diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-02-28 13:13:48 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-03-07 11:41:22 -0500 |
| commit | 50978462300f74dc48aea4a38471cb69bdf741a5 (patch) | |
| tree | 0d63f721f996d4c4a4e37cd08df949e25d4c980e /net/ipv4 | |
| parent | 2c8503f55fbdfbeff4164f133df804cf4d316290 (diff) | |
netfilter: add cttimeout infrastructure for fine timeout tuning
This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.
The follow up patches will allow you attach timeout policy object
to conntrack via the CT target and the conntrack extension
infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 6b801124b31f..7cbe9cb261c2 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
| @@ -269,6 +269,44 @@ static int icmp_nlattr_tuple_size(void) | |||
| 269 | } | 269 | } |
| 270 | #endif | 270 | #endif |
| 271 | 271 | ||
| 272 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | ||
| 273 | |||
| 274 | #include <linux/netfilter/nfnetlink.h> | ||
| 275 | #include <linux/netfilter/nfnetlink_cttimeout.h> | ||
| 276 | |||
| 277 | static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data) | ||
| 278 | { | ||
| 279 | unsigned int *timeout = data; | ||
| 280 | |||
| 281 | if (tb[CTA_TIMEOUT_ICMP_TIMEOUT]) { | ||
| 282 | *timeout = | ||
| 283 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT])) * HZ; | ||
| 284 | } else { | ||
| 285 | /* Set default ICMP timeout. */ | ||
| 286 | *timeout = nf_ct_icmp_timeout; | ||
| 287 | } | ||
| 288 | return 0; | ||
| 289 | } | ||
| 290 | |||
| 291 | static int | ||
| 292 | icmp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) | ||
| 293 | { | ||
| 294 | const unsigned int *timeout = data; | ||
| 295 | |||
| 296 | NLA_PUT_BE32(skb, CTA_TIMEOUT_ICMP_TIMEOUT, htonl(*timeout / HZ)); | ||
| 297 | |||
| 298 | return 0; | ||
| 299 | |||
| 300 | nla_put_failure: | ||
| 301 | return -ENOSPC; | ||
| 302 | } | ||
| 303 | |||
| 304 | static const struct nla_policy | ||
| 305 | icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = { | ||
| 306 | [CTA_TIMEOUT_ICMP_TIMEOUT] = { .type = NLA_U32 }, | ||
| 307 | }; | ||
| 308 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | ||
| 309 | |||
| 272 | #ifdef CONFIG_SYSCTL | 310 | #ifdef CONFIG_SYSCTL |
| 273 | static struct ctl_table_header *icmp_sysctl_header; | 311 | static struct ctl_table_header *icmp_sysctl_header; |
| 274 | static struct ctl_table icmp_sysctl_table[] = { | 312 | static struct ctl_table icmp_sysctl_table[] = { |
| @@ -315,6 +353,15 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly = | |||
| 315 | .nlattr_to_tuple = icmp_nlattr_to_tuple, | 353 | .nlattr_to_tuple = icmp_nlattr_to_tuple, |
| 316 | .nla_policy = icmp_nla_policy, | 354 | .nla_policy = icmp_nla_policy, |
| 317 | #endif | 355 | #endif |
| 356 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | ||
| 357 | .ctnl_timeout = { | ||
| 358 | .nlattr_to_obj = icmp_timeout_nlattr_to_obj, | ||
| 359 | .obj_to_nlattr = icmp_timeout_obj_to_nlattr, | ||
| 360 | .nlattr_max = CTA_TIMEOUT_ICMP_MAX, | ||
| 361 | .obj_size = sizeof(unsigned int), | ||
| 362 | .nla_policy = icmp_timeout_nla_policy, | ||
| 363 | }, | ||
| 364 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | ||
| 318 | #ifdef CONFIG_SYSCTL | 365 | #ifdef CONFIG_SYSCTL |
| 319 | .ctl_table_header = &icmp_sysctl_header, | 366 | .ctl_table_header = &icmp_sysctl_header, |
| 320 | .ctl_table = icmp_sysctl_table, | 367 | .ctl_table = icmp_sysctl_table, |