This source file includes following definitions.
- print_tuple
- ct_get_first
- ct_get_next
- ct_get_idx
- ct_seq_start
- ct_seq_next
- ct_seq_stop
- ct_show_secctx
- ct_show_secctx
- ct_show_zone
- ct_show_zone
- ct_show_delta_time
- ct_show_delta_time
- l3proto_name
- l4proto_name
- seq_print_acct
- ct_seq_show
- ct_cpu_seq_start
- ct_cpu_seq_next
- ct_cpu_seq_stop
- ct_cpu_seq_show
- nf_conntrack_standalone_init_proc
- nf_conntrack_standalone_fini_proc
- nf_conntrack_standalone_init_proc
- nf_conntrack_standalone_fini_proc
- nf_conntrack_hash_sysctl
- nf_conntrack_standalone_init_tcp_sysctl
- nf_conntrack_standalone_init_sctp_sysctl
- nf_conntrack_standalone_init_dccp_sysctl
- nf_conntrack_standalone_init_gre_sysctl
- nf_conntrack_standalone_init_sysctl
- nf_conntrack_standalone_fini_sysctl
- nf_conntrack_standalone_init_sysctl
- nf_conntrack_standalone_fini_sysctl
- nf_conntrack_fini_net
- nf_conntrack_pernet_init
- nf_conntrack_pernet_exit
- nf_conntrack_standalone_init
- nf_conntrack_standalone_fini
1
2 #include <linux/types.h>
3 #include <linux/netfilter.h>
4 #include <linux/slab.h>
5 #include <linux/module.h>
6 #include <linux/skbuff.h>
7 #include <linux/proc_fs.h>
8 #include <linux/seq_file.h>
9 #include <linux/percpu.h>
10 #include <linux/netdevice.h>
11 #include <linux/security.h>
12 #include <net/net_namespace.h>
13 #ifdef CONFIG_SYSCTL
14 #include <linux/sysctl.h>
15 #endif
16
17 #include <net/netfilter/nf_conntrack.h>
18 #include <net/netfilter/nf_conntrack_core.h>
19 #include <net/netfilter/nf_conntrack_l4proto.h>
20 #include <net/netfilter/nf_conntrack_expect.h>
21 #include <net/netfilter/nf_conntrack_helper.h>
22 #include <net/netfilter/nf_conntrack_acct.h>
23 #include <net/netfilter/nf_conntrack_zones.h>
24 #include <net/netfilter/nf_conntrack_timestamp.h>
25 #include <linux/rculist_nulls.h>
26
27 static bool enable_hooks __read_mostly;
28 MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks");
29 module_param(enable_hooks, bool, 0000);
30
31 unsigned int nf_conntrack_net_id __read_mostly;
32
33 #ifdef CONFIG_NF_CONNTRACK_PROCFS
34 void
35 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
36 const struct nf_conntrack_l4proto *l4proto)
37 {
38 switch (tuple->src.l3num) {
39 case NFPROTO_IPV4:
40 seq_printf(s, "src=%pI4 dst=%pI4 ",
41 &tuple->src.u3.ip, &tuple->dst.u3.ip);
42 break;
43 case NFPROTO_IPV6:
44 seq_printf(s, "src=%pI6 dst=%pI6 ",
45 tuple->src.u3.ip6, tuple->dst.u3.ip6);
46 break;
47 default:
48 break;
49 }
50
51 switch (l4proto->l4proto) {
52 case IPPROTO_ICMP:
53 seq_printf(s, "type=%u code=%u id=%u ",
54 tuple->dst.u.icmp.type,
55 tuple->dst.u.icmp.code,
56 ntohs(tuple->src.u.icmp.id));
57 break;
58 case IPPROTO_TCP:
59 seq_printf(s, "sport=%hu dport=%hu ",
60 ntohs(tuple->src.u.tcp.port),
61 ntohs(tuple->dst.u.tcp.port));
62 break;
63 case IPPROTO_UDPLITE:
64 case IPPROTO_UDP:
65 seq_printf(s, "sport=%hu dport=%hu ",
66 ntohs(tuple->src.u.udp.port),
67 ntohs(tuple->dst.u.udp.port));
68
69 break;
70 case IPPROTO_DCCP:
71 seq_printf(s, "sport=%hu dport=%hu ",
72 ntohs(tuple->src.u.dccp.port),
73 ntohs(tuple->dst.u.dccp.port));
74 break;
75 case IPPROTO_SCTP:
76 seq_printf(s, "sport=%hu dport=%hu ",
77 ntohs(tuple->src.u.sctp.port),
78 ntohs(tuple->dst.u.sctp.port));
79 break;
80 case IPPROTO_ICMPV6:
81 seq_printf(s, "type=%u code=%u id=%u ",
82 tuple->dst.u.icmp.type,
83 tuple->dst.u.icmp.code,
84 ntohs(tuple->src.u.icmp.id));
85 break;
86 case IPPROTO_GRE:
87 seq_printf(s, "srckey=0x%x dstkey=0x%x ",
88 ntohs(tuple->src.u.gre.key),
89 ntohs(tuple->dst.u.gre.key));
90 break;
91 default:
92 break;
93 }
94 }
95 EXPORT_SYMBOL_GPL(print_tuple);
96
97 struct ct_iter_state {
98 struct seq_net_private p;
99 struct hlist_nulls_head *hash;
100 unsigned int htable_size;
101 unsigned int bucket;
102 u_int64_t time_now;
103 };
104
105 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
106 {
107 struct ct_iter_state *st = seq->private;
108 struct hlist_nulls_node *n;
109
110 for (st->bucket = 0;
111 st->bucket < st->htable_size;
112 st->bucket++) {
113 n = rcu_dereference(
114 hlist_nulls_first_rcu(&st->hash[st->bucket]));
115 if (!is_a_nulls(n))
116 return n;
117 }
118 return NULL;
119 }
120
121 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
122 struct hlist_nulls_node *head)
123 {
124 struct ct_iter_state *st = seq->private;
125
126 head = rcu_dereference(hlist_nulls_next_rcu(head));
127 while (is_a_nulls(head)) {
128 if (likely(get_nulls_value(head) == st->bucket)) {
129 if (++st->bucket >= st->htable_size)
130 return NULL;
131 }
132 head = rcu_dereference(
