netfilter: netns nf_conntrack: per-netns conntrack accounting

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Alexey Dobriyan <adobriyan@gmail.com> 2008-10-08 05:35:09 -0400
committer: Patrick McHardy <kaber@trash.net> 2008-10-08 05:35:09 -0400
commit: d716a4dfbbdf0d4731d596a96e5f4b0d892ac168 (patch)
tree: 6131d86efdcebf7da50ded77e437223df9f41f7c /net/netfilter
parent: c2a2c7e0cc39e7f9336cd67e8307a110bdba82f3 (diff)
2 files changed, 74 insertions, 30 deletions
diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
index 59bd8b903a19..03591d37b9cc 100644
--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -22,19 +22,17 @@
 #define NF_CT_ACCT_DEFAULT 0
 #endif
-int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;
+static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;
-EXPORT_SYMBOL_GPL(nf_ct_acct);
 module_param_named(acct, nf_ct_acct, bool, 0644);
 MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *acct_sysctl_header;
 static struct ctl_table acct_sysctl_table[] = {
        {
                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "nf_conntrack_acct",
-                .data           = &nf_ct_acct,
+                .data           = &init_net.ct.sysctl_acct,
                .maxlen         = sizeof(unsigned int),
                .mode           = 0644,
                .proc_handler   = &proc_dointvec,
@@ -64,41 +62,87 @@ static struct nf_ct_ext_type acct_extend __read_mostly = {
        .id     = NF_CT_EXT_ACCT,
 };
-int nf_conntrack_acct_init(void)
+#ifdef CONFIG_SYSCTL
+static int nf_conntrack_acct_init_sysctl(struct net *net)
 {
-        int ret;
+        struct ctl_table *table;
-#ifdef CONFIG_NF_CT_ACCT
+        table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
-        printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Plase use\n");
+                        GFP_KERNEL);
-        printk(KERN_WARNING "nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or\n");
+        if (!table)
-        printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");
+                goto out;
-#endif
+        table[0].data = &net->ct.sysctl_acct;
-        ret = nf_ct_extend_register(&acct_extend);
+        net->ct.acct_sysctl_header = register_net_sysctl_table(net,
-        if (ret < 0) {
+                        nf_net_netfilter_sysctl_path, table);
-                printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");
+        if (!net->ct.acct_sysctl_header) {
-                return ret;
+                printk(KERN_ERR "nf_conntrack_acct: can't register to sysctl.\n");
+                goto out_register;
        }
+        return 0;
-#ifdef CONFIG_SYSCTL
+out_register:
-        acct_sysctl_header = register_sysctl_paths(nf_net_netfilter_sysctl_path,
+        kfree(table);
-                                acct_sysctl_table);
+out:
+        return -ENOMEM;
+}
-        if (!acct_sysctl_header) {
+static void nf_conntrack_acct_fini_sysctl(struct net *net)
-                nf_ct_extend_unregister(&acct_extend);
+{
+        struct ctl_table *table;
-                printk(KERN_ERR "nf_conntrack_acct: can't register to sysctl.\n");
+        table = net->ct.acct_sysctl_header->ctl_table_arg;
-                return -ENOMEM;
+        unregister_net_sysctl_table(net->ct.acct_sysctl_header);
-        }
+        kfree(table);
+}
+#else
+static int nf_conntrack_acct_init_sysctl(struct net *net)
+{
+        return 0;
+}
+static void nf_conntrack_acct_fini_sysctl(struct net *net)
+{
+}
+#endif
+int nf_conntrack_acct_init(struct net *net)
+{
+        int ret;
+        net->ct.sysctl_acct = nf_ct_acct;
+        if (net_eq(net, &init_net)) {
+#ifdef CONFIG_NF_CT_ACCT
+                printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Plase use\n");
+                printk(KERN_WARNING "nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or\n");
