0001
0002 #include <linux/types.h>
0003 #include <linux/netfilter.h>
0004 #include <linux/slab.h>
0005 #include <linux/module.h>
0006 #include <linux/skbuff.h>
0007 #include <linux/proc_fs.h>
0008 #include <linux/seq_file.h>
0009 #include <linux/percpu.h>
0010 #include <linux/netdevice.h>
0011 #include <linux/security.h>
0012 #include <net/net_namespace.h>
0013 #ifdef CONFIG_SYSCTL
0014 #include <linux/sysctl.h>
0015 #endif
0016
0017 #include <net/netfilter/nf_conntrack.h>
0018 #include <net/netfilter/nf_conntrack_core.h>
0019 #include <net/netfilter/nf_conntrack_l4proto.h>
0020 #include <net/netfilter/nf_conntrack_expect.h>
0021 #include <net/netfilter/nf_conntrack_helper.h>
0022 #include <net/netfilter/nf_conntrack_acct.h>
0023 #include <net/netfilter/nf_conntrack_zones.h>
0024 #include <net/netfilter/nf_conntrack_timestamp.h>
0025 #ifdef CONFIG_LWTUNNEL
0026 #include <net/netfilter/nf_hooks_lwtunnel.h>
0027 #endif
0028 #include <linux/rculist_nulls.h>
0029
0030 static bool enable_hooks __read_mostly;
0031 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks");
0032 module_param(enable_hooks, bool, 0000);
0033
0034 unsigned int nf_conntrack_net_id __read_mostly;
0035
0036 #ifdef CONFIG_NF_CONNTRACK_PROCFS
0037 void
0038 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
0039 const struct nf_conntrack_l4proto *l4proto)
0040 {
0041 switch (tuple->src.l3num) {
0042 case NFPROTO_IPV4:
0043 seq_printf(s, "src=%pI4 dst=%pI4 ",
0044 &tuple->src.u3.ip, &tuple->dst.u3.ip);
0045 break;
0046 case NFPROTO_IPV6:
0047 seq_printf(s, "src=%pI6 dst=%pI6 ",
0048 tuple->src.u3.ip6, tuple->dst.u3.ip6);
0049 break;
0050 default:
0051 break;
0052 }
0053
0054 switch (l4proto->l4proto) {
0055 case IPPROTO_ICMP:
0056 seq_printf(s, "type=%u code=%u id=%u ",
0057 tuple->dst.u.icmp.type,
0058 tuple->dst.u.icmp.code,
0059 ntohs(tuple->src.u.icmp.id));
0060 break;
0061 case IPPROTO_TCP:
0062 seq_printf(s, "sport=%hu dport=%hu ",
0063 ntohs(tuple->src.u.tcp.port),
0064 ntohs(tuple->dst.u.tcp.port));
0065 break;
0066 case IPPROTO_UDPLITE:
0067 case IPPROTO_UDP:
0068 seq_printf(s, "sport=%hu dport=%hu ",
0069 ntohs(tuple->src.u.udp.port),
0070 ntohs(tuple->dst.u.udp.port));
0071
0072 break;
0073 case IPPROTO_DCCP:
0074 seq_printf(s, "sport=%hu dport=%hu ",
0075 ntohs(tuple->src.u.dccp.port),
0076 ntohs(tuple->dst.u.dccp.port));
0077 break;
0078 case IPPROTO_SCTP:
0079 seq_printf(s, "sport=%hu dport=%hu ",
0080 ntohs(tuple->src.u.sctp.port),
0081 ntohs(tuple->dst.u.sctp.port));
0082 break;
0083 case IPPROTO_ICMPV6:
0084 seq_printf(s, "type=%u code=%u id=%u ",
0085 tuple->dst.u.icmp.type,
0086 tuple->dst.u.icmp.code,
0087 ntohs(tuple->src.u.icmp.id));
0088 break;
0089 case IPPROTO_GRE:
0090 seq_printf(s, "srckey=0x%x dstkey=0x%x ",
0091 ntohs(tuple->src.u.gre.key),
0092 ntohs(tuple->dst.u.gre.key));
0093 break;
0094 default:
0095 break;
0096 }
0097 }
0098 EXPORT_SYMBOL_GPL(print_tuple);
0099
0100 struct ct_iter_state {
0101 struct seq_net_private p;
0102 struct hlist_nulls_head *hash;
0103 unsigned int htable_size;
0104 unsigned int bucket;
0105 u_int64_t time_now;
0106 };
0107
0108 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
0109 {
0110 struct ct_iter_state *st = seq->private;
0111 struct hlist_nulls_node *n;
0112
0113 for (st->bucket = 0;
0114 st->bucket < st->htable_size;
0115 st->bucket++) {
0116 n = rcu_dereference(
0117 hlist_nulls_first_rcu(&st->hash[st->bucket]));
0118 if (!is_a_nulls(n))
0119 return n;
0120 }
0121 return NULL;
0122 }
0123
0124 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
0125 struct hlist_nulls_node *head)
0126 {
0127 struct ct_iter_state *st = seq->private;
0128
0129 head = rcu_dereference(hlist_nulls_next_rcu(head));
0130 while (is_a_nulls(head)) {
0131 if (likely(get_nulls_value(head) == st->bucket)) {
0132 if (++st->bucket >= st->htable_size)
0133 return NULL;
0134 }
0135 head = rcu_dereference(
0136 hlist_nulls_first_rcu(&st->hash[st->bucket]));
0137 }
0138 return head;
0139 }
0140
0141 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos)
0142 {
0143 struct hlist_nulls_node *head = ct_get_first(seq);
0144
0145 if (head)
0146 while (pos && (head = ct_get_next(seq, head)))
0147 pos--;
0148 return pos ? NULL : head;
0149 }
0150
0151 static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
0152 __acquires(RCU)
0153 {
0154 struct ct_iter_state *st = seq->private;
0155
0156 st->time_now = ktime_get_real_ns();
0157 rcu_read_lock();
0158
0159 nf_conntrack_get_ht(&st->hash, &st->htable_size);
0160 return ct_get_idx(seq, *pos);
0161 }
0162
0163 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
0164 {
0165 (*pos)++;
0166 return ct_get_next(s, v);
0167 }
0168
0169 static void ct_seq_stop(struct seq_file *s, void *v)
0170 __releases(RCU)