133 hlist_nulls_first_rcu(&st->hash[st->bucket]));
134 }
135 return head;
136 }
137
138 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos)
139 {
140 struct hlist_nulls_node *head = ct_get_first(seq);
141
142 if (head)
143 while (pos && (head = ct_get_next(seq, head)))
144 pos--;
145 return pos ? NULL : head;
146 }
147
148 static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
149 __acquires(RCU)
150 {
151 struct ct_iter_state *st = seq->private;
152
153 st->time_now = ktime_get_real_ns();
154 rcu_read_lock();
155
156 nf_conntrack_get_ht(&st->hash, &st->htable_size);
157 return ct_get_idx(seq, *pos);
158 }
159
160 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
161 {
162 (*pos)++;
163 return ct_get_next(s, v);
164 }
165
166 static void ct_seq_stop(struct seq_file *s, void *v)
167 __releases(RCU)
168 {
169 rcu_read_unlock();
170 }
171
172 #ifdef CONFIG_NF_CONNTRACK_SECMARK
173 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
174 {
175 int ret;
176 u32 len;
177 char *secctx;
178
179 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
180 if (ret)
181 return;
182
183 seq_printf(s, "secctx=%s ", secctx);
184
185 security_release_secctx(secctx, len);
186 }
187 #else
188 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
189 {
190 }
191 #endif
192
193 #ifdef CONFIG_NF_CONNTRACK_ZONES
194 static void ct_show_zone(struct seq_file *s, const struct nf_conn *ct,
195 int dir)
196 {
197 const struct nf_conntrack_zone *zone = nf_ct_zone(ct);
198
199 if (zone->dir != dir)
200 return;
201 switch (zone->dir) {
202 case NF_CT_DEFAULT_ZONE_DIR:
203 seq_printf(s, "zone=%u ", zone->id);
204 break;
205 case NF_CT_ZONE_DIR_ORIG:
206 seq_printf(s, "zone-orig=%u ", zone->id);
207 break;
208 case NF_CT_ZONE_DIR_REPL:
209 seq_printf(s, "zone-reply=%u ", zone->id);
210 break;
211 default:
212 break;
213 }
214 }
215 #else
216 static inline void ct_show_zone(struct seq_file *s, const struct nf_conn *ct,
217 int dir)
218 {
219 }
220 #endif
221
222 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
223 static void ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
224 {
225 struct ct_iter_state *st = s->private;
226 struct nf_conn_tstamp *tstamp;
227 s64 delta_time;
228
229 tstamp = nf_conn_tstamp_find(ct);
230 if (tstamp) {
231 delta_time = st->time_now - tstamp->start;
232 if (delta_time > 0)
233 delta_time = div_s64(delta_time, NSEC_PER_SEC);
234 else
235 delta_time = 0;
236
237 seq_printf(s, "delta-time=%llu ",
238 (unsigned long long)delta_time);
239 }
240 return;
241 }
242 #else
243 static inline void
244 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
245 {
246 }
247 #endif
248
249 static const char* l3proto_name(u16 proto)
250 {
251 switch (proto) {
252 case AF_INET: return "ipv4";
253 case AF_INET6: return "ipv6";
254 }
255
256 return "unknown";
257 }
258
259 static const char* l4proto_name(u16 proto)
260 {
261 switch (proto) {
262 case IPPROTO_ICMP: return "icmp";
263 case IPPROTO_TCP: return "tcp";
264 case IPPROTO_UDP: return "udp";
265 case IPPROTO_DCCP: return "dccp";
266 case IPPROTO_GRE: return "gre";
267 case IPPROTO_SCTP: return "sctp";
268 case IPPROTO_UDPLITE: return "udplite";
269 }
270
271 return "unknown";
272 }
273
274 static unsigned int
275 seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir)
276 {
277 struct nf_conn_acct *acct;
278 struct nf_conn_counter *counter;
279
280 acct = nf_conn_acct_find(ct);
281 if (!acct)
282 return 0;
283
284 counter = acct->counter;
285 seq_printf(s, "packets=%llu bytes=%llu ",
286 (unsigned long long)atomic64_read(&counter[dir].packets),
287 (unsigned long long)atomic64_read(&counter[dir].bytes));
288
289 return 0;
290 }
291
292
293 static int ct_seq_show(struct seq_file *s, void *v)
294 {
295 struct nf_conntrack_tuple_hash *hash = v;
296 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
297 const struct nf_conntrack_l4proto *l4proto;
298 struct net *net = seq_file_net(s);
299 int ret = 0;
300
301 WARN_ON(!ct);
302 if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
303 return 0;
304
305 if (nf_ct_should_gc(ct)) {
306 nf_ct_kill(ct);
307 goto release;
308 }
309
310
311 if (NF_CT_DIRECTION(hash))
312 goto release;
313
314 if (!net_eq(nf_ct_net(ct), net))
315 goto release;
316
317 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
318
319 ret = -ENOSPC;
320 seq_printf(s, "%-8s %u %-8s %u ",
321 l3proto_name(nf_ct_l3num(ct)), nf_ct_l3num(ct),
322 l4proto_name(l4proto->l4proto), nf_ct_protonum(ct));
323
324 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status))
325 seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ);
326
327 if (l4proto->print_conntrack)
