[NETFILTER]: nf_conntrack: sysctl compatibility with old connection tracking

This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2006-11-28 20:35:20 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:31:19 -0500
commit: a999e6837603e4b5a164333c93918a1292f074c8 (patch)
tree: 22e04633ff4f046b9769ebf304520eb0e0acfa5b /net
parent: 933a41e7e12b773d1dd026018f02b86b5d257a22 (diff)
9 files changed, 327 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index d88c292f118c..4ac5b5c4678d 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -19,6 +19,17 @@ config NF_CONNTRACK_IPV4
          To compile it as a module, choose M here.  If unsure, say N.
+config NF_CONNTRACK_PROC_COMPAT
+        bool "proc/sysctl compatibility with old connection tracking"
+        depends on NF_CONNTRACK
+        default y
+        help
+          This option enables /proc and sysctl compatibility with the old
+          layer 3 dependant connection tracking. This is needed to keep
+          old programs that have not been adapted to the new names working.
+          If unsure, say Y.
 # connection tracking, helpers and protocols
 config IP_NF_CONNTRACK
        tristate "Connection tracking (required for masq/NAT)"
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 786c4ce96cdf..bcec6822f2ee 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -266,6 +266,60 @@ static struct nf_hook_ops ipv4_conntrack_ops[] = {
        },
 };
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+static int log_invalid_proto_min = 0;
+static int log_invalid_proto_max = 255;
+static ctl_table ip_ct_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_MAX,
+                .procname       = "ip_conntrack_max",
+                .data           = &nf_conntrack_max,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_COUNT,
+                .procname       = "ip_conntrack_count",
+                .data           = &nf_conntrack_count,
+                .maxlen         = sizeof(int),
+                .mode           = 0444,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_BUCKETS,
+                .procname       = "ip_conntrack_buckets",
+                .data           = &nf_conntrack_htable_size,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0444,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_CHECKSUM,
+                .procname       = "ip_conntrack_checksum",
+                .data           = &nf_conntrack_checksum,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_LOG_INVALID,
+                .procname       = "ip_conntrack_log_invalid",
+                .data           = &nf_ct_log_invalid,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_minmax,
+                .strategy       = &sysctl_intvec,
+                .extra1         = &log_invalid_proto_min,
+                .extra2         = &log_invalid_proto_max,
+        },
+        {
+                .ctl_name       = 0
+        }
+};
+#endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */
 /* Fast function for those who don't want to parse /proc (and I don't
   blame them). */
 /* Reversing the socket's dst/src point of view gives us the reply
@@ -386,6 +440,10 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = {
        .tuple_to_nfattr = ipv4_tuple_to_nfattr,
        .nfattr_to_tuple = ipv4_nfattr_to_tuple,
 #endif
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+        .ctl_table_path  = nf_net_ipv4_netfilter_sysctl_path,
+        .ctl_table       = ip_ct_sysctl_table,
+#endif
        .me              = THIS_MODULE,
 };
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index c59f28193a39..46aa44abc078 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -336,6 +336,21 @@ static struct ctl_table icmp_sysctl_table[] = {
                .ctl_name = 0
        }
 };
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+static struct ctl_table icmp_compat_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
+                .procname       = "ip_conntrack_icmp_timeout",
+                .data           = &nf_ct_icmp_timeout,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name = 0
+        }
+};
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
@@ -360,6 +375,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
 #ifdef CONFIG_SYSCTL
        .ctl_table_header       = &icmp_sysctl_header,
        .ctl_table              = icmp_sysctl_table,
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        .ctl_compat_table       = icmp_compat_sysctl_table,
+#endif
 #endif
 };
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 4b972791149d..a6728067780a 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -66,10 +66,12 @@ DEFINE_RWLOCK(nf_conntrack_lock);
 /* nf_conntrack_standalone needs this */
 atomic_t nf_conntrack_count = ATOMIC_INIT(0);
+EXPORT_SYMBOL_GPL(nf_conntrack_count);
 void (*nf_conntrack_destroyed)(struct nf_conn *conntrack) = NULL;
 unsigned int nf_conntrack_htable_size __read_mostly;
 int nf_conntrack_max __read_mostly;
+EXPORT_SYMBOL_GPL(nf_conntrack_max);
 struct list_head *nf_conntrack_hash __read_mostly;
 struct nf_conn nf_conntrack_untracked __read_mostly;
 unsigned int nf_ct_log_invalid __read_mostly;
