst/src point of view gives us the reply
@@ -386,6 +440,10 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = {
        .tuple_to_nfattr = ipv4_tuple_to_nfattr,
        .nfattr_to_tuple = ipv4_nfattr_to_tuple,
 #endif
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+        .ctl_table_path  = nf_net_ipv4_netfilter_sysctl_path,
+        .ctl_table       = ip_ct_sysctl_table,
+#endif
        .me              = THIS_MODULE,
 };
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index c59f28193a39..46aa44abc078 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -336,6 +336,21 @@ static struct ctl_table icmp_sysctl_table[] = {
                .ctl_name = 0
        }
 };
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+static struct ctl_table icmp_compat_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
+                .procname       = "ip_conntrack_icmp_timeout",
+                .data           = &nf_ct_icmp_timeout,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name = 0
+        }
+};
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
@@ -360,6 +375,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
 #ifdef CONFIG_SYSCTL
        .ctl_table_header       = &icmp_sysctl_header,
        .ctl_table              = icmp_sysctl_table,
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        .ctl_compat_table       = icmp_compat_sysctl_table,
+#endif
 #endif
 };
author	Patrick McHardy <kaber@trash.net>	2006-11-28 20:35:20 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:31:19 -0500
commit	a999e6837603e4b5a164333c93918a1292f074c8 (patch)
tree	22e04633ff4f046b9769ebf304520eb0e0acfa5b /net/ipv4
parent	933a41e7e12b773d1dd026018f02b86b5d257a22 (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index d88c292f118c..4ac5b5c4678d 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -19,6 +19,17 @@ config NF_CONNTRACK_IPV4
19		19
20	To compile it as a module, choose M here. If unsure, say N.	20	To compile it as a module, choose M here. If unsure, say N.
21		21
		22	config NF_CONNTRACK_PROC_COMPAT
		23	bool "proc/sysctl compatibility with old connection tracking"
		24	depends on NF_CONNTRACK
		25	default y
		26	help
		27	This option enables /proc and sysctl compatibility with the old
		28	layer 3 dependant connection tracking. This is needed to keep
		29	old programs that have not been adapted to the new names working.
		30
		31	If unsure, say Y.
		32
22	# connection tracking, helpers and protocols	33	# connection tracking, helpers and protocols
23	config IP_NF_CONNTRACK	34	config IP_NF_CONNTRACK
24	tristate "Connection tracking (required for masq/NAT)"	35	tristate "Connection tracking (required for masq/NAT)"


diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 786c4ce96cdf..bcec6822f2ee 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -266,6 +266,60 @@ static struct nf_hook_ops ipv4_conntrack_ops[] = {
266	},	266	},
267	};	267	};
268		268
		269	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
		270	static int log_invalid_proto_min = 0;
		271	static int log_invalid_proto_max = 255;
		272
		273	static ctl_table ip_ct_sysctl_table[] = {
		274	{
		275	.ctl_name = NET_IPV4_NF_CONNTRACK_MAX,
		276	.procname = "ip_conntrack_max",
		277	.data = &nf_conntrack_max,
		278	.maxlen = sizeof(int),
		279	.mode = 0644,
		280	.proc_handler = &proc_dointvec,
		281	},
		282	{
		283	.ctl_name = NET_IPV4_NF_CONNTRACK_COUNT,
		284	.procname = "ip_conntrack_count",
		285	.data = &nf_conntrack_count,
		286	.maxlen = sizeof(int),
		287	.mode = 0444,
		288	.proc_handler = &proc_dointvec,
		289	},
		290	{
		291	.ctl_name = NET_IPV4_NF_CONNTRACK_BUCKETS,
		292	.procname = "ip_conntrack_buckets",
		293	.data = &nf_conntrack_htable_size,
		294	.maxlen = sizeof(unsigned int),
		295	.mode = 0444,
		296	.proc_handler = &proc_dointvec,
		297	},
		298	{
		299	.ctl_name = NET_IPV4_NF_CONNTRACK_CHECKSUM,
		300	.procname = "ip_conntrack_checksum",
		301	.data = &nf_conntrack_checksum,
		302	.maxlen = sizeof(int),
		303	.mode = 0644,
		304	.proc_handler = &proc_dointvec,
		305	},
		306	{
		307	.ctl_name = NET_IPV4_NF_CONNTRACK_LOG_INVALID,
		308	.procname = "ip_conntrack_log_invalid",
		309	.data = &nf_ct_log_invalid,
		310	.maxlen = sizeof(unsigned int),
		311	.mode = 0644,
		312	.proc_handler = &proc_dointvec_minmax,
		313	.strategy = &sysctl_intvec,
		314	.extra1 = &log_invalid_proto_min,
		315	.extra2 = &log_invalid_proto_max,
		316	},
		317	{
		318	.ctl_name = 0
		319	}
		320	};
		321	#endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */
		322
269	/* Fast function for those who don't want to parse /proc (and I don't	323	/* Fast function for those who don't want to parse /proc (and I don't
270	blame them). */	324	blame them). */
271	/* Reversing the socket's dst/src point of view gives us the reply	325	/* Reversing the socket's dst/src point of view gives us the reply
@@ -386,6 +440,10 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = {
386	.tuple_to_nfattr = ipv4_tuple_to_nfattr,	440	.tuple_to_nfattr = ipv4_tuple_to_nfattr,
387	.nfattr_to_tuple = ipv4_nfattr_to_tuple,	441	.nfattr_to_tuple = ipv4_nfattr_to_tuple,
388	#endif	442	#endif
		443	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
		444	.ctl_table_path = nf_net_ipv4_netfilter_sysctl_path,
		445	.ctl_table = ip_ct_sysctl_table,
		446	#endif
389	.me = THIS_MODULE,	447	.me = THIS_MODULE,
390	};	448	};
391		449


diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index c59f28193a39..46aa44abc078 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -336,6 +336,21 @@ static struct ctl_table icmp_sysctl_table[] = {
336	.ctl_name = 0	336	.ctl_name = 0
337	}	337	}
338	};	338	};
		339	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		340	static struct ctl_table icmp_compat_sysctl_table[] = {
		341	{
		342	.ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
		343	.procname = "ip_conntrack_icmp_timeout",
		344	.data = &nf_ct_icmp_timeout,
		345	.maxlen = sizeof(unsigned int),
		346	.mode = 0644,
		347	.proc_handler = &proc_dointvec_jiffies,
		348	},
		349	{
		350	.ctl_name = 0
		351	}
		352	};
		353	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
339	#endif /* CONFIG_SYSCTL */	354	#endif /* CONFIG_SYSCTL */
340		355
341	struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =	356	struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
@@ -360,6 +375,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
360	#ifdef CONFIG_SYSCTL	375	#ifdef CONFIG_SYSCTL
361	.ctl_table_header = &icmp_sysctl_header,	376	.ctl_table_header = &icmp_sysctl_header,
362	.ctl_table = icmp_sysctl_table,	377	.ctl_table = icmp_sysctl_table,
		378	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		379	.ctl_compat_table = icmp_compat_sysctl_table,
		380	#endif
363	#endif	381	#endif
364	};	382	};
365		383