328 l4proto->print_conntrack(s, ct);
329
330 print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
331 l4proto);
332
333 ct_show_zone(s, ct, NF_CT_ZONE_DIR_ORIG);
334
335 if (seq_has_overflowed(s))
336 goto release;
337
338 if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL))
339 goto release;
340
341 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
342 seq_puts(s, "[UNREPLIED] ");
343
344 print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, l4proto);
345
346 ct_show_zone(s, ct, NF_CT_ZONE_DIR_REPL);
347
348 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
349 goto release;
350
351 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
352 seq_puts(s, "[OFFLOAD] ");
353 else if (test_bit(IPS_ASSURED_BIT, &ct->status))
354 seq_puts(s, "[ASSURED] ");
355
356 if (seq_has_overflowed(s))
357 goto release;
358
359 #if defined(CONFIG_NF_CONNTRACK_MARK)
360 seq_printf(s, "mark=%u ", ct->mark);
361 #endif
362
363 ct_show_secctx(s, ct);
364 ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR);
365 ct_show_delta_time(s, ct);
366
367 seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use));
368
369 if (seq_has_overflowed(s))
370 goto release;
371
372 ret = 0;
373 release:
374 nf_ct_put(ct);
375 return ret;
376 }
377
378 static const struct seq_operations ct_seq_ops = {
379 .start = ct_seq_start,
380 .next = ct_seq_next,
381 .stop = ct_seq_stop,
382 .show = ct_seq_show
383 };
384
385 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos)
386 {
387 struct net *net = seq_file_net(seq);
388 int cpu;
389
390 if (*pos == 0)
391 return SEQ_START_TOKEN;
392
393 for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) {
394 if (!cpu_possible(cpu))
395 continue;
396 *pos = cpu + 1;
397 return per_cpu_ptr(net->ct.stat, cpu);
398 }
399
400 return NULL;
401 }
402
403 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
404 {
405 struct net *net = seq_file_net(seq);
406 int cpu;
407
408 for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
409 if (!cpu_possible(cpu))
410 continue;
411 *pos = cpu + 1;
412 return per_cpu_ptr(net->ct.stat, cpu);
413 }
414 (*pos)++;
415 return NULL;
416 }
417
418 static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
419 {
420 }
421
422 static int ct_cpu_seq_show(struct seq_file *seq, void *v)
423 {
424 struct net *net = seq_file_net(seq);
425 unsigned int nr_conntracks = atomic_read(&net->ct.count);
426 const struct ip_conntrack_stat *st = v;
427
428 if (v == SEQ_START_TOKEN) {
429 seq_puts(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
430 return 0;
431 }
432
433 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
434 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
435 nr_conntracks,
436 0,
437 st->found,
438 0,
439 st->invalid,
440 st->ignore,
441 0,
442 0,
443 st->insert,
444 st->insert_failed,
445 st->drop,
446 st->early_drop,
447 st->error,
448
449 st->expect_new,
450 st->expect_create,
451 st->expect_delete,
452 st->search_restart
453 );
454 return 0;
455 }
456
457 static const struct seq_operations ct_cpu_seq_ops = {
458 .start = ct_cpu_seq_start,
459 .next = ct_cpu_seq_next,
460 .stop = ct_cpu_seq_stop,
461 .show = ct_cpu_seq_show,
462 };
463
464 static int nf_conntrack_standalone_init_proc(struct net *net)
465 {
466 struct proc_dir_entry *pde;
467 kuid_t root_uid;
468 kgid_t root_gid;
469
470 pde = proc_create_net("nf_conntrack", 0440, net->proc_net, &ct_seq_ops,
471 sizeof(struct ct_iter_state));
472 if (!pde)
473 goto out_nf_conntrack;
474
475 root_uid = make_kuid(net->user_ns, 0);
476 root_gid = make_kgid(net->user_ns, 0);
477 if (uid_valid(root_uid) && gid_valid(root_gid))
478 proc_set_user(pde, root_uid, root_gid);
479
480 pde = proc_create_net("nf_conntrack", 0444, net->proc_net_stat,
481 &ct_cpu_seq_ops, sizeof(struct seq_net_private));
482 if (!pde)
483 goto out_stat_nf_conntrack;
484 return 0;
485
486 out_stat_nf_conntrack:
487 remove_proc_entry("nf_conntrack", net->proc_net);
488 out_nf_conntrack:
489 return -ENOMEM;
490 }
491
492 static void nf_conntrack_standalone_fini_proc(struct net *net)
493 {
494 remove_proc_entry("nf_conntrack", net->proc_net_stat);
495 remove_proc_entry("nf_conntrack", net->proc_net);
496 }
497 #else
498 static int nf_conntrack_standalone_init_proc(struct net *net)
499 {
500 return 0;
501 }
502
503 static void nf_conntrack_standalone_fini_proc(struct net *net)
504 {
505 }
506 #endif
507
508
509
510 #ifdef CONFIG_SYSCTL
511
512 static int log_invalid_proto_min __read_mostly;
513 static int log_invalid_proto_max __read_mostly = 255;
514
515
516 static unsigned int nf_conntrack_htable_size_user __read_mostly;
