* sctp conntrack
From: Harald Welte @ 2004-07-22 19:16 UTC (permalink / raw)
To: Kiran Kumar Immidi; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 715 bytes --]
Hi!
I was about to include the SCTP conntrack patch into my set of pending
patches for 2.6.9 but then discovered that you don't export the timeouts
via /proc (similar to what recent versions of ip_conntrack_tcp do).
Would you please include support for /proc tuning of the timeouts and
submit a patch against current CVS?
Thanks.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
* Re: sctp conntrack
From: Kiran Kumar Immidi @ 2004-07-27 8:18 UTC (permalink / raw)
To: Harald Welte; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 795 bytes --]
On Friday 23 July 2004 12:46 am, Harald Welte wrote:
> I was about to include the SCTP conntrack patch into my set of pending
> patches for 2.6.9 but then discovered that you don't export the timeouts
> via /proc (similar to what recent versions of ip_conntrack_tcp do).
>
> Would you please include support for /proc tuning of the timeouts and
> submit a patch against current CVS?
The attached patch adds this support. It is a diff against current cvs pom
sctp-conntrack-nat module, the following doubt remains:
- The type of these timeouts in case of TCP is unsigned long, though the code
in ip_conntrack_standalone.c treats them as unsigned int. I am not sure of
the working, but I suspect something wrong here. I have followed the same
pattern however.
Regards,
Kiran Kumar Immidi
[-- Attachment #2: sctp_timeout.diff --]
[-- Type: text/x-diff, Size: 6444 bytes --]
Index: linux.patch
===================================================================
RCS file: /cvspublic/patch-o-matic-ng/sctp-conntrack-nat/linux.patch,v
retrieving revision 1.1
diff -u -r1.1 linux.patch
--- linux.patch 10 Apr 2004 15:52:01 -0000 1.1
+++ linux.patch 27 Jul 2004 05:48:13 -0000
@@ -1,6 +1,6 @@
-diff -ru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h tp/linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
---- linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-01-09 12:29:48.000000000 +0530
-+++ tp/linux-2.6.4/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-14 15:33:18.000000000 +0530
+diff -ru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.6.orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+--- linux-2.6.6.orig/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-01-09 12:29:48.000000000 +0530
++++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-04-14 15:33:18.000000000 +0530
@@ -25,6 +25,9 @@
struct {
u_int16_t id;
@@ -21,3 +21,19 @@
} u;
/* The protocol. */
+--- linux-2.6.6.orig/include/linux/sysctl.h 2004-07-27 04:16:46.000000000 +0530
++++ linux-2.6.6/include/linux/sysctl.h 2004-07-27 06:20:48.333196352 +0530
+@@ -406,6 +406,13 @@
+ NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT=12,
+ NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT=13,
+ NET_IPV4_NF_CONNTRACK_BUCKETS=14,
++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED=15,
++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT=16,
++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED=17,
++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED=18,
++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=19,
++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=20,
++ NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=21,
+ };
+
+ /* /proc/sys/net/ipv6 */
Index: linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
===================================================================
RCS file: /cvspublic/patch-o-matic-ng/sctp-conntrack-nat/linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c,v
retrieving revision 1.1
diff -u -r1.1 ip_conntrack_proto_sctp.c
--- linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 10 Apr 2004 15:52:01 -0000 1.1
+++ linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 27 Jul 2004 05:48:14 -0000
@@ -9,6 +9,10 @@
* published by the Free Software Foundation.
*/
+/*
+ * Added support for proc manipulation of timeouts.
+ */
+
#include <linux/types.h>
#include <linux/sched.h>
#include <linux/timer.h>
@@ -505,11 +509,125 @@
.me = THIS_MODULE
};
+#ifdef CONFIG_SYSCTL
+static ctl_table ip_ct_sysctl_table[] = {
+ {
+ .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED,
+ .procname = "ip_conntrack_sctp_timeout_closed",
+ .data = &ip_ct_sctp_timeout_closed,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_jiffies,
+ },
+ {
+ .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT,
+ .procname = "ip_conntrack_sctp_timeout_cookie_wait",
+ .data = &ip_ct_sctp_timeout_cookie_wait,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_jiffies,
+ },
+ {
+ .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED,
+ .procname = "ip_conntrack_sctp_timeout_cookie_echoed",
+ .data = &ip_ct_sctp_timeout_cookie_echoed,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_jiffies,
+ },
+ {
+ .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED,
+ .procname = "ip_conntrack_sctp_timeout_established",
+ .data = &ip_ct_sctp_timeout_established,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_jiffies,
+ },
+ {
+ .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT,
+ .procname = "ip_conntrack_sctp_timeout_shutdown_sent",
+ .data = &ip_ct_sctp_timeout_shutdown_sent,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_jiffies,
+ },
+ {
+ .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD,
+ .procname = "ip_conntrack_sctp_timeout_shutdown_recd",
+ .data = &ip_ct_sctp_timeout_shutdown_recd,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_jiffies,
+ },
+ {
+ .ctl_name = NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT,
+ .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
+ .data = &ip_ct_sctp_timeout_shutdown_ack_sent,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_jiffies,
+ },
+ { .ctl_name = 0 }
+};
+
+static ctl_table ip_ct_netfilter_table[] = {
+ {
+ .ctl_name = NET_IPV4_NETFILTER,
+ .procname = "netfilter",
+ .mode = 0555,
+ .child = ip_ct_sysctl_table,
+ },
+ { .ctl_name = 0 }
+};
+
+static ctl_table ip_ct_ipv4_table[] = {
+ {
+ .ctl_name = NET_IPV4,
+ .procname = "ipv4",
+ .mode = 0555,
+ .child = ip_ct_netfilter_table,
+ },
+ { .ctl_name = 0 }
+};
+
+static ctl_table ip_ct_net_table[] = {
+ {
+ .ctl_name = CTL_NET,
+ .procname = "net",
+ .mode = 0555,
+ .child = ip_ct_ipv4_table,
+ },
+ { .ctl_name = 0 }
+};
+
+static struct ctl_table_header *ip_ct_sysctl_header;
+#endif
+
int __init init(void)
{
int ret;
ret = ip_conntrack_protocol_register(&ip_conntrack_protocol_sctp);
+ if (ret) {
+ printk("ip_conntrack_proto_sctp: protocol register failed\n");
+ goto out;
+ }
+
+#ifdef CONFIG_SYSCTL
+ ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0);
+ if (ip_ct_sysctl_header == NULL) {
+ printk("ip_conntrack_proto_sctp: can't register to sysctl.\n");
+ goto cleanup;
+ }
+#endif
+
+ return ret;
+
+ cleanup:
+#ifdef CONFIG_SYSCTL
+ ip_conntrack_protocol_unregister(&ip_conntrack_protocol_sctp);
+#endif
+ out:
DEBUGP("SCTP conntrack module loading %s\n",
ret ? "failed": "succeeded");
return ret;
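Review bot: In init(), the register_sysctl_table() failure path jumps to cleanup with ret still 0 from the successful ip_conntrack_protocol_register() call, so the module unregisters the protocol and then reports a successful load. Set an error before the jump, for example `ret = -ENOMEM;` ahead of `goto cleanup;`. As written, a later fini() calls ip_conntrack_protocol_unregister() a second time and hands the NULL ip_ct_sysctl_header to unregister_sysctl_table(). Two smaller points in the same function: the new `return ret;` on the success path skips the DEBUGP load message, and the `cleanup:` label sits outside the #ifdef while its only `goto` is inside it, which gives an unused-label warning when CONFIG_SYSCTL is off. The seven table entries also pair sizeof(unsigned int) with proc_dointvec_jiffies, the pattern the cover mail itself questions; the declarations of ip_ct_sctp_timeout_* are not in this hunk, so their type should be checked against the handler.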
@@ -518,6 +636,9 @@
void __exit fini(void)
{
ip_conntrack_protocol_unregister(&ip_conntrack_protocol_sctp);
+#ifdef CONFIG_SYSCTL
+ unregister_sysctl_table(ip_ct_sysctl_header);
+#endif
DEBUGP("SCTP conntrack module unloaded\n");
}
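Review bot: fini() tears down in the same order init() sets up: the protocol is unregistered first and the sysctl table second. Unregister the sysctl table before calling ip_conntrack_protocol_unregister(), so the /proc entries go away before the protocol they tune and the exit path is the reverse of the init path.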
* Re: sctp conntrack
From: Harald Welte @ 2004-08-01 16:50 UTC (permalink / raw)
To: Kiran Kumar Immidi; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 1377 bytes --]
On Tue, Jul 27, 2004 at 01:48:34PM +0530, Kiran Kumar Immidi wrote:
> On Friday 23 July 2004 12:46 am, Harald Welte wrote:
>
> > I was about to include the SCTP conntrack patch into my set of pending
> > patches for 2.6.9 but then discovered that you don't export the timeouts
> > via /proc (similar to what recent versions of ip_conntrack_tcp do).
> >
> > Would you please include support for /proc tuning of the timeouts and
> > submit a patch against current CVS?
>
> The attached patch adds this support. It is a diff against current cvs pom
> sctp-conntrack-nat module, the following doubt remains:
thanks, applied.
>
> - The type of these timeouts in case of TCP is unsigned long, though the code
> in ip_conntrack_standalone.c treats them as unsigned int. I am not sure of
> the working, but I suspect something wrong here. I have followed the same
> pattern however.
yes, indeed. on 64bit archs this is going to cause trouble :(
> Regards,
> Kiran Kumar Immidi
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
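The unsigned int / unsigned long mismatch discussed above, as an added userspace model that is not code from this thread or from the kernel: it lays out an 8-byte timeout variable byte by byte and shows what an int-sized handler reads and writes on little-endian and big-endian 64-bit machines. Assumptions: an LP64 target, HZ of 1000, and constructed timeout values; all function names are hypothetical.

```c
/* Userspace model (added example, not kernel code): an 8-byte
 * "unsigned long" timeout on an LP64 machine, accessed by a sysctl
 * handler that was told the variable is sizeof(unsigned int) wide.
 * All names and values below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum byte_order { BO_LITTLE, BO_BIG };  /* byte order of the modelled CPU */

/* Store the low n bytes of v at p in the given byte order. */
static void store(unsigned char *p, size_t n, uint64_t v, enum byte_order bo)
{
    for (size_t i = 0; i < n; i++) {
        size_t shift = (bo == BO_LITTLE) ? i : n - 1 - i;
        p[i] = (unsigned char)(v >> (8 * shift));
    }
}

/* Load an n-byte integer from p in the given byte order. */
static uint64_t load(const unsigned char *p, size_t n, enum byte_order bo)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) {
        size_t shift = (bo == BO_LITTLE) ? i : n - 1 - i;
        v |= (uint64_t)p[i] << (8 * shift);
    }
    return v;
}

/* Value the kernel sees in the unsigned long after an int-sized handler
 * (maxlen = sizeof(unsigned int)) has stored `written` at its address. */
uint64_t after_int_write(uint64_t initial, uint32_t written, enum byte_order bo)
{
    unsigned char slot[8];
    store(slot, 8, initial, bo);  /* the variable as the kernel initialised it */
    store(slot, 4, written, bo);  /* the handler touches only the first 4 bytes */
    return load(slot, 8, bo);
}

/* Value an int-sized handler reports when the /proc file is read. */
uint32_t int_read(uint64_t value, enum byte_order bo)
{
    unsigned char slot[8];
    store(slot, 8, value, bo);
    return (uint32_t)load(slot, 4, bo);
}

/* Value after a handler that uses the full width
 * (maxlen = sizeof(unsigned long)). */
uint64_t after_long_write(uint64_t initial, uint64_t written, enum byte_order bo)
{
    unsigned char slot[8];
    store(slot, 8, initial, bo);
    store(slot, 8, written, bo);
    return load(slot, 8, bo);
}

int main(void)
{
    const uint64_t hz = 1000;                    /* assumed HZ */
    const uint64_t dflt = 432000 * hz;           /* constructed default: 5 days in jiffies */
    const uint32_t want = (uint32_t)(600 * hz);  /* admin writes 600 seconds */
    const char *name[] = { "little-endian", "big-endian" };

    for (int bo = BO_LITTLE; bo <= BO_BIG; bo++) {
        printf("%s LP64:\n", name[bo]);
        printf("  int handler reads      %u\n",
               (unsigned)int_read(dflt, (enum byte_order)bo));
        printf("  after int-sized write  %llu\n",
               (unsigned long long)after_int_write(dflt, want, (enum byte_order)bo));
        printf("  after long-sized write %llu\n",
               (unsigned long long)after_long_write(dflt, want, (enum byte_order)bo));
    }
    return 0;
}
```

On the little-endian layout the int-sized access happens to hit the low half, so the bug stays hidden as long as the value fits in 32 bits; on the big-endian layout it hits the high half, so reads return 0 and a write leaves the old timeout in the low half.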
* Re: sctp conntrack
From: Kiran Kumar Immidi @ 2004-08-02 10:25 UTC (permalink / raw)
To: Harald Welte; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 615 bytes --]
On Sunday 01 August 2004 10:20 pm, Harald Welte wrote:
> > - The type of these timeouts in case of TCP is unsigned long, though the
> > code in ip_conntrack_standalone.c treats them as unsigned int. I am not
> > sure of the working, but I suspect something wrong here. I have followed
> > the same pattern however.
>
> yes, indeed. on 64bit archs this is going to cause trouble :(
Do you want me to make a patch for this?
Attached is a patch which adds SCTP support for the LOG target. This applies
against 2.6.7 sources. (I had sent this patch earlier, but that one seems to
have problems.. this is fine).
[-- Attachment #2: ipt_LOG.c_sctp.diff --]
[-- Type: text/x-diff, Size: 2593 bytes --]
--- linux-2.6.7/net/ipv4/netfilter/ipt_LOG.c.orig 2004-08-02 15:44:29.009342792 +0530
+++ linux-2.6.7/net/ipv4/netfilter/ipt_LOG.c 2004-08-02 15:45:08.014413120 +0530
@@ -17,6 +17,7 @@
#include <net/icmp.h>
#include <net/udp.h>
#include <net/tcp.h>
+#include <linux/sctp.h>
#include <net/route.h>
#include <linux/netfilter.h>
@@ -310,6 +311,90 @@
printk("SPI=0x%x ", ntohl(esph.spi));
break;
}
+ case IPPROTO_SCTP: {
+ u_int32_t offset, count;
+ sctp_sctphdr_t sh;
+ sctp_chunkhdr_t sch;
+
+ const char *sctp_chunk_names[255] = {
+ [0] = "DATA",
+ [1] = "INIT",
+ [2] = "INIT_ACK",
+ [3] = "SACK",
+ [4] = "HEARTBEAT",
+ [5] = "HEARTBEAT_ACK",
+ [6] = "ABORT",
+ [7] = "SHUTDOWN",
+ [8] = "SHUTDOWN_ACK",
+ [9] = "ERROR",
+ [10] = "COOKIE_ECHO",
+ [11] = "COOKIE_ACK",
+ [12] = "ECN_ECNE",
+ [13] = "ECN_CWR",
+ [14] = "SHUTDOWN_COMPLETE",
+ [0xc1] = "ASCONF",
+ [0x80] = "ASCONF_ACK",
+ };
+
+ /* Max length: 11 "PROTO=SCTP " */
+ printk("PROTO=SCTP ");
+
+ if (ntohs(iph.frag_off) & IP_OFFSET)
+ break;
+
+ /* Max length: 25 "INCOMPLETE [65535 bytes] " */
+ if (skb_copy_bits(skb, iphoff+iph.ihl*4, &sh, sizeof(sh))
+ < 0) {
+ printk("INCOMPLETE [%u bytes] ",
+ skb->len - iphoff - iph.ihl*4);
+ break;
+ }
+
+ /* Max length: 20 "SPT=65535 DPT=65535 " */
+ printk("SPT=%u DPT=%u ",
+ ntohs(sh.source), ntohs(sh.dest));
+
+ printk("Chunks: ");
+ count = 0;
+ for (offset = iph.ihl * 4 + sizeof (sctp_sctphdr_t) + iphoff;
+ offset < skb->len;
+ offset += (htons(sch.length) + 3) & ~3, count++) {
+ if (skb_copy_bits(skb, offset, &sch,
+ sizeof(sch)) < 0) {
+ printk("INCOMPLETE CHUNK HDR[%u bytes] ",
+ skb->len - iphoff - iph.ihl*4);
+ break;
+ }
+ printk("%s",sctp_chunk_names[sch.type]?
+ sctp_chunk_names[sch.type]: "UNKNOWN");
+
+ /* Print the chunk flags */
+ if (sch.type == SCTP_CID_DATA) {
+ char u,b,e;
+
+ u = b = e = 0;
+ if (sch.flags & 1) e = 1;
+ if (sch.flags & 2) b = 1;
+ if (sch.flags & 4) u = 1;
+
+ if (u || b || e) {
+ printk("[");
+ u && printk("U");
+ b && printk("B");
+ e && printk("E");
+ printk("]");
+ }
+ } else if (sch.type == SCTP_CID_ABORT
+ || sch.type == SCTP_CID_SHUTDOWN_COMPLETE) {
+ if (sch.flags & 1) {
+ printk("[T]");
+ }
+ }
+ printk(" ");
+ }
+ printk(": %d chunk%s ", count, (count == 1)? "": "s");
+ break;
+ }
/* Max length: 10 "PROTO 255 " */
default:
printk("PROTO=%u ", iph.protocol);
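Review bot: The chunk loop advances with `offset += (htons(sch.length) + 3) & ~3`, which evaluates to 0 when a packet carries a chunk whose length field is 0, so offset never moves and the loop never terminates while logging a single malformed packet. Treat any length below sizeof(sch) as malformed and break out before advancing, and use ntohs() since the field is read from the wire. sch.type is an 8-bit value used to index sctp_chunk_names[255], whose last valid index is 254, so a chunk of type 255 reads one element past the array; size the table 256. The table is also a non-static local, so it is rebuilt on the kernel stack for every logged packet; make it `static const char *const`. The INCOMPLETE CHUNK HDR message prints skb->len - iphoff - iph.ihl*4, the whole SCTP length, rather than the bytes remaining at offset, and the chunk list has no "Max length" accounting like the other cases because the number of names printed is unbounded.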
* Re: sctp conntrack
From: Harald Welte @ 2004-08-02 11:05 UTC (permalink / raw)
To: Kiran Kumar Immidi; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 1153 bytes --]
On Mon, Aug 02, 2004 at 03:55:38PM +0530, Kiran Kumar Immidi wrote:
> On Sunday 01 August 2004 10:20 pm, Harald Welte wrote:
>
> > > - The type of these timeouts in case of TCP is unsigned long, though the
> > > code in ip_conntrack_standalone.c treats them as unsigned int. I am not
> > > sure of the working, but I suspect something wrong here. I have followed
> > > the same pattern however.
> >
> > yes, indeed. on 64bit archs this is going to cause trouble :(
>
> Do you want me to make a patch for this?
that would be appreciated, yes.
> Attached is a patch which adds SCTP support for the LOG target. This
> applies
Thanks, I'm putting it in patch-o-matic right now.
A patch for ulogd_BASE.c from ulogd would also be very much appreciated.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
* Re: sctp conntrack
From: Pablo Neira @ 2004-08-02 11:34 UTC (permalink / raw)
To: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 777 bytes --]
Hi Harald,
Harald Welte wrote:
>On Mon, Aug 02, 2004 at 03:55:38PM +0530, Kiran Kumar Immidi wrote:
>
>
>>On Sunday 01 August 2004 10:20 pm, Harald Welte wrote:
>>
>>
>>
>>>>- The type of these timeouts in case of TCP is unsigned long, though the
>>>>code in ip_conntrack_standalone.c treats them as unsigned int. I am not
>>>>sure of the working, but I suspect something wrong here. I have followed
>>>>the same pattern however.
>>>>
>>>>
>>>yes, indeed. on 64bit archs this is going to cause trouble :(
>>>
>>>
I've observed this problem two weeks ago, actually I prepared a patch
but I was a bit busy to post it to the mailing list. I just tried it
with my current kernel and works for me. If missing anything, please let
me know.
regards,
Pablo
[-- Attachment #2: sysctl.patch --]
[-- Type: text/x-patch, Size: 6568 bytes --]
diff -u -r1.1.1.1 sysctl.c
--- a/kernel/sysctl.c 29 Jul 2004 13:06:24 -0000 1.1.1.1
+++ b/kernel/sysctl.c 29 Jul 2004 13:15:31 -0000
@@ -1819,6 +1819,30 @@
lenp, HZ, 1000l);
}
+/**
+ * proc_doulongvec_jiffies_minmax - read a vector of second values with min/max values
+ * @table: the sysctl table
+ * @write: %TRUE if this is a write to the sysctl file
+ * @filp: the file structure
+ * @buffer: the user buffer
+ * @lenp: the size of the user buffer
+ *
+ * Reads/writes up to table->maxlen/sizeof(unsigned long) unsigned long
+ * values from/to the user buffer, treated as an ASCII string. The values
+ * are treated as milliseconds, and converted to jiffies when they are stored.
+ *
+ * This routine will ensure the values are within the range specified by
+ * table->extra1 (min) and table->extra2 (max).
+ *
+ * Returns 0 on success.
+ */
+int proc_doulongvec_jiffies_minmax(ctl_table *table, int write,
+ struct file *filp,
+ void __user *buffer, size_t *lenp)
+{
+ return do_proc_doulongvec_minmax(table, write, filp, buffer,
+ lenp, HZ, 1l);
+}
static int do_proc_dointvec_jiffies_conv(int *negp, unsigned long *lvalp,
int *valp,
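Review bot: The kernel-doc for proc_doulongvec_jiffies_minmax says the values "are treated as milliseconds", but the body passes HZ and 1l to do_proc_doulongvec_minmax(), where the function just above passes HZ and 1000l, and the summary line says "second values". The comment looks copied from the ms_jiffies variant; change it to say seconds so the unit written into /proc is unambiguous.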
@@ -2157,6 +2181,13 @@
return -ENOSYS;
}
+int proc_doulongvec_jiffies_minmax(ctl_table *table, int write,
+ struct file *filp,
+ void __user *buffer, size_t *lenp)
+{
+ return -ENOSYS;
+}
+
struct ctl_table_header * register_sysctl_table(ctl_table * table,
int insert_at_head)
{
@@ -2180,6 +2211,7 @@
EXPORT_SYMBOL(proc_dostring);
EXPORT_SYMBOL(proc_doulongvec_minmax);
EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
+EXPORT_SYMBOL(proc_doulongvec_jiffies_minmax);
EXPORT_SYMBOL(register_sysctl_table);
EXPORT_SYMBOL(sysctl_intvec);
EXPORT_SYMBOL(sysctl_jiffies);
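Review bot: The symbol is exported here, but this patch touches only kernel/sysctl.c and ip_conntrack_standalone.c and adds no prototype to a header, so ip_conntrack_standalone.c takes the address of a function it has no declaration for. Add the extern declaration to include/linux/sysctl.h in the same patch.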
diff -u -r1.1.1.1 ip_conntrack_standalone.c
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 29 Jun 2004 14:04:08 -0000 1.1.1.1
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 29 Jul 2004 13:13:12 -0000
@@ -356,103 +356,101 @@
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
.procname = "ip_conntrack_tcp_timeout_syn_sent",
.data = &ip_ct_tcp_timeout_syn_sent,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
.procname = "ip_conntrack_tcp_timeout_syn_recv",
.data = &ip_ct_tcp_timeout_syn_recv,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
.procname = "ip_conntrack_tcp_timeout_established",
.data = &ip_ct_tcp_timeout_established,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
.procname = "ip_conntrack_tcp_timeout_fin_wait",
.data = &ip_ct_tcp_timeout_fin_wait,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
.procname = "ip_conntrack_tcp_timeout_close_wait",
.data = &ip_ct_tcp_timeout_close_wait,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
.procname = "ip_conntrack_tcp_timeout_last_ack",
.data = &ip_ct_tcp_timeout_last_ack,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
.procname = "ip_conntrack_tcp_timeout_time_wait",
.data = &ip_ct_tcp_timeout_time_wait,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
.procname = "ip_conntrack_tcp_timeout_close",
.data = &ip_ct_tcp_timeout_close,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT,
.procname = "ip_conntrack_udp_timeout",
.data = &ip_ct_udp_timeout,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
.procname = "ip_conntrack_udp_timeout_stream",
.data = &ip_ct_udp_timeout_stream,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
.procname = "ip_conntrack_icmp_timeout",
.data = &ip_ct_icmp_timeout,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT,
.procname = "ip_conntrack_generic_timeout",
.data = &ip_ct_generic_timeout,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{ .ctl_name = 0 }
};
-#define NET_IP_CONNTRACK_MAX 2089
-
static ctl_table ip_ct_netfilter_table[] = {
{
.ctl_name = NET_IPV4_NETFILTER,
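Review bot: Every entry now uses proc_doulongvec_jiffies_minmax, whose kernel-doc earlier in this patch promises range checking against table->extra1 and table->extra2, yet none of the twelve entries sets either field, so no bound is applied to what is written. Either supply min/max values or state in the changelog that the handler is chosen only for its unsigned long width. The removal of `#define NET_IP_CONNTRACK_MAX 2089` at the end of the hunk is unrelated to the type fix and belongs in a separate patch.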
@@ -460,14 +458,6 @@
.mode = 0555,
.child = ip_ct_sysctl_table,
},
- {
- .ctl_name = NET_IP_CONNTRACK_MAX,
- .procname = "ip_conntrack_max",
- .data = &ip_conntrack_max,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = &proc_dointvec
- },
{ .ctl_name = 0 }
};
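Review bot: Dropping the ip_conntrack_max entry from ip_ct_netfilter_table removes a mode 0644 sysctl file that existing scripts may write to, and nothing in the submission explains it. This is a user-visible interface change unrelated to the unsigned long conversion; leave the entry in place here and propose its removal separately if it really is redundant.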
* Re: sctp conntrack
From: Pablo Neira @ 2004-08-02 11:37 UTC (permalink / raw)
To: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist
Hi again,
I forgot something...
Pablo Neira wrote:
>-#define NET_IP_CONNTRACK_MAX 2089
>-
> static ctl_table ip_ct_netfilter_table[] = {
> {
> .ctl_name = NET_IPV4_NETFILTER,
>@@ -460,14 +458,6 @@
> .mode = 0555,
> .child = ip_ct_sysctl_table,
> },
>- {
>- .ctl_name = NET_IP_CONNTRACK_MAX,
>- .procname = "ip_conntrack_max",
>- .data = &ip_conntrack_max,
>- .maxlen = sizeof(int),
>- .mode = 0644,
>- .proc_handler = &proc_dointvec
>- },
> { .ctl_name = 0 }
> };
>
>
>
ip_conntrack_max is duplicated, is there any reason to do so? that's why
I remove that entry in the sysctl table.
regards,
Pablo
* Re: sctp conntrack
From: Jozsef Kadlecsik @ 2004-08-02 11:54 UTC (permalink / raw)
To: Pablo Neira; +Cc: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist
On Mon, 2 Aug 2004, Pablo Neira wrote:
> ip_conntrack_max is duplicated, is there any reason to do so? that's why
> I remove that entry in the sysctl table.
Yes, that's intentional: we keep the backward compatible
/proc/sys/net/ipv4/ip_conntrack_max besides the new
/proc/sys/net/ipv4/netfilter/ip_conntrack_max
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: sctp conntrack
From: Pablo Neira @ 2004-08-02 12:32 UTC (permalink / raw)
To: Jozsef Kadlecsik
Cc: Harald Welte, Kiran Kumar, Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 444 bytes --]
Hi Jozsef,
Jozsef Kadlecsik wrote:
>On Mon, 2 Aug 2004, Pablo Neira wrote:
>
>
>>ip_conntrack_max is duplicated, is there any reason to do so? that's why
>>I remove that entry in the sysctl table.
>>
>>
>
>Yes, that's intentional: we keep the backward compatible
>/proc/sys/net/ipv4/ip_conntrack_max besides the new
>/proc/sys/net/ipv4/netfilter/ip_conntrack_max
>
>
ok, in that case, please take this patch instead.
regards,
Pablo
[-- Attachment #2: sysctl.patch --]
[-- Type: text/x-patch, Size: 6681 bytes --]
diff -u -r1.1.1.1 sysctl.h
--- a/include/linux/sysctl.h 11 May 2004 13:35:37 -0000 1.1.1.1
+++ b/include/linux/sysctl.h 2 Aug 2004 11:47:49 -0000
@@ -776,6 +776,8 @@
void __user *, size_t *);
extern int proc_doulongvec_ms_jiffies_minmax(ctl_table *table, int,
struct file *, void __user *, size_t *);
+extern int proc_doulongvec_jiffies_minmax(ctl_table *table, int,
+ struct file *, void __user *, size_t *);
extern int do_sysctl (int __user *name, int nlen,
void __user *oldval, size_t __user *oldlenp,
diff -u -r1.1.1.1 sysctl.c
--- a/kernel/sysctl.c 11 May 2004 13:35:21 -0000 1.1.1.1
+++ b/kernel/sysctl.c 29 Jul 2004 13:21:22 -0000
@@ -1819,6 +1819,30 @@
lenp, HZ, 1000l);
}
+/**
+ * proc_doulongvec_jiffies_minmax - read a vector of second values with min/max values
+ * @table: the sysctl table
+ * @write: %TRUE if this is a write to the sysctl file
+ * @filp: the file structure
+ * @buffer: the user buffer
+ * @lenp: the size of the user buffer
+ *
+ * Reads/writes up to table->maxlen/sizeof(unsigned long) unsigned long
+ * values from/to the user buffer, treated as an ASCII string. The values
+ * are treated as milliseconds, and converted to jiffies when they are stored.
+ *
+ * This routine will ensure the values are within the range specified by
+ * table->extra1 (min) and table->extra2 (max).
+ *
+ * Returns 0 on success.
+ */
+int proc_doulongvec_jiffies_minmax(ctl_table *table, int write,
+ struct file *filp,
+ void __user *buffer, size_t *lenp)
+{
+ return do_proc_doulongvec_minmax(table, write, filp, buffer,
+ lenp, HZ, 1l);
+}
static int do_proc_dointvec_jiffies_conv(int *negp, unsigned long *lvalp,
int *valp,
@@ -2157,6 +2181,13 @@
return -ENOSYS;
}
+int proc_doulongvec_jiffies_minmax(ctl_table *table, int write,
+ struct file *filp,
+ void __user *buffer, size_t *lenp)
+{
+ return -ENOSYS;
+}
+
struct ctl_table_header * register_sysctl_table(ctl_table * table,
int insert_at_head)
{
@@ -2180,6 +2211,7 @@
EXPORT_SYMBOL(proc_dostring);
EXPORT_SYMBOL(proc_doulongvec_minmax);
EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
+EXPORT_SYMBOL(proc_doulongvec_jiffies_minmax);
EXPORT_SYMBOL(register_sysctl_table);
EXPORT_SYMBOL(sysctl_intvec);
EXPORT_SYMBOL(sysctl_jiffies);
diff -u -r1.4 ip_conntrack_standalone.c
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c 29 Jul 2004 13:23:24 -0000 1.4
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c 2 Aug 2004 11:59:40 -0000
@@ -356,97 +356,97 @@
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
.procname = "ip_conntrack_tcp_timeout_syn_sent",
.data = &ip_ct_tcp_timeout_syn_sent,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
.procname = "ip_conntrack_tcp_timeout_syn_recv",
.data = &ip_ct_tcp_timeout_syn_recv,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
.procname = "ip_conntrack_tcp_timeout_established",
.data = &ip_ct_tcp_timeout_established,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
.procname = "ip_conntrack_tcp_timeout_fin_wait",
.data = &ip_ct_tcp_timeout_fin_wait,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
.procname = "ip_conntrack_tcp_timeout_close_wait",
.data = &ip_ct_tcp_timeout_close_wait,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
.procname = "ip_conntrack_tcp_timeout_last_ack",
.data = &ip_ct_tcp_timeout_last_ack,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
.procname = "ip_conntrack_tcp_timeout_time_wait",
.data = &ip_ct_tcp_timeout_time_wait,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
.procname = "ip_conntrack_tcp_timeout_close",
.data = &ip_ct_tcp_timeout_close,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT,
.procname = "ip_conntrack_udp_timeout",
.data = &ip_ct_udp_timeout,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
.procname = "ip_conntrack_udp_timeout_stream",
.data = &ip_ct_udp_timeout_stream,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
.procname = "ip_conntrack_icmp_timeout",
.data = &ip_ct_icmp_timeout,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{
.ctl_name = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT,
.procname = "ip_conntrack_generic_timeout",
.data = &ip_ct_generic_timeout,
- .maxlen = sizeof(unsigned int),
+ .maxlen = sizeof(unsigned long),
.mode = 0644,
- .proc_handler = &proc_dointvec_jiffies,
+ .proc_handler = &proc_doulongvec_jiffies_minmax,
},
{ .ctl_name = 0 }
};
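Review bot: The conversion changes only .maxlen and .proc_handler; the declarations of the twelve ip_ct_*_timeout variables are not part of the patch, so confirm that each one (udp, udp_stream, icmp and generic as well as the TCP ones) really is unsigned long, because the handler now reads and writes sizeof(unsigned long) bytes at .data. The SCTP entries added earlier in this thread still use sizeof(unsigned int) with proc_dointvec_jiffies and need the same treatment.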