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 891c9c56c319..4798afcbbb0d 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -250,7 +250,22 @@ static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
                                            nf_net_netfilter_sysctl_path,
                                            l4proto->ctl_table,
                                            l4proto->ctl_table_users);
+                if (err < 0)
+                        goto out;
        }
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        if (l4proto->ctl_compat_table != NULL) {
+                err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
+                                            nf_net_ipv4_netfilter_sysctl_path,
+                                            l4proto->ctl_compat_table, NULL);
+                if (err == 0)
+                        goto out;
+                nf_ct_unregister_sysctl(l4proto->ctl_table_header,
+                                        l4proto->ctl_table,
+                                        l4proto->ctl_table_users);
+        }
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
+out:
        mutex_unlock(&nf_ct_proto_sysctl_mutex);
 #endif /* CONFIG_SYSCTL */
        return err;
@@ -265,6 +280,11 @@ static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto
                nf_ct_unregister_sysctl(l4proto->ctl_table_header,
                                        l4proto->ctl_table,
                                        l4proto->ctl_table_users);
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        if (l4proto->ctl_compat_table_header != NULL)
+                nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
+                                        l4proto->ctl_compat_table, NULL);
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
        mutex_unlock(&nf_ct_proto_sysctl_mutex);
 #endif /* CONFIG_SYSCTL */
 }
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 15306b952510..69902531c236 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -86,6 +86,21 @@ static struct ctl_table generic_sysctl_table[] = {
                .ctl_name       = 0
        }
 };
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+static struct ctl_table generic_compat_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT,
+                .procname       = "ip_conntrack_generic_timeout",
+                .data           = &nf_ct_generic_timeout,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = 0
+        }
+};
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
@@ -102,5 +117,8 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
 #ifdef CONFIG_SYSCTL
        .ctl_table_header       = &generic_sysctl_header,
        .ctl_table              = generic_sysctl_table,
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        .ctl_compat_table       = generic_compat_sysctl_table,
+#endif
 #endif
 };
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index cc693308878f..7c64b9c1cf4a 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -573,6 +573,70 @@ static struct ctl_table sctp_sysctl_table[] = {
                .ctl_name = 0
        }
 };
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+static struct ctl_table sctp_compat_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED,
+                .procname       = "ip_conntrack_sctp_timeout_closed",
+                .data           = &nf_ct_sctp_timeout_closed,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT,
+                .procname       = "ip_conntrack_sctp_timeout_cookie_wait",
+                .data           = &nf_ct_sctp_timeout_cookie_wait,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED,
+                .procname       = "ip_conntrack_sctp_timeout_cookie_echoed",
+                .data           = &nf_ct_sctp_timeout_cookie_echoed,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED,
+                .procname       = "ip_conntrack_sctp_timeout_established",
+                .data           = &nf_ct_sctp_timeout_established,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT,
+                .procname       = "ip_conntrack_sctp_timeout_shutdown_sent",
+                .data           = &nf_ct_sctp_timeout_shutdown_sent,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD,
+                .procname       = "ip_conntrack_sctp_timeout_shutdown_recd",
+                .data           = &nf_ct_sctp_timeout_shutdown_recd,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT,
+                .procname       = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
+                .data           = &nf_ct_sctp_timeout_shutdown_ack_sent,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name = 0
+        }
+};
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif
 struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
@@ -590,6 +654,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
        .ctl_table_users        = &sctp_sysctl_table_users,
        .ctl_table_header       = &sctp_sysctl_header,
        .ctl_table              = sctp_sysctl_table,
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        .ctl_compat_table       = sctp_compat_sysctl_table,
+#endif
 #endif
 };
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6f6f9a061e76..d99c7c4176d4 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1273,6 +1273,110 @@ static struct ctl_table tcp_sysctl_table[] = {