517
518 static int
519 nf_conntrack_hash_sysctl(struct ctl_table *table, int write,
520 void __user *buffer, size_t *lenp, loff_t *ppos)
521 {
522 int ret;
523
524 ret = proc_dointvec(table, write, buffer, lenp, ppos);
525 if (ret < 0 || !write)
526 return ret;
527
528
529 ret = nf_conntrack_hash_resize(nf_conntrack_htable_size_user);
530
531
532 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
533 return ret;
534 }
535
536 static struct ctl_table_header *nf_ct_netfilter_header;
537
538 enum nf_ct_sysctl_index {
539 NF_SYSCTL_CT_MAX,
540 NF_SYSCTL_CT_COUNT,
541 NF_SYSCTL_CT_BUCKETS,
542 NF_SYSCTL_CT_CHECKSUM,
543 NF_SYSCTL_CT_LOG_INVALID,
544 NF_SYSCTL_CT_EXPECT_MAX,
545 NF_SYSCTL_CT_ACCT,
546 NF_SYSCTL_CT_HELPER,
547 #ifdef CONFIG_NF_CONNTRACK_EVENTS
548 NF_SYSCTL_CT_EVENTS,
549 #endif
550 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
551 NF_SYSCTL_CT_TIMESTAMP,
552 #endif
553 NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC,
554 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT,
555 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV,
556 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED,
557 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT,
558 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT,
559 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK,
560 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT,
561 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE,
562 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS,
563 NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK,
564 NF_SYSCTL_CT_PROTO_TCP_LOOSE,
565 NF_SYSCTL_CT_PROTO_TCP_LIBERAL,
566 NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS,
567 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP,
568 NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM,
569 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP,
570 NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6,
571 #ifdef CONFIG_NF_CT_PROTO_SCTP
572 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED,
573 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT,
574 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED,
575 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED,
576 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT,
577 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD,
578 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
579 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT,
580 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED,
581 #endif
582 #ifdef CONFIG_NF_CT_PROTO_DCCP
583 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST,
584 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND,
585 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN,
586 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN,
587 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ,
588 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING,
589 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT,
590 NF_SYSCTL_CT_PROTO_DCCP_LOOSE,
591 #endif
592 #ifdef CONFIG_NF_CT_PROTO_GRE
593 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE,
594 NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM,
595 #endif
596
597 __NF_SYSCTL_CT_LAST_SYSCTL,
598 };
599
600 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1)
601
602 static struct ctl_table nf_ct_sysctl_table[] = {
603 [NF_SYSCTL_CT_MAX] = {
604 .procname = "nf_conntrack_max",
605 .data = &nf_conntrack_max,
606 .maxlen = sizeof(int),
607 .mode = 0644,
608 .proc_handler = proc_dointvec,
609 },
610 [NF_SYSCTL_CT_COUNT] = {
611 .procname = "nf_conntrack_count",
612 .data = &init_net.ct.count,
613 .maxlen = sizeof(int),
614 .mode = 0444,
615 .proc_handler = proc_dointvec,
616 },
617 [NF_SYSCTL_CT_BUCKETS] = {
618 .procname = "nf_conntrack_buckets",
619 .data = &nf_conntrack_htable_size_user,
620 .maxlen = sizeof(unsigned int),
621 .mode = 0644,
622 .proc_handler = nf_conntrack_hash_sysctl,
623 },
624 [NF_SYSCTL_CT_CHECKSUM] = {
625 .procname = "nf_conntrack_checksum",
626 .data = &init_net.ct.sysctl_checksum,
627 .maxlen = sizeof(int),
628 .mode = 0644,
629 .proc_handler = proc_dointvec_minmax,
630 .extra1 = SYSCTL_ZERO,
631 .extra2 = SYSCTL_ONE,
632 },
633 [NF_SYSCTL_CT_LOG_INVALID] = {
634 .procname = "nf_conntrack_log_invalid",
635 .data = &init_net.ct.sysctl_log_invalid,
636 .maxlen = sizeof(unsigned int),
637 .mode = 0644,
638 .proc_handler = proc_dointvec_minmax,
639 .extra1 = &log_invalid_proto_min,
640 .extra2 = &log_invalid_proto_max,
641 },
642 [NF_SYSCTL_CT_EXPECT_MAX] = {
643 .procname = "nf_conntrack_expect_max",