0171 {
0172 rcu_read_unlock();
0173 }
0174
0175 #ifdef CONFIG_NF_CONNTRACK_SECMARK
0176 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
0177 {
0178 int ret;
0179 u32 len;
0180 char *secctx;
0181
0182 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
0183 if (ret)
0184 return;
0185
0186 seq_printf(s, "secctx=%s ", secctx);
0187
0188 security_release_secctx(secctx, len);
0189 }
0190 #else
0191 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
0192 {
0193 }
0194 #endif
0195
0196 #ifdef CONFIG_NF_CONNTRACK_ZONES
0197 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct,
0198 int dir)
0199 {
0200 const struct nf_conntrack_zone *zone = nf_ct_zone(ct);
0201
0202 if (zone->dir != dir)
0203 return;
0204 switch (zone->dir) {
0205 case NF_CT_DEFAULT_ZONE_DIR:
0206 seq_printf(s, "zone=%u ", zone->id);
0207 break;
0208 case NF_CT_ZONE_DIR_ORIG:
0209 seq_printf(s, "zone-orig=%u ", zone->id);
0210 break;
0211 case NF_CT_ZONE_DIR_REPL:
0212 seq_printf(s, "zone-reply=%u ", zone->id);
0213 break;
0214 default:
0215 break;
0216 }
0217 }
0218 #else
0219 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct,
0220 int dir)
0221 {
0222 }
0223 #endif
0224
0225 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
0226 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
0227 {
0228 struct ct_iter_state *st = s->private;
0229 struct nf_conn_tstamp *tstamp;
0230 s64 delta_time;
0231
0232 tstamp = nf_conn_tstamp_find(ct);
0233 if (tstamp) {
0234 delta_time = st->time_now - tstamp->start;
0235 if (delta_time > 0)
0236 delta_time = div_s64(delta_time, NSEC_PER_SEC);
0237 else
0238 delta_time = 0;
0239
0240 seq_printf(s, "delta-time=%llu ",
0241 (unsigned long long)delta_time);
0242 }
0243 return;
0244 }
0245 #else
0246 static inline void
0247 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
0248 {
0249 }
0250 #endif
0251
0252 static const char* l3proto_name(u16 proto)
0253 {
0254 switch (proto) {
0255 case AF_INET: return "ipv4";
0256 case AF_INET6: return "ipv6";
0257 }
0258
0259 return "unknown";
0260 }
0261
0262 static const char* l4proto_name(u16 proto)
0263 {
0264 switch (proto) {
0265 case IPPROTO_ICMP: return "icmp";
0266 case IPPROTO_TCP: return "tcp";
0267 case IPPROTO_UDP: return "udp";
0268 case IPPROTO_DCCP: return "dccp";
0269 case IPPROTO_GRE: return "gre";
0270 case IPPROTO_SCTP: return "sctp";
0271 case IPPROTO_UDPLITE: return "udplite";
0272 case IPPROTO_ICMPV6: return "icmpv6";
0273 }
0274
0275 return "unknown";
0276 }
0277
0278 static unsigned int
0279 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir)
0280 {
0281 struct nf_conn_acct *acct;
0282 struct nf_conn_counter *counter;
0283
0284 acct = nf_conn_acct_find(ct);
0285 if (!acct)
0286 return 0;
0287
0288 counter = acct->counter;
0289 seq_printf(s, "packets=%llu bytes=%llu ",
0290 (unsigned long long)atomic64_read(&counter[dir].packets),
0291 (unsigned long long)atomic64_read(&counter[dir].bytes));
0292
0293 return 0;
0294 }
0295
0296
0297 static int ct_seq_show(struct seq_file *s, void *v)
0298 {
0299 struct nf_conntrack_tuple_hash *hash = v;
0300 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
0301 const struct nf_conntrack_l4proto *l4proto;
0302 struct net *net = seq_file_net(s);
0303 int ret = 0;
0304
0305 WARN_ON(!ct);
0306 if (unlikely(!refcount_inc_not_zero(&ct->ct_general.use)))
0307 return 0;
0308
0309
0310 smp_acquire__after_ctrl_dep();
0311
0312 if (nf_ct_should_gc(ct)) {
0313 nf_ct_kill(ct);
0314 goto release;
0315 }
0316
0317
0318 if (NF_CT_DIRECTION(hash))
0319 goto release;
0320
0321 if (!net_eq(nf_ct_net(ct), net))
0322 goto release;
0323
0324 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
0325
0326 ret = -ENOSPC;
0327 seq_printf(s, "%-8s %u %-8s %u ",
0328 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct),
0329 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct));
0330
0331 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status))
0332 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ);
0333
0334 if (l4proto->print_conntrack)
0335 l4proto->print_conntrack(s, ct);
0336
0337 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
0338 l4proto);
0339
0340 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG);
0341
0342 if (seq_has_overflowed(s))
0343 goto release;
0344
0345 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL))
0346 goto release;
0347
0348 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
0349 seq_puts(s, "[UNREPLIED] ");
0350
0351 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto);
0352
0353 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL);
0354
0355 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
0356 goto release;
0357
0358 if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status))
