diff options
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 67 |
1 files changed, 28 insertions, 39 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index dbd8f84fa192..64c9b910419c 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
| @@ -64,32 +64,21 @@ static const char *tcp_conntrack_names[] = { | |||
| 64 | #define HOURS * 60 MINS | 64 | #define HOURS * 60 MINS |
| 65 | #define DAYS * 24 HOURS | 65 | #define DAYS * 24 HOURS |
| 66 | 66 | ||
| 67 | static unsigned int nf_ct_tcp_timeout_syn_sent __read_mostly = 2 MINS; | ||
| 68 | static unsigned int nf_ct_tcp_timeout_syn_recv __read_mostly = 60 SECS; | ||
| 69 | static unsigned int nf_ct_tcp_timeout_established __read_mostly = 5 DAYS; | ||
| 70 | static unsigned int nf_ct_tcp_timeout_fin_wait __read_mostly = 2 MINS; | ||
| 71 | static unsigned int nf_ct_tcp_timeout_close_wait __read_mostly = 60 SECS; | ||
| 72 | static unsigned int nf_ct_tcp_timeout_last_ack __read_mostly = 30 SECS; | ||
| 73 | static unsigned int nf_ct_tcp_timeout_time_wait __read_mostly = 2 MINS; | ||
| 74 | static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS; | ||
| 75 | |||
| 76 | /* RFC1122 says the R2 limit should be at least 100 seconds. | 67 | /* RFC1122 says the R2 limit should be at least 100 seconds. |
| 77 | Linux uses 15 packets as limit, which corresponds | 68 | Linux uses 15 packets as limit, which corresponds |
| 78 | to ~13-30min depending on RTO. */ | 69 | to ~13-30min depending on RTO. */ |
| 79 | static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; | 70 | static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; |
| 80 | 71 | ||
| 81 | static unsigned int * tcp_timeouts[] = { | 72 | static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = { |
| 82 | NULL, /* TCP_CONNTRACK_NONE */ | 73 | [TCP_CONNTRACK_SYN_SENT] = 2 MINS, |
| 83 | &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */ | 74 | [TCP_CONNTRACK_SYN_RECV] = 60 SECS, |
| 84 | &nf_ct_tcp_timeout_syn_recv, /* TCP_CONNTRACK_SYN_RECV, */ | 75 | [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS, |
| 85 | &nf_ct_tcp_timeout_established, /* TCP_CONNTRACK_ESTABLISHED, */ | 76 | [TCP_CONNTRACK_FIN_WAIT] = 2 MINS, |
| 86 | &nf_ct_tcp_timeout_fin_wait, /* TCP_CONNTRACK_FIN_WAIT, */ | 77 | [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS, |
| 87 | &nf_ct_tcp_timeout_close_wait, /* TCP_CONNTRACK_CLOSE_WAIT, */ | 78 | [TCP_CONNTRACK_LAST_ACK] = 30 SECS, |
| 88 | &nf_ct_tcp_timeout_last_ack, /* TCP_CONNTRACK_LAST_ACK, */ | 79 | [TCP_CONNTRACK_TIME_WAIT] = 2 MINS, |
| 89 | &nf_ct_tcp_timeout_time_wait, /* TCP_CONNTRACK_TIME_WAIT, */ | 80 | [TCP_CONNTRACK_CLOSE] = 10 SECS, |
| 90 | &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */ | 81 | }; |
| 91 | NULL, /* TCP_CONNTRACK_LISTEN */ | ||
| 92 | }; | ||
| 93 | 82 | ||
| 94 | #define sNO TCP_CONNTRACK_NONE | 83 | #define sNO TCP_CONNTRACK_NONE |
| 95 | #define sSS TCP_CONNTRACK_SYN_SENT | 84 | #define sSS TCP_CONNTRACK_SYN_SENT |
| @@ -941,8 +930,8 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
| 941 | || new_state == TCP_CONNTRACK_CLOSE)) | 930 | || new_state == TCP_CONNTRACK_CLOSE)) |