+                printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");
 #endif
+                ret = nf_ct_extend_register(&acct_extend);
+                if (ret < 0) {
+                        printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");
+                        goto out_extend_register;
+                }
+        }
+        ret = nf_conntrack_acct_init_sysctl(net);
+        if (ret < 0)
+                goto out_sysctl;
        return 0;
+out_sysctl:
+        if (net_eq(net, &init_net))
+                nf_ct_extend_unregister(&acct_extend);
+out_extend_register:
+        return ret;
 }
-void nf_conntrack_acct_fini(void)
+void nf_conntrack_acct_fini(struct net *net)
 {
-#ifdef CONFIG_SYSCTL
+        nf_conntrack_acct_fini_sysctl(net);
-        unregister_sysctl_table(acct_sysctl_header);
+        if (net_eq(net, &init_net))
-#endif
+                nf_ct_extend_unregister(&acct_extend);
-        nf_ct_extend_unregister(&acct_extend);
 }
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index ade0bb3ab2e3..bb26460d897c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1039,7 +1039,7 @@ void nf_conntrack_cleanup(struct net *net)
        nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
                             nf_conntrack_htable_size);
-        nf_conntrack_acct_fini();
+        nf_conntrack_acct_fini(net);
        nf_conntrack_expect_fini(net);
        free_percpu(net->ct.stat);
        nf_conntrack_helper_fini();
@@ -1191,7 +1191,7 @@ int nf_conntrack_init(struct net *net)
        if (ret < 0)
                goto out_fini_expect;
-        ret = nf_conntrack_acct_init();
+        ret = nf_conntrack_acct_init(net);
        if (ret < 0)
                goto out_fini_helper;
author	Alexey Dobriyan <adobriyan@gmail.com>	2008-10-08 05:35:09 -0400
committer	Patrick McHardy <kaber@trash.net>	2008-10-08 05:35:09 -0400
commit	d716a4dfbbdf0d4731d596a96e5f4b0d892ac168 (patch)
tree	6131d86efdcebf7da50ded77e437223df9f41f7c /net/netfilter
parent	c2a2c7e0cc39e7f9336cd67e8307a110bdba82f3 (diff)

diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c index 59bd8b903a19..03591d37b9cc 100644 --- a/net/netfilter/nf_conntrack_acct.c +++ b/net/netfilter/nf_conntrack_acct.c
@@ -22,19 +22,17 @@
22	#define NF_CT_ACCT_DEFAULT 0	22	#define NF_CT_ACCT_DEFAULT 0
23	#endif	23	#endif
24		24
25	int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;	25	static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;
26	EXPORT_SYMBOL_GPL(nf_ct_acct);
27		26
28	module_param_named(acct, nf_ct_acct, bool, 0644);	27	module_param_named(acct, nf_ct_acct, bool, 0644);
29	MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");	28	MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
30		29
31	#ifdef CONFIG_SYSCTL	30	#ifdef CONFIG_SYSCTL
32	static struct ctl_table_header *acct_sysctl_header;
33	static struct ctl_table acct_sysctl_table[] = {	31	static struct ctl_table acct_sysctl_table[] = {
34	{	32	{
35	.ctl_name = CTL_UNNUMBERED,	33	.ctl_name = CTL_UNNUMBERED,
36	.procname = "nf_conntrack_acct",	34	.procname = "nf_conntrack_acct",
37	.data = &nf_ct_acct,	35	.data = &init_net.ct.sysctl_acct,
38	.maxlen = sizeof(unsigned int),	36	.maxlen = sizeof(unsigned int),
39	.mode = 0644,	37	.mode = 0644,
40	.proc_handler = &proc_dointvec,	38	.proc_handler = &proc_dointvec,
@@ -64,41 +62,87 @@ static struct nf_ct_ext_type acct_extend __read_mostly = {
64	.id = NF_CT_EXT_ACCT,	62	.id = NF_CT_EXT_ACCT,
65	};	63	};
66		64
67	int nf_conntrack_acct_init(void)	65	#ifdef CONFIG_SYSCTL
		66	static int nf_conntrack_acct_init_sysctl(struct net *net)
68	{	67	{
69	int ret;	68	struct ctl_table *table;
70		69
71	#ifdef CONFIG_NF_CT_ACCT	70	table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