0359 seq_puts(s, "[HW_OFFLOAD] ");
0360 else if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
0361 seq_puts(s, "[OFFLOAD] ");
0362 else if (test_bit(IPS_ASSURED_BIT, &ct->status))
0363 seq_puts(s, "[ASSURED] ");
0364
0365 if (seq_has_overflowed(s))
0366 goto release;
0367
0368 #if defined(CONFIG_NF_CONNTRACK_MARK)
0369 seq_printf(s, "mark=%u ", ct->mark);
0370 #endif
0371
0372 ct_show_secctx(s, ct);
0373 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR);
0374 ct_show_delta_time(s, ct);
0375
0376 seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use));
0377
0378 if (seq_has_overflowed(s))
0379 goto release;
0380
0381 ret = 0;
0382 release:
0383 nf_ct_put(ct);
0384 return ret;
0385 }
0386
0387 static const struct seq_operations ct_seq_ops = {
0388 .start = ct_seq_start,
0389 .next = ct_seq_next,
0390 .stop = ct_seq_stop,
0391 .show = ct_seq_show
0392 };
0393
0394 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos)
0395 {
0396 struct net *net = seq_file_net(seq);
0397 int cpu;
0398
0399 if (*pos == 0)
0400 return SEQ_START_TOKEN;
0401
0402 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) {
0403 if (!cpu_possible(cpu))
0404 continue;
0405 *pos = cpu + 1;
0406 return per_cpu_ptr(net->ct.stat, cpu);
0407 }
0408
0409 return NULL;
0410 }
0411
0412 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
0413 {
0414 struct net *net = seq_file_net(seq);
0415 int cpu;
0416
0417 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
0418 if (!cpu_possible(cpu))
0419 continue;
0420 *pos = cpu + 1;
0421 return per_cpu_ptr(net->ct.stat, cpu);
0422 }
0423 (*pos)++;
0424 return NULL;
0425 }
0426
0427 static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
0428 {
0429 }
0430
0431 static int ct_cpu_seq_show(struct seq_file *seq, void *v)
0432 {
0433 struct net *net = seq_file_net(seq);
0434 const struct ip_conntrack_stat *st = v;
0435 unsigned int nr_conntracks;
0436
0437 if (v == SEQ_START_TOKEN) {
0438 seq_puts(seq, "entries clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
0439 return 0;
0440 }
0441
0442 nr_conntracks = nf_conntrack_count(net);
0443
0444 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
0445 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
0446 nr_conntracks,
0447 st->clash_resolve,
0448 st->found,
0449 0,
0450 st->invalid,
0451 0,
0452 0,
0453 st->chaintoolong,
0454 st->insert,
0455 st->insert_failed,
0456 st->drop,
0457 st->early_drop,
0458 st->error,
0459
0460 st->expect_new,
0461 st->expect_create,
0462 st->expect_delete,
0463 st->search_restart
0464 );
0465 return 0;
0466 }
0467
0468 static const struct seq_operations ct_cpu_seq_ops = {
0469 .start = ct_cpu_seq_start,
0470 .next = ct_cpu_seq_next,
0471 .stop = ct_cpu_seq_stop,
0472 .show = ct_cpu_seq_show,
0473 };
0474
0475 static int nf_conntrack_standalone_init_proc(struct net *net)
0476 {
0477 struct proc_dir_entry *pde;
0478 kuid_t root_uid;
0479 kgid_t root_gid;
0480
0481 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops,
0482 sizeof(struct ct_iter_state));
0483 if (!pde)
0484 goto out_nf_conntrack;
0485
0486 root_uid = make_kuid(net->user_ns, 0);
0487 root_gid = make_kgid(net->user_ns, 0);
0488 if (uid_valid(root_uid) && gid_valid(root_gid))
0489 proc_set_user(pde, root_uid, root_gid);
0490
0491 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat,
0492 &ct_cpu_seq_ops, sizeof(struct seq_net_private));
0493 if (!pde)
0494 goto out_stat_nf_conntrack;
0495 return 0;
0496
0497 out_stat_nf_conntrack:
0498 remove_proc_entry("nf_conntrack", net->proc_net);
0499 out_nf_conntrack:
0500 return -ENOMEM;
0501 }
0502
0503 static void nf_conntrack_standalone_fini_proc(struct net *net)
0504 {
0505 remove_proc_entry("nf_conntrack", net->proc_net_stat);
0506 remove_proc_entry("nf_conntrack", net->proc_net);
0507 }
0508 #else
0509 static int nf_conntrack_standalone_init_proc(struct net *net)
0510 {
0511 return 0;
0512 }
0513
0514 static void nf_conntrack_standalone_fini_proc(struct net *net)
0515 {
0516 }
0517 #endif
0518
0519 u32 nf_conntrack_count(const struct net *net)
0520 {
0521 const struct nf_conntrack_net *cnet = nf_ct_pernet(net);
0522
0523 return atomic_read(&cnet->count);
0524 }
0525 EXPORT_SYMBOL_GPL(nf_conntrack_count);
0526
0527
0528
0529 #ifdef CONFIG_SYSCTL
0530
0531 static unsigned int nf_conntrack_htable_size_user __read_mostly;
0532
0533 static int
0534 nf_conntrack_hash_sysctl(struct ctl_table *table, int write,
0535 void *buffer, size_t *lenp, loff_t *ppos)
0536 {
0537 int ret;
0538
0539
0540 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
0541
0542 ret = proc_dointvec(table, write, buffer, lenp, ppos);
0543 if (ret < 0 || !write)
0544 return ret;
0545
0546
0547 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user);
0548