| 942 | conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; | 931 | conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; |
| 943 | timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans | 932 | timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans |
| 944 | && *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans | 933 | && tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans |
| 945 | ? nf_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state]; | 934 | ? nf_ct_tcp_timeout_max_retrans : tcp_timeouts[new_state]; |
| 946 | write_unlock_bh(&tcp_lock); | 935 | write_unlock_bh(&tcp_lock); |
| 947 | 936 | ||
| 948 | nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); | 937 | nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); |
| @@ -1163,56 +1152,56 @@ static struct ctl_table_header *tcp_sysctl_header; | |||
| 1163 | static struct ctl_table tcp_sysctl_table[] = { | 1152 | static struct ctl_table tcp_sysctl_table[] = { |
| 1164 | { | 1153 | { |
| 1165 | .procname = "nf_conntrack_tcp_timeout_syn_sent", | 1154 | .procname = "nf_conntrack_tcp_timeout_syn_sent", |
| 1166 | .data = &nf_ct_tcp_timeout_syn_sent, | 1155 | .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT], |
| 1167 | .maxlen = sizeof(unsigned int), | 1156 | .maxlen = sizeof(unsigned int), |
| 1168 | .mode = 0644, | 1157 | .mode = 0644, |
| 1169 | .proc_handler = &proc_dointvec_jiffies, | 1158 | .proc_handler = &proc_dointvec_jiffies, |
| 1170 | }, | 1159 | }, |
| 1171 | { | 1160 | { |
| 1172 | .procname = "nf_conntrack_tcp_timeout_syn_recv", | 1161 | .procname = "nf_conntrack_tcp_timeout_syn_recv", |
| 1173 | .data = &nf_ct_tcp_timeout_syn_recv, | 1162 | .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV], |
| 1174 | .maxlen = sizeof(unsigned int), | 1163 | .maxlen = sizeof(unsigned int), |
| 1175 | .mode = 0644, | 1164 | .mode = 0644, |
| 1176 | .proc_handler = &proc_dointvec_jiffies, | 1165 | .proc_handler = &proc_dointvec_jiffies, |
| 1177 | }, | 1166 | }, |
| 1178 | { | 1167 | { |
| 1179 | .procname = "nf_conntrack_tcp_timeout_established", | 1168 | .procname = "nf_conntrack_tcp_timeout_established", |
| 1180 | .data = &nf_ct_tcp_timeout_established, | 1169 | .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED], |
| 1181 | .maxlen = sizeof(unsigned int), | 1170 | .maxlen = sizeof(unsigned int), |
| 1182 | .mode = 0644, | 1171 | .mode = 0644, |
| 1183 | .proc_handler = &proc_dointvec_jiffies, | 1172 | .proc_handler = &proc_dointvec_jiffies, |
| 1184 | }, | 1173 | }, |
| 1185 | { | 1174 | { |
| 1186 | .procname = "nf_conntrack_tcp_timeout_fin_wait", | 1175 | .procname = "nf_conntrack_tcp_timeout_fin_wait", |
| 1187 | .data = &nf_ct_tcp_timeout_fin_wait, | 1176 | .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT], |
| 1188 | .maxlen = sizeof(unsigned int), | 1177 | .maxlen = sizeof(unsigned int), |
| 1189 | .mode = 0644, | 1178 | .mode = 0644, |
| 1190 | .proc_handler = &proc_dointvec_jiffies, | 1179 | .proc_handler = &proc_dointvec_jiffies, |
| 1191 | }, | 1180 | }, |
| 1192 | { | 1181 | { |