72	printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Plase use\n");	71	GFP_KERNEL);
73	printk(KERN_WARNING "nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or\n");	72	if (!table)
74	printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");	73	goto out;
75	#endif	74
		75	table[0].data = &net->ct.sysctl_acct;
76		76
77	ret = nf_ct_extend_register(&acct_extend);	77	net->ct.acct_sysctl_header = register_net_sysctl_table(net,
78	if (ret < 0) {	78	nf_net_netfilter_sysctl_path, table);
79	printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");	79	if (!net->ct.acct_sysctl_header) {
80	return ret;	80	printk(KERN_ERR "nf_conntrack_acct: can't register to sysctl.\n");
		81	goto out_register;
81	}	82	}
		83	return 0;
82		84
83	#ifdef CONFIG_SYSCTL	85	out_register:
84	acct_sysctl_header = register_sysctl_paths(nf_net_netfilter_sysctl_path,	86	kfree(table);
85	acct_sysctl_table);	87	out:
		88	return -ENOMEM;
		89	}
86		90
87	if (!acct_sysctl_header) {	91	static void nf_conntrack_acct_fini_sysctl(struct net *net)
88	nf_ct_extend_unregister(&acct_extend);	92	{
		93	struct ctl_table *table;
89		94
90	printk(KERN_ERR "nf_conntrack_acct: can't register to sysctl.\n");	95	table = net->ct.acct_sysctl_header->ctl_table_arg;
91	return -ENOMEM;	96	unregister_net_sysctl_table(net->ct.acct_sysctl_header);
92	}	97	kfree(table);
		98	}
		99	#else
		100	static int nf_conntrack_acct_init_sysctl(struct net *net)
		101	{
		102	return 0;
		103	}
		104
		105	static void nf_conntrack_acct_fini_sysctl(struct net *net)
		106	{
		107	}
		108	#endif
		109
		110	int nf_conntrack_acct_init(struct net *net)
		111	{
		112	int ret;
		113
		114	net->ct.sysctl_acct = nf_ct_acct;
		115
		116	if (net_eq(net, &init_net)) {
		117	#ifdef CONFIG_NF_CT_ACCT
		118	printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Plase use\n");
		119	printk(KERN_WARNING "nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or\n");
		120	printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");
93	#endif	121	#endif
94		122
		123	ret = nf_ct_extend_register(&acct_extend);
		124	if (ret < 0) {
		125	printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");
		126	goto out_extend_register;
		127	}
		128	}
		129
		130	ret = nf_conntrack_acct_init_sysctl(net);
		131	if (ret < 0)
		132	goto out_sysctl;
		133
95	return 0;	134	return 0;
		135
		136	out_sysctl:
		137	if (net_eq(net, &init_net))
		138	nf_ct_extend_unregister(&acct_extend);
		139	out_extend_register:
		140	return ret;
96	}	141	}
97		142
98	void nf_conntrack_acct_fini(void)	143	void nf_conntrack_acct_fini(struct net *net)
99	{	144	{
100	#ifdef CONFIG_SYSCTL	145	nf_conntrack_acct_fini_sysctl(net);
101	unregister_sysctl_table(acct_sysctl_header);	146	if (net_eq(net, &init_net))
102	#endif	147	nf_ct_extend_unregister(&acct_extend);
103	nf_ct_extend_unregister(&acct_extend);
104	}	148	}


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index ade0bb3ab2e3..bb26460d897c 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -1039,7 +1039,7 @@ void nf_conntrack_cleanup(struct net *net)
1039	nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,	1039	nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
1040	nf_conntrack_htable_size);	1040	nf_conntrack_htable_size);
1041		1041
1042	nf_conntrack_acct_fini();	1042	nf_conntrack_acct_fini(net);
1043	nf_conntrack_expect_fini(net);	1043	nf_conntrack_expect_fini(net);
1044	free_percpu(net->ct.stat);	1044	free_percpu(net->ct.stat);
1045	nf_conntrack_helper_fini();	1045	nf_conntrack_helper_fini();
@@ -1191,7 +1191,7 @@ int nf_conntrack_init(struct net *net)
1191	if (ret < 0)	1191	if (ret < 0)
1192	goto out_fini_expect;	1192	goto out_fini_expect;
1193		1193
1194	ret = nf_conntrack_acct_init();	1194	ret = nf_conntrack_acct_init(net);
1195	if (ret < 0)	1195	if (ret < 0)
1196	goto out_fini_helper;	1196	goto out_fini_helper;
1197		1197