0549
0550 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
0551 return ret;
0552 }
0553
0554 static struct ctl_table_header *nf_ct_netfilter_header;
0555
0556 enum nf_ct_sysctl_index {
0557 NF_SYSCTL_CT_MAX,
0558 NF_SYSCTL_CT_COUNT,
0559 NF_SYSCTL_CT_BUCKETS,
0560 NF_SYSCTL_CT_CHECKSUM,
0561 NF_SYSCTL_CT_LOG_INVALID,
0562 NF_SYSCTL_CT_EXPECT_MAX,
0563 NF_SYSCTL_CT_ACCT,
0564 #ifdef CONFIG_NF_CONNTRACK_EVENTS
0565 NF_SYSCTL_CT_EVENTS,
0566 #endif
0567 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
0568 NF_SYSCTL_CT_TIMESTAMP,
0569 #endif
0570 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC,
0571 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT,
0572 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV,
0573 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED,
0574 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT,
0575 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT,
0576 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK,
0577 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT,
0578 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE,
0579 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS,
0580 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK,
0581 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
0582 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD,
0583 #endif
0584 NF_SYSCTL_CT_PROTO_TCP_LOOSE,
0585 NF_SYSCTL_CT_PROTO_TCP_LIBERAL,
0586 NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST,
0587 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS,
0588 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP,
0589 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM,
0590 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
0591 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD,
0592 #endif
0593 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP,
0594 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6,
0595 #ifdef CONFIG_NF_CT_PROTO_SCTP
0596 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED,
0597 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT,
0598 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED,
0599 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED,
0600 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT,
0601 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD,
0602 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
0603 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT,
0604 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED,
0605 #endif
0606 #ifdef CONFIG_NF_CT_PROTO_DCCP
0607 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST,
0608 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND,
0609 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN,
0610 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN,
0611 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ,
0612 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING,
0613 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT,
0614 NF_SYSCTL_CT_PROTO_DCCP_LOOSE,
0615 #endif
0616 #ifdef CONFIG_NF_CT_PROTO_GRE
0617 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE,
0618 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM,
0619 #endif
0620 #ifdef CONFIG_LWTUNNEL
0621 NF_SYSCTL_CT_LWTUNNEL,
0622 #endif
0623
0624 __NF_SYSCTL_CT_LAST_SYSCTL,
0625 };
0626
0627 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1)
0628
0629 static struct ctl_table nf_ct_sysctl_table[] = {
0630 [NF_SYSCTL_CT_MAX] = {
0631 .procname = "nf_conntrack_max",
0632 .data = &nf_conntrack_max,
0633 .maxlen = sizeof(int),
0634 .mode = 0644,
0635 .proc_handler = proc_dointvec,
0636 },
0637 [NF_SYSCTL_CT_COUNT] = {
0638 .procname = "nf_conntrack_count",
0639 .maxlen = sizeof(int),
0640 .mode = 0444,
0641 .proc_handler = proc_dointvec,
0642 },
0643 [NF_SYSCTL_CT_BUCKETS] = {
0644 .procname = "nf_conntrack_buckets",
0645 .data = &nf_conntrack_htable_size_user,
0646 .maxlen = sizeof(unsigned int),
0647 .mode = 0644,
0648 .proc_handler = nf_conntrack_hash_sysctl,
0649 },
0650 [NF_SYSCTL_CT_CHECKSUM] = {
0651 .procname = "nf_conntrack_checksum",
0652 .data = &init_net.ct.sysctl_checksum,
0653 .maxlen = sizeof(u8),
0654 .mode = 0644,
0655 .proc_handler = proc_dou8vec_minmax,
0656 .extra1 = SYSCTL_ZERO,
0657 .extra2 = SYSCTL_ONE,
0658 },
0659 [NF_SYSCTL_CT_LOG_INVALID] = {
0660 .procname = "nf_conntrack_log_invalid",
0661 .data = &init_net.ct.sysctl_log_invalid,
0662 .maxlen = sizeof(u8),
0663 .mode = 0644,
0664 .proc_handler = proc_dou8vec_minmax,
0665 },
0666 [NF_SYSCTL_CT_EXPECT_MAX] = {
0667 .procname = "nf_conntrack_expect_max",
0668 .data = &nf_ct_expect_max,
0669 .maxlen = sizeof(int),
0670 .mode = 0644,
0671 .proc_handler = proc_dointvec,
0672 },
0673 [NF_SYSCTL_CT_ACCT] = {
