* [PATCH nf-next] netfilter: move nf_ct_netns_get out of nf_conncount_init
@ 2024-07-18 2:09 Xin Long
2024-07-18 7:00 ` Florian Westphal
2024-08-19 16:28 ` Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Xin Long @ 2024-07-18 2:09 UTC (permalink / raw)
To: netfilter-devel, coreteam, network dev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, davem,
kuba, Eric Dumazet, Paolo Abeni, Pravin B Shelar, Ilya Maximets,
Aaron Conole
This patch is to move nf_ct_netns_get() out of nf_conncount_init()
and let the consumers of nf_conncount decide if they want to turn
on netfilter conntrack.
It makes nf_conncount more flexible to be used in other places and
avoids netfilter conntrack turned on when using it in openvswitch
conntrack.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
include/net/netfilter/nf_conntrack_count.h | 6 ++----
net/netfilter/nf_conncount.c | 15 +++------------
net/netfilter/xt_connlimit.c | 15 +++++++++++++--
net/openvswitch/conntrack.c | 5 ++---
4 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h
index e227d997fc71..1b58b5b91ff6 100644
--- a/include/net/netfilter/nf_conntrack_count.h
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -15,10 +15,8 @@ struct nf_conncount_list {
unsigned int count; /* length of list */
};
-struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
- unsigned int keylen);
-void nf_conncount_destroy(struct net *net, unsigned int family,
- struct nf_conncount_data *data);
+struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen);
+void nf_conncount_destroy(struct net *net, struct nf_conncount_data *data);
unsigned int nf_conncount_count(struct net *net,
struct nf_conncount_data *data,
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 34ba14e59e95..4890af4dc263 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -522,11 +522,10 @@ unsigned int nf_conncount_count(struct net *net,
}
EXPORT_SYMBOL_GPL(nf_conncount_count);
-struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
- unsigned int keylen)
+struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen)
{
struct nf_conncount_data *data;
- int ret, i;
+ int i;
if (keylen % sizeof(u32) ||
keylen / sizeof(u32) > MAX_KEYLEN ||
@@ -539,12 +538,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family
if (!data)
return ERR_PTR(-ENOMEM);
- ret = nf_ct_netns_get(net, family);
- if (ret < 0) {
- kfree(data);
- return ERR_PTR(ret);
- }
-
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
data->root[i] = RB_ROOT;
@@ -581,13 +574,11 @@ static void destroy_tree(struct rb_root *r)
}
}
-void nf_conncount_destroy(struct net *net, unsigned int family,
- struct nf_conncount_data *data)
+void nf_conncount_destroy(struct net *net, struct nf_conncount_data *data)
{
unsigned int i;
cancel_work_sync(&data->gc_work);
- nf_ct_netns_put(net, family);
for (i = 0; i < ARRAY_SIZE(data->root); ++i)
destroy_tree(&data->root[i]);
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 5d04ef80a61d..0e762277bcf8 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -86,6 +86,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
{
struct xt_connlimit_info *info = par->matchinfo;
unsigned int keylen;
+ int ret;
keylen = sizeof(u32);
if (par->family == NFPROTO_IPV6)
@@ -93,8 +94,17 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
else
keylen += sizeof(struct in_addr);
+ ret = nf_ct_netns_get(par->net, par->family);
+ if (ret < 0) {
+ pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
+ par->family);
+ return ret;
+ }
+
/* init private data */
- info->data = nf_conncount_init(par->net, par->family, keylen);
+ info->data = nf_conncount_init(par->net, keylen);
+ if (IS_ERR(info->data))
+ nf_ct_netns_put(par->net, par->family);
return PTR_ERR_OR_ZERO(info->data);
}
@@ -103,7 +113,8 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
{
const struct xt_connlimit_info *info = par->matchinfo;
- nf_conncount_destroy(par->net, par->family, info->data);
+ nf_conncount_destroy(par->net, info->data);
+ nf_ct_netns_put(par->net, par->family);
}
static struct xt_match connlimit_mt_reg __read_mostly = {
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 3b980bf2770b..056f6120ee36 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1576,8 +1576,7 @@ static int ovs_ct_limit_init(struct net *net, struct ovs_net *ovs_net)
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; i++)
INIT_HLIST_HEAD(&ovs_net->ct_limit_info->limits[i]);
- ovs_net->ct_limit_info->data =
- nf_conncount_init(net, NFPROTO_INET, sizeof(u32));
+ ovs_net->ct_limit_info->data = nf_conncount_init(net, sizeof(u32));
if (IS_ERR(ovs_net->ct_limit_info->data)) {
err = PTR_ERR(ovs_net->ct_limit_info->data);
@@ -1594,7 +1593,7 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net)
const struct ovs_ct_limit_info *info = ovs_net->ct_limit_info;
int i;
- nf_conncount_destroy(net, NFPROTO_INET, info->data);
+ nf_conncount_destroy(net, info->data);
for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
struct hlist_head *head = &info->limits[i];
struct ovs_ct_limit *ct_limit;
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH nf-next] netfilter: move nf_ct_netns_get out of nf_conncount_init
2024-07-18 2:09 [PATCH nf-next] netfilter: move nf_ct_netns_get out of nf_conncount_init Xin Long
@ 2024-07-18 7:00 ` Florian Westphal
2024-08-19 16:28 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2024-07-18 7:00 UTC (permalink / raw)
To: Xin Long
Cc: netfilter-devel, coreteam, network dev, Pablo Neira Ayuso,
Jozsef Kadlecsik, Florian Westphal, davem, kuba, Eric Dumazet,
Paolo Abeni, Pravin B Shelar, Ilya Maximets, Aaron Conole
Xin Long <lucien.xin@gmail.com> wrote:
> This patch is to move nf_ct_netns_get() out of nf_conncount_init()
> and let the consumers of nf_conncount decide if they want to turn
> on netfilter conntrack.
>
> It makes nf_conncount more flexible to be used in other places and
> avoids netfilter conntrack turned on when using it in openvswitch
> conntrack.
Reviewed-by: Florian Westphal <fw@strlen.de>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH nf-next] netfilter: move nf_ct_netns_get out of nf_conncount_init
2024-07-18 2:09 [PATCH nf-next] netfilter: move nf_ct_netns_get out of nf_conncount_init Xin Long
2024-07-18 7:00 ` Florian Westphal
@ 2024-08-19 16:28 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2024-08-19 16:28 UTC (permalink / raw)
To: Xin Long
Cc: netfilter-devel, coreteam, network dev, Jozsef Kadlecsik,
Florian Westphal, davem, kuba, Eric Dumazet, Paolo Abeni,
Pravin B Shelar, Ilya Maximets, Aaron Conole
On Wed, Jul 17, 2024 at 10:09:44PM -0400, Xin Long wrote:
> This patch is to move nf_ct_netns_get() out of nf_conncount_init()
> and let the consumers of nf_conncount decide if they want to turn
> on netfilter conntrack.
>
> It makes nf_conncount more flexible to be used in other places and
> avoids netfilter conntrack turned on when using it in openvswitch
> conntrack.
Applied nf-next, thanks
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-08-19 16:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-18 2:09 [PATCH nf-next] netfilter: move nf_ct_netns_get out of nf_conncount_init Xin Long
2024-07-18 7:00 ` Florian Westphal
2024-08-19 16:28 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).