                .ctl_name       = 0
        }
 };
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+static struct ctl_table tcp_compat_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
+                .procname       = "ip_conntrack_tcp_timeout_syn_sent",
+                .data           = &nf_ct_tcp_timeout_syn_sent,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
+                .procname       = "ip_conntrack_tcp_timeout_syn_recv",
+                .data           = &nf_ct_tcp_timeout_syn_recv,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
+                .procname       = "ip_conntrack_tcp_timeout_established",
+                .data           = &nf_ct_tcp_timeout_established,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
+                .procname       = "ip_conntrack_tcp_timeout_fin_wait",
+                .data           = &nf_ct_tcp_timeout_fin_wait,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
+                .procname       = "ip_conntrack_tcp_timeout_close_wait",
+                .data           = &nf_ct_tcp_timeout_close_wait,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
+                .procname       = "ip_conntrack_tcp_timeout_last_ack",
+                .data           = &nf_ct_tcp_timeout_last_ack,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
+                .procname       = "ip_conntrack_tcp_timeout_time_wait",
+                .data           = &nf_ct_tcp_timeout_time_wait,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
+                .procname       = "ip_conntrack_tcp_timeout_close",
+                .data           = &nf_ct_tcp_timeout_close,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS,
+                .procname       = "ip_conntrack_tcp_timeout_max_retrans",
+                .data           = &nf_ct_tcp_timeout_max_retrans,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_LOOSE,
+                .procname       = "ip_conntrack_tcp_loose",
+                .data           = &nf_ct_tcp_loose,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_BE_LIBERAL,
+                .procname       = "ip_conntrack_tcp_be_liberal",
+                .data           = &nf_ct_tcp_be_liberal,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_TCP_MAX_RETRANS,
+                .procname       = "ip_conntrack_tcp_max_retrans",
+                .data           = &nf_ct_tcp_max_retrans,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec,
+        },
+        {
+                .ctl_name       = 0
+        }
+};
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
@@ -1298,6 +1402,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
        .ctl_table_users        = &tcp_sysctl_table_users,
        .ctl_table_header       = &tcp_sysctl_header,
        .ctl_table              = tcp_sysctl_table,
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        .ctl_compat_table       = tcp_compat_sysctl_table,
+#endif
 #endif
 };
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index d86749cb4a46..908fde7719f4 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -172,6 +172,29 @@ static struct ctl_table udp_sysctl_table[] = {
                .ctl_name       = 0
        }
 };
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+static struct ctl_table udp_compat_sysctl_table[] = {
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT,
+                .procname       = "ip_conntrack_udp_timeout",
+                .data           = &nf_ct_udp_timeout,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
+                .procname       = "ip_conntrack_udp_timeout_stream",
+                .data           = &nf_ct_udp_timeout_stream,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = &proc_dointvec_jiffies,
+        },
+        {
+                .ctl_name       = 0
+        }
+};
+#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
@@ -195,6 +218,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
        .ctl_table_users        = &udp_sysctl_table_users,
        .ctl_table_header       = &udp_sysctl_header,
        .ctl_table              = udp_sysctl_table,
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+        .ctl_compat_table       = udp_compat_sysctl_table,
+#endif
 #endif
 };
author	Patrick McHardy <kaber@trash.net>	2006-11-28 20:35:20 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:31:19 -0500
commit	a999e6837603e4b5a164333c93918a1292f074c8 (patch)
tree	22e04633ff4f046b9769ebf304520eb0e0acfa5b /net
parent	933a41e7e12b773d1dd026018f02b86b5d257a22 (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index d88c292f118c..4ac5b5c4678d 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -19,6 +19,17 @@ config NF_CONNTRACK_IPV4
19		19
20	To compile it as a module, choose M here. If unsure, say N.	20	To compile it as a module, choose M here. If unsure, say N.
21		21
		22	config NF_CONNTRACK_PROC_COMPAT
		23	bool "proc/sysctl compatibility with old connection tracking"
		24	depends on NF_CONNTRACK
		25	default y
		26	help
		27	This option enables /proc and sysctl compatibility with the old
		28	layer 3 dependant connection tracking. This is needed to keep
		29	old programs that have not been adapted to the new names working.