| 1193 | .procname = "nf_conntrack_tcp_timeout_close_wait", | 1182 | .procname = "nf_conntrack_tcp_timeout_close_wait", |
| 1194 | .data = &nf_ct_tcp_timeout_close_wait, | 1183 | .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT], |
| 1195 | .maxlen = sizeof(unsigned int), | 1184 | .maxlen = sizeof(unsigned int), |
| 1196 | .mode = 0644, | 1185 | .mode = 0644, |
| 1197 | .proc_handler = &proc_dointvec_jiffies, | 1186 | .proc_handler = &proc_dointvec_jiffies, |
| 1198 | }, | 1187 | }, |
| 1199 | { | 1188 | { |
| 1200 | .procname = "nf_conntrack_tcp_timeout_last_ack", | 1189 | .procname = "nf_conntrack_tcp_timeout_last_ack", |
| 1201 | .data = &nf_ct_tcp_timeout_last_ack, | 1190 | .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK], |
| 1202 | .maxlen = sizeof(unsigned int), | 1191 | .maxlen = sizeof(unsigned int), |
| 1203 | .mode = 0644, | 1192 | .mode = 0644, |
| 1204 | .proc_handler = &proc_dointvec_jiffies, | 1193 | .proc_handler = &proc_dointvec_jiffies, |
| 1205 | }, | 1194 | }, |
| 1206 | { | 1195 | { |
| 1207 | .procname = "nf_conntrack_tcp_timeout_time_wait", | 1196 | .procname = "nf_conntrack_tcp_timeout_time_wait", |
| 1208 | .data = &nf_ct_tcp_timeout_time_wait, | 1197 | .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT], |
| 1209 | .maxlen = sizeof(unsigned int), | 1198 | .maxlen = sizeof(unsigned int), |
| 1210 | .mode = 0644, | 1199 | .mode = 0644, |
| 1211 | .proc_handler = &proc_dointvec_jiffies, | 1200 | .proc_handler = &proc_dointvec_jiffies, |
| 1212 | }, | 1201 | }, |
| 1213 | { | 1202 | { |
| 1214 | .procname = "nf_conntrack_tcp_timeout_close", | 1203 | .procname = "nf_conntrack_tcp_timeout_close", |
| 1215 | .data = &nf_ct_tcp_timeout_close, | 1204 | .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE], |
| 1216 | .maxlen = sizeof(unsigned int), | 1205 | .maxlen = sizeof(unsigned int), |
| 1217 | .mode = 0644, | 1206 | .mode = 0644, |
| 1218 | .proc_handler = &proc_dointvec_jiffies, | 1207 | .proc_handler = &proc_dointvec_jiffies, |
| @@ -1257,56 +1246,56 @@ static struct ctl_table tcp_sysctl_table[] = { | |||
| 1257 | static struct ctl_table tcp_compat_sysctl_table[] = { | 1246 | static struct ctl_table tcp_compat_sysctl_table[] = { |
| 1258 | { | 1247 | { |
| 1259 | .procname = "ip_conntrack_tcp_timeout_syn_sent", | 1248 | .procname = "ip_conntrack_tcp_timeout_syn_sent", |
| 1260 | .data = &nf_ct_tcp_timeout_syn_sent, | 1249 | .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT], |
| 1261 | .maxlen = sizeof(unsigned int), | 1250 | .maxlen = sizeof(unsigned int), |
| 1262 | .mode = 0644, | 1251 | .mode = 0644, |
| 1263 | .proc_handler = &proc_dointvec_jiffies, | 1252 | .proc_handler = &proc_dointvec_jiffies, |
| 1264 | }, | 1253 | }, |
| 1265 | { | 1254 | { |
| 1266 | .procname = "ip_conntrack_tcp_timeout_syn_recv", | 1255 | .procname = "ip_conntrack_tcp_timeout_syn_recv", |
| 1267 | .data = &nf_ct_tcp_timeout_syn_recv, | 1256 | .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV], |
| 1268 | .maxlen = sizeof(unsigned int), | 1257 | .maxlen = sizeof(unsigned int), |
| 1269 | .mode = 0644, | 1258 | .mode = 0644, |
| 1270 | .proc_handler = &proc_dointvec_jiffies, | 1259 | .proc_handler = &proc_dointvec_jiffies, |