0674 .procname = "nf_conntrack_acct",
0675 .data = &init_net.ct.sysctl_acct,
0676 .maxlen = sizeof(u8),
0677 .mode = 0644,
0678 .proc_handler = proc_dou8vec_minmax,
0679 .extra1 = SYSCTL_ZERO,
0680 .extra2 = SYSCTL_ONE,
0681 },
0682 #ifdef CONFIG_NF_CONNTRACK_EVENTS
0683 [NF_SYSCTL_CT_EVENTS] = {
0684 .procname = "nf_conntrack_events",
0685 .data = &init_net.ct.sysctl_events,
0686 .maxlen = sizeof(u8),
0687 .mode = 0644,
0688 .proc_handler = proc_dou8vec_minmax,
0689 .extra1 = SYSCTL_ZERO,
0690 .extra2 = SYSCTL_TWO,
0691 },
0692 #endif
0693 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
0694 [NF_SYSCTL_CT_TIMESTAMP] = {
0695 .procname = "nf_conntrack_timestamp",
0696 .data = &init_net.ct.sysctl_tstamp,
0697 .maxlen = sizeof(u8),
0698 .mode = 0644,
0699 .proc_handler = proc_dou8vec_minmax,
0700 .extra1 = SYSCTL_ZERO,
0701 .extra2 = SYSCTL_ONE,
0702 },
0703 #endif
0704 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = {
0705 .procname = "nf_conntrack_generic_timeout",
0706 .maxlen = sizeof(unsigned int),
0707 .mode = 0644,
0708 .proc_handler = proc_dointvec_jiffies,
0709 },
0710 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = {
0711 .procname = "nf_conntrack_tcp_timeout_syn_sent",
0712 .maxlen = sizeof(unsigned int),
0713 .mode = 0644,
0714 .proc_handler = proc_dointvec_jiffies,
0715 },
0716 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = {
0717 .procname = "nf_conntrack_tcp_timeout_syn_recv",
0718 .maxlen = sizeof(unsigned int),
0719 .mode = 0644,
0720 .proc_handler = proc_dointvec_jiffies,
0721 },
0722 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = {
0723 .procname = "nf_conntrack_tcp_timeout_established",
0724 .maxlen = sizeof(unsigned int),
0725 .mode = 0644,
0726 .proc_handler = proc_dointvec_jiffies,
0727 },
0728 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = {
0729 .procname = "nf_conntrack_tcp_timeout_fin_wait",
0730 .maxlen = sizeof(unsigned int),
0731 .mode = 0644,
0732 .proc_handler = proc_dointvec_jiffies,
0733 },
0734 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = {
0735 .procname = "nf_conntrack_tcp_timeout_close_wait",
0736 .maxlen = sizeof(unsigned int),
0737 .mode = 0644,
0738 .proc_handler = proc_dointvec_jiffies,
0739 },
0740 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = {
0741 .procname = "nf_conntrack_tcp_timeout_last_ack",
0742 .maxlen = sizeof(unsigned int),
0743 .mode = 0644,
0744 .proc_handler = proc_dointvec_jiffies,
0745 },
0746 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = {
0747 .procname = "nf_conntrack_tcp_timeout_time_wait",
0748 .maxlen = sizeof(unsigned int),
0749 .mode = 0644,
0750 .proc_handler = proc_dointvec_jiffies,
0751 },
0752 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = {
0753 .procname = "nf_conntrack_tcp_timeout_close",
0754 .maxlen = sizeof(unsigned int),
0755 .mode = 0644,
0756 .proc_handler = proc_dointvec_jiffies,
0757 },
0758 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = {
0759 .procname = "nf_conntrack_tcp_timeout_max_retrans",
0760 .maxlen = sizeof(unsigned int),
0761 .mode = 0644,
0762 .proc_handler = proc_dointvec_jiffies,
0763 },
0764 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = {
0765 .procname = "nf_conntrack_tcp_timeout_unacknowledged",
0766 .maxlen = sizeof(unsigned int),
0767 .mode = 0644,
0768 .proc_handler = proc_dointvec_jiffies,
0769 },
0770 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
0771 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD] = {
0772 .procname = "nf_flowtable_tcp_timeout",
0773 .maxlen = sizeof(unsigned int),
0774 .mode = 0644,
0775 .proc_handler = proc_dointvec_jiffies,
0776 },
0777 #endif
0778 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = {
0779 .procname = "nf_conntrack_tcp_loose",
0780 .maxlen = sizeof(u8),
0781 .mode = 0644,
0782 .proc_handler = proc_dou8vec_minmax,
0783 .extra1 = SYSCTL_ZERO,
0784 .extra2 = SYSCTL_ONE,
0785 },
0786 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = {
0787 .procname = "nf_conntrack_tcp_be_liberal",
0788 .maxlen = sizeof(u8),
0789 .mode = 0644,
0790 .proc_handler = proc_dou8vec_minmax,
0791 .extra1 = SYSCTL_ZERO,
0792 .extra2 = SYSCTL_ONE,
0793 },
0794 [NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = {
0795 .procname = "nf_conntrack_tcp_ignore_invalid_rst",
0796 .maxlen = sizeof(u8),
0797 .mode = 0644,
0798 .proc_handler = proc_dou8vec_minmax,
0799 .extra1 = SYSCTL_ZERO,
0800 .extra2 = SYSCTL_ONE,
0801 },
0802 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = {
0803 .procname = "nf_conntrack_tcp_max_retrans",
0804 .maxlen = sizeof(u8),
0805 .mode = 0644,
0806 .proc_handler = proc_dou8vec_minmax,
0807 },
0808 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = {
0809 .procname = "nf_conntrack_udp_timeout",