644 .data = &nf_ct_expect_max,
645 .maxlen = sizeof(int),
646 .mode = 0644,
647 .proc_handler = proc_dointvec,
648 },
649 [NF_SYSCTL_CT_ACCT] = {
650 .procname = "nf_conntrack_acct",
651 .data = &init_net.ct.sysctl_acct,
652 .maxlen = sizeof(int),
653 .mode = 0644,
654 .proc_handler = proc_dointvec_minmax,
655 .extra1 = SYSCTL_ZERO,
656 .extra2 = SYSCTL_ONE,
657 },
658 [NF_SYSCTL_CT_HELPER] = {
659 .procname = "nf_conntrack_helper",
660 .data = &init_net.ct.sysctl_auto_assign_helper,
661 .maxlen = sizeof(int),
662 .mode = 0644,
663 .proc_handler = proc_dointvec_minmax,
664 .extra1 = SYSCTL_ZERO,
665 .extra2 = SYSCTL_ONE,
666 },
667 #ifdef CONFIG_NF_CONNTRACK_EVENTS
668 [NF_SYSCTL_CT_EVENTS] = {
669 .procname = "nf_conntrack_events",
670 .data = &init_net.ct.sysctl_events,
671 .maxlen = sizeof(int),
672 .mode = 0644,
673 .proc_handler = proc_dointvec_minmax,
674 .extra1 = SYSCTL_ZERO,
675 .extra2 = SYSCTL_ONE,
676 },
677 #endif
678 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
679 [NF_SYSCTL_CT_TIMESTAMP] = {
680 .procname = "nf_conntrack_timestamp",
681 .data = &init_net.ct.sysctl_tstamp,
682 .maxlen = sizeof(int),
683 .mode = 0644,
684 .proc_handler = proc_dointvec_minmax,
685 .extra1 = SYSCTL_ZERO,
686 .extra2 = SYSCTL_ONE,
687 },
688 #endif
689 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = {
690 .procname = "nf_conntrack_generic_timeout",
691 .maxlen = sizeof(unsigned int),
692 .mode = 0644,
693 .proc_handler = proc_dointvec_jiffies,
694 },
695 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_SENT] = {
696 .procname = "nf_conntrack_tcp_timeout_syn_sent",
697 .maxlen = sizeof(unsigned int),
698 .mode = 0644,
699 .proc_handler = proc_dointvec_jiffies,
700 },
701 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_SYN_RECV] = {
702 .procname = "nf_conntrack_tcp_timeout_syn_recv",
703 .maxlen = sizeof(unsigned int),
704 .mode = 0644,
705 .proc_handler = proc_dointvec_jiffies,
706 },
707 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ESTABLISHED] = {
708 .procname = "nf_conntrack_tcp_timeout_established",
709 .maxlen = sizeof(unsigned int),
710 .mode = 0644,
711 .proc_handler = proc_dointvec_jiffies,
712 },
713 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_FIN_WAIT] = {
714 .procname = "nf_conntrack_tcp_timeout_fin_wait",
715 .maxlen = sizeof(unsigned int),
716 .mode = 0644,
717 .proc_handler = proc_dointvec_jiffies,
718 },
719 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE_WAIT] = {
720 .procname = "nf_conntrack_tcp_timeout_close_wait",
721 .maxlen = sizeof(unsigned int),
722 .mode = 0644,
723 .proc_handler = proc_dointvec_jiffies,
724 },
725 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_LAST_ACK] = {
726 .procname = "nf_conntrack_tcp_timeout_last_ack",
727 .maxlen = sizeof(unsigned int),
728 .mode = 0644,
729 .proc_handler = proc_dointvec_jiffies,
730 },
731 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_TIME_WAIT] = {
732 .procname = "nf_conntrack_tcp_timeout_time_wait",
733 .maxlen = sizeof(unsigned int),
734 .mode = 0644,
735 .proc_handler = proc_dointvec_jiffies,
736 },
737 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_CLOSE] = {
738 .procname = "nf_conntrack_tcp_timeout_close",
739 .maxlen = sizeof(unsigned int),
740 .mode = 0644,
741 .proc_handler = proc_dointvec_jiffies,
742 },
743 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_RETRANS] = {
744 .procname = "nf_conntrack_tcp_timeout_max_retrans",
745 .maxlen = sizeof(unsigned int),
746 .mode = 0644,
747 .proc_handler = proc_dointvec_jiffies,
748 },
749 [NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_UNACK] = {
750 .procname = "nf_conntrack_tcp_timeout_unacknowledged",
751 .maxlen = sizeof(unsigned int),
752 .mode = 0644,
753 .proc_handler = proc_dointvec_jiffies,
754 },
755 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = {
756 .procname = "nf_conntrack_tcp_loose",
757 .maxlen = sizeof(int),
758 .mode = 0644,
759 .proc_handler = proc_dointvec_minmax,
760 .extra1 = SYSCTL_ZERO,
761 .extra2 = SYSCTL_ONE,
762 },
763 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = {
764 .procname = "nf_conntrack_tcp_be_liberal",
765 .maxlen = sizeof(int),
766 .mode = 0644,
767 .proc_handler = proc_dointvec_minmax,
768 .extra1 = SYSCTL_ZERO,
769 .extra2 = SYSCTL_ONE,
770 },
771 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = {
772 .procname = "nf_conntrack_tcp_max_retrans",
773 .maxlen = sizeof(unsigned int),
774 .mode = 0644,
775 .proc_handler = proc_dointvec,
776 },
777 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP] = {
778 .procname = "nf_conntrack_udp_timeout",