		30
		31	If unsure, say Y.
		32
22	# connection tracking, helpers and protocols	33	# connection tracking, helpers and protocols
23	config IP_NF_CONNTRACK	34	config IP_NF_CONNTRACK
24	tristate "Connection tracking (required for masq/NAT)"	35	tristate "Connection tracking (required for masq/NAT)"


diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 786c4ce96cdf..bcec6822f2ee 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -266,6 +266,60 @@ static struct nf_hook_ops ipv4_conntrack_ops[] = {
266	},	266	},
267	};	267	};
268		268
		269	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
		270	static int log_invalid_proto_min = 0;
		271	static int log_invalid_proto_max = 255;
		272
		273	static ctl_table ip_ct_sysctl_table[] = {
		274	{
		275	.ctl_name = NET_IPV4_NF_CONNTRACK_MAX,
		276	.procname = "ip_conntrack_max",
		277	.data = &nf_conntrack_max,
		278	.maxlen = sizeof(int),
		279	.mode = 0644,
		280	.proc_handler = &proc_dointvec,
		281	},
		282	{
		283	.ctl_name = NET_IPV4_NF_CONNTRACK_COUNT,
		284	.procname = "ip_conntrack_count",
		285	.data = &nf_conntrack_count,
		286	.maxlen = sizeof(int),
		287	.mode = 0444,
		288	.proc_handler = &proc_dointvec,
		289	},
		290	{
		291	.ctl_name = NET_IPV4_NF_CONNTRACK_BUCKETS,
		292	.procname = "ip_conntrack_buckets",
		293	.data = &nf_conntrack_htable_size,
		294	.maxlen = sizeof(unsigned int),
		295	.mode = 0444,
		296	.proc_handler = &proc_dointvec,
		297	},
		298	{
		299	.ctl_name = NET_IPV4_NF_CONNTRACK_CHECKSUM,
		300	.procname = "ip_conntrack_checksum",
		301	.data = &nf_conntrack_checksum,
		302	.maxlen = sizeof(int),
		303	.mode = 0644,
		304	.proc_handler = &proc_dointvec,
		305	},
		306	{
		307	.ctl_name = NET_IPV4_NF_CONNTRACK_LOG_INVALID,
		308	.procname = "ip_conntrack_log_invalid",
		309	.data = &nf_ct_log_invalid,
		310	.maxlen = sizeof(unsigned int),
		311	.mode = 0644,
		312	.proc_handler = &proc_dointvec_minmax,
		313	.strategy = &sysctl_intvec,
		314	.extra1 = &log_invalid_proto_min,
		315	.extra2 = &log_invalid_proto_max,
		316	},
		317	{
		318	.ctl_name = 0
		319	}
		320	};
		321	#endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */
		322
269	/* Fast function for those who don't want to parse /proc (and I don't	323	/* Fast function for those who don't want to parse /proc (and I don't
270	blame them). */	324	blame them). */
271	/* Reversing the socket's dst/src point of view gives us the reply	325	/* Reversing the socket's dst/src point of view gives us the reply
@@ -386,6 +440,10 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = {
386	.tuple_to_nfattr = ipv4_tuple_to_nfattr,	440	.tuple_to_nfattr = ipv4_tuple_to_nfattr,
387	.nfattr_to_tuple = ipv4_nfattr_to_tuple,	441	.nfattr_to_tuple = ipv4_nfattr_to_tuple,
388	#endif	442	#endif
		443	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
		444	.ctl_table_path = nf_net_ipv4_netfilter_sysctl_path,
		445	.ctl_table = ip_ct_sysctl_table,
		446	#endif
389	.me = THIS_MODULE,	447	.me = THIS_MODULE,
390	};	448	};
391		449


diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index c59f28193a39..46aa44abc078 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -336,6 +336,21 @@ static struct ctl_table icmp_sysctl_table[] = {
336	.ctl_name = 0	336	.ctl_name = 0
337	}	337	}
338	};	338	};
		339	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		340	static struct ctl_table icmp_compat_sysctl_table[] = {
		341	{
		342	.ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
		343	.procname = "ip_conntrack_icmp_timeout",
		344	.data = &nf_ct_icmp_timeout,
		345	.maxlen = sizeof(unsigned int),
		346	.mode = 0644,
		347	.proc_handler = &proc_dointvec_jiffies,
		348	},
		349	{
		350	.ctl_name = 0