0810 .maxlen = sizeof(unsigned int),
0811 .mode = 0644,
0812 .proc_handler = proc_dointvec_jiffies,
0813 },
0814 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = {
0815 .procname = "nf_conntrack_udp_timeout_stream",
0816 .maxlen = sizeof(unsigned int),
0817 .mode = 0644,
0818 .proc_handler = proc_dointvec_jiffies,
0819 },
0820 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
0821 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD] = {
0822 .procname = "nf_flowtable_udp_timeout",
0823 .maxlen = sizeof(unsigned int),
0824 .mode = 0644,
0825 .proc_handler = proc_dointvec_jiffies,
0826 },
0827 #endif
0828 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = {
0829 .procname = "nf_conntrack_icmp_timeout",
0830 .maxlen = sizeof(unsigned int),
0831 .mode = 0644,
0832 .proc_handler = proc_dointvec_jiffies,
0833 },
0834 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = {
0835 .procname = "nf_conntrack_icmpv6_timeout",
0836 .maxlen = sizeof(unsigned int),
0837 .mode = 0644,
0838 .proc_handler = proc_dointvec_jiffies,
0839 },
0840 #ifdef CONFIG_NF_CT_PROTO_SCTP
0841 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = {
0842 .procname = "nf_conntrack_sctp_timeout_closed",
0843 .maxlen = sizeof(unsigned int),
0844 .mode = 0644,
0845 .proc_handler = proc_dointvec_jiffies,
0846 },
0847 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = {
0848 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
0849 .maxlen = sizeof(unsigned int),
0850 .mode = 0644,
0851 .proc_handler = proc_dointvec_jiffies,
0852 },
0853 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = {
0854 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
0855 .maxlen = sizeof(unsigned int),
0856 .mode = 0644,
0857 .proc_handler = proc_dointvec_jiffies,
0858 },
0859 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = {
0860 .procname = "nf_conntrack_sctp_timeout_established",
0861 .maxlen = sizeof(unsigned int),
0862 .mode = 0644,
0863 .proc_handler = proc_dointvec_jiffies,
0864 },
0865 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = {
0866 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
0867 .maxlen = sizeof(unsigned int),
0868 .mode = 0644,
0869 .proc_handler = proc_dointvec_jiffies,
0870 },
0871 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = {
0872 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
0873 .maxlen = sizeof(unsigned int),
0874 .mode = 0644,
0875 .proc_handler = proc_dointvec_jiffies,
0876 },
0877 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = {
0878 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
0879 .maxlen = sizeof(unsigned int),
0880 .mode = 0644,
0881 .proc_handler = proc_dointvec_jiffies,
0882 },
0883 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = {
0884 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
0885 .maxlen = sizeof(unsigned int),
0886 .mode = 0644,
0887 .proc_handler = proc_dointvec_jiffies,
0888 },
0889 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = {
0890 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
0891 .maxlen = sizeof(unsigned int),
0892 .mode = 0644,
0893 .proc_handler = proc_dointvec_jiffies,
0894 },
0895 #endif
0896 #ifdef CONFIG_NF_CT_PROTO_DCCP
0897 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = {
0898 .procname = "nf_conntrack_dccp_timeout_request",
0899 .maxlen = sizeof(unsigned int),
0900 .mode = 0644,
0901 .proc_handler = proc_dointvec_jiffies,
0902 },
0903 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = {
0904 .procname = "nf_conntrack_dccp_timeout_respond",
0905 .maxlen = sizeof(unsigned int),
0906 .mode = 0644,
0907 .proc_handler = proc_dointvec_jiffies,
0908 },
0909 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = {
0910 .procname = "nf_conntrack_dccp_timeout_partopen",
0911 .maxlen = sizeof(unsigned int),
0912 .mode = 0644,
0913 .proc_handler = proc_dointvec_jiffies,
0914 },
0915 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = {
0916 .procname = "nf_conntrack_dccp_timeout_open",
0917 .maxlen = sizeof(unsigned int),
0918 .mode = 0644,
0919 .proc_handler = proc_dointvec_jiffies,
0920 },
0921 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = {
0922 .procname = "nf_conntrack_dccp_timeout_closereq",
0923 .maxlen = sizeof(unsigned int),
0924 .mode = 0644,
0925 .proc_handler = proc_dointvec_jiffies,
0926 },
0927 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = {
0928 .procname = "nf_conntrack_dccp_timeout_closing",
0929 .maxlen = sizeof(unsigned int),
0930 .mode = 0644,
0931 .proc_handler = proc_dointvec_jiffies,
0932 },
0933 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = {
0934 .procname = "nf_conntrack_dccp_timeout_timewait",
0935 .maxlen = sizeof(unsigned int),
0936 .mode = 0644,
