aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorAlexey Dobriyan <adobriyan@gmail.com>2008-10-08 05:35:03 -0400
committerPatrick McHardy <kaber@trash.net>2008-10-08 05:35:03 -0400
commit49ac8713b6d064adf7474080fdccebd7cce76be0 (patch)
treed74b70b92fbf7741b715a7a1608a1ba5c20df386 /net
parent5a1fb391d881905e89623d78858d05b248cbc86a (diff)
netfilter: netns nf_conntrack: per-netns conntrack count
Sysctls and proc files are stubbed to init_net's one. This is temporary. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c2
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c2
-rw-r--r--net/netfilter/nf_conntrack_core.c18
-rw-r--r--net/netfilter/nf_conntrack_standalone.c4
4 files changed, 12 insertions, 14 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 5a955c440364..31abee3e29f9 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -254,7 +254,7 @@ static ctl_table ip_ct_sysctl_table[] = {
254 { 254 {
255 .ctl_name = NET_IPV4_NF_CONNTRACK_COUNT, 255 .ctl_name = NET_IPV4_NF_CONNTRACK_COUNT,
256 .procname = "ip_conntrack_count", 256 .procname = "ip_conntrack_count",
257 .data = &nf_conntrack_count, 257 .data = &init_net.ct.count,
258 .maxlen = sizeof(int), 258 .maxlen = sizeof(int),
259 .mode = 0444, 259 .mode = 0444,
260 .proc_handler = &proc_dointvec, 260 .proc_handler = &proc_dointvec,
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 3a020720e40b..4556805027f7 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -314,7 +314,7 @@ static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
314 314
315static int ct_cpu_seq_show(struct seq_file *seq, void *v) 315static int ct_cpu_seq_show(struct seq_file *seq, void *v)
316{ 316{
317 unsigned int nr_conntracks = atomic_read(&nf_conntrack_count); 317 unsigned int nr_conntracks = atomic_read(&init_net.ct.count);
318 const struct ip_conntrack_stat *st = v; 318 const struct ip_conntrack_stat *st = v;
319 319
320 if (v == SEQ_START_TOKEN) { 320 if (v == SEQ_START_TOKEN) {
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index cefc338f6e58..8299b3490e77 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -44,10 +44,6 @@
44DEFINE_SPINLOCK(nf_conntrack_lock); 44DEFINE_SPINLOCK(nf_conntrack_lock);
45EXPORT_SYMBOL_GPL(nf_conntrack_lock); 45EXPORT_SYMBOL_GPL(nf_conntrack_lock);
46 46
47/* nf_conntrack_standalone needs this */
48atomic_t nf_conntrack_count = ATOMIC_INIT(0);
49EXPORT_SYMBOL_GPL(nf_conntrack_count);
50
51unsigned int nf_conntrack_htable_size __read_mostly; 47unsigned int nf_conntrack_htable_size __read_mostly;
52EXPORT_SYMBOL_GPL(nf_conntrack_htable_size); 48EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
53 49
@@ -477,13 +473,13 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
477 } 473 }
478 474
479 /* We don't want any race condition at early drop stage */ 475 /* We don't want any race condition at early drop stage */
480 atomic_inc(&nf_conntrack_count); 476 atomic_inc(&net->ct.count);
481 477
482 if (nf_conntrack_max && 478 if (nf_conntrack_max &&
483 unlikely(atomic_read(&nf_conntrack_count) > nf_conntrack_max)) { 479 unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) {
484 unsigned int hash = hash_conntrack(orig); 480 unsigned int hash = hash_conntrack(orig);
485 if (!early_drop(hash)) { 481 if (!early_drop(hash)) {
486 atomic_dec(&nf_conntrack_count); 482 atomic_dec(&net->ct.count);