		351	}
		352	};
		353	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
339	#endif /* CONFIG_SYSCTL */	354	#endif /* CONFIG_SYSCTL */
340		355
341	struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =	356	struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
@@ -360,6 +375,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
360	#ifdef CONFIG_SYSCTL	375	#ifdef CONFIG_SYSCTL
361	.ctl_table_header = &icmp_sysctl_header,	376	.ctl_table_header = &icmp_sysctl_header,
362	.ctl_table = icmp_sysctl_table,	377	.ctl_table = icmp_sysctl_table,
		378	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		379	.ctl_compat_table = icmp_compat_sysctl_table,
		380	#endif
363	#endif	381	#endif
364	};	382	};
365		383


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 4b972791149d..a6728067780a 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -66,10 +66,12 @@ DEFINE_RWLOCK(nf_conntrack_lock);
66		66
67	/* nf_conntrack_standalone needs this */	67	/* nf_conntrack_standalone needs this */
68	atomic_t nf_conntrack_count = ATOMIC_INIT(0);	68	atomic_t nf_conntrack_count = ATOMIC_INIT(0);
		69	EXPORT_SYMBOL_GPL(nf_conntrack_count);
69		70
70	void (nf_conntrack_destroyed)(struct nf_conn conntrack) = NULL;	71	void (nf_conntrack_destroyed)(struct nf_conn conntrack) = NULL;
71	unsigned int nf_conntrack_htable_size __read_mostly;	72	unsigned int nf_conntrack_htable_size __read_mostly;
72	int nf_conntrack_max __read_mostly;	73	int nf_conntrack_max __read_mostly;
		74	EXPORT_SYMBOL_GPL(nf_conntrack_max);
73	struct list_head *nf_conntrack_hash __read_mostly;	75	struct list_head *nf_conntrack_hash __read_mostly;
74	struct nf_conn nf_conntrack_untracked __read_mostly;	76	struct nf_conn nf_conntrack_untracked __read_mostly;
75	unsigned int nf_ct_log_invalid __read_mostly;	77	unsigned int nf_ct_log_invalid __read_mostly;


diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index 891c9c56c319..4798afcbbb0d 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c
@@ -250,7 +250,22 @@ static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
250	nf_net_netfilter_sysctl_path,	250	nf_net_netfilter_sysctl_path,
251	l4proto->ctl_table,	251	l4proto->ctl_table,
252	l4proto->ctl_table_users);	252	l4proto->ctl_table_users);
		253	if (err < 0)
		254	goto out;
253	}	255	}
		256	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		257	if (l4proto->ctl_compat_table != NULL) {
		258	err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
		259	nf_net_ipv4_netfilter_sysctl_path,
		260	l4proto->ctl_compat_table, NULL);
		261	if (err == 0)
		262	goto out;
		263	nf_ct_unregister_sysctl(l4proto->ctl_table_header,
		264	l4proto->ctl_table,
		265	l4proto->ctl_table_users);
		266	}
		267	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
		268	out:
254	mutex_unlock(&nf_ct_proto_sysctl_mutex);	269	mutex_unlock(&nf_ct_proto_sysctl_mutex);
255	#endif /* CONFIG_SYSCTL */	270	#endif /* CONFIG_SYSCTL */
256	return err;	271	return err;
@@ -265,6 +280,11 @@ static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto
265	nf_ct_unregister_sysctl(l4proto->ctl_table_header,	280	nf_ct_unregister_sysctl(l4proto->ctl_table_header,
266	l4proto->ctl_table,	281	l4proto->ctl_table,
267	l4proto->ctl_table_users);	282	l4proto->ctl_table_users);
		283	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		284	if (l4proto->ctl_compat_table_header != NULL)
		285	nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
		286	l4proto->ctl_compat_table, NULL);
		287	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
268	mutex_unlock(&nf_ct_proto_sysctl_mutex);	288	mutex_unlock(&nf_ct_proto_sysctl_mutex);
269	#endif /* CONFIG_SYSCTL */	289	#endif /* CONFIG_SYSCTL */