| 1271 | }, | 1260 | }, |
| 1272 | { | 1261 | { |
| 1273 | .procname = "ip_conntrack_tcp_timeout_established", | 1262 | .procname = "ip_conntrack_tcp_timeout_established", |
| 1274 | .data = &nf_ct_tcp_timeout_established, | 1263 | .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED], |
| 1275 | .maxlen = sizeof(unsigned int), | 1264 | .maxlen = sizeof(unsigned int), |
| 1276 | .mode = 0644, | 1265 | .mode = 0644, |
| 1277 | .proc_handler = &proc_dointvec_jiffies, | 1266 | .proc_handler = &proc_dointvec_jiffies, |
| 1278 | }, | 1267 | }, |
| 1279 | { | 1268 | { |
| 1280 | .procname = "ip_conntrack_tcp_timeout_fin_wait", | 1269 | .procname = "ip_conntrack_tcp_timeout_fin_wait", |
| 1281 | .data = &nf_ct_tcp_timeout_fin_wait, | 1270 | .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT], |
| 1282 | .maxlen = sizeof(unsigned int), | 1271 | .maxlen = sizeof(unsigned int), |
| 1283 | .mode = 0644, | 1272 | .mode = 0644, |
| 1284 | .proc_handler = &proc_dointvec_jiffies, | 1273 | .proc_handler = &proc_dointvec_jiffies, |
| 1285 | }, | 1274 | }, |
| 1286 | { | 1275 | { |
| 1287 | .procname = "ip_conntrack_tcp_timeout_close_wait", | 1276 | .procname = "ip_conntrack_tcp_timeout_close_wait", |
| 1288 | .data = &nf_ct_tcp_timeout_close_wait, | 1277 | .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT], |
| 1289 | .maxlen = sizeof(unsigned int), | 1278 | .maxlen = sizeof(unsigned int), |
| 1290 | .mode = 0644, | 1279 | .mode = 0644, |
| 1291 | .proc_handler = &proc_dointvec_jiffies, | 1280 | .proc_handler = &proc_dointvec_jiffies, |
| 1292 | }, | 1281 | }, |
| 1293 | { | 1282 | { |
| 1294 | .procname = "ip_conntrack_tcp_timeout_last_ack", | 1283 | .procname = "ip_conntrack_tcp_timeout_last_ack", |
| 1295 | .data = &nf_ct_tcp_timeout_last_ack, | 1284 | .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK], |
| 1296 | .maxlen = sizeof(unsigned int), | 1285 | .maxlen = sizeof(unsigned int), |
| 1297 | .mode = 0644, | 1286 | .mode = 0644, |
| 1298 | .proc_handler = &proc_dointvec_jiffies, | 1287 | .proc_handler = &proc_dointvec_jiffies, |
| 1299 | }, | 1288 | }, |
| 1300 | { | 1289 | { |
| 1301 | .procname = "ip_conntrack_tcp_timeout_time_wait", | 1290 | .procname = "ip_conntrack_tcp_timeout_time_wait", |
| 1302 | .data = &nf_ct_tcp_timeout_time_wait, | 1291 | .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT], |
| 1303 | .maxlen = sizeof(unsigned int), | 1292 | .maxlen = sizeof(unsigned int), |
| 1304 | .mode = 0644, | 1293 | .mode = 0644, |
| 1305 | .proc_handler = &proc_dointvec_jiffies, | 1294 | .proc_handler = &proc_dointvec_jiffies, |
| 1306 | }, | 1295 | }, |
| 1307 | { | 1296 | { |
| 1308 | .procname = "ip_conntrack_tcp_timeout_close", | 1297 | .procname = "ip_conntrack_tcp_timeout_close", |
| 1309 | .data = &nf_ct_tcp_timeout_close, | 1298 | .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE], |
| 1310 | .maxlen = sizeof(unsigned int), | 1299 | .maxlen = sizeof(unsigned int), |
| 1311 | .mode = 0644, | 1300 | .mode = 0644, |
| 1312 | .proc_handler = &proc_dointvec_jiffies, | 1301 | .proc_handler = &proc_dointvec_jiffies, |