487 if (net_ratelimit()) 483 if (net_ratelimit())
488 printk(KERN_WARNING 484 printk(KERN_WARNING
489 "nf_conntrack: table full, dropping" 485 "nf_conntrack: table full, dropping"
@@ -495,7 +491,7 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
495 ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp); 491 ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp);
496 if (ct == NULL) { 492 if (ct == NULL) {
497 pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n"); 493 pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n");
498 atomic_dec(&nf_conntrack_count); 494 atomic_dec(&net->ct.count);
499 return ERR_PTR(-ENOMEM); 495 return ERR_PTR(-ENOMEM);
500 } 496 }
501 497
@@ -516,10 +512,11 @@ EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
516static void nf_conntrack_free_rcu(struct rcu_head *head) 512static void nf_conntrack_free_rcu(struct rcu_head *head)
517{ 513{
518 struct nf_conn *ct = container_of(head, struct nf_conn, rcu); 514 struct nf_conn *ct = container_of(head, struct nf_conn, rcu);
515 struct net *net = nf_ct_net(ct);
519 516
520 nf_ct_ext_free(ct); 517 nf_ct_ext_free(ct);
521 kmem_cache_free(nf_conntrack_cachep, ct); 518 kmem_cache_free(nf_conntrack_cachep, ct);
522 atomic_dec(&nf_conntrack_count); 519 atomic_dec(&net->ct.count);
523} 520}
524 521
525void nf_conntrack_free(struct nf_conn *ct) 522void nf_conntrack_free(struct nf_conn *ct)
@@ -1024,7 +1021,7 @@ void nf_conntrack_cleanup(struct net *net)
1024 nf_ct_event_cache_flush(); 1021 nf_ct_event_cache_flush();
1025 i_see_dead_people: 1022 i_see_dead_people:
1026 nf_conntrack_flush(); 1023 nf_conntrack_flush();
1027 if (atomic_read(&nf_conntrack_count) != 0) { 1024 if (atomic_read(&net->ct.count) != 0) {
1028 schedule(); 1025 schedule();
1029 goto i_see_dead_people; 1026 goto i_see_dead_people;
1030 } 1027 }
@@ -1148,6 +1145,7 @@ int nf_conntrack_init(struct net *net)
1148 * entries. */ 1145 * entries. */
1149 max_factor = 4; 1146 max_factor = 4;
1150 } 1147 }
1148 atomic_set(&net->ct.count, 0);
1151 nf_conntrack_hash = nf_ct_alloc_hashtable(&nf_conntrack_htable_size, 1149 nf_conntrack_hash = nf_ct_alloc_hashtable(&nf_conntrack_htable_size,
1152 &nf_conntrack_vmalloc); 1150 &nf_conntrack_vmalloc);
1153 if (!nf_conntrack_hash) { 1151 if (!nf_conntrack_hash) {
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 81dec17196df..021b505907d2 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -226,7 +226,7 @@ static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
226 226
227static int ct_cpu_seq_show(struct seq_file *seq, void *v) 227static int ct_cpu_seq_show(struct seq_file *seq, void *v)
228{ 228{
229 unsigned int nr_conntracks = atomic_read(&nf_conntrack_count); 229 unsigned int nr_conntracks = atomic_read(&init_net.ct.count);
230 const struct ip_conntrack_stat *st = v; 230 const struct ip_conntrack_stat *st = v;
231 231
232 if (v == SEQ_START_TOKEN) { 232 if (v == SEQ_START_TOKEN) {
@@ -338,7 +338,7 @@ static ctl_table nf_ct_sysctl_table[] = {
338 { 338 {
339 .ctl_name = NET_NF_CONNTRACK_COUNT, 339 .ctl_name = NET_NF_CONNTRACK_COUNT,
340 .procname = "nf_conntrack_count", 340 .procname = "nf_conntrack_count",
341 .data = &nf_conntrack_count, 341 .data = &init_net.ct.count,
342 .maxlen = sizeof(int), 342 .maxlen = sizeof(int),
343 .mode = 0444, 343 .mode = 0444,
344 .proc_handler = &proc_dointvec, 344 .proc_handler = &proc_dointvec,