779 .maxlen = sizeof(unsigned int),
780 .mode = 0644,
781 .proc_handler = proc_dointvec_jiffies,
782 },
783 [NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM] = {
784 .procname = "nf_conntrack_udp_timeout_stream",
785 .maxlen = sizeof(unsigned int),
786 .mode = 0644,
787 .proc_handler = proc_dointvec_jiffies,
788 },
789 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP] = {
790 .procname = "nf_conntrack_icmp_timeout",
791 .maxlen = sizeof(unsigned int),
792 .mode = 0644,
793 .proc_handler = proc_dointvec_jiffies,
794 },
795 [NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6] = {
796 .procname = "nf_conntrack_icmpv6_timeout",
797 .maxlen = sizeof(unsigned int),
798 .mode = 0644,
799 .proc_handler = proc_dointvec_jiffies,
800 },
801 #ifdef CONFIG_NF_CT_PROTO_SCTP
802 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_CLOSED] = {
803 .procname = "nf_conntrack_sctp_timeout_closed",
804 .maxlen = sizeof(unsigned int),
805 .mode = 0644,
806 .proc_handler = proc_dointvec_jiffies,
807 },
808 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_WAIT] = {
809 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
810 .maxlen = sizeof(unsigned int),
811 .mode = 0644,
812 .proc_handler = proc_dointvec_jiffies,
813 },
814 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_COOKIE_ECHOED] = {
815 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
816 .maxlen = sizeof(unsigned int),
817 .mode = 0644,
818 .proc_handler = proc_dointvec_jiffies,
819 },
820 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ESTABLISHED] = {
821 .procname = "nf_conntrack_sctp_timeout_established",
822 .maxlen = sizeof(unsigned int),
823 .mode = 0644,
824 .proc_handler = proc_dointvec_jiffies,
825 },
826 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_SENT] = {
827 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
828 .maxlen = sizeof(unsigned int),
829 .mode = 0644,
830 .proc_handler = proc_dointvec_jiffies,
831 },
832 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_RECD] = {
833 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
834 .maxlen = sizeof(unsigned int),
835 .mode = 0644,
836 .proc_handler = proc_dointvec_jiffies,
837 },
838 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT] = {
839 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
840 .maxlen = sizeof(unsigned int),
841 .mode = 0644,
842 .proc_handler = proc_dointvec_jiffies,
843 },
844 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT] = {
845 .procname = "nf_conntrack_sctp_timeout_heartbeat_sent",
846 .maxlen = sizeof(unsigned int),
847 .mode = 0644,
848 .proc_handler = proc_dointvec_jiffies,
849 },
850 [NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED] = {
851 .procname = "nf_conntrack_sctp_timeout_heartbeat_acked",
852 .maxlen = sizeof(unsigned int),
853 .mode = 0644,
854 .proc_handler = proc_dointvec_jiffies,
855 },
856 #endif
857 #ifdef CONFIG_NF_CT_PROTO_DCCP
858 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = {
859 .procname = "nf_conntrack_dccp_timeout_request",
860 .maxlen = sizeof(unsigned int),
861 .mode = 0644,
862 .proc_handler = proc_dointvec_jiffies,
863 },
864 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_RESPOND] = {
865 .procname = "nf_conntrack_dccp_timeout_respond",
866 .maxlen = sizeof(unsigned int),
867 .mode = 0644,
868 .proc_handler = proc_dointvec_jiffies,
869 },
870 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_PARTOPEN] = {
871 .procname = "nf_conntrack_dccp_timeout_partopen",
872 .maxlen = sizeof(unsigned int),
873 .mode = 0644,
874 .proc_handler = proc_dointvec_jiffies,
875 },
876 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_OPEN] = {
877 .procname = "nf_conntrack_dccp_timeout_open",
878 .maxlen = sizeof(unsigned int),
879 .mode = 0644,
880 .proc_handler = proc_dointvec_jiffies,
881 },
882 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSEREQ] = {
883 .procname = "nf_conntrack_dccp_timeout_closereq",
884 .maxlen = sizeof(unsigned int),
885 .mode = 0644,
886 .proc_handler = proc_dointvec_jiffies,
887 },
888 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_CLOSING] = {
889 .procname = "nf_conntrack_dccp_timeout_closing",
890 .maxlen = sizeof(unsigned int),
891 .mode = 0644,
892 .proc_handler = proc_dointvec_jiffies,
893 },
894 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_TIMEWAIT] = {
895 .procname = "nf_conntrack_dccp_timeout_timewait",
896 .maxlen = sizeof(unsigned int),
897 .mode = 0644,
898 .proc_handler = proc_dointvec_jiffies,
899 },
900 [NF_SYSCTL_CT_PROTO_DCCP_LOOSE] = {
901 .procname = "nf_conntrack_dccp_loose",
