netfilter: add cttimeout infrastructure for fine timeout tuning

This patch adds the infrastructure to add fine timeout tuning over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT subsystem to create/delete/dump timeout objects that contain some specific timeout policy for one flow. The follow up patches will allow you attach timeout policy object to conntrack via the CT target and the conntrack extension infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2012-02-28 13:13:48 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-03-07 11:41:22 -0500
commit: 50978462300f74dc48aea4a38471cb69bdf741a5 (patch)
tree: 0d63f721f996d4c4a4e37cd08df949e25d4c980e /net/ipv6
parent: 2c8503f55fbdfbeff4164f133df804cf4d316290 (diff)
1 files changed, 47 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 2eb9751eb7a8..92cc9f2931ae 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -276,6 +276,44 @@ static int icmpv6_nlattr_tuple_size(void)
 }
 #endif
+#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nfnetlink_cttimeout.h>
+static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+{
+        unsigned int *timeout = data;
+        if (tb[CTA_TIMEOUT_ICMPV6_TIMEOUT]) {
+                *timeout =
+                    ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMPV6_TIMEOUT])) * HZ;
+        } else {
+                /* Set default ICMPv6 timeout. */
+                *timeout = nf_ct_icmpv6_timeout;
+        }
+        return 0;
+}
+static int
+icmpv6_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
+{
+        const unsigned int *timeout = data;
+        NLA_PUT_BE32(skb, CTA_TIMEOUT_ICMPV6_TIMEOUT, htonl(*timeout / HZ));
+        return 0;
+nla_put_failure:
+        return -ENOSPC;
+}
+static const struct nla_policy
+icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
+        [CTA_TIMEOUT_ICMPV6_TIMEOUT]    = { .type = NLA_U32 },
+};
+#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
 static struct ctl_table_header *icmpv6_sysctl_header;
 static struct ctl_table icmpv6_sysctl_table[] = {
@@ -308,6 +346,15 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
        .nlattr_to_tuple        = icmpv6_nlattr_to_tuple,
        .nla_policy             = icmpv6_nla_policy,
 #endif
+#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+        .ctnl_timeout           = {
+                .nlattr_to_obj  = icmpv6_timeout_nlattr_to_obj,
+                .obj_to_nlattr  = icmpv6_timeout_obj_to_nlattr,
+                .nlattr_max     = CTA_TIMEOUT_ICMP_MAX,
+                .obj_size       = sizeof(unsigned int),
+                .nla_policy     = icmpv6_timeout_nla_policy,
+        },
+#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
        .ctl_table_header       = &icmpv6_sysctl_header,
        .ctl_table              = icmpv6_sysctl_table,
author	Pablo Neira Ayuso <pablo@netfilter.org>	2012-02-28 13:13:48 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-03-07 11:41:22 -0500
commit	50978462300f74dc48aea4a38471cb69bdf741a5 (patch)
tree	0d63f721f996d4c4a4e37cd08df949e25d4c980e /net/ipv6
parent	2c8503f55fbdfbeff4164f133df804cf4d316290 (diff)

diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index 2eb9751eb7a8..92cc9f2931ae 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -276,6 +276,44 @@ static int icmpv6_nlattr_tuple_size(void)
276	}	276	}
277	#endif	277	#endif
278		278
		279	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
		280
		281	#include <linux/netfilter/nfnetlink.h>
		282	#include <linux/netfilter/nfnetlink_cttimeout.h>
		283
		284	static int icmpv6_timeout_nlattr_to_obj(struct nlattr tb[], void data)
		285	{
		286	unsigned int *timeout = data;
		287
		288	if (tb[CTA_TIMEOUT_ICMPV6_TIMEOUT]) {
		289	*timeout =
		290	ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMPV6_TIMEOUT])) * HZ;
		291	} else {
		292	/* Set default ICMPv6 timeout. */
		293	*timeout = nf_ct_icmpv6_timeout;
		294	}
		295	return 0;
		296	}
		297
		298	static int
		299	icmpv6_timeout_obj_to_nlattr(struct sk_buff skb, const void data)
		300	{
		301	const unsigned int *timeout = data;
		302
		303	NLA_PUT_BE32(skb, CTA_TIMEOUT_ICMPV6_TIMEOUT, htonl(*timeout / HZ));
		304
		305	return 0;
		306
		307	nla_put_failure:
		308	return -ENOSPC;
		309	}
		310
		311	static const struct nla_policy
		312	icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
		313	[CTA_TIMEOUT_ICMPV6_TIMEOUT] = { .type = NLA_U32 },
		314	};
		315	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
		316
279	#ifdef CONFIG_SYSCTL	317	#ifdef CONFIG_SYSCTL
280	static struct ctl_table_header *icmpv6_sysctl_header;	318	static struct ctl_table_header *icmpv6_sysctl_header;
281	static struct ctl_table icmpv6_sysctl_table[] = {	319	static struct ctl_table icmpv6_sysctl_table[] = {
@@ -308,6 +346,15 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
308	.nlattr_to_tuple = icmpv6_nlattr_to_tuple,	346	.nlattr_to_tuple = icmpv6_nlattr_to_tuple,
309	.nla_policy = icmpv6_nla_policy,	347	.nla_policy = icmpv6_nla_policy,
310	#endif	348	#endif
		349	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
		350	.ctnl_timeout = {
		351	.nlattr_to_obj = icmpv6_timeout_nlattr_to_obj,
		352	.obj_to_nlattr = icmpv6_timeout_obj_to_nlattr,
		353	.nlattr_max = CTA_TIMEOUT_ICMP_MAX,
		354	.obj_size = sizeof(unsigned int),
		355	.nla_policy = icmpv6_timeout_nla_policy,
		356	},
		357	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
311	#ifdef CONFIG_SYSCTL	358	#ifdef CONFIG_SYSCTL
312	.ctl_table_header = &icmpv6_sysctl_header,	359	.ctl_table_header = &icmpv6_sysctl_header,
313	.ctl_table = icmpv6_sysctl_table,	360	.ctl_table = icmpv6_sysctl_table,