270	}	290	}


diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c index 15306b952510..69902531c236 100644 --- a/net/netfilter/nf_conntrack_proto_generic.c +++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -86,6 +86,21 @@ static struct ctl_table generic_sysctl_table[] = {
86	.ctl_name = 0	86	.ctl_name = 0
87	}	87	}
88	};	88	};
		89	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		90	static struct ctl_table generic_compat_sysctl_table[] = {
		91	{
		92	.ctl_name = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT,
		93	.procname = "ip_conntrack_generic_timeout",
		94	.data = &nf_ct_generic_timeout,
		95	.maxlen = sizeof(unsigned int),
		96	.mode = 0644,
		97	.proc_handler = &proc_dointvec_jiffies,
		98	},
		99	{
		100	.ctl_name = 0
		101	}
		102	};
		103	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
89	#endif /* CONFIG_SYSCTL */	104	#endif /* CONFIG_SYSCTL */
90		105
91	struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =	106	struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
@@ -102,5 +117,8 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
102	#ifdef CONFIG_SYSCTL	117	#ifdef CONFIG_SYSCTL
103	.ctl_table_header = &generic_sysctl_header,	118	.ctl_table_header = &generic_sysctl_header,
104	.ctl_table = generic_sysctl_table,	119	.ctl_table = generic_sysctl_table,
		120	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		121	.ctl_compat_table = generic_compat_sysctl_table,
		122	#endif
105	#endif	123	#endif
106	};	124	};


diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index cc693308878f..7c64b9c1cf4a 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -573,6 +573,70 @@ static struct ctl_table sctp_sysctl_table[] = {
573	.ctl_name = 0	573	.ctl_name = 0
574	}	574	}
575	};	575	};
		576
		577	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		578	static struct ctl_table sctp_compat_sysctl_table[] = {
		579	{
		580	.ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED,
		581	.procname = "ip_conntrack_sctp_timeout_closed",
		582	.data = &nf_ct_sctp_timeout_closed,
		583	.maxlen = sizeof(unsigned int),
		584	.mode = 0644,
		585	.proc_handler = &proc_dointvec_jiffies,
		586	},
		587	{
		588	.ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT,
		589	.procname = "ip_conntrack_sctp_timeout_cookie_wait",
		590	.data = &nf_ct_sctp_timeout_cookie_wait,
		591	.maxlen = sizeof(unsigned int),
		592	.mode = 0644,
		593	.proc_handler = &proc_dointvec_jiffies,
		594	},
		595	{
		596	.ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED,
		597	.procname = "ip_conntrack_sctp_timeout_cookie_echoed",
		598	.data = &nf_ct_sctp_timeout_cookie_echoed,
		599	.maxlen = sizeof(unsigned int),
		600	.mode = 0644,
		601	.proc_handler = &proc_dointvec_jiffies,
		602	},
		603	{
		604	.ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED,
		605	.procname = "ip_conntrack_sctp_timeout_established",
		606	.data = &nf_ct_sctp_timeout_established,
		607	.maxlen = sizeof(unsigned int),
		608	.mode = 0644,
		609	.proc_handler = &proc_dointvec_jiffies,
		610	},
		611	{
		612	.ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT,
		613	.procname = "ip_conntrack_sctp_timeout_shutdown_sent",
		614	.data = &nf_ct_sctp_timeout_shutdown_sent,
		615	.maxlen = sizeof(unsigned int),
		616	.mode = 0644,
		617	.proc_handler = &proc_dointvec_jiffies,
		618	},
		619	{
		620	.ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD,
		621	.procname = "ip_conntrack_sctp_timeout_shutdown_recd",
		622	.data = &nf_ct_sctp_timeout_shutdown_recd,
		623	.maxlen = sizeof(unsigned int),
		624	.mode = 0644,
		625	.proc_handler = &proc_dointvec_jiffies,
		626	},
		627	{
		628	.ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT,