902 .maxlen = sizeof(int),
903 .mode = 0644,
904 .proc_handler = proc_dointvec_minmax,
905 .extra1 = SYSCTL_ZERO,
906 .extra2 = SYSCTL_ONE,
907 },
908 #endif
909 #ifdef CONFIG_NF_CT_PROTO_GRE
910 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE] = {
911 .procname = "nf_conntrack_gre_timeout",
912 .maxlen = sizeof(unsigned int),
913 .mode = 0644,
914 .proc_handler = proc_dointvec_jiffies,
915 },
916 [NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM] = {
917 .procname = "nf_conntrack_gre_timeout_stream",
918 .maxlen = sizeof(unsigned int),
919 .mode = 0644,
920 .proc_handler = proc_dointvec_jiffies,
921 },
922 #endif
923 {}
924 };
925
926 static struct ctl_table nf_ct_netfilter_table[] = {
927 {
928 .procname = "nf_conntrack_max",
929 .data = &nf_conntrack_max,
930 .maxlen = sizeof(int),
931 .mode = 0644,
932 .proc_handler = proc_dointvec,
933 },
934 { }
935 };
936
937 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
938 struct ctl_table *table)
939 {
940 struct nf_tcp_net *tn = nf_tcp_pernet(net);
941
942 #define XASSIGN(XNAME, tn) \
943 table[NF_SYSCTL_CT_PROTO_TIMEOUT_TCP_ ## XNAME].data = \
944 &(tn)->timeouts[TCP_CONNTRACK_ ## XNAME]
945
946 XASSIGN(SYN_SENT, tn);
947 XASSIGN(SYN_RECV, tn);
948 XASSIGN(ESTABLISHED, tn);
949 XASSIGN(FIN_WAIT, tn);
950 XASSIGN(CLOSE_WAIT, tn);
951 XASSIGN(LAST_ACK, tn);
952 XASSIGN(TIME_WAIT, tn);
953 XASSIGN(CLOSE, tn);
954 XASSIGN(RETRANS, tn);
955 XASSIGN(UNACK, tn);
956 #undef XASSIGN
957 #define XASSIGN(XNAME, rval) \
958 table[NF_SYSCTL_CT_PROTO_TCP_ ## XNAME].data = (rval)
959
960 XASSIGN(LOOSE, &tn->tcp_loose);
961 XASSIGN(LIBERAL, &tn->tcp_be_liberal);
962 XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans);
963 #undef XASSIGN
964 }
965
966 static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net,
967 struct ctl_table *table)
968 {
969 #ifdef CONFIG_NF_CT_PROTO_SCTP
970 struct nf_sctp_net *sn = nf_sctp_pernet(net);
971
972 #define XASSIGN(XNAME, sn) \
973 table[NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_ ## XNAME].data = \
974 &(sn)->timeouts[SCTP_CONNTRACK_ ## XNAME]
975
976 XASSIGN(CLOSED, sn);
977 XASSIGN(COOKIE_WAIT, sn);
978 XASSIGN(COOKIE_ECHOED, sn);
979 XASSIGN(ESTABLISHED, sn);
980 XASSIGN(SHUTDOWN_SENT, sn);
981 XASSIGN(SHUTDOWN_RECD, sn);
982 XASSIGN(SHUTDOWN_ACK_SENT, sn);
983 XASSIGN(HEARTBEAT_SENT, sn);
984 XASSIGN(HEARTBEAT_ACKED, sn);
985 #undef XASSIGN
986 #endif
987 }
988
989 static void nf_conntrack_standalone_init_dccp_sysctl(struct net *net,
990 struct ctl_table *table)
991 {
992 #ifdef CONFIG_NF_CT_PROTO_DCCP
993 struct nf_dccp_net *dn = nf_dccp_pernet(net);
994
995 #define XASSIGN(XNAME, dn) \
996 table[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_ ## XNAME].data = \
997 &(dn)->dccp_timeout[CT_DCCP_ ## XNAME]
998
999 XASSIGN(REQUEST, dn);
1000 XASSIGN(RESPOND, dn);
1001 XASSIGN(PARTOPEN, dn);
1002 XASSIGN(OPEN, dn);
1003 XASSIGN(CLOSEREQ, dn);
1004 XASSIGN(CLOSING, dn);
1005 XASSIGN(TIMEWAIT, dn);
1006 #undef XASSIGN
1007
1008 table[NF_SYSCTL_CT_PROTO_DCCP_LOOSE].data = &dn->dccp_loose;
1009 #endif
1010 }
1011
1012 static void nf_conntrack_standalone_init_gre_sysctl(struct net *net,
1013 struct ctl_table *table)
1014 {
1015 #ifdef CONFIG_NF_CT_PROTO_GRE
1016 struct nf_gre_net *gn = nf_gre_pernet(net);
1017
1018 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE].data = &gn->timeouts[GRE_CT_UNREPLIED];
1019 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM].data = &gn->timeouts[GRE_CT_REPLIED];
1020 #endif
1021 }
1022
1023 static int nf_conntrack_standalone_init_sysctl(struct net *net)
1024 {
1025 struct nf_udp_net *un = nf_udp_pernet(net);
1026 struct ctl_table *table;
1027
1028 BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL);
1029
1030 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
1031 GFP_KERNEL);
1032 if (!table)
1033 return -ENOMEM;
1034
1035 table[NF_SYSCTL_CT_COUNT].data = &net->ct.count;
1036 table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum;
1037 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
1038 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct;
1039 table[NF_SYSCTL_CT_HELPER].data = &net->ct.sysctl_auto_assign_helper;
1040 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1041 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events;
1042 #endif
1043 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
1044 table[NF_SYSCTL_CT_TIMESTAMP].data = &net->ct.sysctl_tstamp;
1045 #endif
1046 table[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC].data = &nf_generic_pernet(net)->timeout;
1047 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMP].data = &nf_icmp_pernet(net)->timeout;
