lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1334631383-12326-4-git-send-email-gaofeng@cn.fujitsu.com>
Date:	Tue, 17 Apr 2012 10:56:14 +0800
From:	Gao feng <gaofeng@...fujitsu.com>
To:	pablo@...filter.org
Cc:	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	ebiederm@...ssion.com, serge.hallyn@...onical.com,
	dlezcano@...ibm.com, Gao feng <gaofeng@...fujitsu.com>
Subject: [PATCH 03/12] netfilter: generic proto sysctl support for net namespace

register the generic proto's sysctl in pernet_operations.init.
and use net->ct.proto.sysctl_generic_timeout replaces nf_ct_generic_timeout.

in the after patch,the timeout_nlattr_to_obj will be modified too.

Signed-off-by: Gao feng <gaofeng@...fujitsu.com>
---
 net/netfilter/nf_conntrack_core.c          |    6 ++
 net/netfilter/nf_conntrack_proto_generic.c |   93 +++++++++++++++++++++++++---
 2 files changed, 91 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 729f157..bf11dd6 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1358,6 +1358,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
 	nf_conntrack_tstamp_fini(net);
 	nf_conntrack_acct_fini(net);
 	nf_conntrack_expect_fini(net);
+	nf_conntrack_proto_generic_net_fini(net);
 	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
 	kfree(net->ct.slabname);
 	free_percpu(net->ct.stat);
@@ -1573,6 +1574,9 @@ static int nf_conntrack_init_net(struct net *net)
 		printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
 		goto err_hash;
 	}
+	ret = nf_conntrack_proto_generic_net_init(net);
+	if (ret < 0)
+		goto err_generic;
 	ret = nf_conntrack_expect_init(net);
 	if (ret < 0)
 		goto err_expect;
@@ -1600,6 +1604,8 @@ err_tstamp:
 err_acct:
 	nf_conntrack_expect_fini(net);
 err_expect:
+	nf_conntrack_proto_generic_net_fini(net);
+err_generic:
 	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
 err_hash:
 	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 835e24c..0d4545b 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -42,7 +42,7 @@ static int generic_print_tuple(struct seq_file *s,
 
 static unsigned int *generic_get_timeouts(struct net *net)
 {
-	return &nf_ct_generic_timeout;
+	return &(net->ct.proto.sysctl_generic_timeout);
 }
 
 /* Returns verdict for packet, or -1 for invalid. */
@@ -105,11 +105,10 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *generic_sysctl_header;
 static struct ctl_table generic_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_generic_timeout",
-		.data		= &nf_ct_generic_timeout,
+		.data		= &init_net.ct.proto.sysctl_generic_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -120,7 +119,7 @@ static struct ctl_table generic_sysctl_table[] = {
 static struct ctl_table generic_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_generic_timeout",
-		.data		= &nf_ct_generic_timeout,
+		.data		= &init_net.ct.proto.sysctl_generic_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -150,11 +149,89 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
 		.nla_policy	= generic_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+};
+
+int nf_conntrack_proto_generic_net_init(struct net *net)
+{
+	struct ctl_table *table;
+	int ret = 0;
 #ifdef CONFIG_SYSCTL
-	.ctl_table_header	= &generic_sysctl_header,
-	.ctl_table		= generic_sysctl_table,
 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= generic_compat_sysctl_table,
+	struct ctl_table *compat_table;
 #endif
 #endif
-};
+	net->ct.proto.sysctl_generic_timeout = nf_ct_generic_timeout;
+#ifdef CONFIG_SYSCTL
+	table = kmemdup(generic_sysctl_table,
+			sizeof(generic_sysctl_table),
+			GFP_KERNEL);
+	if (!table)
+		return -ENOMEM;
+	
+	table[0].data = &net->ct.proto.sysctl_generic_timeout;
+
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.generic_sysctl_header,
+					nf_net_netfilter_sysctl_path,
+					table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR 
+			"nf_conntrack_proto_generic:"
+			" can't register to sysctl.\n");
+		kfree(table);
+		return ret;
+	}
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	compat_table = kmemdup(generic_compat_sysctl_table,
+			       sizeof(generic_compat_sysctl_table),
+			       GFP_KERNEL);
+	if (!compat_table) {
+		ret = -ENOMEM;
+		goto out_compat;
+	}
+	compat_table[0].data = &net->ct.proto.sysctl_generic_timeout;
+	ret = nf_ct_register_net_sysctl(net,
+					&net->ct.proto.generic_compat_header,
+					nf_net_ipv4_netfilter_sysctl_path,
+					compat_table,
+					NULL);
+	if (ret < 0) {
+		printk(KERN_ERR 
+			"nf_conntrack_proto_generic:"
+			" can't register to compat sysctl.\n");
+		goto out_compat_register;
+	}
+#endif
+	return 0;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+out_compat_register:
+	kfree(compat_table);
+out_compat:
+	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
+				    table,
+				    NULL);
+#endif
+#endif
+	return ret;
+}
+
+void nf_conntrack_proto_generic_net_fini(struct net *net)
+{
+#ifdef CONFIG_SYSCTL
+	struct ctl_table *table;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table *compat_table;
+#endif
+	table = net->ct.proto.generic_sysctl_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_sysctl_header,
+				    table,
+				    NULL);
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	compat_table = net->ct.proto.generic_compat_header->ctl_table_arg;
+	nf_ct_unregister_net_sysctl(&net->ct.proto.generic_compat_header,
+				    compat_table,
+				    NULL);
+#endif
+#endif
+}
-- 
1.7.7.6

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