		629	.procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
		630	.data = &nf_ct_sctp_timeout_shutdown_ack_sent,
		631	.maxlen = sizeof(unsigned int),
		632	.mode = 0644,
		633	.proc_handler = &proc_dointvec_jiffies,
		634	},
		635	{
		636	.ctl_name = 0
		637	}
		638	};
		639	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
576	#endif	640	#endif
577		641
578	struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {	642	struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
@@ -590,6 +654,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
590	.ctl_table_users = &sctp_sysctl_table_users,	654	.ctl_table_users = &sctp_sysctl_table_users,
591	.ctl_table_header = &sctp_sysctl_header,	655	.ctl_table_header = &sctp_sysctl_header,
592	.ctl_table = sctp_sysctl_table,	656	.ctl_table = sctp_sysctl_table,
		657	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		658	.ctl_compat_table = sctp_compat_sysctl_table,
		659	#endif
593	#endif	660	#endif
594	};	661	};
595		662


diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 6f6f9a061e76..d99c7c4176d4 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1273,6 +1273,110 @@ static struct ctl_table tcp_sysctl_table[] = {
1273	.ctl_name = 0	1273	.ctl_name = 0
1274	}	1274	}
1275	};	1275	};
		1276
		1277	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		1278	static struct ctl_table tcp_compat_sysctl_table[] = {
		1279	{
		1280	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
		1281	.procname = "ip_conntrack_tcp_timeout_syn_sent",
		1282	.data = &nf_ct_tcp_timeout_syn_sent,
		1283	.maxlen = sizeof(unsigned int),
		1284	.mode = 0644,
		1285	.proc_handler = &proc_dointvec_jiffies,
		1286	},
		1287	{
		1288	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
		1289	.procname = "ip_conntrack_tcp_timeout_syn_recv",
		1290	.data = &nf_ct_tcp_timeout_syn_recv,
		1291	.maxlen = sizeof(unsigned int),
		1292	.mode = 0644,
		1293	.proc_handler = &proc_dointvec_jiffies,
		1294	},
		1295	{
		1296	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
		1297	.procname = "ip_conntrack_tcp_timeout_established",
		1298	.data = &nf_ct_tcp_timeout_established,
		1299	.maxlen = sizeof(unsigned int),
		1300	.mode = 0644,
		1301	.proc_handler = &proc_dointvec_jiffies,
		1302	},
		1303	{
		1304	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
		1305	.procname = "ip_conntrack_tcp_timeout_fin_wait",
		1306	.data = &nf_ct_tcp_timeout_fin_wait,
		1307	.maxlen = sizeof(unsigned int),
		1308	.mode = 0644,
		1309	.proc_handler = &proc_dointvec_jiffies,
		1310	},
		1311	{
		1312	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
		1313	.procname = "ip_conntrack_tcp_timeout_close_wait",
		1314	.data = &nf_ct_tcp_timeout_close_wait,
		1315	.maxlen = sizeof(unsigned int),
		1316	.mode = 0644,
		1317	.proc_handler = &proc_dointvec_jiffies,
		1318	},
		1319	{
		1320	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
		1321	.procname = "ip_conntrack_tcp_timeout_last_ack",
		1322	.data = &nf_ct_tcp_timeout_last_ack,
		1323	.maxlen = sizeof(unsigned int),
		1324	.mode = 0644,
		1325	.proc_handler = &proc_dointvec_jiffies,
		1326	},
		1327	{
		1328	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
		1329	.procname = "ip_conntrack_tcp_timeout_time_wait",
		1330	.data = &nf_ct_tcp_timeout_time_wait,
		1331	.maxlen = sizeof(unsigned int),
		1332	.mode = 0644,
		1333	.proc_handler = &proc_dointvec_jiffies,
		1334	},
		1335	{
		1336	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
		1337	.procname = "ip_conntrack_tcp_timeout_close",
		1338	.data = &nf_ct_tcp_timeout_close,
		1339	.maxlen = sizeof(unsigned int),
		1340	.mode = 0644,
		1341	.proc_handler = &proc_dointvec_jiffies,