1048 table[NF_SYSCTL_CT_PROTO_TIMEOUT_ICMPV6].data = &nf_icmpv6_pernet(net)->timeout;
1049 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP].data = &un->timeouts[UDP_CT_UNREPLIED];
1050 table[NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM].data = &un->timeouts[UDP_CT_REPLIED];
1051
1052 nf_conntrack_standalone_init_tcp_sysctl(net, table);
1053 nf_conntrack_standalone_init_sctp_sysctl(net, table);
1054 nf_conntrack_standalone_init_dccp_sysctl(net, table);
1055 nf_conntrack_standalone_init_gre_sysctl(net, table);
1056
1057
1058 if (net->user_ns != &init_user_ns) {
1059 table[NF_SYSCTL_CT_MAX].procname = NULL;
1060 table[NF_SYSCTL_CT_ACCT].procname = NULL;
1061 table[NF_SYSCTL_CT_HELPER].procname = NULL;
1062 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
1063 table[NF_SYSCTL_CT_TIMESTAMP].procname = NULL;
1064 #endif
1065 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1066 table[NF_SYSCTL_CT_EVENTS].procname = NULL;
1067 #endif
1068 }
1069
1070 if (!net_eq(&init_net, net))
1071 table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
1072
1073 net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
1074 if (!net->ct.sysctl_header)
1075 goto out_unregister_netfilter;
1076
1077 return 0;
1078
1079 out_unregister_netfilter:
1080 kfree(table);
1081 return -ENOMEM;
1082 }
1083
1084 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
1085 {
1086 struct ctl_table *table;
1087
1088 table = net->ct.sysctl_header->ctl_table_arg;
1089 unregister_net_sysctl_table(net->ct.sysctl_header);
1090 kfree(table);
1091 }
1092 #else
1093 static int nf_conntrack_standalone_init_sysctl(struct net *net)
1094 {
1095 return 0;
1096 }
1097
1098 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
1099 {
1100 }
1101 #endif
1102
1103 static void nf_conntrack_fini_net(struct net *net)
1104 {
1105 if (enable_hooks)
1106 nf_ct_netns_put(net, NFPROTO_INET);
1107
1108 nf_conntrack_standalone_fini_proc(net);
1109 nf_conntrack_standalone_fini_sysctl(net);
1110 }
1111
1112 static int nf_conntrack_pernet_init(struct net *net)
1113 {
1114 int ret;
1115
1116 net->ct.sysctl_checksum = 1;
1117
1118 ret = nf_conntrack_standalone_init_sysctl(net);
1119 if (ret < 0)
1120 return ret;
1121
1122 ret = nf_conntrack_standalone_init_proc(net);
1123 if (ret < 0)
1124 goto out_proc;
1125
1126 ret = nf_conntrack_init_net(net);
1127 if (ret < 0)
1128 goto out_init_net;
1129
1130 if (enable_hooks) {
1131 ret = nf_ct_netns_get(net, NFPROTO_INET);
1132 if (ret < 0)
1133 goto out_hooks;
1134 }
1135
1136 return 0;
1137
1138 out_hooks:
1139 nf_conntrack_cleanup_net(net);
1140 out_init_net:
1141 nf_conntrack_standalone_fini_proc(net);
1142 out_proc:
1143 nf_conntrack_standalone_fini_sysctl(net);
1144 return ret;
1145 }
1146
1147 static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
1148 {
1149 struct net *net;
1150
1151 list_for_each_entry(net, net_exit_list, exit_list)
1152 nf_conntrack_fini_net(net);
1153
1154 nf_conntrack_cleanup_net_list(net_exit_list);
1155 }
1156
1157 static struct pernet_operations nf_conntrack_net_ops = {
1158 .init = nf_conntrack_pernet_init,
1159 .exit_batch = nf_conntrack_pernet_exit,
1160 .id = &nf_conntrack_net_id,
1161 .size = sizeof(struct nf_conntrack_net),
1162 };
1163
1164 static int __init nf_conntrack_standalone_init(void)
1165 {
1166 int ret = nf_conntrack_init_start();
1167 if (ret < 0)
1168 goto out_start;
1169
1170 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER);
1171
1172 #ifdef CONFIG_SYSCTL
1173 nf_ct_netfilter_header =
1174 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
1175 if (!nf_ct_netfilter_header) {
1176 pr_err("nf_conntrack: can't register to sysctl.\n");
1177 ret = -ENOMEM;
1178 goto out_sysctl;
1179 }
1180
1181 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
1182 #endif
1183
1184 ret = register_pernet_subsys(&nf_conntrack_net_ops);
1185 if (ret < 0)
1186 goto out_pernet;
1187
1188 nf_conntrack_init_end();
1189 return 0;
1190
1191 out_pernet:
1192 #ifdef CONFIG_SYSCTL
1193 unregister_net_sysctl_table(nf_ct_netfilter_header);
1194 out_sysctl:
1195 #endif
1196 nf_conntrack_cleanup_end();
1197 out_start:
1198 return ret;
1199 }
1200
1201 static void __exit nf_conntrack_standalone_fini(void)
1202 {
1203 nf_conntrack_cleanup_start();
1204 unregister_pernet_subsys(&nf_conntrack_net_ops);
1205 #ifdef CONFIG_SYSCTL
1206 unregister_net_sysctl_table(nf_ct_netfilter_header);
1207 #endif
1208 nf_conntrack_cleanup_end();
1209 }
1210
1211 module_init(nf_conntrack_standalone_init);
1212 module_exit(nf_conntrack_standalone_fini);