0937 .proc_handler = proc_dointvec_jiffies,
0938 },
0939 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = {
0940 .procname = "nf_conntrack_dccp_loose",
0941 .maxlen = sizeof(u8),
0942 .mode = 0644,
0943 .proc_handler = proc_dou8vec_minmax,
0944 .extra1 = SYSCTL_ZERO,
0945 .extra2 = SYSCTL_ONE,
0946 },
0947 #endif
0948 #ifdef CONFIG_NF_CT_PROTO_GRE
0949 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = {
0950 .procname = "nf_conntrack_gre_timeout",
0951 .maxlen = sizeof(unsigned int),
0952 .mode = 0644,
0953 .proc_handler = proc_dointvec_jiffies,
0954 },
0955 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = {
0956 .procname = "nf_conntrack_gre_timeout_stream",
0957 .maxlen = sizeof(unsigned int),
0958 .mode = 0644,
0959 .proc_handler = proc_dointvec_jiffies,
0960 },
0961 #endif
0962 #ifdef CONFIG_LWTUNNEL
0963 [NF_SYSCTL_CT_LWTUNNEL] = {
0964 .procname = "nf_hooks_lwtunnel",
0965 .data = NULL,
0966 .maxlen = sizeof(int),
0967 .mode = 0644,
0968 .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
0969 },
0970 #endif
0971 {}
0972 };
0973
0974 static struct ctl_table nf_ct_netfilter_table[] = {
0975 {
0976 .procname = "nf_conntrack_max",
0977 .data = &nf_conntrack_max,
0978 .maxlen = sizeof(int),
0979 .mode = 0644,
0980 .proc_handler = proc_dointvec,
0981 },
0982 { }
0983 };
0984
0985 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
0986 struct ctl_table *table)
0987 {
0988 struct nf_tcp_net *tn = nf_tcp_pernet(net);
0989
0990 #define XASSIGN(XNAME, tn) \
0991 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \
0992 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME]
0993
0994 XASSIGN(SYN_SENT, tn);
0995 XASSIGN(SYN_RECV, tn);
0996 XASSIGN(ESTABLISHED, tn);
0997 XASSIGN(FIN_WAIT, tn);
0998 XASSIGN(CLOSE_WAIT, tn);
0999 XASSIGN(LAST_ACK, tn);
1000 XASSIGN(TIME_WAIT, tn);
1001 XASSIGN(CLOSE, tn);
1002 XASSIGN(RETRANS, tn);
1003 XASSIGN(UNACK, tn);
1004 #undef XASSIGN
1005 #define XASSIGN(XNAME, rval) \
1006 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval)
1007
1008 XASSIGN(LOOSE, &tn->tcp_loose);
1009 XASSIGN(LIBERAL, &tn->tcp_be_liberal);
1010 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans);
1011 XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst);
1012 #undef XASSIGN
1013
1014 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
1015 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_OFFLOAD].data = &tn->offload_timeout;
1016 #endif
1017
1018 }
1019
1020 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net,
1021 struct ctl_table *table)
1022 {
1023 #ifdef CONFIG_NF_CT_PROTO_SCTP
1024 struct nf_sctp_net *sn = nf_sctp_pernet(net);
1025
1026 #define XASSIGN(XNAME, sn) \
1027 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \
1028 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME]
1029
1030 XASSIGN(CLOSED, sn);
1031 XASSIGN(COOKIE_WAIT, sn);
1032 XASSIGN(COOKIE_ECHOED, sn);
1033 XASSIGN(ESTABLISHED, sn);
1034 XASSIGN(SHUTDOWN_SENT, sn);
1035 XASSIGN(SHUTDOWN_RECD, sn);
1036 XASSIGN(SHUTDOWN_ACK_SENT, sn);
1037 XASSIGN(HEARTBEAT_SENT, sn);
1038 XASSIGN(HEARTBEAT_ACKED, sn);
1039 #undef XASSIGN
1040 #endif
1041 }
1042
1043 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net,
1044 struct ctl_table *table)
1045 {
1046 #ifdef CONFIG_NF_CT_PROTO_DCCP
1047 struct nf_dccp_net *dn = nf_dccp_pernet(net);
1048
1049 #define XASSIGN(XNAME, dn) \
1050 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \
1051 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME]
1052
1053 XASSIGN(REQUEST, dn);
1054 XASSIGN(RESPOND, dn);
1055 XASSIGN(PARTOPEN, dn);
1056 XASSIGN(OPEN, dn);
1057 XASSIGN(CLOSEREQ, dn);
1058 XASSIGN(CLOSING, dn);
1059 XASSIGN(TIMEWAIT, dn);
1060 #undef XASSIGN
1061
1062 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose;
1063 #endif
1064 }
1065
1066 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net,
1067 struct ctl_table *table)
1068 {
1069 #ifdef CONFIG_NF_CT_PROTO_GRE
1070 struct nf_gre_net *gn = nf_gre_pernet(net);
1071
1072 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED];
1073 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED];
1074 #endif
1075 }
1076
1077 static int nf_conntrack_standalone_init_sysctl(struct net *net)
1078 {
1079 struct nf_conntrack_net *cnet = nf_ct_pernet(net);
1080 struct nf_udp_net *un = nf_udp_pernet(net);
1081 struct ctl_table *table;
1082
1083 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL);
1084
1085 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
1086 GFP_KERNEL);
1087 if (!table)
1088 return -ENOMEM;
1089
1090 table[NF_SYSCTL_CT_COUNT].data = &cnet->count;
1091 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum;
1092 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
1093 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct;
