* sctp conntrack
From: Harald Welte @ 2004-07-22 19:16 UTC
To: Kiran Kumar Immidi; +Cc: Netfilter Development Mailinglist

Hi!

I was about to include the SCTP conntrack patch into my set of pending
patches for 2.6.9 but then discovered that you don't export the timeouts
via /proc (similar to what recent versions of ip_conntrack_tcp do).

Would you please include support for /proc tuning of the timeouts and
submit a patch against current CVS?

Thanks.
-- 
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: sctp conntrack
From: Kiran Kumar Immidi @ 2004-07-27 8:18 UTC
To: Harald Welte; +Cc: Netfilter Development Mailinglist

On Friday 23 July 2004 12:46 am, Harald Welte wrote:
> I was about to include the SCTP conntrack patch into my set of pending
> patches for 2.6.9 but then discovered that you don't export the timeouts
> via /proc (similar to what recent versions of ip_conntrack_tcp do).
>
> Would you please include support for /proc tuning of the timeouts and
> submit a patch against current CVS?

The attached patch adds this support. It is a diff against current cvs pom
sctp-conntrack-nat module, the following doubt remains:

- The type of these timeouts in case of TCP is unsigned long, though the code
  in ip_conntrack_standalone.c treats them as unsigned int. I am not sure of
  the working, but I suspect something wrong here. I have followed the same
  pattern however.

Regards,
Kiran Kumar Immidi

[-- Attachment #2: sctp_timeout.diff --]
[-- Type: text/x-diff, Size: 6444 bytes --]

Index: linux.patch =================================================================== RCS file: /cvspublic/patch-o-matic-ng/sctp-conntrack-nat/linux.patch,v retrieving revision 1.1 diff -u -r1.1 linux.patch --- linux.patch 10 Apr 2004 15:52:01 -0000 1.1 +++ linux.patch 27 Jul 2004 05:48:13 -0000 
@@ -1,6 +1,6 @@ -diff -ru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h tp/linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h ---- linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-01-09 12:29:48.000000000 +0530 -+++ tp/linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-14 15:33:18.000000000 +0530 +diff -ru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.6.orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_tuple.h +--- linux-2.6.6.orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-01-09 12:29:48.000000000 +0530 ++++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-14 15:33:18.000000000 +0530 @@ -25,6 +25,9 @@ struct { u_int16_t id; 
@@ -21,3 +21,19 @@ } u; /* The protocol. */ +--- linux-2.6.6.orig/include/linux/sysctl.h 2004-07-27 04:16:46.000000000 +0530 ++++ linux-2.6.6/include/linux/sysctl.h 2004-07-27 06:20:48.333196352 +0530 +@@ -406,6 +406,13 @@ + NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT=12, + NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT=13, + NET_IPV4_NF_CONNTRACK_BUCKETS=14, ++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED=15, ++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT=16, ++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED=17, ++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED=18, ++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=19, ++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=20, ++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=21, + }; + + /* /proc/sys/net/ipv6 */ Index: linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c =================================================================== RCS file: /cvspublic/patch-o-matic-ng/sctp-conntrack-nat/linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c,v retrieving revision 1.1 diff -u -r1.1 ip_conntrack_proto_sctp.c --- linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 10 Apr 2004 15:52:01 -0000 1.1 +++ linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 27 Jul 2004 05:48:14 -0000 @@ -9,6 +9,10 @@ * published by the Free Software Foundation. */ +/* + * Added support for proc manipulation of timeouts. + */ + #include <linux/types.h> #include <linux/sched.h> #include <linux/timer.h> 
@@ -505,11 +509,125 @@ .me = THIS_MODULE }; +#ifdef CONFIG_SYSCTL +static ctl_table ip_ct_sysctl_table[] = { + { + .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED, + .procname = "ip_conntrack_sctp_timeout_closed", + .data = &ip_ct_sctp_timeout_closed, + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = &proc_dointvec_jiffies, + }, + { + .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT, + .procname = "ip_conntrack_sctp_timeout_cookie_wait", + .data = &ip_ct_sctp_timeout_cookie_wait, + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = &proc_dointvec_jiffies, + }, + { + .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED, + .procname = "ip_conntrack_sctp_timeout_cookie_echoed", + .data = &ip_ct_sctp_timeout_cookie_echoed, + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = &proc_dointvec_jiffies, + }, + { + .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED, + .procname = "ip_conntrack_sctp_timeout_established", + .data = &ip_ct_sctp_timeout_established, + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = &proc_dointvec_jiffies, + }, + { + .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT, + .procname = "ip_conntrack_sctp_timeout_shutdown_sent", + .data = &ip_ct_sctp_timeout_shutdown_sent, + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = &proc_dointvec_jiffies, + }, + { + .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD, + .procname = "ip_conntrack_sctp_timeout_shutdown_recd", + .data = &ip_ct_sctp_timeout_shutdown_recd, + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = &proc_dointvec_jiffies, + }, + { + .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT, + .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent", + .data = &ip_ct_sctp_timeout_shutdown_ack_sent, + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = &proc_dointvec_jiffies, + }, + { .ctl_name = 0 } +}; + +static 
ctl_table ip_ct_netfilter_table[] = { + { + .ctl_name = NET_IPV4_NETFILTER, + .procname = "netfilter", + .mode = 0555, + .child = ip_ct_sysctl_table, + }, + { .ctl_name = 0 } +}; + +static ctl_table ip_ct_ipv4_table[] = { + { + .ctl_name = NET_IPV4, + .procname = "ipv4", + .mode = 0555, + .child = ip_ct_netfilter_table, + }, + { .ctl_name = 0 } +}; + +static ctl_table ip_ct_net_table[] = { + { + .ctl_name = CTL_NET, + .procname = "net", + .mode = 0555, + .child = ip_ct_ipv4_table, + }, + { .ctl_name = 0 } +}; + +static struct ctl_table_header *ip_ct_sysctl_header; +#endif + int __init init(void) { int ret; ret = ip_conntrack_protocol_register(&ip_conntrack_protocol_sctp); + if (ret) { + printk("ip_conntrack_proto_sctp: protocol register failed\n"); + goto out; + } + +#ifdef CONFIG_SYSCTL + ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0); + if (ip_ct_sysctl_header == NULL) { + printk("ip_conntrack_proto_sctp: can't register to sysctl.\n"); + goto cleanup; + } +#endif + + return ret; + + cleanup: +#ifdef CONFIG_SYSCTL + ip_conntrack_protocol_unregister(&ip_conntrack_protocol_sctp); +#endif + out: DEBUGP("SCTP conntrack module loading %s\n", ret ? "failed": "succeeded"); return ret; @@ -518,6 +636,9 @@ void __exit fini(void) { ip_conntrack_protocol_unregister(&ip_conntrack_protocol_sctp); +#ifdef CONFIG_SYSCTL + unregister_sysctl_table(ip_ct_sysctl_header); +#endif DEBUGP("SCTP conntrack module unloaded\n"); } ^ permalink raw reply [flat|nested] 9+ messages in thread
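Review bot: in init(), the register_sysctl_table() failure branch jumps to cleanup with ret still 0 from the successful ip_conntrack_protocol_register() call, so the function falls through to out: and returns success after the protocol registration has been undone. Set ret to an error such as -ENOMEM before the goto; as written the module stays loaded and fini() later calls ip_conntrack_protocol_unregister() a second time and unregister_sysctl_table() on a NULL header. The cleanup: label also sits outside the #ifdef CONFIG_SYSCTL block that holds its only goto, which leaves an unused label when sysctl support is compiled out.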
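Review bot: every entry in ip_ct_sysctl_table pairs .maxlen = sizeof(unsigned int) with proc_dointvec_jiffies, while the ip_ct_sctp_timeout_* variables the .data pointers name are not declared in this diff and, per the cover note, follow the TCP pattern of unsigned long. If that is their type, the handler covers only part of each variable on 64-bit builds; either declare the SCTP timeouts as unsigned int or give the entries a maxlen and handler sized for unsigned long. The entries are mode 0644 with no range limit, so it is also worth deciding whether a zero or negative write should be accepted as a timeout.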
* Re: sctp conntrack
From: Harald Welte @ 2004-08-01 16:50 UTC
To: Kiran Kumar Immidi; +Cc: Netfilter Development Mailinglist

On Tue, Jul 27, 2004 at 01:48:34PM +0530, Kiran Kumar Immidi wrote:
> On Friday 23 July 2004 12:46 am, Harald Welte wrote:
>
> > I was about to include the SCTP conntrack patch into my set of pending
> > patches for 2.6.9 but then discovered that you don't export the timeouts
> > via /proc (similar to what recent versions of ip_conntrack_tcp do).
> >
> > Would you please include support for /proc tuning of the timeouts and
> > submit a patch against current CVS?
>
> The attached patch adds this support. It is a diff against current cvs pom
> sctp-conntrack-nat module, the following doubt remains:

thanks, applied.

>
> - The type of these timeouts in case of TCP is unsigned long, though the code
>   in ip_conntrack_standalone.c treats them as unsigned int. I am not sure of
>   the working, but I suspect something wrong here. I have followed the same
>   pattern however.

yes, indeed. on 64bit archs this is going to cause trouble :(

> Regards,
> Kiran Kumar Immidi

-- 
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
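The 64-bit problem confirmed above, as an added example that is not part of the thread or of the kernel source: a user-space model of a sysctl handler that stores an int-sized value into a variable the rest of the code reads as a 64-bit unsigned long. The byte-order enum, the HZ_MODEL tick rate and all function names are assumptions of this model, chosen so the result is the same on whatever machine runs it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed model, not kernel code. The 8-byte "unsigned long" timeout is
 * kept as raw bytes in an explicit byte order so the outcome does not depend
 * on the host CPU. */
enum byte_order { ORDER_LE, ORDER_BE };

#define HZ_MODEL 1000u /* assumed ticks per second for the model */

/* Store the low `width` bytes of v at p in the given byte order. */
static void store(uint8_t *p, uint64_t v, size_t width, enum byte_order bo)
{
    for (size_t i = 0; i < width; i++) {
        size_t pos = (bo == ORDER_LE) ? i : width - 1 - i;
        p[pos] = (uint8_t)(v >> (8 * i));
    }
}

/* Read `width` bytes at p as an unsigned integer in the given byte order. */
static uint64_t load(const uint8_t *p, size_t width, enum byte_order bo)
{
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++) {
        size_t pos = (bo == ORDER_LE) ? i : width - 1 - i;
        v |= (uint64_t)p[pos] << (8 * i);
    }
    return v;
}

/*
 * Model one write of `seconds` to a timeout sysctl.
 *   int_sized != 0: the table entry says maxlen = sizeof(unsigned int), so the
 *                   handler stores 4 bytes at the start of the variable.
 *   int_sized == 0: maxlen = sizeof(unsigned long), the handler stores 8 bytes.
 * Returns the tick count the timer code would then read from the full
 * 8-byte variable.
 */
uint64_t timeout_after_write(int int_sized, uint64_t old_ticks,
                             uint32_t seconds, enum byte_order bo)
{
    uint8_t slot[8];
    uint64_t ticks = (uint64_t)seconds * HZ_MODEL;

    store(slot, old_ticks, sizeof(slot), bo);   /* value before the write */
    store(slot, ticks, int_sized ? 4 : 8, bo);  /* what the handler touches */
    return load(slot, sizeof(slot), bo);        /* what the consumer sees */
}

int main(void)
{
    const uint32_t secs = 600;
    const uint64_t stale = 5ULL << 32; /* constructed old value, high half set */

    printf("LE int handler, clean slot : %llu\n",
           (unsigned long long)timeout_after_write(1, 0, secs, ORDER_LE));
    printf("LE int handler, stale high : %llu\n",
           (unsigned long long)timeout_after_write(1, stale, secs, ORDER_LE));
    printf("BE int handler, clean slot : %llu\n",
           (unsigned long long)timeout_after_write(1, 0, secs, ORDER_BE));
    printf("BE ulong handler           : %llu\n",
           (unsigned long long)timeout_after_write(0, stale, secs, ORDER_BE));
    return 0;
}
```

On a little-endian 64-bit layout the int-sized store lands in the low half and looks correct only while the high half is zero; on a big-endian layout it lands in the high half, so the timeout read back is the intended tick count shifted left by 32 bits.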
* Re: sctp conntrack
From: Kiran Kumar Immidi @ 2004-08-02 10:25 UTC
To: Harald Welte; +Cc: Netfilter Development Mailinglist

On Sunday 01 August 2004 10:20 pm, Harald Welte wrote:
> > - The type of these timeouts in case of TCP is unsigned long, though the
> >   code in ip_conntrack_standalone.c treats them as unsigned int. I am not
> >   sure of the working, but I suspect something wrong here. I have followed
> >   the same pattern however.
>
> yes, indeed. on 64bit archs this is going to cause trouble :(

Do you want me to make a patch for this?

Attached is a patch which adds SCTP support for the LOG target. This applies
against 2.6.7 sources. (I had sent this patch earlier, but that one seems to
have problems.. this is fine).

[-- Attachment #2: ipt_LOG.c_sctp.diff --]
[-- Type: text/x-diff, Size: 2593 bytes --]

--- linux-2.6.7/net/ipv4/netfilter/ipt_LOG.c.orig 2004-08-02 15:44:29.009342792 +0530 +++ linux-2.6.7/net/ipv4/netfilter/ipt_LOG.c 2004-08-02 15:45:08.014413120 +0530 @@ -17,6 +17,7 @@ #include <net/icmp.h> #include <net/udp.h> #include <net/tcp.h> +#include <linux/sctp.h> #include <net/route.h> #include <linux/netfilter.h> 
@@ -310,6 +311,90 @@ printk("SPI=0x%x ", ntohl(esph.spi)); break; } + case IPPROTO_SCTP: { + u_int32_t offset, count; + sctp_sctphdr_t sh; + sctp_chunkhdr_t sch; + + const char *sctp_chunk_names[255] = { + [0] = "DATA", + [1] = "INIT", + [2] = "INIT_ACK", + [3] = "SACK", + [4] = "HEARTBEAT", + [5] = "HEARTBEAT_ACK", + [6] = "ABORT", + [7] = "SHUTDOWN", + [8] = "SHUTDOWN_ACK", + [9] = "ERROR", + [10] = "COOKIE_ECHO", + [11] = "COOKIE_ACK", + [12] = "ECN_ECNE", + [13] = "ECN_CWR", + [14] = "SHUTDOWN_COMPLETE", + [0xc1] = "ASCONF", + [0x80] = "ASCONF_ACK", + }; + + /* Max length: 11 "PROTO=SCTP " */ + printk("PROTO=SCTP "); + + if (ntohs(iph.frag_off) & IP_OFFSET) + break; + + /* Max length: 25 "INCOMPLETE [65535 bytes] " */ + if (skb_copy_bits(skb, iphoff+iph.ihl*4, &sh, sizeof(sh)) + < 0) { + printk("INCOMPLETE [%u bytes] ", + skb->len - iphoff - iph.ihl*4); + break; + } + + /* Max length: 20 "SPT=65535 DPT=65535 " */ + printk("SPT=%u DPT=%u ", + ntohs(sh.source), ntohs(sh.dest)); + + printk("Chunks: "); + count = 0; + for (offset = iph.ihl * 4 + sizeof (sctp_sctphdr_t) + iphoff; + offset < skb->len; + offset += (htons(sch.length) + 3) & ~3, count++) { + if (skb_copy_bits(skb, offset, &sch, + sizeof(sch)) < 0) { + printk("INCOMPLETE CHUNK HDR[%u bytes] ", + skb->len - iphoff - iph.ihl*4); + break; + } + printk("%s",sctp_chunk_names[sch.type]? + sctp_chunk_names[sch.type]: "UNKNOWN"); + + /* Print the chunk flags */ + if (sch.type == SCTP_CID_DATA) { + char u,b,e; + + u = b = e = 0; + if (sch.flags & 1) e = 1; + if (sch.flags & 2) b = 1; + if (sch.flags & 4) u = 1; + + if (u || b || e) { + printk("["); + u && printk("U"); + b && printk("B"); + e && printk("E"); + printk("]"); + } + } else if (sch.type == SCTP_CID_ABORT + || sch.type == SCTP_CID_SHUTDOWN_COMPLETE) { + if (sch.flags & 1) { + printk("[T]"); + } + } + printk(" "); + } + printk(": %d chunk%s ", count, (count == 1)? 
"": "s"); + break; + } /* Max length: 10 "PROTO 255 " */ default: printk("PROTO=%u ", iph.protocol); ^ permalink raw reply [flat|nested] 9+ messages in thread
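Review bot: sctp_chunk_names is declared with 255 elements but is indexed with sch.type, a one-byte field copied straight from the packet, so a chunk type of 255 reads one slot past the array and hands whatever is there to printk("%s"). Declare the table with 256 entries (or bound the index before the lookup) and make it static const, since as written the whole pointer table is rebuilt on the kernel stack for every logged SCTP packet.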
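Review bot: the chunk loop advances with offset += (htons(sch.length) + 3) & ~3 and never validates the length it just read, so a chunk header whose length field is 0 leaves offset unchanged and the for loop does not terminate while the packet is being logged. Break out with a marker when the length is smaller than sizeof(sch), and use ntohs() for the conversion since the value goes from wire to host order. The INCOMPLETE CHUNK HDR message also prints skb->len - iphoff - iph.ihl*4 rather than the bytes remaining at offset, and count is a u_int32_t printed with %d.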
* Re: sctp conntrack
From: Harald Welte @ 2004-08-02 11:05 UTC
To: Kiran Kumar Immidi; +Cc: Netfilter Development Mailinglist

On Mon, Aug 02, 2004 at 03:55:38PM +0530, Kiran Kumar Immidi wrote:
> On Sunday 01 August 2004 10:20 pm, Harald Welte wrote:
>
> > > - The type of these timeouts in case of TCP is unsigned long, though the
> > >   code in ip_conntrack_standalone.c treats them as unsigned int. I am not
> > >   sure of the working, but I suspect something wrong here. I have followed
> > >   the same pattern however.
> >
> > yes, indeed. on 64bit archs this is going to cause trouble :(
>
> Do you want me to make a patch for this?

that would be appreciated, yes.

> Attached is a patch which adds SCTP support for the LOG target. This
> applies

Thanks, I'm putting it in patch-o-matic right now. A patch for
ulogd_BASE.c from ulogd would also be very much appreciated.

-- 
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
* Re: sctp conntrack
From: Pablo Neira @ 2004-08-02 11:34 UTC
To: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist

Hi Harald,

Harald Welte wrote:

>On Mon, Aug 02, 2004 at 03:55:38PM +0530, Kiran Kumar Immidi wrote:
>
>>On Sunday 01 August 2004 10:20 pm, Harald Welte wrote:
>>
>>>>- The type of these timeouts in case of TCP is unsigned long, though the
>>>>code in ip_conntrack_standalone.c treats them as unsigned int. I am not
>>>>sure of the working, but I suspect something wrong here. I have followed
>>>>the same pattern however.
>>>>
>>>yes, indeed. on 64bit archs this is going to cause trouble :(
>>>

I've observed this problem two weeks ago, actually I prepared a patch
but I was a bit busy to post it to the mailing list. I just tried it
with my current kernel and works for me. If missing anything, please let
me know.

regards,
Pablo

[-- Attachment #2: sysctl.patch --]
[-- Type: text/x-patch, Size: 6568 bytes --]

diff -u -r1.1.1.1 sysctl.c --- a/kernel/sysctl.c 29 Jul 2004 13:06:24 -0000 1.1.1.1 +++ b/kernel/sysctl.c 29 Jul 2004 13:15:31 -0000 
@@ -1819,6 +1819,30 @@ lenp, HZ, 1000l); } +/** + * proc_doulongvec_jiffies_minmax - read a vector of second values with min/max values + * @table: the sysctl table + * @write: %TRUE if this is a write to the sysctl file + * @filp: the file structure + * @buffer: the user buffer + * @lenp: the size of the user buffer + * + * Reads/writes up to table->maxlen/sizeof(unsigned long) unsigned long + * values from/to the user buffer, treated as an ASCII string. The values + * are treated as milliseconds, and converted to jiffies when they are stored. + * + * This routine will ensure the values are within the range specified by + * table->extra1 (min) and table->extra2 (max). + * + * Returns 0 on success. + */ +int proc_doulongvec_jiffies_minmax(ctl_table *table, int write, + struct file *filp, + void __user *buffer, size_t *lenp) +{ + return do_proc_doulongvec_minmax(table, write, filp, buffer, + lenp, HZ, 1l); +} static int do_proc_dointvec_jiffies_conv(int *negp, unsigned long *lvalp, int *valp, @@ -2157,6 +2181,13 @@ return -ENOSYS; } +int proc_doulongvec_jiffies_minmax(ctl_table *table, int write, + struct file *filp, + void __user *buffer, size_t *lenp) +{ + return -ENOSYS; +} + struct ctl_table_header * register_sysctl_table(ctl_table * table, int insert_at_head) { @@ -2180,6 +2211,7 @@ EXPORT_SYMBOL(proc_dostring); EXPORT_SYMBOL(proc_doulongvec_minmax); EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax); +EXPORT_SYMBOL(proc_doulongvec_jiffies_minmax); EXPORT_SYMBOL(register_sysctl_table); EXPORT_SYMBOL(sysctl_intvec); EXPORT_SYMBOL(sysctl_jiffies); diff -u -r1.1.1.1 ip_conntrack_standalone.c --- a/net/ipv4/netfilter/ip_conntrack_standalone.c 29 Jun 2004 14:04:08 -0000 1.1.1.1 +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 29 Jul 2004 13:13:12 -0000 
@@ -356,103 +356,101 @@ .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT, .procname = "ip_conntrack_tcp_timeout_syn_sent", .data = &ip_ct_tcp_timeout_syn_sent, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV, .procname = "ip_conntrack_tcp_timeout_syn_recv", .data = &ip_ct_tcp_timeout_syn_recv, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED, .procname = "ip_conntrack_tcp_timeout_established", .data = &ip_ct_tcp_timeout_established, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT, .procname = "ip_conntrack_tcp_timeout_fin_wait", .data = &ip_ct_tcp_timeout_fin_wait, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT, .procname = "ip_conntrack_tcp_timeout_close_wait", .data = &ip_ct_tcp_timeout_close_wait, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK, .procname = "ip_conntrack_tcp_timeout_last_ack", .data = &ip_ct_tcp_timeout_last_ack, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = 
NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT, .procname = "ip_conntrack_tcp_timeout_time_wait", .data = &ip_ct_tcp_timeout_time_wait, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE, .procname = "ip_conntrack_tcp_timeout_close", .data = &ip_ct_tcp_timeout_close, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT, .procname = "ip_conntrack_udp_timeout", .data = &ip_ct_udp_timeout, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM, .procname = "ip_conntrack_udp_timeout_stream", .data = &ip_ct_udp_timeout_stream, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT, .procname = "ip_conntrack_icmp_timeout", .data = &ip_ct_icmp_timeout, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT, .procname = "ip_conntrack_generic_timeout", .data = &ip_ct_generic_timeout, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = 0 } }; -#define NET_IP_CONNTRACK_MAX 2089 - static ctl_table ip_ct_netfilter_table[] = { { .ctl_name = NET_IPV4_NETFILTER, 
@@ -460,14 +458,6 @@ .mode = 0555, .child = ip_ct_sysctl_table, }, - { - .ctl_name = NET_IP_CONNTRACK_MAX, - .procname = "ip_conntrack_max", - .data = &ip_conntrack_max, - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = &proc_dointvec - }, { .ctl_name = 0 } }; ^ permalink raw reply [flat|nested] 9+ messages in thread
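Review bot: the kernel-doc added above proc_doulongvec_jiffies_minmax() contradicts itself: its summary line says "second values" while the body still says the values "are treated as milliseconds", wording that belongs to the ms_jiffies variant whose call ends in lenp, HZ, 1000l just above. With HZ, 1l passed here the unit is seconds, so the body should say so. This version also adds no prototype for the new function to a header, although ip_conntrack_standalone.c names it in every converted entry, and the removal of the ip_conntrack_max entry in the last hunk is a separate change that deserves its own mention in the description.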
* Re: sctp conntrack
From: Pablo Neira @ 2004-08-02 11:37 UTC
To: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist

Hi again,

I forgot something...

Pablo Neira wrote:

>-#define NET_IP_CONNTRACK_MAX 2089 >- > static ctl_table ip_ct_netfilter_table[] = { > { > .ctl_name = NET_IPV4_NETFILTER, >@@ -460,14 +458,6 @@ > .mode = 0555, > .child = ip_ct_sysctl_table, > }, >- { >- .ctl_name = NET_IP_CONNTRACK_MAX, >- .procname = "ip_conntrack_max", >- .data = &ip_conntrack_max, >- .maxlen = sizeof(int), >- .mode = 0644, >- .proc_handler = &proc_dointvec >- }, > { .ctl_name = 0 } > }; > > > 

ip_conntrack_max is duplicated, is there any reason to do so? that's why
I remove that entry in the sysctl table.

regards,
Pablo
* Re: sctp conntrack
From: Jozsef Kadlecsik @ 2004-08-02 11:54 UTC
To: Pablo Neira; +Cc: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist

On Mon, 2 Aug 2004, Pablo Neira wrote:

> ip_conntrack_max is duplicated, is there any reason to do so? that's why
> I remove that entry in the sysctl table.

Yes, that's intentional: we keep the backward compatible
/proc/sys/net/ipv4/ip_conntrack_max besides the new
/proc/sys/net/ipv4/netfilter/ip_conntrack_max

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
* Re: sctp conntrack
From: Pablo Neira @ 2004-08-02 12:32 UTC
To: Jozsef Kadlecsik
Cc: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist

Hi Jozsef,

Jozsef Kadlecsik wrote:

>On Mon, 2 Aug 2004, Pablo Neira wrote:
>
>>ip_conntrack_max is duplicated, is there any reason to do so? that's why
>>I remove that entry in the sysctl table.
>>
>
>Yes, that's intentional: we keep the backward compatible
>/proc/sys/net/ipv4/ip_conntrack_max besides the new
>/proc/sys/net/ipv4/netfilter/ip_conntrack_max
>

ok, in that case, please take this patch instead.

regards,
Pablo

[-- Attachment #2: sysctl.patch --]
[-- Type: text/x-patch, Size: 6681 bytes --]

diff -u -r1.1.1.1 sysctl.h --- a/include/linux/sysctl.h 11 May 2004 13:35:37 -0000 1.1.1.1 +++ b/include/linux/sysctl.h 2 Aug 2004 11:47:49 -0000 @@ -776,6 +776,8 @@ void __user *, size_t *); extern int proc_doulongvec_ms_jiffies_minmax(ctl_table *table, int, struct file *, void __user *, size_t *); +extern int proc_doulongvec_jiffies_minmax(ctl_table *table, int, + struct file *, void __user *, size_t *); extern int do_sysctl (int __user *name, int nlen, void __user *oldval, size_t __user *oldlenp, diff -u -r1.1.1.1 sysctl.c --- a/kernel/sysctl.c 11 May 2004 13:35:21 -0000 1.1.1.1 +++ b/kernel/sysctl.c 29 Jul 2004 13:21:22 -0000 
@@ -1819,6 +1819,30 @@ lenp, HZ, 1000l); } +/** + * proc_doulongvec_jiffies_minmax - read a vector of second values with min/max values + * @table: the sysctl table + * @write: %TRUE if this is a write to the sysctl file + * @filp: the file structure + * @buffer: the user buffer + * @lenp: the size of the user buffer + * + * Reads/writes up to table->maxlen/sizeof(unsigned long) unsigned long + * values from/to the user buffer, treated as an ASCII string. The values + * are treated as milliseconds, and converted to jiffies when they are stored. + * + * This routine will ensure the values are within the range specified by + * table->extra1 (min) and table->extra2 (max). + * + * Returns 0 on success. + */ +int proc_doulongvec_jiffies_minmax(ctl_table *table, int write, + struct file *filp, + void __user *buffer, size_t *lenp) +{ + return do_proc_doulongvec_minmax(table, write, filp, buffer, + lenp, HZ, 1l); +} static int do_proc_dointvec_jiffies_conv(int *negp, unsigned long *lvalp, int *valp, @@ -2157,6 +2181,13 @@ return -ENOSYS; } +int proc_doulongvec_jiffies_minmax(ctl_table *table, int write, + struct file *filp, + void __user *buffer, size_t *lenp) +{ + return -ENOSYS; +} + struct ctl_table_header * register_sysctl_table(ctl_table * table, int insert_at_head) { @@ -2180,6 +2211,7 @@ EXPORT_SYMBOL(proc_dostring); EXPORT_SYMBOL(proc_doulongvec_minmax); EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax); +EXPORT_SYMBOL(proc_doulongvec_jiffies_minmax); EXPORT_SYMBOL(register_sysctl_table); EXPORT_SYMBOL(sysctl_intvec); EXPORT_SYMBOL(sysctl_jiffies); diff -u -r1.4 ip_conntrack_standalone.c --- a/net/ipv4/netfilter/ip_conntrack_standalone.c 29 Jul 2004 13:23:24 -0000 1.4 +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2 Aug 2004 11:59:40 -0000 
@@ -356,97 +356,97 @@ .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT, .procname = "ip_conntrack_tcp_timeout_syn_sent", .data = &ip_ct_tcp_timeout_syn_sent, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV, .procname = "ip_conntrack_tcp_timeout_syn_recv", .data = &ip_ct_tcp_timeout_syn_recv, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED, .procname = "ip_conntrack_tcp_timeout_established", .data = &ip_ct_tcp_timeout_established, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT, .procname = "ip_conntrack_tcp_timeout_fin_wait", .data = &ip_ct_tcp_timeout_fin_wait, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT, .procname = "ip_conntrack_tcp_timeout_close_wait", .data = &ip_ct_tcp_timeout_close_wait, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK, .procname = "ip_conntrack_tcp_timeout_last_ack", .data = &ip_ct_tcp_timeout_last_ack, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = 
NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT, .procname = "ip_conntrack_tcp_timeout_time_wait", .data = &ip_ct_tcp_timeout_time_wait, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE, .procname = "ip_conntrack_tcp_timeout_close", .data = &ip_ct_tcp_timeout_close, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT, .procname = "ip_conntrack_udp_timeout", .data = &ip_ct_udp_timeout, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM, .procname = "ip_conntrack_udp_timeout_stream", .data = &ip_ct_udp_timeout_stream, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT, .procname = "ip_conntrack_icmp_timeout", .data = &ip_ct_icmp_timeout, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT, .procname = "ip_conntrack_generic_timeout", .data = &ip_ct_generic_timeout, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(unsigned long), .mode = 0644, - .proc_handler = &proc_dointvec_jiffies, + .proc_handler = &proc_doulongvec_jiffies_minmax, }, { .ctl_name = 0 } }; ^ permalink raw reply [flat|nested] 9+ messages in thread
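Review bot: none of the entries converted to proc_doulongvec_jiffies_minmax in ip_ct_sysctl_table sets .extra1 or .extra2, so the range check the new function's kernel-doc promises has no bounds configured for any conntrack timeout. If limits are intended (a non-zero minimum, for instance), add them per entry; if they are not, the comment should say the bounds are optional so the handler name does not suggest a check that these mode 0644 entries never get.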