		1342	},
		1343	{
		1344	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS,
		1345	.procname = "ip_conntrack_tcp_timeout_max_retrans",
		1346	.data = &nf_ct_tcp_timeout_max_retrans,
		1347	.maxlen = sizeof(unsigned int),
		1348	.mode = 0644,
		1349	.proc_handler = &proc_dointvec_jiffies,
		1350	},
		1351	{
		1352	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_LOOSE,
		1353	.procname = "ip_conntrack_tcp_loose",
		1354	.data = &nf_ct_tcp_loose,
		1355	.maxlen = sizeof(unsigned int),
		1356	.mode = 0644,
		1357	.proc_handler = &proc_dointvec,
		1358	},
		1359	{
		1360	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_BE_LIBERAL,
		1361	.procname = "ip_conntrack_tcp_be_liberal",
		1362	.data = &nf_ct_tcp_be_liberal,
		1363	.maxlen = sizeof(unsigned int),
		1364	.mode = 0644,
		1365	.proc_handler = &proc_dointvec,
		1366	},
		1367	{
		1368	.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_MAX_RETRANS,
		1369	.procname = "ip_conntrack_tcp_max_retrans",
		1370	.data = &nf_ct_tcp_max_retrans,
		1371	.maxlen = sizeof(unsigned int),
		1372	.mode = 0644,
		1373	.proc_handler = &proc_dointvec,
		1374	},
		1375	{
		1376	.ctl_name = 0
		1377	}
		1378	};
		1379	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
1276	#endif /* CONFIG_SYSCTL */	1380	#endif /* CONFIG_SYSCTL */
1277		1381
1278	struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =	1382	struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
@@ -1298,6 +1402,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
1298	.ctl_table_users = &tcp_sysctl_table_users,	1402	.ctl_table_users = &tcp_sysctl_table_users,
1299	.ctl_table_header = &tcp_sysctl_header,	1403	.ctl_table_header = &tcp_sysctl_header,
1300	.ctl_table = tcp_sysctl_table,	1404	.ctl_table = tcp_sysctl_table,
		1405	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		1406	.ctl_compat_table = tcp_compat_sysctl_table,
		1407	#endif
1301	#endif	1408	#endif
1302	};	1409	};
1303		1410


diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index d86749cb4a46..908fde7719f4 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -172,6 +172,29 @@ static struct ctl_table udp_sysctl_table[] = {
172	.ctl_name = 0	172	.ctl_name = 0
173	}	173	}
174	};	174	};
		175	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		176	static struct ctl_table udp_compat_sysctl_table[] = {
		177	{
		178	.ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT,
		179	.procname = "ip_conntrack_udp_timeout",
		180	.data = &nf_ct_udp_timeout,
		181	.maxlen = sizeof(unsigned int),
		182	.mode = 0644,
		183	.proc_handler = &proc_dointvec_jiffies,
		184	},
		185	{
		186	.ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
		187	.procname = "ip_conntrack_udp_timeout_stream",
		188	.data = &nf_ct_udp_timeout_stream,
		189	.maxlen = sizeof(unsigned int),
		190	.mode = 0644,
		191	.proc_handler = &proc_dointvec_jiffies,
		192	},
		193	{
		194	.ctl_name = 0
		195	}
		196	};
		197	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
175	#endif /* CONFIG_SYSCTL */	198	#endif /* CONFIG_SYSCTL */
176		199
177	struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =	200	struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
@@ -195,6 +218,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
195	.ctl_table_users = &udp_sysctl_table_users,	218	.ctl_table_users = &udp_sysctl_table_users,
196	.ctl_table_header = &udp_sysctl_header,	219	.ctl_table_header = &udp_sysctl_header,
197	.ctl_table = udp_sysctl_table,	220	.ctl_table = udp_sysctl_table,
		221	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
		222	.ctl_compat_table = udp_compat_sysctl_table,
		223	#endif
198	#endif	224	#endif
199	};	225	};
200		226