1094 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1095 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events;
1096 #endif
1097 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
1098 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp;
1099 #endif
1100 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout;
1101 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout;
1102 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout;
1103 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED];
1104 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED];
1105 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
1106 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_OFFLOAD].data = &un->offload_timeout;
1107 #endif
1108
1109 nf_conntrack_standalone_init_tcp_sysctl(net, table);
1110 nf_conntrack_standalone_init_sctp_sysctl(net, table);
1111 nf_conntrack_standalone_init_dccp_sysctl(net, table);
1112 nf_conntrack_standalone_init_gre_sysctl(net, table);
1113
1114
1115 if (!net_eq(&init_net, net)) {
1116 table[NF_SYSCTL_CT_MAX].mode = 0444;
1117 table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
1118 table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
1119 }
1120
1121 cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table);
1122 if (!cnet->sysctl_header)
1123 goto out_unregister_netfilter;
1124
1125 return 0;
1126
1127 out_unregister_netfilter:
1128 kfree(table);
1129 return -ENOMEM;
1130 }
1131
1132 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
1133 {
1134 struct nf_conntrack_net *cnet = nf_ct_pernet(net);
1135 struct ctl_table *table;
1136
1137 table = cnet->sysctl_header->ctl_table_arg;
1138 unregister_net_sysctl_table(cnet->sysctl_header);
1139 kfree(table);
1140 }
1141 #else
1142 static int nf_conntrack_standalone_init_sysctl(struct net *net)
1143 {
1144 return 0;
1145 }
1146
1147 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
1148 {
1149 }
1150 #endif
1151
1152 static void nf_conntrack_fini_net(struct net *net)
1153 {
1154 if (enable_hooks)
1155 nf_ct_netns_put(net, NFPROTO_INET);
1156
1157 nf_conntrack_standalone_fini_proc(net);
1158 nf_conntrack_standalone_fini_sysctl(net);
1159 }
1160
1161 static int nf_conntrack_pernet_init(struct net *net)
1162 {
1163 int ret;
1164
1165 net->ct.sysctl_checksum = 1;
1166
1167 ret = nf_conntrack_standalone_init_sysctl(net);
1168 if (ret < 0)
1169 return ret;
1170
1171 ret = nf_conntrack_standalone_init_proc(net);
1172 if (ret < 0)
1173 goto out_proc;
1174
1175 ret = nf_conntrack_init_net(net);
1176 if (ret < 0)
1177 goto out_init_net;
1178
1179 if (enable_hooks) {
1180 ret = nf_ct_netns_get(net, NFPROTO_INET);
1181 if (ret < 0)
1182 goto out_hooks;
1183 }
1184
1185 return 0;
1186
1187 out_hooks:
1188 nf_conntrack_cleanup_net(net);
1189 out_init_net:
1190 nf_conntrack_standalone_fini_proc(net);
1191 out_proc:
1192 nf_conntrack_standalone_fini_sysctl(net);
1193 return ret;
1194 }
1195
1196 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
1197 {
1198 struct net *net;
1199
1200 list_for_each_entry(net, net_exit_list, exit_list)
1201 nf_conntrack_fini_net(net);
1202
1203 nf_conntrack_cleanup_net_list(net_exit_list);
1204 }
1205
1206 static struct pernet_operations nf_conntrack_net_ops = {
1207 .init = nf_conntrack_pernet_init,
1208 .exit_batch = nf_conntrack_pernet_exit,
1209 .id = &nf_conntrack_net_id,
1210 .size = sizeof(struct nf_conntrack_net),
1211 };
1212
1213 static int __init nf_conntrack_standalone_init(void)
1214 {
1215 int ret = nf_conntrack_init_start();
1216 if (ret < 0)
1217 goto out_start;
1218
1219 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER);
1220
1221 #ifdef CONFIG_SYSCTL
1222 nf_ct_netfilter_header =
1223 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
1224 if (!nf_ct_netfilter_header) {
1225 pr_err("nf_conntrack: can't register to sysctl.\n");
1226 ret = -ENOMEM;
1227 goto out_sysctl;
1228 }
1229
1230 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
1231 #endif
1232
1233 ret = register_pernet_subsys(&nf_conntrack_net_ops);
1234 if (ret < 0)
1235 goto out_pernet;
1236
1237 nf_conntrack_init_end();
1238 return 0;
1239
1240 out_pernet:
1241 #ifdef CONFIG_SYSCTL
1242 unregister_net_sysctl_table(nf_ct_netfilter_header);
1243 out_sysctl:
1244 #endif
1245 nf_conntrack_cleanup_end();
1246 out_start:
1247 return ret;
1248 }
1249
1250 static void __exit nf_conntrack_standalone_fini(void)
1251 {
1252 nf_conntrack_cleanup_start();
1253 unregister_pernet_subsys(&nf_conntrack_net_ops);
1254 #ifdef CONFIG_SYSCTL
1255 unregister_net_sysctl_table(nf_ct_netfilter_header);
1256 #endif
1257 nf_conntrack_cleanup_end();
1258 }
1259
1260 module_init(nf_conntrack_standalone_init);
1261 module_exit(nf_conntrack_standalone_fini);
