netfilter: xt_connbytes: Force CT accounting to be enabled

Check at rule install time that CT accounting is enabled. Force it
to be enabled if not while also emitting a warning since this is not
the default state.

This is in preparation for deprecating CONFIG_NF_CT_ACCT upon which
CONFIG_NETFILTER_XT_MATCH_CONNBYTES depended being set.

Added 2 CT accounting support functions:

nf_ct_acct_enabled() - Get CT accounting state.
nf_ct_set_acct() - Enable/disable CT accountuing.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

1 files changed, 10 insertions, 0 deletions

diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 73517835303d..5b138506690e 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
         if (ret < 0)
                 pr_info("cannot load conntrack support for proto=%u\n",
                         par->family);
+
+        /*
+         * This filter cannot function correctly unless connection tracking
+         * accounting is enabled, so complain in the hope that someone notices.
+         */
+        if (!nf_ct_acct_enabled(par->net)) {
+                pr_warning("Forcing CT accounting to be enabled\n");
+                nf_ct_set_acct(par->net, true);
+        }
+
         return ret;
 }