* [PATCH 05/17] netfilter: add namespace support for l4proto_tcp
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

Implement tcp_init_net to initialize the pernet sysctl data
for the tcp proto.

Because tcp_init_net is called by l4proto_tcp[4,6], use
nf_proto_net.users to identify whether the pernet data is
initialized when CONFIG_SYSCTL is not configured.

nf_tcp_net is a field of netns_ct; when the proto is tcp,
nf_ct_l4proto_net returns net->ct.proto.tcp.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netns/conntrack.h          |   10 +++
 net/netfilter/nf_conntrack_proto.c     |    2 +
 net/netfilter/nf_conntrack_proto_tcp.c |  114 ++++++++++++++++++++++++--------
 3 files changed, 97 insertions(+), 29 deletions(-)

diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 3381b80..d79e627 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -4,6 +4,7 @@
 #include <linux/list.h>
 #include <linux/list_nulls.h>
 #include <linux/atomic.h>
+#include <linux/netfilter/nf_conntrack_tcp.h>
 
 struct ctl_table_header;
 struct nf_conntrack_ecache;
@@ -25,8 +26,17 @@ struct nf_generic_net {
 	unsigned int timeout;
 };
 
+struct nf_tcp_net {
+	struct nf_proto_net pn;
+	unsigned int timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
+	unsigned int tcp_loose;
+	unsigned int tcp_be_liberal;
+	unsigned int tcp_max_retrans;
+};
+
 struct nf_ip_net {
 	struct nf_generic_net   generic;
+	struct nf_tcp_net	tcp;
 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	struct ctl_table_header *ctl_table_header;
 	struct ctl_table	*ctl_table;
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 9b4bf6d..4531d6a 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -288,6 +288,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
 					      struct nf_conntrack_l4proto *l4proto)
 {
 	switch (l4proto->l4proto) {
+	case IPPROTO_TCP:
+		return (struct nf_proto_net *)&net->ct.proto.tcp;
 	case 255: /* l4proto_generic */
 		return (struct nf_proto_net *)&net->ct.proto.generic;
 	default:
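Review bot: The new `case IPPROTO_TCP` returns `(struct nf_proto_net *)&net->ct.proto.tcp`, which is only correct while `pn` stays the first member of `struct nf_tcp_net`. Nothing enforces that, so a later field reorder would silently hand callers a mis-typed pointer. Returning the member directly, `return &net->ct.proto.tcp.pn;`, needs no cast and lets the compiler check the type. The same cast appears in `tcp_init_net` (`pn = (struct nf_proto_net *)tn`), where `&tn->pn` would do. The switch continues outside this hunk.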
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 4dfbfa8..dd19350 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -270,6 +270,11 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
 	}
 };
 
+static inline struct nf_tcp_net *tcp_pernet(struct net *net)
+{
+	return &net->ct.proto.tcp;
+}
+
 static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 			     struct nf_conntrack_tuple *tuple)
 {
@@ -516,6 +521,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
 			  u_int8_t pf)
 {
 	struct net *net = nf_ct_net(ct);
+	struct nf_tcp_net *tn = tcp_pernet(net);
 	struct ip_ct_tcp_state *sender = &state->seen[dir];
 	struct ip_ct_tcp_state *receiver = &state->seen[!dir];
 	const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
@@ -720,7 +726,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	} else {
 		res = false;
 		if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
-		    nf_ct_tcp_be_liberal)
+		    tn->tcp_be_liberal)
 			res = true;
 		if (!res && LOG_INVALID(net, IPPROTO_TCP))
 			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
@@ -828,6 +834,7 @@ static int tcp_packet(struct nf_conn *ct,
 		      unsigned int *timeouts)
 {
 	struct net *net = nf_ct_net(ct);
+	struct nf_tcp_net *tn = tcp_pernet(net);
 	struct nf_conntrack_tuple *tuple;
 	enum tcp_conntrack new_state, old_state;
 	enum ip_conntrack_dir dir;
@@ -1019,7 +1026,7 @@ static int tcp_packet(struct nf_conn *ct,
 	    && new_state == TCP_CONNTRACK_FIN_WAIT)
 		ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
 
-	if (ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans &&
+	if (ct->proto.tcp.retrans >= tn->tcp_max_retrans &&
 	    timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
 		timeout = timeouts[TCP_CONNTRACK_RETRANS];
 	else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
@@ -1064,6 +1071,8 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 	enum tcp_conntrack new_state;
 	const struct tcphdr *th;
 	struct tcphdr _tcph;
+	struct net *net = nf_ct_net(ct);
+	struct nf_tcp_net *tn = tcp_pernet(net);
 	const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
 	const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
 
@@ -1092,7 +1101,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 			ct->proto.tcp.seen[0].td_end;
 
 		tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
-	} else if (nf_ct_tcp_loose == 0) {
+	} else if (tn->tcp_loose == 0) {
 		/* Don't try to pick up connections. */
 		return false;
 	} else {
@@ -1359,91 +1368,78 @@ static struct ctl_table_header *tcp_sysctl_header;
 static struct ctl_table tcp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_tcp_timeout_syn_sent",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_syn_recv",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_established",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_fin_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_close_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_last_ack",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_time_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_close",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_max_retrans",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_RETRANS],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_timeout_unacknowledged",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_UNACK],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_loose",
-		.data		= &nf_ct_tcp_loose,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname       = "nf_conntrack_tcp_be_liberal",
-		.data           = &nf_ct_tcp_be_liberal,
 		.maxlen         = sizeof(unsigned int),
 		.mode           = 0644,
 		.proc_handler   = proc_dointvec,
 	},
 	{
 		.procname	= "nf_conntrack_tcp_max_retrans",
-		.data		= &nf_ct_tcp_max_retrans,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
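Review bot: These timeout entries lose their `.data = &tcp_timeouts[...]` pointers and `tcp_init_net` repoints the per-net copies at `tn->timeouts[]`, but no hunk in this patch changes the code that reads the timeouts for a connection. Writes to these sysctls may therefore land in per-net storage the packet path never consults. The UDP patch in this series makes the matching change in `udp_get_timeouts` (`return udp_pernet(net)->timeouts;`). If this file has a `tcp_get_timeouts` that still returns the global `tcp_timeouts` (it is not visible here), it needs the same one-line change, `return tcp_pernet(net)->timeouts;`. Otherwise an administrator tightening a timeout inside a namespace would see the new value in /proc while the old one stays in effect.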
@@ -1455,91 +1451,78 @@ static struct ctl_table tcp_sysctl_table[] = {
 static struct ctl_table tcp_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_tcp_timeout_syn_sent",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_syn_sent2",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_SENT2],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_syn_recv",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_established",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_fin_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_close_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_last_ack",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_time_wait",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_close",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_CLOSE],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_timeout_max_retrans",
-		.data		= &tcp_timeouts[TCP_CONNTRACK_RETRANS],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_loose",
-		.data		= &nf_ct_tcp_loose,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_be_liberal",
-		.data		= &nf_ct_tcp_be_liberal,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_tcp_max_retrans",
-		.data		= &nf_ct_tcp_max_retrans,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
@@ -1549,10 +1532,80 @@ static struct ctl_table tcp_compat_sysctl_table[] = {
 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 
+static int tcp_init_net(struct net *net, u_int8_t compat)
+{
+	int i;
+	struct nf_tcp_net *tn = tcp_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)tn;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	if (compat) {
+		pn->ctl_compat_table = kmemdup(tcp_compat_sysctl_table,
+					       sizeof(tcp_compat_sysctl_table),
+					       GFP_KERNEL);
+		if (!pn->ctl_compat_table)
+			return -ENOMEM;
+
+		pn->ctl_compat_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
+		pn->ctl_compat_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT2];
+		pn->ctl_compat_table[2].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
+		pn->ctl_compat_table[3].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
+		pn->ctl_compat_table[4].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
+		pn->ctl_compat_table[5].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
+		pn->ctl_compat_table[6].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
+		pn->ctl_compat_table[7].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
+		pn->ctl_compat_table[8].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
+		pn->ctl_compat_table[9].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
+		pn->ctl_compat_table[10].data = &tn->tcp_loose;
+		pn->ctl_compat_table[11].data = &tn->tcp_be_liberal;
+		pn->ctl_compat_table[12].data = &tn->tcp_max_retrans;
+	}
+#endif
+	if (!pn->ctl_table) {
+#else
+	if (!pn->user++) {
+#endif
+		for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
+			tn->timeouts[i] = tcp_timeouts[i];
+		tn->tcp_loose = nf_ct_tcp_loose;
+		tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
+		tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
+#ifdef CONFIG_SYSCTL
+		pn->ctl_table = kmemdup(tcp_sysctl_table,
+					sizeof(tcp_sysctl_table),
+					GFP_KERNEL);
+		if (!pn->ctl_table) {
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+			if (compat) {
+				kfree(pn->ctl_compat_table);
+				pn->ctl_compat_table = NULL;
+			}
+#endif
+			return -ENOMEM;
+		}
+		pn->ctl_table[0].data = &tn->timeouts[TCP_CONNTRACK_SYN_SENT];
+		pn->ctl_table[1].data = &tn->timeouts[TCP_CONNTRACK_SYN_RECV];
+		pn->ctl_table[2].data = &tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
+		pn->ctl_table[3].data = &tn->timeouts[TCP_CONNTRACK_FIN_WAIT];
+		pn->ctl_table[4].data = &tn->timeouts[TCP_CONNTRACK_CLOSE_WAIT];
+		pn->ctl_table[5].data = &tn->timeouts[TCP_CONNTRACK_LAST_ACK];
+		pn->ctl_table[6].data = &tn->timeouts[TCP_CONNTRACK_TIME_WAIT];
+		pn->ctl_table[7].data = &tn->timeouts[TCP_CONNTRACK_CLOSE];
+		pn->ctl_table[8].data = &tn->timeouts[TCP_CONNTRACK_RETRANS];
+		pn->ctl_table[9].data = &tn->timeouts[TCP_CONNTRACK_UNACK];
+		pn->ctl_table[10].data = &tn->tcp_loose;
+		pn->ctl_table[11].data = &tn->tcp_be_liberal;
+		pn->ctl_table[12].data = &tn->tcp_max_retrans;
+#endif
+	}
+	return 0;
+}
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
 {
 	.l3proto		= PF_INET,
 	.l4proto 		= IPPROTO_TCP,
+	.compat			= 1,
 	.name 			= "tcp",
 	.pkt_to_tuple 		= tcp_pkt_to_tuple,
 	.invert_tuple 		= tcp_invert_tuple,
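Review bot: In the `#else` branch of `tcp_init_net` the guard is `if (!pn->user++)`, while the commit message names the counter `nf_proto_net.users`. The struct is defined outside this patch, so one of the two spellings is presumably wrong, and this branch is only compiled with CONFIG_SYSCTL disabled, where a misspelt field would go unnoticed in a default build. If the field is `users`, the line should read `if (!pn->users++) {`. `udp_init_net` in patch 06 has the same line. A comment above the guard would also help, e.g. `/* tcp4 and tcp6 share one nf_tcp_net; copy the defaults only once */`.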
@@ -1589,6 +1642,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
 	.ctl_compat_table	= tcp_compat_sysctl_table,
 #endif
 #endif
+	.init_net		= tcp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
 
@@ -1596,6 +1650,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
 {
 	.l3proto		= PF_INET6,
 	.l4proto 		= IPPROTO_TCP,
+	.compat			= 0,
 	.name 			= "tcp",
 	.pkt_to_tuple 		= tcp_pkt_to_tuple,
 	.invert_tuple 		= tcp_invert_tuple,
@@ -1629,5 +1684,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
 	.ctl_table_header	= &tcp_sysctl_header,
 	.ctl_table		= tcp_sysctl_table,
 #endif
+	.init_net		= tcp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
-- 
1.7.7.6



* [PATCH 06/17] netfilter: add namespace support for l4proto_udp
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

Implement udp_init_net to initialize the pernet sysctl data for
the udp protos.

Because udp_init_net is called by l4proto_udp[4,6], use
nf_proto_net.users to identify whether the pernet data is
initialized when CONFIG_SYSCTL is not configured.

nf_udp_net is a field of netns_ct; when the proto is udp,
nf_ct_l4proto_net returns net->ct.proto.udp.

Also move enum udp_conntrack to conntrack.h.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netns/conntrack.h          |   12 ++++++
 net/netfilter/nf_conntrack_proto.c     |    2 +
 net/netfilter/nf_conntrack_proto_udp.c |   65 ++++++++++++++++++++++++++-----
 3 files changed, 68 insertions(+), 11 deletions(-)

diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index d79e627..3d1450b 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -34,9 +34,21 @@ struct nf_tcp_net {
 	unsigned int tcp_max_retrans;
 };
 
+enum udp_conntrack {
+	UDP_CT_UNREPLIED,
+	UDP_CT_REPLIED,
+	UDP_CT_MAX
+};
+
+struct nf_udp_net {
+	struct nf_proto_net pn;
+	unsigned int timeouts[UDP_CT_MAX];
+};
+
 struct nf_ip_net {
 	struct nf_generic_net   generic;
 	struct nf_tcp_net	tcp;
+	struct nf_udp_net	udp;
 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	struct ctl_table_header *ctl_table_header;
 	struct ctl_table	*ctl_table;
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 4531d6a..ba96447 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -290,6 +290,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
 	switch (l4proto->l4proto) {
 	case IPPROTO_TCP:
 		return (struct nf_proto_net *)&net->ct.proto.tcp;
+	case IPPROTO_UDP:
+		return (struct nf_proto_net *)&net->ct.proto.udp;
 	case 255: /* l4proto_generic */
 		return (struct nf_proto_net *)&net->ct.proto.generic;
 	default:
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 7259a6b..072ef9c 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -25,17 +25,16 @@
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 
-enum udp_conntrack {
-	UDP_CT_UNREPLIED,
-	UDP_CT_REPLIED,
-	UDP_CT_MAX
-};
-
 static unsigned int udp_timeouts[UDP_CT_MAX] = {
 	[UDP_CT_UNREPLIED]	= 30*HZ,
 	[UDP_CT_REPLIED]	= 180*HZ,
 };
 
+static inline struct nf_udp_net *udp_pernet(struct net *net)
+{
+	return &net->ct.proto.udp;
+}
+
 static bool udp_pkt_to_tuple(const struct sk_buff *skb,
 			     unsigned int dataoff,
 			     struct nf_conntrack_tuple *tuple)
@@ -73,7 +72,7 @@ static int udp_print_tuple(struct seq_file *s,
 
 static unsigned int *udp_get_timeouts(struct net *net)
 {
-	return udp_timeouts;
+	return udp_pernet(net)->timeouts;
 }
 
 /* Returns verdict for packet, and may modify conntracktype */
@@ -205,14 +204,12 @@ static struct ctl_table_header *udp_sysctl_header;
 static struct ctl_table udp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_udp_timeout",
-		.data		= &udp_timeouts[UDP_CT_UNREPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_udp_timeout_stream",
-		.data		= &udp_timeouts[UDP_CT_REPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -223,14 +220,12 @@ static struct ctl_table udp_sysctl_table[] = {
 static struct ctl_table udp_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_udp_timeout",
-		.data		= &udp_timeouts[UDP_CT_UNREPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_udp_timeout_stream",
-		.data		= &udp_timeouts[UDP_CT_REPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -240,10 +235,55 @@ static struct ctl_table udp_compat_sysctl_table[] = {
 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 
+static int udp_init_net(struct net *net, u_int8_t compat)
+{
+	int i;
+	struct nf_udp_net *un = udp_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)un;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	if (compat) {
+		pn->ctl_compat_table = kmemdup(udp_compat_sysctl_table,
+					       sizeof(udp_compat_sysctl_table),
+					       GFP_KERNEL);
+		if (!pn->ctl_compat_table)
+			return -ENOMEM;
+
+		pn->ctl_compat_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
+		pn->ctl_compat_table[1].data = &un->timeouts[UDP_CT_REPLIED];
+	}
+#endif
+	if (!pn->ctl_table) {
+#else
+	if (!pn->user++) {
+#endif
+		for (i = 0; i < UDP_CT_MAX; i++)
+			un->timeouts[i] = udp_timeouts[i];
+#ifdef CONFIG_SYSCTL
+		pn->ctl_table = kmemdup(udp_sysctl_table,
+					sizeof(udp_sysctl_table),
+					GFP_KERNEL);
+		if (!pn->ctl_table) {
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+			if (compat) {
+				kfree(pn->ctl_compat_table);
+				pn->ctl_compat_table = NULL;
+			}
+#endif
+			return -ENOMEM;
+		}
+		pn->ctl_table[0].data = &un->timeouts[UDP_CT_UNREPLIED];
+		pn->ctl_table[1].data = &un->timeouts[UDP_CT_REPLIED];
+#endif
+	}
+	return 0;
+}
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
 {
 	.l3proto		= PF_INET,
 	.l4proto		= IPPROTO_UDP,
+	.compat			= 1,
 	.name			= "udp",
 	.pkt_to_tuple		= udp_pkt_to_tuple,
 	.invert_tuple		= udp_invert_tuple,
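Review bot: `udp_init_net` wires the copied tables by position (`pn->ctl_table[0].data`, `pn->ctl_table[1].data`, and likewise for the compat table), so the assignments are correct only while they match the entry order of `udp_sysctl_table` and `udp_compat_sysctl_table`. Inserting or reordering an entry later would silently point a mode-0644 sysctl at a different field. A comment on both tables, for example `/* entry order must match the index assignments in udp_init_net() */`, would make the coupling visible. `tcp_init_net` in patch 05 has thirteen such assignments per table and deserves the same comment.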
@@ -275,6 +315,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
 	.ctl_compat_table	= udp_compat_sysctl_table,
 #endif
 #endif
+	.init_net		= udp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
 
@@ -282,6 +323,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
 {
 	.l3proto		= PF_INET6,
 	.l4proto		= IPPROTO_UDP,
+	.compat			= 0,
 	.name			= "udp",
 	.pkt_to_tuple		= udp_pkt_to_tuple,
 	.invert_tuple		= udp_invert_tuple,
@@ -310,5 +352,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
 	.ctl_table_header	= &udp_sysctl_header,
 	.ctl_table		= udp_sysctl_table,
 #endif
+	.init_net		= udp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
-- 
1.7.7.6



* [PATCH 09/17] netfilter: add namespace support for l3proto_ipv4
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

Add pernet_operations ipv4_net_ops and register it when the
nf_conntrack_ipv4 module is loaded.

Move the l4proto_register and l3proto_register calls from the
module_init function to ipv4_net_ops.init.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  122 ++++++++++++++++--------
 1 files changed, 84 insertions(+), 38 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 0c0fb90..1dd17ed 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -207,35 +207,30 @@ static int log_invalid_proto_max = 255;
 static ctl_table ip_ct_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_max",
-		.data		= &nf_conntrack_max,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_count",
-		.data		= &init_net.ct.count,
 		.maxlen		= sizeof(int),
 		.mode		= 0444,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_buckets",
-		.data		= &init_net.ct.htable_size,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0444,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_checksum",
-		.data		= &init_net.ct.sysctl_checksum,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
 	{
 		.procname	= "ip_conntrack_log_invalid",
-		.data		= &init_net.ct.sysctl_log_invalid,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
@@ -351,6 +346,24 @@ static struct nf_sockopt_ops so_getorigdst = {
 	.owner		= THIS_MODULE,
 };
 
+static int ipv4_init_net(struct net *net)
+{
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
+	struct nf_ip_net *in = &net->ct.proto;
+	in->ctl_table = kmemdup(ip_ct_sysctl_table,
+				sizeof(ip_ct_sysctl_table),
+				GFP_KERNEL);
+	if (!in->ctl_table)
+		return -ENOMEM;
+	in->ctl_table[0].data = &nf_conntrack_max;
+	in->ctl_table[1].data = &net->ct.count;
+	in->ctl_table[2].data = &net->ct.htable_size;
+	in->ctl_table[3].data = &net->ct.sysctl_checksum;
+	in->ctl_table[4].data = &net->ct.sysctl_log_invalid;
+#endif
+	return 0;
+}
+
 struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
 	.l3proto	 = PF_INET,
 	.name		 = "ipv4",
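Review bot: `ipv4_init_net` points entry 0 of every namespace's table copy at the global `&nf_conntrack_max`, while entries 1-4 point at per-net fields, and the template keeps `ip_conntrack_max` at mode 0644. If the copy is registered in each namespace (the registration code is outside this patch), a writer inside any namespace could change the connection-tracking limit for the whole host. Consider making the entry read-only outside the initial namespace, e.g. `if (!net_eq(net, &init_net)) in->ctl_table[0].mode = 0444;`. At the least, add a comment saying the value is deliberately global.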
@@ -368,6 +381,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
 	.ctl_table_path  = "net/ipv4/netfilter",
 	.ctl_table	 = ip_ct_sysctl_table,
 #endif
+	.init_net	= ipv4_init_net,
 	.me		 = THIS_MODULE,
 };
 
@@ -378,6 +392,65 @@ MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
 MODULE_ALIAS("ip_conntrack");
 MODULE_LICENSE("GPL");
 
+static int ipv4_net_init(struct net *net)
+{
+	int ret = 0;
+
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_tcp4);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_tcp4 :protocol register failed\n");
+		goto out_tcp;
+	}
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_udp4);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_udp4 :protocol register failed\n");
+		goto out_udp;
+	}
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_icmp);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_icmp4 :protocol register failed\n");
+		goto out_icmp;
+	}
+	ret = nf_conntrack_l3proto_register(net,
+					    &nf_conntrack_l3proto_ipv4);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l3proto_ipv4 :protocol register failed\n");
+		goto out_ipv4;
+	}
+	return 0;
+out_ipv4:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_icmp);
+out_icmp:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_udp4);
+out_udp:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_tcp4);
+out_tcp:
+	return ret;
+}
+
+static void ipv4_net_exit(struct net *net)
+{
+	nf_conntrack_l3proto_unregister(net,
+					&nf_conntrack_l3proto_ipv4);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_icmp);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_udp4);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_tcp4);
+}
+
+static struct pernet_operations ipv4_net_ops = {
+	.init = ipv4_net_init,
+	.exit = ipv4_net_exit,
+};
+
 static int __init nf_conntrack_l3proto_ipv4_init(void)
 {
 	int ret = 0;
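Review bot: The unwind labels in `ipv4_net_init` are named after the step that failed (`out_udp:` unregisters tcp4, `out_tcp:` only returns), whereas the rest of this file names a label after what it undoes (`cleanup_sockopt`, and the `cleanup_pernet` this patch adds). Renaming them to `cleanup_icmp:`, `cleanup_udp:` and `cleanup_tcp:`, each placed before the unregister call it performs, and returning directly on the first failure, would make the unwind order easier to audit. The `pr_err` strings also drop the `nf_conntrack_ipv4:` prefix used by the other messages in this file. One of them names `nf_conntrack_l4proto_icmp4`, which is not the symbol being registered.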
@@ -391,35 +464,17 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
 		return ret;
 	}
 
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp4);
+	ret = register_pernet_subsys(&ipv4_net_ops);
 	if (ret < 0) {
-		pr_err("nf_conntrack_ipv4: can't register tcp.\n");
+		pr_err("nf_conntrack_ipv4: can't register pernet ops\n");
 		goto cleanup_sockopt;
 	}
 
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp4);
-	if (ret < 0) {
-		pr_err("nf_conntrack_ipv4: can't register udp.\n");
-		goto cleanup_tcp;
-	}
-
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmp);
-	if (ret < 0) {
-		pr_err("nf_conntrack_ipv4: can't register icmp.\n");
-		goto cleanup_udp;
-	}
-
-	ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv4);
-	if (ret < 0) {
-		pr_err("nf_conntrack_ipv4: can't register ipv4\n");
-		goto cleanup_icmp;
-	}
-
 	ret = nf_register_hooks(ipv4_conntrack_ops,
 				ARRAY_SIZE(ipv4_conntrack_ops));
 	if (ret < 0) {
 		pr_err("nf_conntrack_ipv4: can't register hooks.\n");
-		goto cleanup_ipv4;
+		goto cleanup_pernet;
 	}
 #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	ret = nf_conntrack_ipv4_compat_init();
@@ -431,14 +486,8 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
  cleanup_hooks:
 	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
 #endif
- cleanup_ipv4:
-	nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
- cleanup_icmp:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
- cleanup_udp:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
- cleanup_tcp:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
+ cleanup_pernet:
+	unregister_pernet_subsys(&ipv4_net_ops);
  cleanup_sockopt:
 	nf_unregister_sockopt(&so_getorigdst);
 	return ret;
@@ -451,10 +500,7 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
 	nf_conntrack_ipv4_compat_fini();
 #endif
 	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
-	nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv4);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
+	unregister_pernet_subsys(&ipv4_net_ops);
 	nf_unregister_sockopt(&so_getorigdst);
 }
 
-- 
1.7.7.6



* [PATCH 11/17] netfilter: add namespace support for l4proto_sctp
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

Add pernet_operations sctp_net_ops and register it when the
nf_conntrack_proto_sctp module is loaded.
Move the l4proto_register call from the module_init function to
sctp_net_ops.init.

Also implement sctp_init_net to initialize the pernet sysctl
data for the sctp[4,6] protos.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto_sctp.c |  135 ++++++++++++++++++++++++-------
 1 files changed, 106 insertions(+), 29 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 97bbc20..3f0fdf8 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -127,6 +127,17 @@ static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
 	}
 };
 
+static int sctp_net_id	__read_mostly;
+struct sctp_net {
+	struct nf_proto_net pn;
+	unsigned int timeouts[SCTP_CONNTRACK_MAX];
+};
+
+static inline struct sctp_net *sctp_pernet(struct net *net)
+{
+	return net_generic(net, sctp_net_id);
+}
+
 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 			      struct nf_conntrack_tuple *tuple)
 {
@@ -281,7 +292,7 @@ static int sctp_new_state(enum ip_conntrack_dir dir,
 
 static unsigned int *sctp_get_timeouts(struct net *net)
 {
-	return sctp_timeouts;
+	return sctp_pernet(net)->timeouts;
 }
 
 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
@@ -604,49 +615,42 @@ static struct ctl_table_header *sctp_sysctl_header;
 static struct ctl_table sctp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_sctp_timeout_closed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_cookie_wait",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_cookie_echoed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_established",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_shutdown_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_shutdown_recd",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_sctp_timeout_shutdown_ack_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -658,49 +662,42 @@ static struct ctl_table sctp_sysctl_table[] = {
 static struct ctl_table sctp_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_sctp_timeout_closed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_cookie_wait",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_cookie_echoed",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_established",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_shutdown_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_shutdown_recd",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "ip_conntrack_sctp_timeout_shutdown_ack_sent",
-		.data		= &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -710,9 +707,63 @@ static struct ctl_table sctp_compat_sysctl_table[] = {
 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif
 
+static int sctp_init_net(struct net *net, u_int8_t compat)
+{
+	int i;
+	struct sctp_net *sn = sctp_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)sn;
+#ifdef CONFIG_SYSCTL
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	if (compat) {
+		pn->ctl_compat_table = kmemdup(sctp_compat_sysctl_table,
+					       sizeof(sctp_compat_sysctl_table),
+					       GFP_KERNEL);
+		if (!pn->ctl_compat_table)
+			return -ENOMEM;
+		pn->ctl_compat_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
+		pn->ctl_compat_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
+		pn->ctl_compat_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
+		pn->ctl_compat_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
+		pn->ctl_compat_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
+		pn->ctl_compat_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
+		pn->ctl_compat_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
+	}
+#endif
+	if (!pn->ctl_table) {
+#else
+	if (!pn->users++) {
+#endif
+		for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
+			sn->timeouts[i] = sctp_timeouts[i];
+#ifdef CONFIG_SYSCTL
+		pn->ctl_table = kmemdup(sctp_sysctl_table,
+					sizeof(sctp_sysctl_table),
+					GFP_KERNEL);
+		if (!pn->ctl_table) {
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+			if (compat) {
+				kfree(pn->ctl_compat_table);
+				pn->ctl_compat_table = NULL;
+			}
+#endif
+			return -ENOMEM;
+		}
+		pn->ctl_table[0].data = &sn->timeouts[SCTP_CONNTRACK_CLOSED];
+		pn->ctl_table[1].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_WAIT];
+		pn->ctl_table[2].data = &sn->timeouts[SCTP_CONNTRACK_COOKIE_ECHOED];
+		pn->ctl_table[3].data = &sn->timeouts[SCTP_CONNTRACK_ESTABLISHED];
+		pn->ctl_table[4].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT];
+		pn->ctl_table[5].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD];
+		pn->ctl_table[6].data = &sn->timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT];
+#endif
+	}
+	return 0;
+}
+
 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 	.l3proto		= PF_INET,
 	.l4proto 		= IPPROTO_SCTP,
+	.compat			= 1,
 	.name 			= "sctp",
 	.pkt_to_tuple 		= sctp_pkt_to_tuple,
 	.invert_tuple 		= sctp_invert_tuple,
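Review bot: The literal indices 0..6 in sctp_init_net tie each `.data` assignment to the entry order of sctp_sysctl_table[] and sctp_compat_sysctl_table[], and nothing checks that link, so a reordered or inserted table entry would silently point a sysctl at the wrong timeout. I would put a comment on both tables, for example `/* entry order is relied on by sctp_init_net(); keep in sync */`, or fill `.data` from one index-to-state array shared by both blocks. The cast `(struct nf_proto_net *)sn` also depends on struct sctp_net starting with its nf_proto_net member; that struct is defined outside this hunk, so if the member is named `pn` as in nf_tcp_net, `&sn->pn` states the intent without the cast.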
@@ -748,11 +799,14 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 	.ctl_compat_table	= sctp_compat_sysctl_table,
 #endif
 #endif
+	.net_id			= &sctp_net_id,
+	.init_net		= sctp_init_net,
 };
 
 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 	.l3proto		= PF_INET6,
 	.l4proto 		= IPPROTO_SCTP,
+	.compat			= 0,
 	.name 			= "sctp",
 	.pkt_to_tuple 		= sctp_pkt_to_tuple,
 	.invert_tuple 		= sctp_invert_tuple,
@@ -785,35 +839,58 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 	.ctl_table_header	= &sctp_sysctl_header,
 	.ctl_table		= sctp_sysctl_table,
 #endif
+	.net_id			= &sctp_net_id,
+	.init_net		= sctp_init_net,
 };
 
-static int __init nf_conntrack_proto_sctp_init(void)
+static int sctp_net_init(struct net *net)
 {
-	int ret;
+	int ret = 0;
 
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp4);
-	if (ret) {
-		pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n");
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_sctp4);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_sctp4 :protocol register failed.\n");
 		goto out;
 	}
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp6);
-	if (ret) {
-		pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_sctp6);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_sctp6 :protocol register failed.\n");
 		goto cleanup_sctp4;
 	}
+	return 0;
 
+cleanup_sctp4:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_sctp4);
+out:
 	return ret;
+}
 
- cleanup_sctp4:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
- out:
-	return ret;
+static void sctp_net_exit(struct net *net)
+{
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_sctp6);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_sctp4);
+}
+
+static struct pernet_operations sctp_net_ops = {
+	.init = sctp_net_init,
+	.exit = sctp_net_exit,
+	.id   = &sctp_net_id,
+	.size = sizeof(struct sctp_net),
+};
+
+static int __init nf_conntrack_proto_sctp_init(void)
+{
+	return register_pernet_subsys(&sctp_net_ops);
 }
 
 static void __exit nf_conntrack_proto_sctp_fini(void)
 {
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp6);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
+	unregister_pernet_subsys(&sctp_net_ops);
 }
 
 module_init(nf_conntrack_proto_sctp_init);
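Review bot: The two pr_err strings in sctp_net_init were reworded to `"nf_conntrack_l4proto_sctp4 :protocol register failed.\n"`, which puts the space on the wrong side of the colon; the previous form `"nf_conntrack_l4proto_sctp4: protocol register failed\n"` should be kept, and likewise for sctp6. `int ret = 0;` is overwritten by the very next statement, so the initializer can go. The new per-namespace callbacks have no comment; one line such as `/* Register both SCTP trackers for this netns; unregisters sctp4 if sctp6 fails. */` above sctp_net_init would help.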
-- 
1.7.7.6



* [PATCH 02/17] netfilter: add namespace support for l4proto
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

From: Gao feng <gaofeng@cn.fujitus.com>

-nf_ct_(un)register_sysctl are changed to support net namespaces:
 (un)register_net_sysctl_table is used instead of (un)register_sysctl_paths,
 and nf_ct_unregister_sysctl kfrees the table only when users is 0.

-Add struct net as a parameter of nf_conntrack_l4proto_(un)register;
 the l4proto is registered or unregistered only when the net is init_net.

-nf_conntrack_l4proto_register calls init_net to initialize the pernet
 data of the l4proto.

-nf_ct_l4proto_net is used to get the pernet data of the l4proto.

-Pass init_net as a parameter to nf_conntrack_l4proto_(un)register.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitus.com>
---
 include/net/netfilter/nf_conntrack_l4proto.h   |   13 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   18 +-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |   18 +-
 net/netfilter/nf_conntrack_proto.c             |  245 ++++++++++++++----------
 net/netfilter/nf_conntrack_proto_dccp.c        |   10 +-
 net/netfilter/nf_conntrack_proto_gre.c         |    6 +-
 net/netfilter/nf_conntrack_proto_sctp.c        |   10 +-
 net/netfilter/nf_conntrack_proto_udplite.c     |   10 +-
 8 files changed, 191 insertions(+), 139 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index a90eab5..a93dcd5 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -12,7 +12,7 @@
 #include <linux/netlink.h>
 #include <net/netlink.h>
 #include <net/netfilter/nf_conntrack.h>
-
+#include <net/netns/generic.h>
 struct seq_file;
 
 struct nf_conntrack_l4proto {
@@ -129,8 +129,15 @@ nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto);
 extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p);
 
 /* Protocol registration. */
-extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto);
-extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
+extern int nf_conntrack_l4proto_register(struct net *net,
+					 struct nf_conntrack_l4proto *proto);
+extern void nf_conntrack_l4proto_unregister(struct net *net,
+					    struct nf_conntrack_l4proto *proto);
+
+extern int nf_ct_l4proto_register_sysctl(struct net *net,
+					 struct nf_conntrack_l4proto *l4proto);
+extern void nf_ct_l4proto_unregister_sysctl(struct net *net,
+					    struct nf_conntrack_l4proto *l4proto);
 
 /* Generic netlink helpers */
 extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 91747d4..46ec515 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -391,19 +391,19 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
 		return ret;
 	}
 
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp4);
 	if (ret < 0) {
 		pr_err("nf_conntrack_ipv4: can't register tcp.\n");
 		goto cleanup_sockopt;
 	}
 
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp4);
 	if (ret < 0) {
 		pr_err("nf_conntrack_ipv4: can't register udp.\n");
 		goto cleanup_tcp;
 	}
 
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmp);
 	if (ret < 0) {
 		pr_err("nf_conntrack_ipv4: can't register icmp.\n");
 		goto cleanup_udp;
@@ -434,11 +434,11 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
  cleanup_ipv4:
 	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
  cleanup_icmp:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
  cleanup_udp:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
  cleanup_tcp:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
  cleanup_sockopt:
 	nf_unregister_sockopt(&so_getorigdst);
 	return ret;
@@ -452,9 +452,9 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void)
 #endif
 	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
 	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
 	nf_unregister_sockopt(&so_getorigdst);
 }
 
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index fe925e4..55f379f 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -341,19 +341,19 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
 	need_conntrack();
 	nf_defrag_ipv6_enable();
 
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp6);
 	if (ret < 0) {
 		pr_err("nf_conntrack_ipv6: can't register tcp.\n");
 		return ret;
 	}
 
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp6);
 	if (ret < 0) {
 		pr_err("nf_conntrack_ipv6: can't register udp.\n");
 		goto cleanup_tcp;
 	}
 
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmpv6);
 	if (ret < 0) {
 		pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
 		goto cleanup_udp;
@@ -377,11 +377,11 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
  cleanup_ipv6:
 	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
  cleanup_icmpv6:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
  cleanup_udp:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
  cleanup_tcp:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
 	return ret;
 }
 
@@ -390,9 +390,9 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
 	synchronize_net();
 	nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
 	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
 }
 
 module_init(nf_conntrack_l3proto_ipv6_init);
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 8b631b0..6d68727 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -35,30 +35,39 @@ EXPORT_SYMBOL_GPL(nf_ct_l3protos);
 static DEFINE_MUTEX(nf_ct_proto_mutex);
 
 #ifdef CONFIG_SYSCTL
-static int
-nf_ct_register_sysctl(struct ctl_table_header **header, const char *path,
-		      struct ctl_table *table, unsigned int *users)
+int
+nf_ct_register_sysctl(struct net *net,
+		      struct ctl_table_header **header,
+		      const char *path,
+		      struct ctl_table *table,
+		      unsigned int *users)
 {
 	if (*header == NULL) {
-		*header = register_net_sysctl(&init_net, path, table);
+		*header = register_net_sysctl(net, path, table);
 		if (*header == NULL)
 			return -ENOMEM;
 	}
 	if (users != NULL)
 		(*users)++;
+
 	return 0;
 }
+EXPORT_SYMBOL_GPL(nf_ct_register_sysctl);
 
-static void
+void
 nf_ct_unregister_sysctl(struct ctl_table_header **header,
-			struct ctl_table *table, unsigned int *users)
+			struct ctl_table **table,
+			unsigned int *users)
 {
 	if (users != NULL && --*users > 0)
 		return;
 
 	unregister_net_sysctl_table(*header);
+	kfree(*table);
 	*header = NULL;
+	*table = NULL;
 }
+EXPORT_SYMBOL_GPL(nf_ct_unregister_sysctl);
 #endif
 
 struct nf_conntrack_l4proto *
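Review bot: nf_ct_unregister_sysctl now calls `kfree(*table)` unconditionally, but the nf_ct_l3proto_unregister_sysctl hunk below passes `&l3proto->ctl_table`, and nothing in this patch turns that l3proto table into a kmemdup()'d copy. If it is still the tracker's static ctl_table array, this frees memory that was never allocated and then clears the pointer, so a later re-registration would skip the sysctl. The function should free only tables known to be per-net copies, or leave the freeing to the l4proto caller. Both functions also lose `static` and gain EXPORT_SYMBOL_GPL, while the header hunk in this patch declares only nf_ct_l4proto_(un)register_sysctl, so a prototype appears to be missing unless it lives in a header not shown here.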
@@ -167,7 +176,8 @@ static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
 
 #ifdef CONFIG_SYSCTL
 	if (l3proto->ctl_table != NULL) {
-		err = nf_ct_register_sysctl(&l3proto->ctl_table_header,
+		err = nf_ct_register_sysctl(&init_net,
+					    &l3proto->ctl_table_header,
 					    l3proto->ctl_table_path,
 					    l3proto->ctl_table, NULL);
 	}
@@ -180,7 +190,7 @@ static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto
 #ifdef CONFIG_SYSCTL
 	if (l3proto->ctl_table_header != NULL)
 		nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
-					l3proto->ctl_table, NULL);
+					&l3proto->ctl_table, NULL);
 #endif
 }
 
@@ -243,137 +253,172 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
 
-static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
+static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
+					      struct nf_conntrack_l4proto *l4proto)
 {
-	int err = 0;
+	if (l4proto->net_id)
+		return net_generic(net, *l4proto->net_id);
+	else
+		return NULL;
+}
 
+int nf_ct_l4proto_register_sysctl(struct net *net,
+				  struct nf_conntrack_l4proto *l4proto)
+{
+	int err = 0;
+	struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
+	if (pn == NULL)
+		return 0;
 #ifdef CONFIG_SYSCTL
-	if (l4proto->ctl_table != NULL) {
-		err = nf_ct_register_sysctl(l4proto->ctl_table_header,
+	if (pn->ctl_table != NULL) {
+		err = nf_ct_register_sysctl(net,
+					    &pn->ctl_table_header,
 					    "net/netfilter",
-					    l4proto->ctl_table,
-					    l4proto->ctl_table_users);
-		if (err < 0)
+					    pn->ctl_table,
+					    &pn->users);
+		if (err < 0) {
+			kfree(pn->ctl_table);
+			pn->ctl_table = NULL;
 			goto out;
+		}
 	}
 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	if (l4proto->ctl_compat_table != NULL) {
-		err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,
+	if (l4proto->compat && pn->ctl_compat_table != NULL) {
+		err = nf_ct_register_sysctl(net,
+					    &pn->ctl_compat_header,
 					    "net/ipv4/netfilter",
-					    l4proto->ctl_compat_table, NULL);
+					    pn->ctl_compat_table,
+					    NULL);
 		if (err == 0)
 			goto out;
-		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
-					l4proto->ctl_table,
-					l4proto->ctl_table_users);
+
+		kfree(pn->ctl_compat_table);
+		pn->ctl_compat_table = NULL;
+		nf_ct_unregister_sysctl(&pn->ctl_table_header,
+					&pn->ctl_table,
+					&pn->users);
 	}
 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 out:
 #endif /* CONFIG_SYSCTL */
 	return err;
 }
+EXPORT_SYMBOL_GPL(nf_ct_l4proto_register_sysctl);
 
-static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)
+void nf_ct_l4proto_unregister_sysctl(struct net *net,
+				     struct nf_conntrack_l4proto *l4proto)
 {
+	struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
+	if (pn == NULL)
+		return;
 #ifdef CONFIG_SYSCTL
-	if (l4proto->ctl_table_header != NULL &&
-	    *l4proto->ctl_table_header != NULL)
-		nf_ct_unregister_sysctl(l4proto->ctl_table_header,
-					l4proto->ctl_table,
-					l4proto->ctl_table_users);
+	if (pn->ctl_table_header != NULL)
+		nf_ct_unregister_sysctl(&pn->ctl_table_header,
+					&pn->ctl_table,
+					&pn->users);
+
 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	if (l4proto->ctl_compat_table_header != NULL)
-		nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,
-					l4proto->ctl_compat_table, NULL);
+	if (l4proto->compat && pn->ctl_compat_header != NULL)
+		nf_ct_unregister_sysctl(&pn->ctl_compat_header,
+					&pn->ctl_compat_table,
+					NULL);
 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
+#else
+	pn->users--;
 #endif /* CONFIG_SYSCTL */
 }
+EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister_sysctl);
 
 /* FIXME: Allow NULL functions and sub in pointers to generic for
    them. --RR */
-int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
+int nf_conntrack_l4proto_register(struct net *net,
+				  struct nf_conntrack_l4proto *l4proto)
 {
 	int ret = 0;
 
-	if (l4proto->l3proto >= PF_MAX)
-		return -EBUSY;
-
-	if ((l4proto->to_nlattr && !l4proto->nlattr_size)
-		|| (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
-		return -EINVAL;
-
-	mutex_lock(&nf_ct_proto_mutex);
-	if (!nf_ct_protos[l4proto->l3proto]) {
-		/* l3proto may be loaded latter. */
-		struct nf_conntrack_l4proto __rcu **proto_array;
-		int i;
-
-		proto_array = kmalloc(MAX_NF_CT_PROTO *
-				      sizeof(struct nf_conntrack_l4proto *),
-				      GFP_KERNEL);
-		if (proto_array == NULL) {
-			ret = -ENOMEM;
+	if (net == &init_net) {
+		if (l4proto->l3proto >= PF_MAX)
+			return -EBUSY;
+
+		if ((l4proto->to_nlattr && !l4proto->nlattr_size)
+			|| (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
+			return -EINVAL;
+
+		mutex_lock(&nf_ct_proto_mutex);
+		if (!nf_ct_protos[l4proto->l3proto]) {
+			/* l3proto may be loaded latter. */
+			struct nf_conntrack_l4proto __rcu **proto_array;
+			int i;
+
+			proto_array = kmalloc(MAX_NF_CT_PROTO *
+					      sizeof(struct nf_conntrack_l4proto *),
+					      GFP_KERNEL);
+			if (proto_array == NULL) {
+				ret = -ENOMEM;
+				goto out_unlock;
+			}
+
+			for (i = 0; i < MAX_NF_CT_PROTO; i++)
+				RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
+
+			/* Before making proto_array visible to lockless readers,
+			 * we must make sure its content is committed to memory.
+			 */
+			smp_wmb();
+
+			nf_ct_protos[l4proto->l3proto] = proto_array;
+		} else if (rcu_dereference_protected(
+				nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+				lockdep_is_held(&nf_ct_proto_mutex)
+				) != &nf_conntrack_l4proto_generic) {
+			ret = -EBUSY;
 			goto out_unlock;
 		}
 
-		for (i = 0; i < MAX_NF_CT_PROTO; i++)
-			RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
-
-		/* Before making proto_array visible to lockless readers,
-		 * we must make sure its content is committed to memory.
-		 */
-		smp_wmb();
-
-		nf_ct_protos[l4proto->l3proto] = proto_array;
-	} else if (rcu_dereference_protected(
-			nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
-			lockdep_is_held(&nf_ct_proto_mutex)
-			) != &nf_conntrack_l4proto_generic) {
-		ret = -EBUSY;
-		goto out_unlock;
-	}
-
-	ret = nf_ct_l4proto_register_sysctl(l4proto);
-	if (ret < 0)
-		goto out_unlock;
-
-	l4proto->nla_size = 0;
-	if (l4proto->nlattr_size)
-		l4proto->nla_size += l4proto->nlattr_size();
-	if (l4proto->nlattr_tuple_size)
-		l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();
-
-	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
-			   l4proto);
+		l4proto->nla_size = 0;
+		if (l4proto->nlattr_size)
+			l4proto->nla_size += l4proto->nlattr_size();
+		if (l4proto->nlattr_tuple_size)
+			l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();
 
+		rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+				   l4proto);
 out_unlock:
-	mutex_unlock(&nf_ct_proto_mutex);
-	return ret;
+		mutex_unlock(&nf_ct_proto_mutex);
+		if (ret < 0)
+			return ret;
+	}
+	if (l4proto->init_net) {
+		ret = l4proto->init_net(net, l4proto->compat);
+		if (ret < 0)
+			return ret;
+	}
+	return nf_ct_l4proto_register_sysctl(net, l4proto);
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register);
 
-void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
+void nf_conntrack_l4proto_unregister(struct net *net,
+				     struct nf_conntrack_l4proto *l4proto)
 {
-	struct net *net;
-
-	BUG_ON(l4proto->l3proto >= PF_MAX);
-
-	mutex_lock(&nf_ct_proto_mutex);
-	BUG_ON(rcu_dereference_protected(
-			nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
-			lockdep_is_held(&nf_ct_proto_mutex)
-			) != l4proto);
-	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
-			   &nf_conntrack_l4proto_generic);
-	nf_ct_l4proto_unregister_sysctl(l4proto);
-	mutex_unlock(&nf_ct_proto_mutex);
-
-	synchronize_rcu();
+	if (net == &init_net) {
+		BUG_ON(l4proto->l3proto >= PF_MAX);
+		mutex_lock(&nf_ct_proto_mutex);
+
+		BUG_ON(rcu_dereference_protected(
+				nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+				lockdep_is_held(&nf_ct_proto_mutex)
+				) != l4proto);
+		rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+				   &nf_conntrack_l4proto_generic);
+		mutex_unlock(&nf_ct_proto_mutex);
+
+		synchronize_rcu();
+	}
+	nf_ct_l4proto_unregister_sysctl(net, l4proto);
 
 	/* Remove all contrack entries for this protocol */
 	rtnl_lock();
-	for_each_net(net)
-		nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
+	nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
 	rtnl_unlock();
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
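Review bot: In nf_conntrack_l4proto_register the tracker is published with rcu_assign_pointer() and the mutex is dropped before `l4proto->init_net()` and nf_ct_l4proto_register_sysctl() run, so when either fails for init_net the function returns an error while nf_ct_protos[][] still points at l4proto. The old code registered the sysctl first and published only on success; module init functions treat a negative return as "not registered", so the stale pointer may outlive the module that owns the structure. The failure paths should restore &nf_conntrack_l4proto_generic, as sketched below. Separately, when the first nf_ct_register_sysctl() call in nf_ct_l4proto_register_sysctl fails, the pn->ctl_compat_table allocated by the init_net callback is not freed.

```c
int nf_conntrack_l4proto_register(struct net *net,
				  struct nf_conntrack_l4proto *l4proto)
{
	/* … unchanged: init_net-only validation and nf_ct_protos publication … */
	if (l4proto->init_net) {
		ret = l4proto->init_net(net, l4proto->compat);
		if (ret < 0)
			goto out_unpublish;
	}
	ret = nf_ct_l4proto_register_sysctl(net, l4proto);
	if (ret < 0)
		goto out_unpublish;
	return 0;

out_unpublish:
	/* Undo the publication so a failed register leaves no stale pointer. */
	if (net == &init_net) {
		mutex_lock(&nf_ct_proto_mutex);
		rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
				   &nf_conntrack_l4proto_generic);
		mutex_unlock(&nf_ct_proto_mutex);
		synchronize_rcu();
	}
	return ret;
}
```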
@@ -383,7 +428,7 @@ int nf_conntrack_proto_init(void)
 	unsigned int i;
 	int err;
 
-	err = nf_ct_l4proto_register_sysctl(&nf_conntrack_l4proto_generic);
+	err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
 	if (err < 0)
 		return err;
 
@@ -397,7 +442,7 @@ void nf_conntrack_proto_fini(void)
 {
 	unsigned int i;
 
-	nf_ct_l4proto_unregister_sysctl(&nf_conntrack_l4proto_generic);
+	nf_ct_l4proto_unregister_sysctl(&init_net, &nf_conntrack_l4proto_generic);
 
 	/* free l3proto protocol tables */
 	for (i = 0; i < PF_MAX; i++)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index ef706a4..5a8e037 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -945,17 +945,17 @@ static int __init nf_conntrack_proto_dccp_init(void)
 	if (err < 0)
 		goto err1;
 
-	err = nf_conntrack_l4proto_register(&dccp_proto4);
+	err = nf_conntrack_l4proto_register(&init_net, &dccp_proto4);
 	if (err < 0)
 		goto err2;
 
-	err = nf_conntrack_l4proto_register(&dccp_proto6);
+	err = nf_conntrack_l4proto_register(&init_net, &dccp_proto6);
 	if (err < 0)
 		goto err3;
 	return 0;
 
 err3:
-	nf_conntrack_l4proto_unregister(&dccp_proto4);
+	nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
 err2:
 	unregister_pernet_subsys(&dccp_net_ops);
 err1:
@@ -965,8 +965,8 @@ err1:
 static void __exit nf_conntrack_proto_dccp_fini(void)
 {
 	unregister_pernet_subsys(&dccp_net_ops);
-	nf_conntrack_l4proto_unregister(&dccp_proto6);
-	nf_conntrack_l4proto_unregister(&dccp_proto4);
+	nf_conntrack_l4proto_unregister(&init_net, &dccp_proto6);
+	nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
 }
 
 module_init(nf_conntrack_proto_dccp_init);
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 4bf6b4e..132f0d2 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -396,18 +396,18 @@ static int __init nf_ct_proto_gre_init(void)
 {
 	int rv;
 
-	rv = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_gre4);
+	rv = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_gre4);
 	if (rv < 0)
 		return rv;
 	rv = register_pernet_subsys(&proto_gre_net_ops);
 	if (rv < 0)
-		nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
+		nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
 	return rv;
 }
 
 static void __exit nf_ct_proto_gre_fini(void)
 {
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
 	unregister_pernet_subsys(&proto_gre_net_ops);
 }
 
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 996db2f..97bbc20 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -791,12 +791,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
 {
 	int ret;
 
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp4);
 	if (ret) {
 		pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n");
 		goto out;
 	}
-	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6);
+	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_sctp6);
 	if (ret) {
 		pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
 		goto cleanup_sctp4;
@@ -805,15 +805,15 @@ static int __init nf_conntrack_proto_sctp_init(void)
 	return ret;
 
  cleanup_sctp4:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
  out:
 	return ret;
 }
 
 static void __exit nf_conntrack_proto_sctp_fini(void)
 {
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_sctp4);
 }
 
 module_init(nf_conntrack_proto_sctp_init);
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 4d60a53..fa142a8 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -299,23 +299,23 @@ static int __init nf_conntrack_proto_udplite_init(void)
 {
 	int err;
 
-	err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite4);
+	err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite4);
 	if (err < 0)
 		goto err1;
-	err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite6);
+	err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite6);
 	if (err < 0)
 		goto err2;
 	return 0;
 err2:
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
 err1:
 	return err;
 }
 
 static void __exit nf_conntrack_proto_udplite_exit(void)
 {
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
-	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite6);
+	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
 }
 
 module_init(nf_conntrack_proto_udplite_init);
-- 
1.7.7.6


* [PATCH 07/17] netfilter: add namespace support for l4proto_icmp
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

Implement icmp_init_net to initialize the pernet data for the
icmp proto.

Because nf_icmp_net is a field of netns_ct, return
net->ct.proto.icmp from nf_ct_l4proto_net when the proto is icmp.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netns/conntrack.h                |    6 ++++
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c |   39 ++++++++++++++++++++++++--
 net/netfilter/nf_conntrack_proto.c           |    2 +
 3 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 3d1450b..430cc71 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -45,10 +45,16 @@ struct nf_udp_net {
 	unsigned int timeouts[UDP_CT_MAX];
 };
 
+struct nf_icmp_net {
+	struct nf_proto_net pn;
+	unsigned int timeout;
+};
+
 struct nf_ip_net {
 	struct nf_generic_net   generic;
 	struct nf_tcp_net	tcp;
 	struct nf_udp_net	udp;
+	struct nf_icmp_net	icmp;
 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	struct ctl_table_header *ctl_table_header;
 	struct ctl_table	*ctl_table;
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 0847e37..f468d10 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -23,6 +23,11 @@
 
 static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;
 
+static inline struct nf_icmp_net *icmp_pernet(struct net *net)
+{
+	return &net->ct.proto.icmp;
+}
+
 static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 			      struct nf_conntrack_tuple *tuple)
 {
@@ -77,7 +82,7 @@ static int icmp_print_tuple(struct seq_file *s,
 
 static unsigned int *icmp_get_timeouts(struct net *net)
 {
-	return &nf_ct_icmp_timeout;
+	return &icmp_pernet(net)->timeout;
 }
 
 /* Returns verdict for packet, or -1 for invalid. */
@@ -312,7 +317,6 @@ static struct ctl_table_header *icmp_sysctl_header;
 static struct ctl_table icmp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_icmp_timeout",
-		.data		= &nf_ct_icmp_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -323,7 +327,6 @@ static struct ctl_table icmp_sysctl_table[] = {
 static struct ctl_table icmp_compat_sysctl_table[] = {
 	{
 		.procname	= "ip_conntrack_icmp_timeout",
-		.data		= &nf_ct_icmp_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -333,10 +336,39 @@ static struct ctl_table icmp_compat_sysctl_table[] = {
 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
 #endif /* CONFIG_SYSCTL */
 
+static int icmp_init_net(struct net *net, u_int8_t compat)
+{
+	struct nf_icmp_net *in = icmp_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)in;
+	in->timeout = nf_ct_icmp_timeout;
+
+#ifdef CONFIG_SYSCTL
+	pn->ctl_table = kmemdup(icmp_sysctl_table,
+				sizeof(icmp_sysctl_table),
+				GFP_KERNEL);
+	if (!pn->ctl_table)
+		return -ENOMEM;
+	pn->ctl_table[0].data = &in->timeout;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	pn->ctl_compat_table = kmemdup(icmp_compat_sysctl_table,
+				       sizeof(icmp_compat_sysctl_table),
+				       GFP_KERNEL);
+	if (!pn->ctl_compat_table) {
+		kfree(pn->ctl_table);
+		pn->ctl_table = NULL;
+		return -ENOMEM;
+	}
+	pn->ctl_compat_table[0].data = &in->timeout;
+#endif
+#endif
+	return 0;
+}
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
 {
 	.l3proto		= PF_INET,
 	.l4proto		= IPPROTO_ICMP,
+	.compat			= 1,
 	.name			= "icmp",
 	.pkt_to_tuple		= icmp_pkt_to_tuple,
 	.invert_tuple		= icmp_invert_tuple,
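Review bot: `icmp_init_net` gets `pn` by casting `in` to `struct nf_proto_net *`, which is only valid while `pn` stays the first member of `struct nf_icmp_net`, and nothing in the patch enforces that layout. Taking the member address, `struct nf_proto_net *pn = &in->pn;`, expresses the same thing without the cast and survives a reordering of the struct. The same cast appears in `icmpv6_init_net`, `dccp_init_net` and `udplite_init_net` later in the series, and in the `nf_ct_l4proto_net` switch. The `compat` argument is never read here, so a one-line comment saying why both tables are always duplicated would help. The `nf_conntrack_l4proto_icmp` initializer continues outside the hunk.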
@@ -369,4 +401,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
 	.ctl_compat_table	= icmp_compat_sysctl_table,
 #endif
 #endif
+	.init_net		= icmp_init_net,
 };
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index ba96447..fc0accd 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -292,6 +292,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
 		return (struct nf_proto_net *)&net->ct.proto.tcp;
 	case IPPROTO_UDP:
 		return (struct nf_proto_net *)&net->ct.proto.udp;
+	case IPPROTO_ICMP:
+		return (struct nf_proto_net *)&net->ct.proto.icmp;
 	case 255: /* l4proto_generic */
 		return (struct nf_proto_net *)&net->ct.proto.generic;
 	default:
-- 
1.7.7.6


* [PATCH 10/17] netfilter: add namespace support for l3proto_ipv6
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

add pernet_operations ipv6_net_ops and register it when
module nf_conntrack_ipv6 is loaded.

move the l4proto_register and l3proto_register from module_init
function to ipv6_net_ops.init.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |   88 ++++++++++++++++--------
 1 files changed, 59 insertions(+), 29 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 6cfbe7b..7553019 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -334,37 +334,75 @@ MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
 
-static int __init nf_conntrack_l3proto_ipv6_init(void)
+static int ipv6_net_init(struct net *net)
 {
 	int ret = 0;
 
-	need_conntrack();
-	nf_defrag_ipv6_enable();
-
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp6);
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_tcp6);
 	if (ret < 0) {
-		pr_err("nf_conntrack_ipv6: can't register tcp.\n");
-		return ret;
+		printk(KERN_ERR "nf_conntrack_l4proto_tcp6: protocol register failed\n");
+		goto out;
 	}
-
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp6);
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_udp6);
 	if (ret < 0) {
-		pr_err("nf_conntrack_ipv6: can't register udp.\n");
-		goto cleanup_tcp;
+		printk(KERN_ERR "nf_conntrack_l4proto_udp6: protocol register failed\n");
+		goto cleanup_tcp6;
 	}
-
-	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmpv6);
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_icmpv6);
 	if (ret < 0) {
-		pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
-		goto cleanup_udp;
+		printk(KERN_ERR "nf_conntrack_l4proto_icmp6: protocol register failed\n");
+		goto cleanup_udp6;
 	}
-
-	ret = nf_conntrack_l3proto_register(&init_net, &nf_conntrack_l3proto_ipv6);
+	ret = nf_conntrack_l3proto_register(net,
+					    &nf_conntrack_l3proto_ipv6);
 	if (ret < 0) {
-		pr_err("nf_conntrack_ipv6: can't register ipv6\n");
+		printk(KERN_ERR "nf_conntrack_l3proto_ipv6: protocol register failed\n");
 		goto cleanup_icmpv6;
 	}
+	return 0;
+ cleanup_icmpv6:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_icmpv6);
+ cleanup_udp6:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_udp6);
+ cleanup_tcp6:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_tcp6);
+ out:
+	return ret;
+}
 
+static void ipv6_net_exit(struct net *net)
+{
+	nf_conntrack_l3proto_unregister(net,
+					&nf_conntrack_l3proto_ipv6);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_icmpv6);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_udp6);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_tcp6);
+}
+
+static struct pernet_operations ipv6_net_ops = {
+	.init = ipv6_net_init,
+	.exit = ipv6_net_exit,
+};
+
+static int __init nf_conntrack_l3proto_ipv6_init(void)
+{
+	int ret = 0;
+
+	need_conntrack();
+	nf_defrag_ipv6_enable();
+
+	ret = register_pernet_subsys(&ipv6_net_ops);
+	if (ret < 0)
+		goto cleanup_pernet;
 	ret = nf_register_hooks(ipv6_conntrack_ops,
 				ARRAY_SIZE(ipv6_conntrack_ops));
 	if (ret < 0) {
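Review bot: The new `ipv6_net_init` reports failures with `printk(KERN_ERR ...)`, although the code it replaces used `pr_err` and the dccp and udplite patches in this series use `pr_err` as well; `pr_err("nf_conntrack_l4proto_tcp6: protocol register failed\n");` would stay consistent. The icmpv6 message names `nf_conntrack_l4proto_icmp6`, which is not the symbol being registered (`nf_conntrack_l4proto_icmpv6`), so a log search for the symbol will miss it. `ipv6_net_init` and `ipv6_net_exit` also lack the `__net_init`/`__net_exit` annotations that `dccp_net_init`/`dccp_net_exit` carry. `nf_conntrack_l3proto_ipv6_init` continues outside the hunk.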
@@ -375,13 +413,8 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
 	return ret;
 
  cleanup_ipv6:
-	nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
- cleanup_icmpv6:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
- cleanup_udp:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
- cleanup_tcp:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
+	unregister_pernet_subsys(&ipv6_net_ops);
+ cleanup_pernet:
 	return ret;
 }
 
@@ -389,10 +422,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
 {
 	synchronize_net();
 	nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
-	nf_conntrack_l3proto_unregister(&init_net, &nf_conntrack_l3proto_ipv6);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
+	unregister_pernet_subsys(&ipv6_net_ops);
 }
 
 module_init(nf_conntrack_l3proto_ipv6_init);
-- 
1.7.7.6


* [PATCH 08/17] netfilter: add namespace support for l4proto_icmpv6
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

implement icmpv6_init_net to initialize the pernet data for
icmpv6 proto.

because nf_icmp_net is a field of netns_ct, when proto is icmpv6,
return net->ct.proto.icmpv6 in function nf_ct_l4proto_net.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netns/conntrack.h                  |    1 +
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |   26 ++++++++++++++++++++++-
 net/netfilter/nf_conntrack_proto.c             |    2 +
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 430cc71..3409b26 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -55,6 +55,7 @@ struct nf_ip_net {
 	struct nf_tcp_net	tcp;
 	struct nf_udp_net	udp;
 	struct nf_icmp_net	icmp;
+	struct nf_icmp_net	icmpv6;
 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	struct ctl_table_header *ctl_table_header;
 	struct ctl_table	*ctl_table;
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 3e81904..3cb422e 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -29,6 +29,11 @@
 
 static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
 
+static inline struct nf_icmp_net *icmpv6_pernet(struct net *net)
+{
+	return &net->ct.proto.icmpv6;
+}
+
 static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
 				unsigned int dataoff,
 				struct nf_conntrack_tuple *tuple)
@@ -90,7 +95,7 @@ static int icmpv6_print_tuple(struct seq_file *s,
 
 static unsigned int *icmpv6_get_timeouts(struct net *net)
 {
-	return &nf_ct_icmpv6_timeout;
+	return &icmpv6_pernet(net)->timeout;
 }
 
 /* Returns verdict for packet, or -1 for invalid. */
@@ -319,7 +324,6 @@ static struct ctl_table_header *icmpv6_sysctl_header;
 static struct ctl_table icmpv6_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_icmpv6_timeout",
-		.data		= &nf_ct_icmpv6_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -328,10 +332,27 @@ static struct ctl_table icmpv6_sysctl_table[] = {
 };
 #endif /* CONFIG_SYSCTL */
 
+static int icmpv6_init_net(struct net *net, u_int8_t compat)
+{
+	struct nf_icmp_net *in = icmpv6_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)in;
+	in->timeout = nf_ct_icmpv6_timeout;
+#ifdef CONFIG_SYSCTL
+	pn->ctl_table = kmemdup(icmpv6_sysctl_table,
+				sizeof(icmpv6_sysctl_table),
+				GFP_KERNEL);
+	if (!pn->ctl_table)
+		return -ENOMEM;
+	pn->ctl_table[0].data = &in->timeout;
+#endif
+	return 0;
+}
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
 {
 	.l3proto		= PF_INET6,
 	.l4proto		= IPPROTO_ICMPV6,
+	.compat			= 0,
 	.name			= "icmpv6",
 	.pkt_to_tuple		= icmpv6_pkt_to_tuple,
 	.invert_tuple		= icmpv6_invert_tuple,
@@ -359,4 +380,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
 	.ctl_table_header	= &icmpv6_sysctl_header,
 	.ctl_table		= icmpv6_sysctl_table,
 #endif
+	.init_net		= icmpv6_init_net,
 };
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index fc0accd..79b7c76 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -294,6 +294,8 @@ static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
 		return (struct nf_proto_net *)&net->ct.proto.udp;
 	case IPPROTO_ICMP:
 		return (struct nf_proto_net *)&net->ct.proto.icmp;
+	case IPPROTO_ICMPV6:
+		return (struct nf_proto_net *)&net->ct.proto.icmpv6;
 	case 255: /* l4proto_generic */
 		return (struct nf_proto_net *)&net->ct.proto.generic;
 	default:
-- 
1.7.7.6


* [PATCH 13/17] netfilter: adjust l4proto_dccp to the nf_conntrack_l4proto_register
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

move the nf_conntrack_l4proto_register from module_init to
dccp_net_ops.init,and change the struct dccp_net to adjust
to the nf_conntrack_l4proto_register.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto_dccp.c |  135 ++++++++++++++++---------------
 1 files changed, 69 insertions(+), 66 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 5a8e037..034f8ea 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -387,12 +387,9 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] =
 /* this module per-net specifics */
 static int dccp_net_id __read_mostly;
 struct dccp_net {
+	struct nf_proto_net np;
 	int dccp_loose;
 	unsigned int dccp_timeout[CT_DCCP_MAX + 1];
-#ifdef CONFIG_SYSCTL
-	struct ctl_table_header *sysctl_header;
-	struct ctl_table *sysctl_table;
-#endif
 };
 
 static inline struct dccp_net *dccp_pernet(struct net *net)
@@ -817,9 +814,50 @@ static struct ctl_table dccp_sysctl_table[] = {
 };
 #endif /* CONFIG_SYSCTL */
 
+static int dccp_init_net(struct net *net, u_int8_t compat)
+{
+
+	struct dccp_net *dn = dccp_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)dn;
+
+#ifdef CONFIG_SYSCTL
+	if (!pn->ctl_table) {
+#else
+	if (!pn->users++) {
+#endif
+		/* default values */
+		dn->dccp_loose = 1;
+		dn->dccp_timeout[CT_DCCP_REQUEST]	= 2 * DCCP_MSL;
+		dn->dccp_timeout[CT_DCCP_RESPOND]	= 4 * DCCP_MSL;
+		dn->dccp_timeout[CT_DCCP_PARTOPEN]	= 4 * DCCP_MSL;
+		dn->dccp_timeout[CT_DCCP_OPEN]		= 12 * 3600 * HZ;
+		dn->dccp_timeout[CT_DCCP_CLOSEREQ]	= 64 * HZ;
+		dn->dccp_timeout[CT_DCCP_CLOSING]	= 64 * HZ;
+		dn->dccp_timeout[CT_DCCP_TIMEWAIT]	= 2 * DCCP_MSL;
+#ifdef CONFIG_SYSCTL
+		pn->ctl_table = kmemdup(dccp_sysctl_table,
+					sizeof(dccp_sysctl_table),
+					GFP_KERNEL);
+		if (!pn->ctl_table)
+			return -ENOMEM;
+
+		pn->ctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
+		pn->ctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
+		pn->ctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
+		pn->ctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
+		pn->ctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
+		pn->ctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
+		pn->ctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
+		pn->ctl_table[7].data = &dn->dccp_loose;
+#endif
+	}
+	return 0;
+}
+
 static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
 	.l3proto		= AF_INET,
 	.l4proto		= IPPROTO_DCCP,
+	.compat			= 0,
 	.name			= "dccp",
 	.pkt_to_tuple		= dccp_pkt_to_tuple,
 	.invert_tuple		= dccp_invert_tuple,
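Review bot: The `if` header in `dccp_init_net` is split across `#ifdef CONFIG_SYSCTL`/`#else`, so one opening brace belongs to two different conditions and its closing brace sits after a second `#ifdef` block; this is easy to break when either branch is edited. Computing the first-user condition into a local and returning early gives both configurations one brace structure, as sketched below. `udplite_init_net` in patch 12/17 uses the same construct. In the non-sysctl build the guard increments `pn->users` as a side effect and the matching decrement is not visible in this patch, so it is worth confirming that unregister balances it.

```c
static int dccp_init_net(struct net *net, u_int8_t compat)
{
	/* … unchanged: dn and pn declarations … */
	bool first_user;

#ifdef CONFIG_SYSCTL
	first_user = !pn->ctl_table;
#else
	first_user = !pn->users++;
#endif
	if (!first_user)
		return 0;

	/* … unchanged: default values, kmemdup() of dccp_sysctl_table, .data assignments … */
	return 0;
}
```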
@@ -847,11 +885,14 @@ static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
 		.nla_policy	= dccp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+	.net_id			= &dccp_net_id,
+	.init_net		= dccp_init_net,
 };
 
 static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
 	.l3proto		= AF_INET6,
 	.l4proto		= IPPROTO_DCCP,
+	.compat			= 0,
 	.name			= "dccp",
 	.pkt_to_tuple		= dccp_pkt_to_tuple,
 	.invert_tuple		= dccp_invert_tuple,
@@ -879,55 +920,39 @@ static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
 		.nla_policy	= dccp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+	.net_id			= &dccp_net_id,
+	.init_net		= dccp_init_net,
 };
 
 static __net_init int dccp_net_init(struct net *net)
 {
-	struct dccp_net *dn = dccp_pernet(net);
-
-	/* default values */
-	dn->dccp_loose = 1;
-	dn->dccp_timeout[CT_DCCP_REQUEST]	= 2 * DCCP_MSL;
-	dn->dccp_timeout[CT_DCCP_RESPOND]	= 4 * DCCP_MSL;
-	dn->dccp_timeout[CT_DCCP_PARTOPEN]	= 4 * DCCP_MSL;
-	dn->dccp_timeout[CT_DCCP_OPEN]		= 12 * 3600 * HZ;
-	dn->dccp_timeout[CT_DCCP_CLOSEREQ]	= 64 * HZ;
-	dn->dccp_timeout[CT_DCCP_CLOSING]	= 64 * HZ;
-	dn->dccp_timeout[CT_DCCP_TIMEWAIT]	= 2 * DCCP_MSL;
-
-#ifdef CONFIG_SYSCTL
-	dn->sysctl_table = kmemdup(dccp_sysctl_table,
-			sizeof(dccp_sysctl_table), GFP_KERNEL);
-	if (!dn->sysctl_table)
-		return -ENOMEM;
-
-	dn->sysctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
-	dn->sysctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
-	dn->sysctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
-	dn->sysctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
-	dn->sysctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
-	dn->sysctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
-	dn->sysctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
-	dn->sysctl_table[7].data = &dn->dccp_loose;
-
-	dn->sysctl_header = register_net_sysctl(net, "net/netfilter",
-						dn->sysctl_table);
-	if (!dn->sysctl_header) {
-		kfree(dn->sysctl_table);
-		return -ENOMEM;
+	int ret = 0;
+	ret = nf_conntrack_l4proto_register(net,
+					    &dccp_proto4);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_dccp4 :protocol register failed.\n");
+		goto out;
+	}
+	ret = nf_conntrack_l4proto_register(net,
+					    &dccp_proto6);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_dccp6 :protocol register failed.\n");
+		goto cleanup_dccp4;
 	}
-#endif
-
 	return 0;
+cleanup_dccp4:
+	nf_conntrack_l4proto_unregister(net,
+					&dccp_proto4);
+out:
+	return ret;
 }
 
 static __net_exit void dccp_net_exit(struct net *net)
 {
-	struct dccp_net *dn = dccp_pernet(net);
-#ifdef CONFIG_SYSCTL
-	unregister_net_sysctl_table(dn->sysctl_header);
-	kfree(dn->sysctl_table);
-#endif
+	nf_conntrack_l4proto_unregister(net,
+					&dccp_proto6);
+	nf_conntrack_l4proto_unregister(net,
+					&dccp_proto4);
 }
 
 static struct pernet_operations dccp_net_ops = {
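Review bot: `dccp_net_exit` no longer calls `unregister_net_sysctl_table()` or `kfree()` on the duplicated table, while `dccp_init_net` still allocates `pn->ctl_table` with `kmemdup()` for each namespace. Presumably `nf_conntrack_l4proto_unregister()` now unregisters and frees it, but that is not visible in this patch; if it does not, every namespace teardown leaks the table. Once confirmed, a comment in `dccp_net_exit` such as `/* per-net sysctl table is released by nf_conntrack_l4proto_unregister() */` would record the ownership transfer.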
@@ -939,34 +964,12 @@ static struct pernet_operations dccp_net_ops = {
 
 static int __init nf_conntrack_proto_dccp_init(void)
 {
-	int err;
-
-	err = register_pernet_subsys(&dccp_net_ops);
-	if (err < 0)
-		goto err1;
-
-	err = nf_conntrack_l4proto_register(&init_net, &dccp_proto4);
-	if (err < 0)
-		goto err2;
-
-	err = nf_conntrack_l4proto_register(&init_net, &dccp_proto6);
-	if (err < 0)
-		goto err3;
-	return 0;
-
-err3:
-	nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
-err2:
-	unregister_pernet_subsys(&dccp_net_ops);
-err1:
-	return err;
+	return register_pernet_subsys(&dccp_net_ops);
 }
 
 static void __exit nf_conntrack_proto_dccp_fini(void)
 {
 	unregister_pernet_subsys(&dccp_net_ops);
-	nf_conntrack_l4proto_unregister(&init_net, &dccp_proto6);
-	nf_conntrack_l4proto_unregister(&init_net, &dccp_proto4);
 }
 
 module_init(nf_conntrack_proto_dccp_init);
-- 
1.7.7.6


* [PATCH 12/17] netfilter: add namespace support for l4proto_udplite
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

add pernet_operations udplite_net_ops and register it when
module nf_conntrack_proto_udplite is loaded.
move the l4proto_register from module_init function to
udplite_net_ops.init.

and implement udplite_init_net to initial the pernet sysctl
table for udplite[4,6] protos.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto_udplite.c |  103 +++++++++++++++++++++++-----
 1 files changed, 85 insertions(+), 18 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index fa142a8..1e90cf5 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -35,6 +35,17 @@ static unsigned int udplite_timeouts[UDPLITE_CT_MAX] = {
 	[UDPLITE_CT_REPLIED]	= 180*HZ,
 };
 
+static int udplite_net_id __read_mostly;
+struct udplite_net {
+	struct nf_proto_net pn;
+	unsigned int timeouts[UDPLITE_CT_MAX];
+};
+
+static inline struct udplite_net *udplite_pernet(struct net *net)
+{
+	return net_generic(net, udplite_net_id);
+}
+
 static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
 				 unsigned int dataoff,
 				 struct nf_conntrack_tuple *tuple)
@@ -70,7 +81,7 @@ static int udplite_print_tuple(struct seq_file *s,
 
 static unsigned int *udplite_get_timeouts(struct net *net)
 {
-	return udplite_timeouts;
+	return udplite_pernet(net)->timeouts;
 }
 
 /* Returns verdict for packet, and may modify conntracktype */
@@ -209,14 +220,12 @@ static struct ctl_table_header *udplite_sysctl_header;
 static struct ctl_table udplite_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_udplite_timeout",
-		.data		= &udplite_timeouts[UDPLITE_CT_UNREPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
 	{
 		.procname	= "nf_conntrack_udplite_timeout_stream",
-		.data		= &udplite_timeouts[UDPLITE_CT_REPLIED],
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -225,10 +234,36 @@ static struct ctl_table udplite_sysctl_table[] = {
 };
 #endif /* CONFIG_SYSCTL */
 
+static int udplite_init_net(struct net *net, u_int8_t compat)
+{
+	int i;
+	struct udplite_net *un = udplite_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)un;
+#ifdef CONFIG_SYSCTL
+	if (!pn->ctl_table) {
+#else
+	if (!pn->users++) {
+#endif
+		for (i = 0 ; i < UDPLITE_CT_MAX; i++)
+			un->timeouts[i] = udplite_timeouts[i];
+#ifdef CONFIG_SYSCTL
+		pn->ctl_table = kmemdup(udplite_sysctl_table,
+					sizeof(udplite_sysctl_table),
+					GFP_KERNEL);
+		if (!pn->ctl_table)
+			return -ENOMEM;
+		pn->ctl_table[0].data = &un->timeouts[UDPLITE_CT_UNREPLIED];
+		pn->ctl_table[1].data = &un->timeouts[UDPLITE_CT_REPLIED];
+#endif
+	}
+	return 0;
+}
+
 static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
 {
 	.l3proto		= PF_INET,
 	.l4proto		= IPPROTO_UDPLITE,
+	.compat			= 0,
 	.name			= "udplite",
 	.pkt_to_tuple		= udplite_pkt_to_tuple,
 	.invert_tuple		= udplite_invert_tuple,
@@ -258,12 +293,15 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
 	.ctl_table_header	= &udplite_sysctl_header,
 	.ctl_table		= udplite_sysctl_table,
 #endif
+	.net_id			= &udplite_net_id,
+	.init_net		= udplite_init_net,
 };
 
 static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
 {
 	.l3proto		= PF_INET6,
 	.l4proto		= IPPROTO_UDPLITE,
+	.compat			= 0,
 	.name			= "udplite",
 	.pkt_to_tuple		= udplite_pkt_to_tuple,
 	.invert_tuple		= udplite_invert_tuple,
@@ -293,29 +331,58 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
 	.ctl_table_header	= &udplite_sysctl_header,
 	.ctl_table		= udplite_sysctl_table,
 #endif
+	.net_id			= &udplite_net_id,
+	.init_net		= udplite_init_net,
 };
 
-static int __init nf_conntrack_proto_udplite_init(void)
+static int udplite_net_init(struct net *net)
 {
-	int err;
-
-	err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite4);
-	if (err < 0)
-		goto err1;
-	err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite6);
-	if (err < 0)
-		goto err2;
+	int ret = 0;
+
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_udplite4);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_udplite4 :protocol register failed.\n");
+		goto out;
+	}
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_udplite6);
+	if (ret < 0) {
+		pr_err("nf_conntrack_l4proto_udplite4 :protocol register failed.\n");
+		goto cleanup_udplite4;
+	}
 	return 0;
-err2:
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
-err1:
-	return err;
+
+cleanup_udplite4:
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_udplite4);
+out:
+	return ret;
+}
+
+static void udplite_net_exit(struct net *net)
+{
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_udplite6);
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_udplite4);
+}
+
+static struct pernet_operations udplite_net_ops = {
+	.init = udplite_net_init,
+	.exit = udplite_net_exit,
+	.id   = &udplite_net_id,
+	.size = sizeof(struct udplite_net),
+};
+
+static int __init nf_conntrack_proto_udplite_init(void)
+{
+	return register_pernet_subsys(&udplite_net_ops);
 }
 
 static void __exit nf_conntrack_proto_udplite_exit(void)
 {
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite6);
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
+	unregister_pernet_subsys(&udplite_net_ops);
 }
 
 module_init(nf_conntrack_proto_udplite_init);
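Review bot: In `udplite_net_init` the failure message for the second registration (`nf_conntrack_l4proto_udplite6`) still says `udplite4`, so the log cannot tell which of the two protocols failed to register. It should read `pr_err("nf_conntrack_l4proto_udplite6 :protocol register failed.\n");`. `udplite_net_init` and `udplite_net_exit` also lack the `__net_init`/`__net_exit` annotations used on the dccp equivalents in this series.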
-- 
1.7.7.6


* [PATCH 14/17] netfilter: adjust l4proto_gre4 to the nf_conntrack_l4proto_register
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

move the nf_conntrack_l4proto_register from module_init to
proto_gre_net_ops.init.

and use gre_pernet to replace net_generic.

because gre proto has no sysctl,so only need to initial pernet data
for gre proto.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nf_conntrack_proto_gre.c |   56 ++++++++++++++++++++------------
 1 files changed, 35 insertions(+), 21 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 132f0d2..8d70452 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -54,13 +54,20 @@ static unsigned int gre_timeouts[GRE_CT_MAX] = {
 
 static int proto_gre_net_id __read_mostly;
 struct netns_proto_gre {
+	struct nf_proto_net	nf;
 	rwlock_t		keymap_lock;
 	struct list_head	keymap_list;
+	unsigned int		gre_timeouts[GRE_CT_MAX];
 };
 
+static inline struct netns_proto_gre *gre_pernet(struct net *net)
+{
+	return net_generic(net, proto_gre_net_id);
+}
+
 void nf_ct_gre_keymap_flush(struct net *net)
 {
-	struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+	struct netns_proto_gre *net_gre = gre_pernet(net);
 	struct nf_ct_gre_keymap *km, *tmp;
 
 	write_lock_bh(&net_gre->keymap_lock);
@@ -85,7 +92,7 @@ static inline int gre_key_cmpfn(const struct nf_ct_gre_keymap *km,
 /* look up the source key for a given tuple */
 static __be16 gre_keymap_lookup(struct net *net, struct nf_conntrack_tuple *t)
 {
-	struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+	struct netns_proto_gre *net_gre = gre_pernet(net);
 	struct nf_ct_gre_keymap *km;
 	__be16 key = 0;
 
@@ -109,7 +116,7 @@ int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir,
 			 struct nf_conntrack_tuple *t)
 {
 	struct net *net = nf_ct_net(ct);
-	struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+	struct netns_proto_gre *net_gre = gre_pernet(net);
 	struct nf_conn_help *help = nfct_help(ct);
 	struct nf_ct_gre_keymap **kmp, *km;
 
@@ -150,7 +157,7 @@ EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_add);
 void nf_ct_gre_keymap_destroy(struct nf_conn *ct)
 {
 	struct net *net = nf_ct_net(ct);
-	struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
+	struct netns_proto_gre *net_gre = gre_pernet(net);
 	struct nf_conn_help *help = nfct_help(ct);
 	enum ip_conntrack_dir dir;
 
@@ -237,7 +244,7 @@ static int gre_print_conntrack(struct seq_file *s, struct nf_conn *ct)
 
 static unsigned int *gre_get_timeouts(struct net *net)
 {
-	return gre_timeouts;
+	return gre_pernet(net)->gre_timeouts;
 }
 
 /* Returns verdict for packet, and may modify conntrack */
@@ -339,6 +346,18 @@ gre_timeout_nla_policy[CTA_TIMEOUT_GRE_MAX+1] = {
 };
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
+static int gre_init_net(struct net *net, u_int8_t compat)
+{
+	int i;
+	struct netns_proto_gre *net_gre = gre_pernet(net);
+
+	rwlock_init(&net_gre->keymap_lock);
+	INIT_LIST_HEAD(&net_gre->keymap_list);
+	for (i = 0; i < GRE_CT_MAX; i++)
+		net_gre->gre_timeouts[i] = gre_timeouts[i];
+	return 0;
+}
+
 /* protocol helper struct */
 static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
 	.l3proto	 = AF_INET,
@@ -368,20 +387,24 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
 		.nla_policy	= gre_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+	.net_id		= &proto_gre_net_id,
+	.init_net	= gre_init_net,
 };
 
 static int proto_gre_net_init(struct net *net)
 {
-	struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
-
-	rwlock_init(&net_gre->keymap_lock);
-	INIT_LIST_HEAD(&net_gre->keymap_list);
-
-	return 0;
+	int ret = 0;
+	ret = nf_conntrack_l4proto_register(net,
+					    &nf_conntrack_l4proto_gre4);
+	if (ret < 0)
+		pr_err("nf_conntrack_l4proto_gre4 :protocol register failed.\n");
+	return ret;
 }
 
 static void proto_gre_net_exit(struct net *net)
 {
+	nf_conntrack_l4proto_unregister(net,
+					&nf_conntrack_l4proto_gre4);
 	nf_ct_gre_keymap_flush(net);
 }
 
@@ -394,20 +417,11 @@ static struct pernet_operations proto_gre_net_ops = {
 
 static int __init nf_ct_proto_gre_init(void)
 {
-	int rv;
-
-	rv = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_gre4);
-	if (rv < 0)
-		return rv;
-	rv = register_pernet_subsys(&proto_gre_net_ops);
-	if (rv < 0)
-		nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
-	return rv;
+	return register_pernet_subsys(&proto_gre_net_ops);
 }
 
 static void __exit nf_ct_proto_gre_fini(void)
 {
-	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_gre4);
 	unregister_pernet_subsys(&proto_gre_net_ops);
 }
 
-- 
1.7.7.6


* [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

delete the sysctl data that is no longer used for l4proto and l3proto.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netfilter/nf_conntrack_l3proto.h   |    2 --
 include/net/netfilter/nf_conntrack_l4proto.h   |   10 ----------
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    1 -
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    8 --------
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    5 -----
 net/netfilter/nf_conntrack_proto_generic.c     |    8 --------
 net/netfilter/nf_conntrack_proto_sctp.c        |   15 ---------------
 net/netfilter/nf_conntrack_proto_tcp.c         |   15 ---------------
 net/netfilter/nf_conntrack_proto_udp.c         |   15 ---------------
 net/netfilter/nf_conntrack_proto_udplite.c     |   12 ------------
 10 files changed, 0 insertions(+), 91 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index d6df8c7..6f7c13f 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -64,9 +64,7 @@ struct nf_conntrack_l3proto {
 	size_t nla_size;
 
 #ifdef CONFIG_SYSCTL
-	struct ctl_table_header	*ctl_table_header;
 	const char		*ctl_table_path;
-	struct ctl_table	*ctl_table;
 #endif /* CONFIG_SYSCTL */
 
 	/* Init l3proto pernet data */
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 0d329b9..4881df34 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -95,16 +95,6 @@ struct nf_conntrack_l4proto {
 		const struct nla_policy *nla_policy;
 	} ctnl_timeout;
 #endif
-
-#ifdef CONFIG_SYSCTL
-	struct ctl_table_header	**ctl_table_header;
-	struct ctl_table	*ctl_table;
-	unsigned int		*ctl_table_users;
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	struct ctl_table_header	*ctl_compat_table_header;
-	struct ctl_table	*ctl_compat_table;
-#endif
-#endif
 	int	*net_id;
 	/* Init l4proto pernet data */
 	int (*init_net)(struct net *net, u_int8_t compat);
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 1dd17ed..173da4d 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -379,7 +379,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
 #endif
 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	.ctl_table_path  = "net/ipv4/netfilter",
-	.ctl_table	 = ip_ct_sysctl_table,
 #endif
 	.init_net	= ipv4_init_net,
 	.me		 = THIS_MODULE,
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index f468d10..90da247 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -313,7 +313,6 @@ icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *icmp_sysctl_header;
 static struct ctl_table icmp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_icmp_timeout",
@@ -394,12 +393,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
 		.nla_policy	= icmp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_header	= &icmp_sysctl_header,
-	.ctl_table		= icmp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= icmp_compat_sysctl_table,
-#endif
-#endif
 	.init_net		= icmp_init_net,
 };
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 3cb422e..12ca315 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -320,7 +320,6 @@ icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *icmpv6_sysctl_header;
 static struct ctl_table icmpv6_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_icmpv6_timeout",
@@ -376,9 +375,5 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
 		.nla_policy	= icmpv6_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_header	= &icmpv6_sysctl_header,
-	.ctl_table		= icmpv6_sysctl_table,
-#endif
 	.init_net		= icmpv6_init_net,
 };
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 7976a64..0f87a77 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -111,7 +111,6 @@ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static struct ctl_table_header *generic_sysctl_header;
 static struct ctl_table generic_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_generic_timeout",
@@ -183,13 +182,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
 		.nla_policy	= generic_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_header	= &generic_sysctl_header,
-	.ctl_table		= generic_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= generic_compat_sysctl_table,
-#endif
-#endif
 	.init_net		= generic_init_net,
 };
 
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 3f0fdf8..291cef4 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -610,8 +610,6 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
 
 
 #ifdef CONFIG_SYSCTL
-static unsigned int sctp_sysctl_table_users;
-static struct ctl_table_header *sctp_sysctl_header;
 static struct ctl_table sctp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_sctp_timeout_closed",
@@ -791,14 +789,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
 		.nla_policy	= sctp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &sctp_sysctl_table_users,
-	.ctl_table_header	= &sctp_sysctl_header,
-	.ctl_table		= sctp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= sctp_compat_sysctl_table,
-#endif
-#endif
 	.net_id			= &sctp_net_id,
 	.init_net		= sctp_init_net,
 };
@@ -834,11 +824,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 #endif
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &sctp_sysctl_table_users,
-	.ctl_table_header	= &sctp_sysctl_header,
-	.ctl_table		= sctp_sysctl_table,
-#endif
 	.net_id			= &sctp_net_id,
 	.init_net		= sctp_init_net,
 };
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index dd19350..4d16b8a 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1363,8 +1363,6 @@ static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static unsigned int tcp_sysctl_table_users;
-static struct ctl_table_header *tcp_sysctl_header;
 static struct ctl_table tcp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_tcp_timeout_syn_sent",
@@ -1634,14 +1632,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
 		.nla_policy	= tcp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &tcp_sysctl_table_users,
-	.ctl_table_header	= &tcp_sysctl_header,
-	.ctl_table		= tcp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= tcp_compat_sysctl_table,
-#endif
-#endif
 	.init_net		= tcp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
@@ -1679,11 +1669,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
 		.nla_policy	= tcp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &tcp_sysctl_table_users,
-	.ctl_table_header	= &tcp_sysctl_header,
-	.ctl_table		= tcp_sysctl_table,
-#endif
 	.init_net		= tcp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 072ef9c..c38ab58 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -199,8 +199,6 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static unsigned int udp_sysctl_table_users;
-static struct ctl_table_header *udp_sysctl_header;
 static struct ctl_table udp_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_udp_timeout",
@@ -307,14 +305,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
 		.nla_policy	= udp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udp_sysctl_table_users,
-	.ctl_table_header	= &udp_sysctl_header,
-	.ctl_table		= udp_sysctl_table,
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-	.ctl_compat_table	= udp_compat_sysctl_table,
-#endif
-#endif
 	.init_net		= udp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
@@ -347,11 +337,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
 		.nla_policy	= udp_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udp_sysctl_table_users,
-	.ctl_table_header	= &udp_sysctl_header,
-	.ctl_table		= udp_sysctl_table,
-#endif
 	.init_net		= udp_init_net,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 1e90cf5..cb3dc81 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -215,8 +215,6 @@ udplite_timeout_nla_policy[CTA_TIMEOUT_UDPLITE_MAX+1] = {
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
-static unsigned int udplite_sysctl_table_users;
-static struct ctl_table_header *udplite_sysctl_header;
 static struct ctl_table udplite_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_udplite_timeout",
@@ -288,11 +286,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
 		.nla_policy	= udplite_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udplite_sysctl_table_users,
-	.ctl_table_header	= &udplite_sysctl_header,
-	.ctl_table		= udplite_sysctl_table,
-#endif
 	.net_id			= &udplite_net_id,
 	.init_net		= udplite_init_net,
 };
@@ -326,11 +319,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
 		.nla_policy	= udplite_timeout_nla_policy,
 	},
 #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#ifdef CONFIG_SYSCTL
-	.ctl_table_users	= &udplite_sysctl_table_users,
-	.ctl_table_header	= &udplite_sysctl_header,
-	.ctl_table		= udplite_sysctl_table,
-#endif
 	.net_id			= &udplite_net_id,
 	.init_net		= udplite_init_net,
 };
-- 
1.7.7.6


* [PATCH 16/17] netfilter: add namespace support for cttimeout
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

Add struct net as a parameter of ctnl_timeout.nlattr_to_obj.

Modify ctnl_timeout_parse_policy and cttimeout_new_timeout
to pass struct net on to nlattr_to_obj.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 include/net/netfilter/nf_conntrack_l4proto.h   |    3 ++-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    3 ++-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    3 ++-
 net/netfilter/nf_conntrack_proto_dccp.c        |    3 ++-
 net/netfilter/nf_conntrack_proto_generic.c     |    3 ++-
 net/netfilter/nf_conntrack_proto_gre.c         |    3 ++-
 net/netfilter/nf_conntrack_proto_sctp.c        |    3 ++-
 net/netfilter/nf_conntrack_proto_tcp.c         |    3 ++-
 net/netfilter/nf_conntrack_proto_udp.c         |    3 ++-
 net/netfilter/nf_conntrack_proto_udplite.c     |    3 ++-
 net/netfilter/nfnetlink_cttimeout.c            |   13 ++++++++-----
 11 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 4881df34..d8457c4 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -88,7 +88,8 @@ struct nf_conntrack_l4proto {
 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 	struct {
 		size_t obj_size;
-		int (*nlattr_to_obj)(struct nlattr *tb[], void *data);
+		int (*nlattr_to_obj)(struct nlattr *tb[],
+				     struct net *net, void *data);
 		int (*obj_to_nlattr)(struct sk_buff *skb, const void *data);
 
 		unsigned int nlattr_max;
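Review bot: The widened `nlattr_to_obj` callback carries no comment saying what `net` is for, and the implementations shown in this patch only change their signatures without reading it. A one-line comment above the member would make the contract clear to protocol authors, for example `/* net: namespace whose per-net default timeouts fill in attributes absent from tb[] */`. The enclosing struct nf_conntrack_l4proto begins and ends outside this hunk.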
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 90da247..c80b73c 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -279,7 +279,8 @@ static int icmp_nlattr_tuple_size(void)
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[],
+				      struct net *net, void *data)
 {
 	unsigned int *timeout = data;
 
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 12ca315..0ea5ba9 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -286,7 +286,8 @@ static int icmpv6_nlattr_tuple_size(void)
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[],
+					struct net *net, void *data)
 {
 	unsigned int *timeout = data;
 
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 034f8ea..b301fb0 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -712,7 +712,8 @@ static int dccp_nlattr_size(void)
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
+				      struct net *net, void *data)
 {
 	struct dccp_net *dn = dccp_pernet(&init_net);
 	unsigned int *timeouts = data;
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 0f87a77..de326f4 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -75,7 +75,8 @@ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int generic_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int generic_timeout_nlattr_to_obj(struct nlattr *tb[],
+					 struct net *net, void *data)
 {
 	unsigned int *timeout = data;
 
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 8d70452..e4cc5e4 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -304,7 +304,8 @@ static void gre_destroy(struct nf_conn *ct)
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int gre_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int gre_timeout_nlattr_to_obj(struct nlattr *tb[],
+				     struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
 
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 291cef4..a28f3c4 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -562,7 +562,8 @@ static int sctp_nlattr_size(void)
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
+				      struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
 	int i;
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 4d16b8a..c0c0010 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1259,7 +1259,8 @@ static int tcp_nlattr_tuple_size(void)
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
+				     struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
 	int i;
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index c38ab58..14444a9 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -156,7 +156,8 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int udp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
+				     struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
 
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index cb3dc81..34bd65f 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -172,7 +172,8 @@ static int udplite_error(struct net *net, struct nf_conn *tmpl,
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
 
-static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
+static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[],
+					 struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
 
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 3e65528..cdecbc8 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -49,8 +49,9 @@ static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
 
 static int
 ctnl_timeout_parse_policy(struct ctnl_timeout *timeout,
-			       struct nf_conntrack_l4proto *l4proto,
-			       const struct nlattr *attr)
+			  struct nf_conntrack_l4proto *l4proto,
+			  struct net *net,
+			  const struct nlattr *attr)
 {
 	int ret = 0;
 
@@ -60,7 +61,8 @@ ctnl_timeout_parse_policy(struct ctnl_timeout *timeout,
 		nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max,
 				 attr, l4proto->ctnl_timeout.nla_policy);
 
-		ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, &timeout->data);
+		ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net,
+							  &timeout->data);
 	}
 	return ret;
 }
@@ -74,6 +76,7 @@ cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
 	__u8 l4num;
 	struct nf_conntrack_l4proto *l4proto;
 	struct ctnl_timeout *timeout, *matching = NULL;
+	struct net *net = sock_net(skb->sk);
 	char *name;
 	int ret;
 
@@ -117,7 +120,7 @@ cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
 				goto err_proto_put;
 			}
 
-			ret = ctnl_timeout_parse_policy(matching, l4proto,
+			ret = ctnl_timeout_parse_policy(matching, l4proto, net,
 							cda[CTA_TIMEOUT_DATA]);
 			return ret;
 		}
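Review bot: The replace path ends in `return ret;` right after the updated `ctnl_timeout_parse_policy(matching, l4proto, net, ...)` call, while the mismatch case a few lines above leaves through `goto err_proto_put`. If `l4proto` carries a reference taken earlier in cttimeout_new_timeout (the lookup and the label are both outside this hunk), that reference is not dropped when an existing policy is replaced, since `matching` presumably already holds its own. Ending the branch with `goto err_proto_put;` instead of `return ret;` would release it on both success and failure; this should be confirmed against what the label actually does.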
@@ -132,7 +135,7 @@ cttimeout_new_timeout(struct sock *ctnl, struct sk_buff *skb,
 		goto err_proto_put;
 	}
 
-	ret = ctnl_timeout_parse_policy(timeout, l4proto,
+	ret = ctnl_timeout_parse_policy(timeout, l4proto, net,
 					cda[CTA_TIMEOUT_DATA]);
 	if (ret < 0)
 		goto err;
-- 
1.7.7.6


* [PATCH 17/17] netfilter: cttimeout use pernet data of l4proto
From: Gao feng @ 2012-05-14  8:52 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, serge.hallyn, ebiederm, dlezcano,
	Gao feng
In-Reply-To: <1336985547-31960-1-git-send-email-gaofeng@cn.fujitsu.com>

replace global data with pernet data of l4proto

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    3 ++-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    3 ++-
 net/netfilter/nf_conntrack_proto_dccp.c        |    2 +-
 net/netfilter/nf_conntrack_proto_generic.c     |    3 ++-
 net/netfilter/nf_conntrack_proto_gre.c         |    5 +++--
 net/netfilter/nf_conntrack_proto_sctp.c        |    3 ++-
 net/netfilter/nf_conntrack_proto_tcp.c         |    3 ++-
 net/netfilter/nf_conntrack_proto_udp.c         |    5 +++--
 net/netfilter/nf_conntrack_proto_udplite.c     |    5 +++--
 9 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index c80b73c..87e0827 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -283,13 +283,14 @@ static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[],
 				      struct net *net, void *data)
 {
 	unsigned int *timeout = data;
+	struct nf_icmp_net *in = icmp_pernet(net);
 
 	if (tb[CTA_TIMEOUT_ICMP_TIMEOUT]) {
 		*timeout =
 			ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT])) * HZ;
 	} else {
 		/* Set default ICMP timeout. */
-		*timeout = nf_ct_icmp_timeout;
+		*timeout = in->timeout;
 	}
 	return 0;
 }
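Review bot: The attribute branch stores `ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT])) * HZ` into an `unsigned int`, so a large value supplied over netlink wraps and yields a much shorter timeout than the one requested. The same expression appears in the icmpv6 and generic hunks of this patch. Since this function is being touched anyway, the input could be bounded before the multiplication, e.g. read the seconds into a local and add `if (secs > UINT_MAX / HZ) return -EINVAL;`.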
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 0ea5ba9..0a191a7 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -290,13 +290,14 @@ static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[],
 					struct net *net, void *data)
 {
 	unsigned int *timeout = data;
+	struct nf_icmp_net *in = icmpv6_pernet(net);
 
 	if (tb[CTA_TIMEOUT_ICMPV6_TIMEOUT]) {
 		*timeout =
 		    ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMPV6_TIMEOUT])) * HZ;
 	} else {
 		/* Set default ICMPv6 timeout. */
-		*timeout = nf_ct_icmpv6_timeout;
+		*timeout = in->timeout;
 	}
 	return 0;
 }
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index b301fb0..e7c71ed 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -715,7 +715,7 @@ static int dccp_nlattr_size(void)
 static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
 				      struct net *net, void *data)
 {
-	struct dccp_net *dn = dccp_pernet(&init_net);
+	struct dccp_net *dn = dccp_pernet(net);
 	unsigned int *timeouts = data;
 	int i;
 
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index de326f4..a69c478 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -79,13 +79,14 @@ static int generic_timeout_nlattr_to_obj(struct nlattr *tb[],
 					 struct net *net, void *data)
 {
 	unsigned int *timeout = data;
+	struct nf_generic_net *gn = generic_pernet(net);
 
 	if (tb[CTA_TIMEOUT_GENERIC_TIMEOUT])
 		*timeout =
 		    ntohl(nla_get_be32(tb[CTA_TIMEOUT_GENERIC_TIMEOUT])) * HZ;
 	else {
 		/* Set default generic timeout. */
-		*timeout = nf_ct_generic_timeout;
+		*timeout = gn->timeout;
 	}
 
 	return 0;
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index e4cc5e4..2a29ca5 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -308,10 +308,11 @@ static int gre_timeout_nlattr_to_obj(struct nlattr *tb[],
 				     struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
+	struct netns_proto_gre *net_gre = gre_pernet(net);
 
 	/* set default timeouts for GRE. */
-	timeouts[GRE_CT_UNREPLIED] = gre_timeouts[GRE_CT_UNREPLIED];
-	timeouts[GRE_CT_REPLIED] = gre_timeouts[GRE_CT_REPLIED];
+	timeouts[GRE_CT_UNREPLIED] = net_gre->gre_timeouts[GRE_CT_UNREPLIED];
+	timeouts[GRE_CT_REPLIED] = net_gre->gre_timeouts[GRE_CT_REPLIED];
 
 	if (tb[CTA_TIMEOUT_GRE_UNREPLIED]) {
 		timeouts[GRE_CT_UNREPLIED] =
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index a28f3c4..ee8f2b5 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -566,11 +566,12 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
 				      struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
+	struct sctp_net *sn = sctp_pernet(net);
 	int i;
 
 	/* set default SCTP timeouts. */
 	for (i=0; i<SCTP_CONNTRACK_MAX; i++)
-		timeouts[i] = sctp_timeouts[i];
+		timeouts[i] = sn->timeouts[i];
 
 	/* there's a 1:1 mapping between attributes and protocol states. */
 	for (i=CTA_TIMEOUT_SCTP_UNSPEC+1; i<CTA_TIMEOUT_SCTP_MAX+1; i++) {
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index c0c0010..58f9523 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1263,11 +1263,12 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
 				     struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
+	struct nf_tcp_net *tn = tcp_pernet(net);
 	int i;
 
 	/* set default TCP timeouts. */
 	for (i=0; i<TCP_CONNTRACK_TIMEOUT_MAX; i++)
-		timeouts[i] = tcp_timeouts[i];
+		timeouts[i] = tn->timeouts[i];
 
 	if (tb[CTA_TIMEOUT_TCP_SYN_SENT]) {
 		timeouts[TCP_CONNTRACK_SYN_SENT] =
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 14444a9..70ed8b9 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -160,10 +160,11 @@ static int udp_timeout_nlattr_to_obj(struct nlattr *tb[],
 				     struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
+	struct nf_udp_net *un = udp_pernet(net);
 
 	/* set default timeouts for UDP. */
-	timeouts[UDP_CT_UNREPLIED] = udp_timeouts[UDP_CT_UNREPLIED];
-	timeouts[UDP_CT_REPLIED] = udp_timeouts[UDP_CT_REPLIED];
+	timeouts[UDP_CT_UNREPLIED] = un->timeouts[UDP_CT_UNREPLIED];
+	timeouts[UDP_CT_REPLIED] = un->timeouts[UDP_CT_REPLIED];
 
 	if (tb[CTA_TIMEOUT_UDP_UNREPLIED]) {
 		timeouts[UDP_CT_UNREPLIED] =
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 34bd65f..807c9ab 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -176,10 +176,11 @@ static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[],
 					 struct net *net, void *data)
 {
 	unsigned int *timeouts = data;
+	struct udplite_net *un = udplite_pernet(net);
 
 	/* set default timeouts for UDPlite. */
-	timeouts[UDPLITE_CT_UNREPLIED] = udplite_timeouts[UDPLITE_CT_UNREPLIED];
-	timeouts[UDPLITE_CT_REPLIED] = udplite_timeouts[UDPLITE_CT_REPLIED];
+	timeouts[UDPLITE_CT_UNREPLIED] = un->timeouts[UDPLITE_CT_UNREPLIED];
+	timeouts[UDPLITE_CT_REPLIED] = un->timeouts[UDPLITE_CT_REPLIED];
 
 	if (tb[CTA_TIMEOUT_UDPLITE_UNREPLIED]) {
 		timeouts[UDPLITE_CT_UNREPLIED] =
-- 
1.7.7.6


* 1500bytes packets coming out from ipsec tunnel
From: Marco Berizzi @ 2012-05-14  9:51 UTC (permalink / raw)
  To: netdev


Hi Folks,

I'm running a linux box (3.3.5) as
an ipsec gateway/firewall. There are
some sporadic network connectivity
problems with some of our network
clients.

Here is a tcpdump capture taken
on the ipsec gateway:
 
12:26:20.889697 IP (tos 0x0, ttl 127, id 20667, offset 0, flags [DF], proto: TCP (6), length: 52) 172.22.1.129.49772 > 10.16.178.113.80: S, cksum 0x03cc (correct), 1431292197:1431292197(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:26:20.932333 IP (tos 0x20, ttl 119, id 29189, offset 0, flags [none], proto: TCP (6), length: 52) 10.16.178.113.80 > 172.16.128.1.49772: S, cksum 0xacd3 (correct), 585947793:585947793(0) ack 1431292198 win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
12:26:20.963983 IP (tos 0x0, ttl 127, id 20668, offset 0, flags [DF], proto: TCP (6), length: 40) 172.22.1.129.49772 > 10.16.178.113.80: ., cksum 0x25e2 (correct), ack 585947794 win 16680
12:26:20.972126 IP (tos 0x0, ttl 127, id 20669, offset 0, flags [DF], proto: TCP (6), length: 1430) 172.22.1.129.49772 > 10.16.178.113.80: . 0:1390(1390) ack 1 win 16680
12:26:20.972563 IP (tos 0x0, ttl 127, id 20670, offset 0, flags [DF], proto: TCP (6), length: 241) 172.22.1.129.49772 > 10.16.178.113.80: P 1390:1591(201) ack 1 win 16680
12:26:21.016955 IP (tos 0x20, ttl 119, id 29190, offset 0, flags [DF], proto: TCP (6), length: 40) 10.16.178.113.80 > 172.16.128.1.49772: ., cksum 0xe767 (correct), ack 1592 win 64240
this is a 1500 bytes packet ====>>>>>> 12:26:21.020581 IP (tos 0x20, ttl 119, id 29191, offset 0, flags [DF], proto: TCP (6), length: 1500) 10.16.178.113.80 > 172.16.128.1.49772: . 1:1461(1460) ack 1592 win 64240
12:26:21.021155 IP (tos 0x20, ttl 119, id 29192, offset 0, flags [DF], proto: TCP (6), length: 429) 10.16.178.113.80 > 172.16.128.1.49772: P 1461:1850(389) ack 1592 win 64240
12:26:21.052193 IP (tos 0x0, ttl 127, id 20671, offset 0, flags [DF], proto: TCP (6), length: 52) 172.22.1.129.49772 > 10.16.178.113.80: ., cksum 0xe1a8 (correct), ack 1 win 16680 <nop,nop,sack 1 {1461:1850}>
12:26:24.061073 IP (tos 0x20, ttl 119, id 29321, offset 0, flags [DF], proto: TCP (6), length: 1500) 10.16.178.113.80 > 172.16.128.1.49772: . 1:1461(1460) ack 1592 win 64240
12:26:29.995309 IP (tos 0x20, ttl 119, id 29621, offset 0, flags [DF], proto: TCP (6), length: 1500) 10.16.178.113.80 > 172.16.128.1.49772: . 1:1461(1460) ack 1592 win 64240
12:26:40.438969 IP (tos 0x20, ttl 119, id 29874, offset 0, flags [DF], proto: TCP (6), length: 40) 10.16.178.113.80 > 172.16.128.1.49772: R, cksum 0xdb1b (correct), 1850:1850(0) ack 1592 win 0
12:26:40.464618 IP (tos 0x0, ttl 127, id 20680, offset 0, flags [DF], proto: TCP (6), length: 52) 172.22.1.129.49772 > 10.16.178.113.80: ., cksum 0xe1a8 (correct), ack 1 win 16680 <nop,nop,sack 1 {1461:1850}>
12:26:40.504737 IP (tos 0x20, ttl 119, id 29879, offset 0, flags [none], proto: TCP (6), length: 40) 10.16.178.113.80 > 172.16.128.1.49772: R, cksum 0x0993 (correct), 585947794:585947794(0) win 0
 
Take a look at the 1500 bytes
packet: this packet comes out
from a des3/md5 ipsec tunnel.
Mtu for that tunnel is 1446.
How could this happen?
 
Nevermind, packet has been
delivered, but the linux box
must re-route that one in an
aes/sha1/ipcomp ipsec tunnel
where the mtu is 1430. This
packet is never delivered.
This is the tcpdump capture
on the final gateway:
 
12:26:20.907803 IP (tos 0x0, ttl 128, id 20667, offset 0, flags [DF], length: 52) 172.22.1.129.49772 > 10.16.178.113.80: S [tcp sum ok] 1431292197:1431292197(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:26:20.982131 IP (tos 0x20, ttl 117, id 29189, offset 0, flags [none], length: 52) 10.16.178.113.80 > 172.22.1.129.49772: S [tcp sum ok] 585947793:585947793(0) ack 1431292198 win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
12:26:20.982447 IP (tos 0x0, ttl 128, id 20668, offset 0, flags [DF], length: 40) 172.22.1.129.49772 > 10.16.178.113.80: . [tcp sum ok] ack 1 win 16680
12:26:20.983048 IP (tos 0x0, ttl 128, id 20669, offset 0, flags [DF], length: 1430) 172.22.1.129.49772 > 10.16.178.113.80: . 1:1391(1390) ack 1 win 16680
12:26:20.983060 IP (tos 0x0, ttl 128, id 20670, offset 0, flags [DF], length: 241) 172.22.1.129.49772 > 10.16.178.113.80: P 1391:1592(201) ack 1 win 16680
12:26:21.060270 IP (tos 0x20, ttl 117, id 29190, offset 0, flags [DF], length: 40) 10.16.178.113.80 > 172.22.1.129.49772: . [tcp sum ok] ack 1592 win 64240
1500 bytes packet with id 29191 is missing
12:26:21.070229 IP (tos 0x20, ttl 117, id 29192, offset 0, flags [DF], length: 429) 10.16.178.113.80 > 172.22.1.129.49772: P 1461:1850(389) ack 1592 win 64240
12:26:21.070642 IP (tos 0x0, ttl 128, id 20671, offset 0, flags [DF], length: 52) 172.22.1.129.49772 > 10.16.178.113.80: . [tcp sum ok] ack 1 win 16680 <nop,nop,sack sack 1 {1461:1850} >
12:26:40.483640 IP (tos 0x20, ttl 117, id 29874, offset 0, flags [DF], length: 40) 10.16.178.113.80 > 172.22.1.129.49772: R [tcp sum ok] 1850:1850(0) ack 1592 win 0
12:26:40.483989 IP (tos 0x0, ttl 128, id 20680, offset 0, flags [DF], length: 52) 172.22.1.129.49772 > 10.16.178.113.80: . [tcp sum ok] ack 1 win 16680 <nop,nop,sack sack 1 {1461:1850} >
12:26:40.570701 IP (tos 0x20, ttl 117, id 29879, offset 0, flags [none], length: 40) 10.16.178.113.80 > 172.22.1.129.49772: R [tcp sum ok] 585947794:585947794(0) win 0
 
I have 'fixed' the problem by
clamping the MSS on the final
gateway with:
 
iptables -t mangle -I FORWARD -s 172.22.1.0/24 \
-d 10.0.0.0/8 -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --set-mss 1300

Any feedback is welcome
TIA
 
Here is the network schema (I hope it is clear):
 
 
customer private network 10.16.0.0/16
|
|
|
+ipsec customer gateway (checkpoint)
|
|
|
|---ipsec tunnel 10.16.0.0/16<->172.16.128.0/28 (des3/md5)
|
| 
|
+linux 3.3.5 ipsec gateway (SNAT all packets from 172.22.1.0/24 to 172.16.128.1)
|    this is the box where I got the first capture
|    (where you see the 1500 bytes packet)
| 
|---ipsec tunnel 10.16.0.0/16<->172.22.1.0/24 (aes/sha1/ipcomp)
|
| 
|
+linux 2.6.28.8 ipsec gateway (final gateway)
|    this is the box where I got the second capture
|    (where the 1500 bytes packet was never delivered)
|
client windows 172.22.1.129

 		 	   		  


* Re: [PATCH 05/17] mm: allow PF_MEMALLOC from softirq context
From: Mel Gorman @ 2012-05-14 10:02 UTC (permalink / raw)
  To: David Miller
  Cc: akpm, linux-mm, netdev, linux-kernel, neilb, a.p.zijlstra,
	michaelc, emunson
In-Reply-To: <20120511.003951.1470088131186301605.davem@davemloft.net>

On Fri, May 11, 2012 at 12:39:51AM -0400, David Miller wrote:
> From: Mel Gorman <mgorman@suse.de>
> Date: Thu, 10 May 2012 14:44:58 +0100
> 
> > This is needed to allow network softirq packet processing to make
> > use of PF_MEMALLOC.
> > 
> > Currently softirq context cannot use PF_MEMALLOC due to it not being
> > associated with a task, and therefore not having task flags to fiddle
> > with - thus the gfp to alloc flag mapping ignores the task flags when
> > in interrupts (hard or soft) context.
> > 
> > Allowing softirqs to make use of PF_MEMALLOC therefore requires some
> > trickery.  We basically borrow the task flags from whatever process
> > happens to be preempted by the softirq.
> > 
> > So we modify the gfp to alloc flags mapping to not exclude task flags
> > in softirq context, and modify the softirq code to save, clear and
> > restore the PF_MEMALLOC flag.
> > 
> > The save and clear, ensures the preempted task's PF_MEMALLOC flag
> > doesn't leak into the softirq. The restore ensures a softirq's
> > PF_MEMALLOC flag cannot leak back into the preempted process.
> > 
> > Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
> > Signed-off-by: Mel Gorman <mgorman@suse.de>
> 
> We're now making changes to task->flags from both base and
> softirq context, but with non-atomic operations and no other
> kind of synchronization.
> 
> As far as I can tell, this has to be racy.
> 

I'm not seeing the race you are thinking of.

Softirqs can run on multiple CPUs sure but the same task should not be
	executing the same softirq code. Interrupts are disabled and the
	executing process cannot sleep in softirq context so the task flags
	cannot "leak" nor can they be concurrently modified.

Softirqs are not executed from hard interrupt context so there are no
	races with hardirqs.

If the softirq is deferred to ksoftirqd then its flags may be used
	instead of a normal task's, but as the softirq cannot be preempted,
	the PF_MEMALLOC flag does not leak to other code by accident.

When __do_softirq() is finished, care is taken to restore the
	PF_MEMALLOC flag to the value when __do_softirq() started. They
	should not be accidentally clearing the flag.

I'm not seeing how current->flags can be modified while the softirq handler
is running in such a way that information is lost or misused. There
would be a problem if softirqs used GFP_KERNEL because the presence of
the PF_MEMALLOC flag would prevent the use of direct reclaim but softirqs
cannot use direct reclaim anyway.

> If this works via some magic combination of invariants, you
> absolutely have to document this, verbosely.

Did I miss a race you are thinking of or should I just add the above
explanation to the changelog?

-- 
Mel Gorman
SUSE Labs


* Re: [PATCH 01/12] netvm: Prevent a stream-specific deadlock
From: Mel Gorman @ 2012-05-14 10:56 UTC (permalink / raw)
  To: David Miller
  Cc: akpm, linux-mm, netdev, linux-nfs, linux-kernel, Trond.Myklebust,
	neilb, hch, a.p.zijlstra, michaelc, emunson
In-Reply-To: <20120511.011034.557833140906762226.davem@davemloft.net>

On Fri, May 11, 2012 at 01:10:34AM -0400, David Miller wrote:
> From: Mel Gorman <mgorman@suse.de>
> Date: Thu, 10 May 2012 14:54:14 +0100
> 
> > It could happen that all !SOCK_MEMALLOC sockets have buffered so
> > much data that we're over the global rmem limit. This will prevent
> > SOCK_MEMALLOC buffers from receiving data, which will prevent userspace
> > from running, which is needed to reduce the buffered data.
> > 
> > Fix this by exempting the SOCK_MEMALLOC sockets from the rmem limit.
> > 
> > Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
> > Signed-off-by: Mel Gorman <mgorman@suse.de>
> 
> This introduces an invariant which I am not so sure is enforced.
> 
> With this change it is absolutely required that once a socket
> becomes SOCK_MEMALLOC it must never _ever_ lose that attribute.
> 

This is effectively true. In the NFS case, the flag is cleared on
swapoff after all the entries have been paged in. In the NBD case,
SOCK_MEMALLOC is left set until the socket is destroyed. I'll update the
changelog.

-- 
Mel Gorman
SUSE Labs


* Re: [PATCH 00/17] Swap-over-NBD without deadlocking V10
From: Mel Gorman @ 2012-05-14 11:10 UTC (permalink / raw)
  To: Andrew Morton
  Cc: David Miller, linux-mm, netdev, linux-kernel, neilb, a.p.zijlstra,
	michaelc, emunson
In-Reply-To: <20120511142932.af7851bd.akpm@linux-foundation.org>

On Fri, May 11, 2012 at 02:29:32PM -0700, Andrew Morton wrote:
> On Fri, 11 May 2012 17:23:39 -0400 (EDT)
> David Miller <davem@davemloft.net> wrote:
> 
> > From: Mel Gorman <mgorman@suse.de>
> > Date: Fri, 11 May 2012 16:45:40 +0100
> > 
> > > From my point of view, the ideal would be that all the patches go
> > > through akpm's tree or yours but that probably will cause merge
> > > difficulties.
> > > 
> > > Any recommendations?
> > 
> > I know there will be networking side conflicts very soon, it's not a
> > matter of 'if' but 'when'.
> > 
> > But the trick is that I bet the 'mm' and 'slab' folks are in a similar
> > situation.
> > 
> > In any event I'm more than happy to take it all in my tree.
> 
> I guess either is OK.  The main thing is to get it all reviewed and
> tested, after all.
> 
> I can take all the patches once it's all lined up and everyone is
> happy.  If the net bits later take significant damage then I can squirt them
> at you once the core MM bits are merged.  That would give you a few
> days to check them over and get them into Linus.  If that's a problem,
> we can hold the net bits over for a cycle.
> 
> That's all assuming that the core MM parts are mergeable without the
> net parts being merged.  I trust that's the case!

I expect it to be the case as the series is (or at least should be)
bisect safe. If there is a conflict of some sort, just cut off at that
point and it should be fine until it gets fixed up.

-- 
Mel Gorman
SUSE Labs


* [PATCH 4/4] netfilter: nf_ct_h323: fix usage of MODULE_ALIAS_NFCT_HELPER
From: pablo @ 2012-05-14 11:47 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1336996023-20249-1-git-send-email-pablo@netfilter.org>

From: Pablo Neira Ayuso <pablo@netfilter.org>

ctnetlink uses the aliases that are created by MODULE_ALIAS_NFCT_HELPER
to auto-load the module based on the helper name. Thus, we have to use
RAS, Q.931 and H.245, not H.323.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_h323_main.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 722291f..b7bf187 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -1833,4 +1833,6 @@ MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
 MODULE_DESCRIPTION("H.323 connection tracking helper");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ip_conntrack_h323");
-MODULE_ALIAS_NFCT_HELPER("h323");
+MODULE_ALIAS_NFCT_HELPER("RAS");
+MODULE_ALIAS_NFCT_HELPER("Q.931");
+MODULE_ALIAS_NFCT_HELPER("H.245");
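Review bot: The three alias strings added at the end of the file must stay identical to the names the helpers register under, and nothing in the hunk records that link, so a later rename of a helper would silently break ctnetlink auto-loading again. A one-line comment above them would capture it, for example `/* Must match the .name of each helper registered in this file; ctnetlink autoloads by that name */`. The helper definitions are outside the hunk, so the names "RAS", "Q.931" and "H.245" are taken from the commit message rather than checked against the code here.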
-- 
1.7.10



* [PATCH 0/4] netfilter fixes for 3.4-rc7
From: pablo @ 2012-05-14 11:46 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patchset contains several fixes for Netfilter 3.4-rc7:

* One fix for possible timeout overflow for ipset, from Jozsef
  Kadlecsik.

* One fix to ensure that hash size is correct, again for ipset
  from Jozsef Kadlecsik.

* Removal of redundant include in xt_CT from Eldad Zack.

* Fix for wrong usage of MODULE_ALIAS_NFCT_HELPER in nf_ct_h323
  helper from myself.

You can pull these changes from:

git://1984.lsi.us.es/net master

Thanks!

Eldad Zack (1):
  netfilter: xt_CT: remove redundant header include

Jozsef Kadlecsik (2):
  netfilter: ipset: fix timeout value overflow bug
  netfilter: ipset: fix hash size checking in kernel

Pablo Neira Ayuso (1):
  netfilter: nf_ct_h323: fix usage of MODULE_ALIAS_NFCT_HELPER

 include/linux/netfilter/ipset/ip_set_ahash.h   |   16 ++++++++++++++++
 include/linux/netfilter/ipset/ip_set_timeout.h |    4 ++++
 net/netfilter/ipset/ip_set_hash_ip.c           |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_ipport.c       |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_ipportip.c     |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_ipportnet.c    |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_net.c          |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_netiface.c     |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_netport.c      |   10 +++++++---
 net/netfilter/nf_conntrack_h323_main.c         |    4 +++-
 net/netfilter/xt_CT.c                          |    1 -
 net/netfilter/xt_set.c                         |   15 +++++++++++++--
 12 files changed, 85 insertions(+), 25 deletions(-)

-- 
1.7.10


* [PATCH 1/4] netfilter: ipset: fix timeout value overflow bug
From: pablo @ 2012-05-14 11:47 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1336996023-20249-1-git-send-email-pablo@netfilter.org>

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Large timeout parameters could result in wrong timeout values due to
an overflow in the msec-to-jiffies conversion (reported by Andreas Herz).

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter/ipset/ip_set_timeout.h |    4 ++++
 net/netfilter/xt_set.c                         |   15 +++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h
index 4792320..9fba34f 100644
--- a/include/linux/netfilter/ipset/ip_set_timeout.h
+++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -30,6 +30,10 @@ ip_set_timeout_uget(struct nlattr *tb)
 {
 	unsigned int timeout = ip_set_get_h32(tb);
 
+	/* Normalize to fit into jiffies */
+	if (timeout > UINT_MAX/1000)
+		timeout = UINT_MAX/1000;
+
 	/* Userspace supplied TIMEOUT parameter: adjust crazy size */
 	return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
 }
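Review bot: With the clamp placed ahead of the return, the `timeout == IPSET_NO_TIMEOUT` test below it looks unreachable: if IPSET_NO_TIMEOUT is UINT_MAX (the xt_set.c hunk of this patch passes UINT_MAX where no timeout is meant), `timeout` can no longer exceed UINT_MAX/1000 by the time it is compared. Either drop the ternary together with its "adjust crazy size" comment, or say in the comment why both are kept. The bound would also read better with the kernel's named constant, `if (timeout > UINT_MAX/MSEC_PER_SEC)`. Since the value comes from a netlink attribute, the comment could state that an over-large request is silently clamped rather than rejected. The function's return-type line sits above the hunk.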
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 0ec8138..e97a31b 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -44,6 +44,14 @@ const struct ip_set_adt_opt n = {	\
 	.cmdflags = cfs,		\
 	.timeout = t,			\
 }
+#define ADT_MOPT(n, f, d, fs, cfs, t)	\
+struct ip_set_adt_opt n = {		\
+	.family	= f,			\
+	.dim = d,			\
+	.flags = fs,			\
+	.cmdflags = cfs,		\
+	.timeout = t,			\
+}
 
 /* Revision 0 interface: backward compatible with netfilter/iptables */
 
@@ -296,11 +304,14 @@ static unsigned int
 set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_set_info_target_v2 *info = par->targinfo;
-	ADT_OPT(add_opt, par->family, info->add_set.dim,
-		info->add_set.flags, info->flags, info->timeout);
+	ADT_MOPT(add_opt, par->family, info->add_set.dim,
+		 info->add_set.flags, info->flags, info->timeout);
 	ADT_OPT(del_opt, par->family, info->del_set.dim,
 		info->del_set.flags, 0, UINT_MAX);
 
+	/* Normalize to fit into jiffies */
+	if (add_opt.timeout > UINT_MAX/1000)
+		add_opt.timeout = UINT_MAX/1000;
 	if (info->add_set.index != IPSET_INVALID_ID)
 		ip_set_add(info->add_set.index, skb, par, &add_opt);
 	if (info->del_set.index != IPSET_INVALID_ID)
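Review bot: The new clamp on `add_opt.timeout` does not exempt the "no timeout given" value. If IPSET_NO_TIMEOUT is UINT_MAX, as the `del_opt` initializer in this hunk suggests, and userspace leaves `info->timeout` at that value when the rule carries no timeout (not visible here), it is now rewritten to UINT_MAX/1000 and would reach ip_set_add() as an explicit timeout instead of letting the set's default apply. Guarding the test keeps the sentinel intact: `if (add_opt.timeout != IPSET_NO_TIMEOUT && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)`. The value is fixed when the rule is loaded, so the normalisation could also be done once at rule-check time rather than per packet. set_target_v2() continues past the end of the hunk.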
-- 
1.7.10


* [PATCH 3/4] netfilter: xt_CT: remove redundant header include
From: pablo @ 2012-05-14 11:47 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1336996023-20249-1-git-send-email-pablo@netfilter.org>

From: Eldad Zack <eldad@fogrefinery.com>

nf_conntrack_l4proto.h is included twice.

Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_CT.c |    1 -
 1 file changed, 1 deletion(-)

diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 3746d8b..a51de9b 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -17,7 +17,6 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
-#include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_timeout.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
-- 
1.7.10


* [PATCH 2/4] netfilter: ipset: fix hash size checking in kernel
From: pablo @ 2012-05-14 11:47 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1336996023-20249-1-git-send-email-pablo@netfilter.org>

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing check could lead to a kernel crash; bug reported
by Seblu.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter/ipset/ip_set_ahash.h |   16 ++++++++++++++++
 net/netfilter/ipset/ip_set_hash_ip.c         |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_ipport.c     |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_ipportip.c   |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_net.c        |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_netiface.c   |   10 +++++++---
 net/netfilter/ipset/ip_set_hash_netport.c    |   10 +++++++---
 8 files changed, 65 insertions(+), 21 deletions(-)

diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index 05a5d72..230a290 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -99,6 +99,22 @@ struct ip_set_hash {
 #endif
 };
 
+static size_t
+htable_size(u8 hbits)
+{
+	size_t hsize;
+
+	/* We must fit both into u32 in jhash and size_t */
+	if (hbits > 31)
+		return 0;
+	hsize = jhash_size(hbits);
+	if ((((size_t)-1) - sizeof(struct htable))/sizeof(struct hbucket)
+	    < hsize)
+		return 0;
+
+	return hsize * sizeof(struct hbucket) + sizeof(struct htable);
+}
+
 /* Compute htable_bits from the user input parameter hashsize */
 static u8
 htable_bits(u32 hashsize)
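Review bot: htable_size() uses 0 as its "does not fit" result, but nothing at the definition says so, and every caller has to know to test for it before calling ip_set_alloc(). A header comment would make the contract explicit, e.g. `/* Size in bytes of a table with 2^hbits buckets, or 0 if that does not fit into u32/size_t */`. The diffstat lists only these 16 added lines for ip_set_ahash.h, so any other place in the header that sizes an allocation directly from jhash_size() (a resize path, if there is one; not visible here) would still lack the check and is worth confirming. Passing the size_t test only means the multiplication does not wrap; the request can still be very large, so the NULL test after ip_set_alloc() in the callers remains the effective limit.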
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index 5139dea..828ce46 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -364,6 +364,7 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 netmask, hbits;
+	size_t hsize;
 	struct ip_set_hash *h;
 
 	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
@@ -405,9 +406,12 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	h->timeout = IPSET_NO_TIMEOUT;
 
 	hbits = htable_bits(hashsize);
-	h->table = ip_set_alloc(
-			sizeof(struct htable)
-			+ jhash_size(hbits) * sizeof(struct hbucket));
+	hsize = htable_size(hbits);
+	if (hsize == 0) {
+		kfree(h);
+		return -ENOMEM;
+	}
+	h->table = ip_set_alloc(hsize);
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
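Review bot: Returning -ENOMEM when `hsize == 0` reports an unrepresentable hashsize as if memory had run out, so userspace cannot tell a bad parameter from a transient allocation failure. A comment on the new branch such as `/* hashsize too large to represent */` would at least record the distinction, and a parameter error like `return -EINVAL;` may fit better, although how the ipset tool maps these codes is not visible here. The same six added lines are repeated in the create functions of ip_set_hash_ipport.c, ip_set_hash_ipportip.c, ip_set_hash_ipportnet.c, ip_set_hash_net.c, ip_set_hash_netiface.c and ip_set_hash_netport.c, so the choice applies to all seven. hash_ip_create() begins and ends outside this hunk.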
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 9c27e24..e8dbb49 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -449,6 +449,7 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
+	size_t hsize;
 
 	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
@@ -476,9 +477,12 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	h->timeout = IPSET_NO_TIMEOUT;
 
 	hbits = htable_bits(hashsize);
-	h->table = ip_set_alloc(
-			sizeof(struct htable)
-			+ jhash_size(hbits) * sizeof(struct hbucket));
+	hsize = htable_size(hbits);
+	if (hsize == 0) {
+		kfree(h);
+		return -ENOMEM;
+	}
+	h->table = ip_set_alloc(hsize);
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 9134057..52f79d8 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -467,6 +467,7 @@ hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
+	size_t hsize;
 
 	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
@@ -494,9 +495,12 @@ hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	h->timeout = IPSET_NO_TIMEOUT;
 
 	hbits = htable_bits(hashsize);
-	h->table = ip_set_alloc(
-			sizeof(struct htable)
-			+ jhash_size(hbits) * sizeof(struct hbucket));
+	hsize = htable_size(hbits);
+	if (hsize == 0) {
+		kfree(h);
+		return -ENOMEM;
+	}
+	h->table = ip_set_alloc(hsize);
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 5d05e69..97583f5 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -616,6 +616,7 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
+	size_t hsize;
 
 	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
@@ -645,9 +646,12 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	h->timeout = IPSET_NO_TIMEOUT;
 
 	hbits = htable_bits(hashsize);
-	h->table = ip_set_alloc(
-			sizeof(struct htable)
-			+ jhash_size(hbits) * sizeof(struct hbucket));
+	hsize = htable_size(hbits);
+	if (hsize == 0) {
+		kfree(h);
+		return -ENOMEM;
+	}
+	h->table = ip_set_alloc(hsize);
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 7c3d945..1721cde 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -460,6 +460,7 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	struct ip_set_hash *h;
 	u8 hbits;
+	size_t hsize;
 
 	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
@@ -489,9 +490,12 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	h->timeout = IPSET_NO_TIMEOUT;
 
 	hbits = htable_bits(hashsize);
-	h->table = ip_set_alloc(
-			sizeof(struct htable)
-			+ jhash_size(hbits) * sizeof(struct hbucket));
+	hsize = htable_size(hbits);
+	if (hsize == 0) {
+		kfree(h);
+		return -ENOMEM;
+	}
+	h->table = ip_set_alloc(hsize);
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index f24037f..33bafc9 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -722,6 +722,7 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
+	size_t hsize;
 
 	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
@@ -752,9 +753,12 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	h->ahash_max = AHASH_MAX_SIZE;
 
 	hbits = htable_bits(hashsize);
-	h->table = ip_set_alloc(
-			sizeof(struct htable)
-			+ jhash_size(hbits) * sizeof(struct hbucket));
+	hsize = htable_size(hbits);
+	if (hsize == 0) {
+		kfree(h);
+		return -ENOMEM;
+	}
+	h->table = ip_set_alloc(hsize);
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index ce2e771..3a5e198 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -572,6 +572,7 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
+	size_t hsize;
 
 	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
@@ -601,9 +602,12 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	h->timeout = IPSET_NO_TIMEOUT;
 
 	hbits = htable_bits(hashsize);
-	h->table = ip_set_alloc(
-			sizeof(struct htable)
-			+ jhash_size(hbits) * sizeof(struct hbucket));
+	hsize = htable_size(hbits);
+	if (hsize == 0) {
+		kfree(h);
+		return -ENOMEM;
+	}
+	h->table = ip_set_alloc(hsize);
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
-- 
1.7.10


* [PATCH ethtool] Add command to dump module EEPROM
From: Yaniv Rosner @ 2012-05-14 15:13 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: David Miller, netdev, Eilon Greenstein, Yaniv Rosner

Hi Ben,
This patch adds a new option to dump the EEPROM of a plug-in module (SFP+, XFP, ...),
following the recent addition of kernel-side support. Some examples are below:

bash-3.00# ethtool -m eth1 offset 0x14 length 32 raw on
JDSU            PLRXPLSCS432

bash-3.00# ethtool -m eth1 offset 0x14 length 32
Offset          Values
------          ------
0x0014          4a 44 53 55 20 20 20 20 20 20 20 20 20 20 20 20
0x0024          00 00 01 9c 50 4c 52 58 50 4c 53 43 53 34 33 32

Please consider applying to ethtool.
Thanks,
Yaniv

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
---
 ethtool-copy.h |  312 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 ethtool.8.in   |   23 ++++-
 ethtool.c      |   63 +++++++++++
 3 files changed, 393 insertions(+), 5 deletions(-)

diff --git a/ethtool-copy.h b/ethtool-copy.h
index d904c1a..604dbef 100644
--- a/ethtool-copy.h
+++ b/ethtool-copy.h
@@ -13,6 +13,9 @@
 #ifndef _LINUX_ETHTOOL_H
 #define _LINUX_ETHTOOL_H
 
+#ifdef __KERNEL__
+#include <linux/compat.h>
+#endif
 #include <linux/types.h>
 #include <linux/if_ether.h>
 
@@ -27,10 +30,15 @@ struct ethtool_cmd {
 				 * access it */
 	__u8	duplex;		/* Duplex, half or full */
 	__u8	port;		/* Which connector port */
-	__u8	phy_address;
+	__u8	phy_address;	/* MDIO PHY address (PRTAD for clause 45).
+				 * May be read-only or read-write
+				 * depending on the driver.
+				 */
 	__u8	transceiver;	/* Which transceiver to use */
 	__u8	autoneg;	/* Enable or disable autonegotiation */
-	__u8	mdio_support;
+	__u8	mdio_support;	/* MDIO protocols supported.  Read-only.
+				 * Not set by all drivers.
+				 */
 	__u32	maxtxpkt;	/* Tx pkts before generating tx int */
 	__u32	maxrxpkt;	/* Rx pkts before generating rx int */
 	__u16	speed_hi;       /* The forced speed (upper
@@ -43,7 +51,7 @@ struct ethtool_cmd {
 	__u32	reserved[2];
 };
 
-static __inline__ void ethtool_cmd_speed_set(struct ethtool_cmd *ep,
+static inline void ethtool_cmd_speed_set(struct ethtool_cmd *ep,
 					 __u32 speed)
 {
 
@@ -51,11 +59,25 @@ static __inline__ void ethtool_cmd_speed_set(struct ethtool_cmd *ep,
 	ep->speed_hi = (__u16)(speed >> 16);
 }
 
-static __inline__ __u32 ethtool_cmd_speed(const struct ethtool_cmd *ep)
+static inline __u32 ethtool_cmd_speed(const struct ethtool_cmd *ep)
 {
 	return (ep->speed_hi << 16) | ep->speed;
 }
 
+/* Device supports clause 22 register access to PHY or peripherals
+ * using the interface defined in <linux/mii.h>.  This should not be
+ * set if there are known to be no such peripherals present or if
+ * the driver only emulates clause 22 registers for compatibility.
+ */
+#define ETH_MDIO_SUPPORTS_C22	1
+
+/* Device supports clause 45 register access to PHY or peripherals
+ * using the interface defined in <linux/mii.h> and <linux/mdio.h>.
+ * This should not be set if there are known to be no such peripherals
+ * present.
+ */
+#define ETH_MDIO_SUPPORTS_C45	2
+
 #define ETHTOOL_FWVERS_LEN	32
 #define ETHTOOL_BUSINFO_LEN	32
 /* these strings are set to whatever the driver author decides... */
@@ -115,6 +137,23 @@ struct ethtool_eeprom {
 };
 
 /**
+ * struct ethtool_modinfo - plugin module eeprom information
+ * @cmd: %ETHTOOL_GMODULEINFO
+ * @type: Standard the module information conforms to %ETH_MODULE_SFF_xxxx
+ * @eeprom_len: Length of the eeprom
+ *
+ * This structure is used to return the information to
+ * properly size memory for a subsequent call to %ETHTOOL_GMODULEEEPROM.
+ * The type code indicates the eeprom data format
+ */
+struct ethtool_modinfo {
+	__u32   cmd;
+	__u32   type;
+	__u32   eeprom_len;
+	__u32   reserved[8];
+};
+
+/**
  * struct ethtool_coalesce - coalescing parameters for IRQs and stats updates
  * @cmd: ETHTOOL_{G,S}COALESCE
  * @rx_coalesce_usecs: How many usecs to delay an RX interrupt after
@@ -528,6 +567,30 @@ struct ethtool_rxnfc {
 	__u32				rule_locs[0];
 };
 
+#ifdef __KERNEL__
+#ifdef CONFIG_COMPAT
+
+struct compat_ethtool_rx_flow_spec {
+	u32		flow_type;
+	union ethtool_flow_union h_u;
+	struct ethtool_flow_ext h_ext;
+	union ethtool_flow_union m_u;
+	struct ethtool_flow_ext m_ext;
+	compat_u64	ring_cookie;
+	u32		location;
+};
+
+struct compat_ethtool_rxnfc {
+	u32				cmd;
+	u32				flow_type;
+	compat_u64			data;
+	struct compat_ethtool_rx_flow_spec fs;
+	u32				rule_cnt;
+	u32				rule_locs[0];
+};
+
+#endif /* CONFIG_COMPAT */
+#endif /* __KERNEL__ */
 
 /**
  * struct ethtool_rxfh_indir - command to get or set RX flow hash indirection
@@ -680,6 +743,29 @@ struct ethtool_sfeatures {
 	struct ethtool_set_features_block features[0];
 };
 
+/**
+ * struct ethtool_ts_info - holds a device's timestamping and PHC association
+ * @cmd: command number = %ETHTOOL_GET_TS_INFO
+ * @so_timestamping: bit mask of the sum of the supported SO_TIMESTAMPING flags
+ * @phc_index: device index of the associated PHC, or -1 if there is none
+ * @tx_types: bit mask of the supported hwtstamp_tx_types enumeration values
+ * @rx_filters: bit mask of the supported hwtstamp_rx_filters enumeration values
+ *
+ * The bits in the 'tx_types' and 'rx_filters' fields correspond to
+ * the 'hwtstamp_tx_types' and 'hwtstamp_rx_filters' enumeration values,
+ * respectively.  For example, if the device supports HWTSTAMP_TX_ON,
+ * then (1 << HWTSTAMP_TX_ON) in 'tx_types' will be set.
+ */
+struct ethtool_ts_info {
+	__u32	cmd;
+	__u32	so_timestamping;
+	__s32	phc_index;
+	__u32	tx_types;
+	__u32	tx_reserved[3];
+	__u32	rx_filters;
+	__u32	rx_reserved[3];
+};
+
 /*
  * %ETHTOOL_SFEATURES changes features present in features[].valid to the
  * values of corresponding bits in features[].requested. Bits in .requested
@@ -715,6 +801,215 @@ enum ethtool_sfeatures_retval_bits {
 #define ETHTOOL_F_WISH          (1 << ETHTOOL_F_WISH__BIT)
 #define ETHTOOL_F_COMPAT        (1 << ETHTOOL_F_COMPAT__BIT)
 
+#ifdef __KERNEL__
+
+#include <linux/rculist.h>
+
+extern int __ethtool_get_settings(struct net_device *dev,
+				  struct ethtool_cmd *cmd);
+
+/**
+ * enum ethtool_phys_id_state - indicator state for physical identification
+ * @ETHTOOL_ID_INACTIVE: Physical ID indicator should be deactivated
+ * @ETHTOOL_ID_ACTIVE: Physical ID indicator should be activated
+ * @ETHTOOL_ID_ON: LED should be turned on (used iff %ETHTOOL_ID_ACTIVE
+ *	is not supported)
+ * @ETHTOOL_ID_OFF: LED should be turned off (used iff %ETHTOOL_ID_ACTIVE
+ *	is not supported)
+ */
+enum ethtool_phys_id_state {
+	ETHTOOL_ID_INACTIVE,
+	ETHTOOL_ID_ACTIVE,
+	ETHTOOL_ID_ON,
+	ETHTOOL_ID_OFF
+};
+
+struct net_device;
+
+/* Some generic methods drivers may use in their ethtool_ops */
+u32 ethtool_op_get_link(struct net_device *dev);
+int ethtool_op_get_ts_info(struct net_device *dev, struct ethtool_ts_info *eti);
+
+/**
+ * ethtool_rxfh_indir_default - get default value for RX flow hash indirection
+ * @index: Index in RX flow hash indirection table
+ * @n_rx_rings: Number of RX rings to use
+ *
+ * This function provides the default policy for RX flow hash indirection.
+ */
+static inline u32 ethtool_rxfh_indir_default(u32 index, u32 n_rx_rings)
+{
+	return index % n_rx_rings;
+}
+
+/**
+ * struct ethtool_ops - optional netdev operations
+ * @get_settings: Get various device settings including Ethernet link
+ *	settings. The @cmd parameter is expected to have been cleared
+ *	before get_settings is called. Returns a negative error code or
+ *	zero.
+ * @set_settings: Set various device settings including Ethernet link
+ *	settings.  Returns a negative error code or zero.
+ * @get_drvinfo: Report driver/device information.  Should only set the
+ *	@driver, @version, @fw_version and @bus_info fields.  If not
+ *	implemented, the @driver and @bus_info fields will be filled in
+ *	according to the netdev's parent device.
+ * @get_regs_len: Get buffer length required for @get_regs
+ * @get_regs: Get device registers
+ * @get_wol: Report whether Wake-on-Lan is enabled
+ * @set_wol: Turn Wake-on-Lan on or off.  Returns a negative error code
+ *	or zero.
+ * @get_msglevel: Report driver message level.  This should be the value
+ *	of the @msg_enable field used by netif logging functions.
+ * @set_msglevel: Set driver message level
+ * @nway_reset: Restart autonegotiation.  Returns a negative error code
+ *	or zero.
+ * @get_link: Report whether physical link is up.  Will only be called if
+ *	the netdev is up.  Should usually be set to ethtool_op_get_link(),
+ *	which uses netif_carrier_ok().
+ * @get_eeprom: Read data from the device EEPROM.
+ *	Should fill in the magic field.  Don't need to check len for zero
+ *	or wraparound.  Fill in the data argument with the eeprom values
+ *	from offset to offset + len.  Update len to the amount read.
+ *	Returns an error or zero.
+ * @set_eeprom: Write data to the device EEPROM.
+ *	Should validate the magic field.  Don't need to check len for zero
+ *	or wraparound.  Update len to the amount written.  Returns an error
+ *	or zero.
+ * @get_coalesce: Get interrupt coalescing parameters.  Returns a negative
+ *	error code or zero.
+ * @set_coalesce: Set interrupt coalescing parameters.  Returns a negative
+ *	error code or zero.
+ * @get_ringparam: Report ring sizes
+ * @set_ringparam: Set ring sizes.  Returns a negative error code or zero.
+ * @get_pauseparam: Report pause parameters
+ * @set_pauseparam: Set pause parameters.  Returns a negative error code
+ *	or zero.
+ * @self_test: Run specified self-tests
+ * @get_strings: Return a set of strings that describe the requested objects
+ * @set_phys_id: Identify the physical devices, e.g. by flashing an LED
+ *	attached to it.  The implementation may update the indicator
+ *	asynchronously or synchronously, but in either case it must return
+ *	quickly.  It is initially called with the argument %ETHTOOL_ID_ACTIVE,
+ *	and must either activate asynchronous updates and return zero, return
+ *	a negative error or return a positive frequency for synchronous
+ *	indication (e.g. 1 for one on/off cycle per second).  If it returns
+ *	a frequency then it will be called again at intervals with the
+ *	argument %ETHTOOL_ID_ON or %ETHTOOL_ID_OFF and should set the state of
+ *	the indicator accordingly.  Finally, it is called with the argument
+ *	%ETHTOOL_ID_INACTIVE and must deactivate the indicator.  Returns a
+ *	negative error code or zero.
+ * @get_ethtool_stats: Return extended statistics about the device.
+ *	This is only useful if the device maintains statistics not
+ *	included in &struct rtnl_link_stats64.
+ * @begin: Function to be called before any other operation.  Returns a
+ *	negative error code or zero.
+ * @complete: Function to be called after any other operation except
+ *	@begin.  Will be called even if the other operation failed.
+ * @get_priv_flags: Report driver-specific feature flags.
+ * @set_priv_flags: Set driver-specific feature flags.  Returns a negative
+ *	error code or zero.
+ * @get_sset_count: Get number of strings that @get_strings will write.
+ * @get_rxnfc: Get RX flow classification rules.  Returns a negative
+ *	error code or zero.
+ * @set_rxnfc: Set RX flow classification rules.  Returns a negative
+ *	error code or zero.
+ * @flash_device: Write a firmware image to device's flash memory.
+ *	Returns a negative error code or zero.
+ * @reset: Reset (part of) the device, as specified by a bitmask of
+ *	flags from &enum ethtool_reset_flags.  Returns a negative
+ *	error code or zero.
+ * @get_rxfh_indir_size: Get the size of the RX flow hash indirection table.
+ *	Returns zero if not supported for this specific device.
+ * @get_rxfh_indir: Get the contents of the RX flow hash indirection table.
+ *	Will not be called if @get_rxfh_indir_size returns zero.
+ *	Returns a negative error code or zero.
+ * @set_rxfh_indir: Set the contents of the RX flow hash indirection table.
+ *	Will not be called if @get_rxfh_indir_size returns zero.
+ *	Returns a negative error code or zero.
+ * @get_channels: Get number of channels.
+ * @set_channels: Set number of channels.  Returns a negative error code or
+ *	zero.
+ * @get_dump_flag: Get dump flag indicating current dump length, version,
+ *	and flag of the device.
+ * @get_dump_data: Get dump data.
+ * @set_dump: Set dump specific flags to the device.
+ * @get_ts_info: Get the time stamping and PTP hardware clock capabilities.
+ *	Drivers supporting transmit time stamps in software should set this to
+ *	ethtool_op_get_ts_info().
+ * @get_module_info: Get the size and type of the eeprom contained within
+ *	a plug-in module.
+ * @get_module_eeprom: Get the eeprom information from the plug-in module
+ *
+ * All operations are optional (i.e. the function pointer may be set
+ * to %NULL) and callers must take this into account.  Callers must
+ * hold the RTNL lock.
+ *
+ * See the structures used by these operations for further documentation.
+ *
+ * See &struct net_device and &struct net_device_ops for documentation
+ * of the generic netdev features interface.
+ */
+struct ethtool_ops {
+	int	(*get_settings)(struct net_device *, struct ethtool_cmd *);
+	int	(*set_settings)(struct net_device *, struct ethtool_cmd *);
+	void	(*get_drvinfo)(struct net_device *, struct ethtool_drvinfo *);
+	int	(*get_regs_len)(struct net_device *);
+	void	(*get_regs)(struct net_device *, struct ethtool_regs *, void *);
+	void	(*get_wol)(struct net_device *, struct ethtool_wolinfo *);
+	int	(*set_wol)(struct net_device *, struct ethtool_wolinfo *);
+	u32	(*get_msglevel)(struct net_device *);
+	void	(*set_msglevel)(struct net_device *, u32);
+	int	(*nway_reset)(struct net_device *);
+	u32	(*get_link)(struct net_device *);
+	int	(*get_eeprom_len)(struct net_device *);
+	int	(*get_eeprom)(struct net_device *,
+			      struct ethtool_eeprom *, u8 *);
+	int	(*set_eeprom)(struct net_device *,
+			      struct ethtool_eeprom *, u8 *);
+	int	(*get_coalesce)(struct net_device *, struct ethtool_coalesce *);
+	int	(*set_coalesce)(struct net_device *, struct ethtool_coalesce *);
+	void	(*get_ringparam)(struct net_device *,
+				 struct ethtool_ringparam *);
+	int	(*set_ringparam)(struct net_device *,
+				 struct ethtool_ringparam *);
+	void	(*get_pauseparam)(struct net_device *,
+				  struct ethtool_pauseparam*);
+	int	(*set_pauseparam)(struct net_device *,
+				  struct ethtool_pauseparam*);
+	void	(*self_test)(struct net_device *, struct ethtool_test *, u64 *);
+	void	(*get_strings)(struct net_device *, u32 stringset, u8 *);
+	int	(*set_phys_id)(struct net_device *, enum ethtool_phys_id_state);
+	void	(*get_ethtool_stats)(struct net_device *,
+				     struct ethtool_stats *, u64 *);
+	int	(*begin)(struct net_device *);
+	void	(*complete)(struct net_device *);
+	u32	(*get_priv_flags)(struct net_device *);
+	int	(*set_priv_flags)(struct net_device *, u32);
+	int	(*get_sset_count)(struct net_device *, int);
+	int	(*get_rxnfc)(struct net_device *,
+			     struct ethtool_rxnfc *, u32 *rule_locs);
+	int	(*set_rxnfc)(struct net_device *, struct ethtool_rxnfc *);
+	int	(*flash_device)(struct net_device *, struct ethtool_flash *);
+	int	(*reset)(struct net_device *, u32 *);
+	u32	(*get_rxfh_indir_size)(struct net_device *);
+	int	(*get_rxfh_indir)(struct net_device *, u32 *);
+	int	(*set_rxfh_indir)(struct net_device *, const u32 *);
+	void	(*get_channels)(struct net_device *, struct ethtool_channels *);
+	int	(*set_channels)(struct net_device *, struct ethtool_channels *);
+	int	(*get_dump_flag)(struct net_device *, struct ethtool_dump *);
+	int	(*get_dump_data)(struct net_device *,
+				 struct ethtool_dump *, void *);
+	int	(*set_dump)(struct net_device *, struct ethtool_dump *);
+	int	(*get_ts_info)(struct net_device *, struct ethtool_ts_info *);
+	int     (*get_module_info)(struct net_device *,
+				   struct ethtool_modinfo *);
+	int     (*get_module_eeprom)(struct net_device *,
+				     struct ethtool_eeprom *, u8 *);
+
+
+};
+#endif /* __KERNEL__ */
 
 /* CMDs currently supported */
 #define ETHTOOL_GSET		0x00000001 /* Get settings. */
@@ -786,6 +1081,9 @@ enum ethtool_sfeatures_retval_bits {
 #define ETHTOOL_SET_DUMP	0x0000003e /* Set dump settings */
 #define ETHTOOL_GET_DUMP_FLAG	0x0000003f /* Get dump settings */
 #define ETHTOOL_GET_DUMP_DATA	0x00000040 /* Get dump data */
+#define ETHTOOL_GET_TS_INFO	0x00000041 /* Get time stamping and PHC info */
+#define ETHTOOL_GMODULEINFO	0x00000042 /* Get plug-in module information */
+#define ETHTOOL_GMODULEEEPROM	0x00000043 /* Get plug-in module eeprom */
 
 /* compatibility with older code */
 #define SPARC_ETH_GSET		ETHTOOL_GSET
@@ -935,6 +1233,12 @@ enum ethtool_sfeatures_retval_bits {
 #define RX_CLS_LOC_FIRST	0xfffffffe
 #define RX_CLS_LOC_LAST		0xfffffffd
 
+/* EEPROM Standards for plug in modules */
+#define ETH_MODULE_SFF_8079		0x1
+#define ETH_MODULE_SFF_8079_LEN		256
+#define ETH_MODULE_SFF_8472		0x2
+#define ETH_MODULE_SFF_8472_LEN		512
+
 /* Reset flags */
 /* The reset() operation must clear the flags for the components which
  * were actually reset.  On successful return, the flags indicate the
diff --git a/ethtool.8.in b/ethtool.8.in
index 63d5d48..470fd8d 100644
--- a/ethtool.8.in
+++ b/ethtool.8.in
@@ -325,6 +325,13 @@ ethtool \- query or control network driver and hardware settings
 .I devname flag
 .A1 on off
 .RB ...
+.HP
+.B ethtool \-m|\-\-mod\-eeprom\-dump
+.I devname
+.B2 raw on off
+.BN offset
+.BN length
+.HP
 .
 .\" Adjust lines (i.e. full justification) and hyphenate.
 .ad
@@ -800,6 +807,19 @@ Sets the device's private flags as specified.
 .I flag
 .A1 on off
 Sets the state of the named private flag.
+.TP
+.B \-m \-\-mod\-eeprom\-dump
+Retrieves and prints module (SFP+, XFP, ...) EEPROMs dump for the specified network device.
+Default is to dump the entire EEPROM.
+.TP
+.BI raw \ on|off
+Dumps the raw EEPROM data to stdout.
+.TP
+.BI offset \ N
+Start address of module EEPROM dump.
+.TP
+.BI length \ N
+Length of module EEPROM dump.
 .SH BUGS
 Not supported (in part or whole) on all network drivers.
 .SH AUTHOR
@@ -815,7 +835,8 @@ Eli Kupermann,
 Scott Feldman,
 Andi Kleen,
 Alexander Duyck,
-Sucheta Chakraborty.
+Sucheta Chakraborty,
+Yaniv Rosner.
 .SH AVAILABILITY
 .B ethtool
 is available from
diff --git a/ethtool.c b/ethtool.c
index e80b38b..6d022c3 100644
--- a/ethtool.c
+++ b/ethtool.c
@@ -2214,6 +2214,64 @@ static int do_nway_rst(struct cmd_context *ctx)
 	return err;
 }
 
+static int do_gmoduleeeprom(struct cmd_context *ctx)
+{
+	int geeprom_changed = 0;
+	int geeprom_dump_raw = 0;
+	u32 geeprom_offset = 0;
+	u32 geeprom_length = -1;
+	struct cmdline_info cmdline_geeprom[] = {
+		{ "offset", CMDL_U32, &geeprom_offset, NULL },
+		{ "length", CMDL_U32, &geeprom_length, NULL },
+		{ "raw", CMDL_BOOL, &geeprom_dump_raw, NULL },
+	};
+	int err;
+	struct ethtool_modinfo modinfo;
+	struct ethtool_eeprom *eeprom;
+	struct ethtool_drvinfo drvinfo;
+
+	parse_generic_cmdline(ctx, &geeprom_changed,
+			      cmdline_geeprom, ARRAY_SIZE(cmdline_geeprom));
+
+	drvinfo.cmd = ETHTOOL_GDRVINFO;
+	err = send_ioctl(ctx, &drvinfo);
+	if (err < 0) {
+		perror("Cannot get driver information");
+		return 74;
+	}
+
+	modinfo.cmd = ETHTOOL_GMODULEINFO;
+	err = send_ioctl(ctx, &modinfo);
+	if (err < 0) {
+		perror("Cannot get driver information");
+		return 74;
+	}
+
+	if (geeprom_length == -1)
+		geeprom_length = modinfo.eeprom_len;
+
+	if (modinfo.eeprom_len < geeprom_offset + geeprom_length)
+		geeprom_length = modinfo.eeprom_len - geeprom_offset;
+	eeprom = calloc(1, sizeof(*eeprom)+geeprom_length);
+	if (!eeprom) {
+		perror("Cannot allocate memory for EEPROM data");
+		return 75;
+	}
+	eeprom->cmd = ETHTOOL_GMODULEEEPROM;
+	eeprom->len = geeprom_length;
+	eeprom->offset = geeprom_offset;
+	err = send_ioctl(ctx, eeprom);
+	if (err < 0) {
+		perror("Cannot get EEPROM data");
+		free(eeprom);
+		return 74;
+	}
+	err = dump_eeprom(geeprom_dump_raw, &drvinfo, eeprom);
+	free(eeprom);
+
+	return err;
+}
+
 static int do_geeprom(struct cmd_context *ctx)
 {
 	int geeprom_changed = 0;
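Review bot: The length clamp in do_gmoduleeeprom can wrap around, because `geeprom_offset + geeprom_length` is a u32 sum that overflows for large command-line values. When `offset` is larger than `modinfo.eeprom_len`, the subtraction `modinfo.eeprom_len - geeprom_offset` also underflows to a very large length, which then sizes the calloc() and is handed to the ETHTOOL_GMODULEEEPROM ioctl. Rejecting an out-of-range offset first and comparing the length with the remaining space avoids both cases, as in the excerpt below. Separately, the failure path after the ETHTOOL_GMODULEINFO ioctl repeats "Cannot get driver information"; `perror("Cannot get module EEPROM information");` would identify the failing call. The trailing context lines belong to do_geeprom, which continues outside the hunk.

```c
	if (geeprom_length == -1)
		geeprom_length = modinfo.eeprom_len;

	/* Reject an offset past the end before subtracting, so the
	 * clamp below cannot wrap around in u32 arithmetic. */
	if (geeprom_offset >= modinfo.eeprom_len) {
		fprintf(stderr, "offset is beyond the module EEPROM length\n");
		return 1; /* exit status: follow the tool's convention */
	}
	if (geeprom_length > modinfo.eeprom_len - geeprom_offset)
		geeprom_length = modinfo.eeprom_len - geeprom_offset;
	/* … unchanged: calloc, ETHTOOL_GMODULEEEPROM ioctl, dump_eeprom … */
```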
@@ -3231,6 +3289,11 @@ static const struct option {
 	{ "--show-priv-flags" , 1, do_gprivflags, "Query private flags" },
 	{ "--set-priv-flags", 1, do_sprivflags, "Set private flags",
 	  "		FLAG on|off ...\n" },
+	{ "-m|--mod-eeprom-dump", 1, do_gmoduleeeprom,
+	  "Dumps SFP+ module EEPROM",
+	  "		[ raw on|off ]\n"
+	  "		[ offset N ]\n"
+	  "		[ length N ]\n" },
 	{ "-h|--help", 0, show_usage, "Show this help" },
 	{ "--version", 0, do_version, "Show version number" },
 	{}
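Review bot: The help string `"Dumps SFP+ module EEPROM"` is narrower than what the command does and is worded differently from its neighbours. The man page text in this patch describes it as covering "module (SFP+, XFP, ...)" EEPROMs, and the adjacent entries use the imperative ("Query private flags", "Set private flags"). I would change it to `"Dump module EEPROM"`, or `"Query/Decode module EEPROM"` if decoding is planned. The option table itself starts outside this hunk.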
-- 
1.7.7.1


* Kernel consistently panicing on br_parse_ip_options
From: Massimo Cetra @ 2012-05-14 12:37 UTC (permalink / raw)
  To: linux-kernel, netdev

[-- Attachment #1: Type: text/plain, Size: 691 bytes --]

Hello,

I already reported similar panics a month ago.
Today I upgraded to 3.2.16 and nothing seems to have changed (and I don't 
see anything related in .17).

The server (a Dell R410 with a couple of bnx2 ethernet cards) has two 
bridges onboard.

Each bridge is connected to a different switch and has 2 uses:
- one bridge is connecting an internal network and the KVM hosts that 
run on the same machine
- one bridge connects the server to the public network, along with 
another bunch of KVM servers whose interfaces are bridged

The bug can be easily triggered by adding or removing (with heartbeat) a 
virtual address (br0:1, for example).

Is there any known fix or patch ?

Thanks
Massimo


[-- Attachment #2: panic1.txt --]
[-- Type: text/plain, Size: 23913 bytes --]

May 14 14:14:28 172.30.1.2 [ 426.318698] BUG: unable to handle kernel 
May 14 14:14:28 172.30.1.2 [ 426.334484] IP:
May 14 14:14:28 172.30.1.2 [ 426.348653] PGD 0 
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.352753] Oops: 0000 [#1] 
May 14 14:14:28 172.30.1.2 SMP
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.359335] CPU 0 
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.363033] Modules linked in:
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.505401] 
May 14 14:14:28 172.30.1.2 [ 426.508406] Pid: 3831, comm: kvm Not tainted 3.2.0-2-amd64 #1
May 14 14:14:28 172.30.1.2 /0N051F
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.525620] RIP: 0010:[<ffffffffa0248336>] 
May 14 14:14:28 172.30.1.2 [ 426.544639] RSP: 0018:ffff88042fc03b18  EFLAGS: 00010293
May 14 14:14:28 172.30.1.2 [ 426.555288] RAX: 0000000000000000 RBX: ffff88042517ed80 RCX: 0000000100007b59
May 14 14:14:28 172.30.1.2 [ 426.569579] RDX: ffffffffa0248308 RSI: 0000000000000282 RDI: ffff88042517ed80
May 14 14:14:28 172.30.1.2 [ 426.583872] RBP: ffff8804263ca000 R08: 0000000000000000 R09: ffff88042fc03ad0
May 14 14:14:28 172.30.1.2 [ 426.598162] R10: ffffffff8165aac0 R11: ffffffff8165aac0 R12: 0000000000000000
May 14 14:14:28 172.30.1.2 [ 426.612453] R13: ffff8804250a8002 R14: ffff8803d6f2f600 R15: ffff8804250a8000
May 14 14:14:28 172.30.1.2 [ 426.626747] FS:  00007f87688e6900(0000) GS:ffff88042fc00000(0000) knlGS:0000000000000000
May 14 14:14:28 172.30.1.2 [ 426.642961] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
May 14 14:14:28 172.30.1.2 [ 426.654477] CR2: 0000000000000018 CR3: 00000004231e6000 CR4: 00000000000026e0
May 14 14:14:28 172.30.1.2 [ 426.668770] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
May 14 14:14:28 172.30.1.2 [ 426.683063] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
May 14 14:14:28 172.30.1.2 [ 426.697356] Process kvm (pid: 3831, threadinfo ffff8804232ae000, task ffff8804261bc8f0)
May 14 14:14:28 172.30.1.2 [ 426.713396] Stack:
May 14 14:14:28 172.30.1.2 [ 426.717457]  ffffffff80000000
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.732504]  ffff880227a60000
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.747550]  ffff88042517ed80
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.762595] Call Trace:
May 14 14:14:28 172.30.1.2 [ 426.767521]  <IRQ> 
May 14 14:14:28 172.30.1.2 
May 14 14:14:28 172.30.1.2 [ 426.771812]  [<ffffffffa02486db>] ? br_parse_ip_options+0x3d/0x19a [bridge]
May 14 14:14:28 172.30.1.2 [ 426.785762]  [<ffffffffa0248a67>] ? br_nf_forward_ip+0x1c0/0x1d4 [bridge]
May 14 14:14:28 172.30.1.2 [ 426.799365]  [<ffffffff812ac039>] ? nf_iterate+0x41/0x77
May 14 14:14:28 172.30.1.2 [ 426.810018]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:28 172.30.1.2 [ 426.822578]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:28 172.30.1.2 [ 426.835139]  [<ffffffff812ac0d7>] ? nf_hook_slow+0x68/0x101
May 14 14:14:28 172.30.1.2 [ 426.846313]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:29 172.30.1.2 [ 426.858873]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:29 172.30.1.2 [ 426.872647]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:29 172.30.1.2 [ 426.885206]  [<ffffffffa024385e>] ? NF_HOOK.constprop.8+0x3c/0x56 [bridge]
May 14 14:14:29 172.30.1.2 [ 426.898980]  [<ffffffffa02439f2>] ? br_forward+0x16/0x5a [bridge]
May 14 14:14:29 172.30.1.2 [ 426.911195]  [<ffffffffa024451b>] ? br_handle_frame_finish+0x1a1/0x20f [bridge]
May 14 14:14:29 172.30.1.2 [ 426.925851]  [<ffffffffa02485ff>] ? br_nf_pre_routing_finish+0x1d0/0x1dd [bridge]
May 14 14:14:29 172.30.1.2 [ 426.940856]  [<ffffffffa0247ff0>] ? NF_HOOK_THRESH+0x3b/0x55 [bridge]
May 14 14:14:29 172.30.1.2 [ 426.953763]  [<ffffffffa0248f58>] ? br_nf_pre_routing+0x3e8/0x3f5 [bridge]
May 14 14:14:29 172.30.1.2 [ 426.967536]  [<ffffffff812ac039>] ? nf_iterate+0x41/0x77
May 14 14:14:29 172.30.1.2 [ 426.978191]  [<ffffffff8128ad1d>] ? netif_receive_skb+0x63/0x69
May 14 14:14:29 172.30.1.2 [ 426.990056]  [<ffffffff8128b1ef>] ? napi_gro_receive+0x1d/0x2b
May 14 14:14:29 172.30.1.2 [ 427.001751]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:29 172.30.1.2 [ 427.015525]  [<ffffffff812ac0d7>] ? nf_hook_slow+0x68/0x101
May 14 14:14:29 172.30.1.2 [ 427.026699]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:29 172.30.1.2 [ 427.040474]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:29 172.30.1.2 [ 427.054249]  [<ffffffffa0244360>] ? NF_HOOK.constprop.4+0x3c/0x56 [bridge]
May 14 14:14:29 172.30.1.2 [ 427.068025]  [<ffffffff810135ad>] ? paravirt_read_tsc+0x5/0x8
May 14 14:14:29 172.30.1.2 [ 427.079542]  [<ffffffff81013622>] ? read_tsc+0x5/0x14
May 14 14:14:29 172.30.1.2 [ 427.089674]  [<ffffffffa024473c>] ? br_handle_frame+0x1b3/0x1cb [bridge]
May 14 14:14:29 172.30.1.2 [ 427.103103]  [<ffffffffa0244589>] ? br_handle_frame_finish+0x20f/0x20f [bridge]
May 14 14:14:29 172.30.1.2 [ 427.117759]  [<ffffffff812892c0>] ? __netif_receive_skb+0x324/0x41f
May 14 14:14:29 172.30.1.2 [ 427.130319]  [<ffffffff81289427>] ? process_backlog+0x6c/0x123
May 14 14:14:29 172.30.1.2 [ 427.142012]  [<ffffffff8128b30d>] ? net_rx_action+0xa1/0x1af
May 14 14:14:29 172.30.1.2 [ 427.153360]  [<ffffffff81036fab>] ? test_tsk_need_resched+0xa/0x13
May 14 14:14:29 172.30.1.2 [ 427.165748]  [<ffffffff8104be30>] ? __do_softirq+0xb9/0x177
May 14 14:14:29 172.30.1.2 [ 427.176924]  [<ffffffff8135046c>] ? call_softirq+0x1c/0x30
May 14 14:14:29 172.30.1.2 [ 427.187920]  <EOI> 
May 14 14:14:29 172.30.1.2 
May 14 14:14:29 172.30.1.2 [ 427.192210]  [<ffffffff8100f8e5>] ? do_softirq+0x3c/0x7b
May 14 14:14:29 172.30.1.2 [ 427.202862]  [<ffffffff8128b5fd>] ? netif_rx_ni+0x1e/0x27
May 14 14:14:29 172.30.1.2 [ 427.213688]  [<ffffffffa02a7721>] ? tun_get_user+0x39a/0x3c2 [tun]
May 14 14:14:29 172.30.1.2 [ 427.226074]  [<ffffffffa02a7a66>] ? tun_chr_poll+0xcd/0xcd [tun]
May 14 14:14:29 172.30.1.2 [ 427.238114]  [<ffffffffa02a7ac4>] ? tun_chr_aio_write+0x5e/0x79 [tun]
May 14 14:14:29 172.30.1.2 [ 427.251024]  [<ffffffff810f9594>] ? do_sync_readv_writev+0x9a/0xd7
May 14 14:14:29 172.30.1.2 [ 427.263408]  [<ffffffff810363c7>] ? should_resched+0x5/0x23
May 14 14:14:29 172.30.1.2 [ 427.274580]  [<ffffffff810f8c16>] ? do_sync_read+0xab/0xe3
May 14 14:14:29 172.30.1.2 [ 427.285578]  [<ffffffff810363c7>] ? should_resched+0x5/0x23
May 14 14:14:29 172.30.1.2 [ 427.296754]  [<ffffffff811626a1>] ? security_file_permission+0x16/0x2d
May 14 14:14:29 172.30.1.2 [ 427.309833]  [<ffffffff810f97f8>] ? do_readv_writev+0xaf/0x11c
May 14 14:14:29 172.30.1.2 [ 427.321527]  [<ffffffff8112ab7e>] ? eventfd_ctx_read+0x162/0x174
May 14 14:14:29 172.30.1.2 [ 427.333570]  [<ffffffff8103f3ff>] ? try_to_wake_up+0x197/0x197
May 14 14:14:29 172.30.1.2 [ 427.345261]  [<ffffffff810f99cd>] ? sys_writev+0x45/0x90
May 14 14:14:29 172.30.1.2 [ 427.355914]  [<ffffffff8134e212>] ? system_call_fastpath+0x16/0x1b
May 14 14:14:29 172.30.1.2 [ 427.368297] Code: 
May 14 14:14:29 172.30.1.2 53
May 14 14:14:29 172.30.1.2 48
May 14 14:14:29 172.30.1.2 89
May 14 14:14:29 172.30.1.2 fb
May 14 14:14:29 172.30.1.2 48
May 14 14:14:29 172.30.1.2 83
May 14 14:14:29 172.30.1.2 ec
May 14 14:14:29 172.30.1.2 10
May 14 14:14:29 172.30.1.2 66
May 14 14:14:29 172.30.1.2 81
May 14 14:14:29 172.30.1.2 7f
May 14 14:14:29 172.30.1.2 7e
May 14 14:14:29 172.30.1.2 08
May 14 14:14:29 172.30.1.2 06
May 14 14:14:29 172.30.1.2 4c
May 14 14:14:29 172.30.1.2 8b
May 14 14:14:29 172.30.1.2 a7
May 14 14:14:29 172.30.1.2 98
May 14 14:14:29 172.30.1.2 00
May 14 14:14:29 172.30.1.2 00
May 14 14:14:29 172.30.1.2 00
May 14 14:14:29 172.30.1.2 74
May 14 14:14:29 172.30.1.2 3d
May 14 14:14:29 172.30.1.2 e8
May 14 14:14:29 172.30.1.2 07
May 14 14:14:29 172.30.1.2 fe
May 14 14:14:29 172.30.1.2 ff
May 14 14:14:29 172.30.1.2 ff
May 14 14:14:29 172.30.1.2 66
May 14 14:14:29 172.30.1.2 3d
May 14 14:14:29 172.30.1.2 08
May 14 14:14:29 172.30.1.2 06
May 14 14:14:29 172.30.1.2 75
May 14 14:14:29 172.30.1.2 09
May 14 14:14:29 172.30.1.2 83
May 14 14:14:29 172.30.1.2 3d
May 14 14:14:29 172.30.1.2 98
May 14 14:14:29 172.30.1.2 6a
May 14 14:14:29 172.30.1.2 00
May 14 14:14:29 172.30.1.2 00
May 14 14:14:29 172.30.1.2 00
May 14 14:14:29 172.30.1.2 75
May 14 14:14:29 172.30.1.2 29
May 14 14:14:29 172.30.1.2 
May 14 14:14:29 172.30.1.2 f6
May 14 14:14:29 172.30.1.2 44
May 14 14:14:29 172.30.1.2 24
May 14 14:14:29 172.30.1.2 18
May 14 14:14:29 172.30.1.2 01
May 14 14:14:29 172.30.1.2 49
May 14 14:14:29 172.30.1.2 8b
May 14 14:14:29 172.30.1.2 6c
May 14 14:14:29 172.30.1.2 24
May 14 14:14:29 172.30.1.2 08
May 14 14:14:29 172.30.1.2 74
May 14 14:14:29 172.30.1.2 
May 14 14:14:29 172.30.1.2 [ 427.403992] ------------[ cut here ]------------
May 14 14:14:29 172.30.1.2 [ 427.403995] WARNING: at /build/buildd-linux-2.6_3.2.16-1-amd64-AZNfko/linux-2.6-3.2.16/debian/build/source_amd64_none/kernel/softirq.c:159 _local_bh_enable_ip.isra.11+0x3d/0x88()
May 14 14:14:29 172.30.1.2 [ 427.403998] Hardware name: PowerEdge R410
May 14 14:14:29 172.30.1.2 [ 427.403999] Modules linked in: ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 ip6table_filter ip6_tables iptable_filter ip_tables x_tables ip_vs_rr ip_vs nf_conntrack crc32c libcrc32c drbd lru_cache cn tun bridge stp virtio_net virtio_blk virtio_rng rng_core virtio_pci virtio_ring virtio kvm_intel kvm ipmi_devintf ipmi_poweroff ipmi_si ipmi_watchdog ipmi_msghandler netconsole configfs loop snd_pcm snd_page_alloc snd_timer snd i7core_edac edac_core psmouse soundcore processor joydev iTCO_wdt iTCO_vendor_support button serio_raw thermal_sys dcdbas evdev pcspkr ext3 mbcache jbd dm_mod sr_mod cdrom sd_mod ses usbhid hid enclosure crc_t10dif ata_generic uhci_hcd ata_piix ehci_hcd libata megaraid_sas usbcore bnx2 scsi_mod usb_common [last unloaded: scsi_wait_scan]
May 14 14:14:29 172.30.1.2 [ 427.404034] Pid: 3831, comm: kvm Not tainted 3.2.0-2-amd64 #1
May 14 14:14:29 172.30.1.2 [ 427.404035] Call Trace:
May 14 14:14:29 172.30.1.2 [ 427.404036]  <IRQ>  [<ffffffff81046811>] ? warn_slowpath_common+0x78/0x8c
May 14 14:14:29 172.30.1.2 [ 427.404043]  [<ffffffff8104bd22>] ? _local_bh_enable_ip.isra.11+0x3d/0x88
May 14 14:14:29 172.30.1.2 [ 427.404049]  [<ffffffffa0000748>] ? bnx2_reg_rd_ind+0x31/0x38 [bnx2]
May 14 14:14:29 172.30.1.2 [ 427.404055]  [<ffffffffa00097d7>] ? bnx2_poll+0x1b7/0x1c4 [bnx2]
May 14 14:14:29 172.30.1.2 [ 427.404061]  [<ffffffff8129b155>] ? netpoll_poll_dev.part.16+0x9b/0x499
May 14 14:14:29 172.30.1.2 [ 427.404065]  [<ffffffff8129b66d>] ? netpoll_send_skb_on_dev+0x11a/0x201
May 14 14:14:29 172.30.1.2 [ 427.404070]  [<ffffffffa024231a>] ? br_dev_xmit+0x12e/0x142 [bridge]
May 14 14:14:29 172.30.1.2 [ 427.404073]  [<ffffffff8129b61e>] ? netpoll_send_skb_on_dev+0xcb/0x201
May 14 14:14:29 172.30.1.2 [ 427.404077]  [<ffffffffa012225c>] ? write_msg+0x98/0xf3 [netconsole]
May 14 14:14:29 172.30.1.2 [ 427.404080]  [<ffffffff8104695a>] ? __call_console_drivers+0x72/0x83
May 14 14:14:29 172.30.1.2 [ 427.404083]  [<ffffffff81047026>] ? console_unlock+0x144/0x1e8
May 14 14:14:29 172.30.1.2 [ 427.404086]  [<ffffffff81047549>] ? vprintk+0x396/0x3d9
May 14 14:14:29 172.30.1.2 [ 427.404092]  [<ffffffffa0248342>] ? br_nf_forward_finish+0x3a/0x95 [bridge]
May 14 14:14:29 172.30.1.2 [ 427.404097]  [<ffffffffa024830b>] ? br_nf_forward_finish+0x3/0x95 [bridge]
May 14 14:14:29 172.30.1.2 [ 427.404103]  [<ffffffff81342c8e>] ? printk+0x43/0x48
May 14 14:14:29 172.30.1.2 [ 427.404106]  [<ffffffff8100fe6a>] ? show_registers+0x1de/0x20a
May 14 14:14:29 172.30.1.2 [ 427.404112]  [<ffffffff8134a11e>] ? __die+0x8b/0xc8
May 14 14:14:29 172.30.1.2 [ 427.404115]  [<ffffffff8134245e>] ? no_context+0x1d6/0x20e
May 14 14:14:29 172.30.1.2 [ 427.404118]  [<ffffffff81052262>] ? __mod_timer+0x139/0x14b
May 14 14:14:29 172.30.1.2 [ 427.404121]  [<ffffffff8134c099>] ? do_page_fault+0x1a8/0x337
May 14 14:14:29 172.30.1.2 [ 427.404126]  [<ffffffffa03e0f06>] ? ip_vs_conn_put+0x28/0x32 [ip_vs]
May 14 14:14:30 172.30.1.2 [ 427.404131]  [<ffffffffa03e30e0>] ? ip_vs_out+0x2bd/0x432 [ip_vs]
May 14 14:14:30 172.30.1.2 [ 427.404134]  [<ffffffff8128c0e2>] ? dev_hard_start_xmit+0x3fc/0x543
May 14 14:14:30 172.30.1.2 [ 427.404137]  [<ffffffff813497f5>] ? page_fault+0x25/0x30
May 14 14:14:30 172.30.1.2 [ 427.404143]  [<ffffffffa0248308>] ? nf_bridge_update_protocol+0x20/0x20 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404148]  [<ffffffffa0248336>] ? br_nf_forward_finish+0x2e/0x95 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404153]  [<ffffffffa0248327>] ? br_nf_forward_finish+0x1f/0x95 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404158]  [<ffffffffa02486db>] ? br_parse_ip_options+0x3d/0x19a [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404164]  [<ffffffffa0248a67>] ? br_nf_forward_ip+0x1c0/0x1d4 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404167]  [<ffffffff812ac039>] ? nf_iterate+0x41/0x77
May 14 14:14:30 172.30.1.2 [ 427.404171]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404176]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404178]  [<ffffffff812ac0d7>] ? nf_hook_slow+0x68/0x101
May 14 14:14:30 172.30.1.2 [ 427.404183]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404187]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404192]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404196]  [<ffffffffa024385e>] ? NF_HOOK.constprop.8+0x3c/0x56 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404200]  [<ffffffffa02439f2>] ? br_forward+0x16/0x5a [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404205]  [<ffffffffa024451b>] ? br_handle_frame_finish+0x1a1/0x20f [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404210]  [<ffffffffa02485ff>] ? br_nf_pre_routing_finish+0x1d0/0x1dd [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404215]  [<ffffffffa0247ff0>] ? NF_HOOK_THRESH+0x3b/0x55 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404221]  [<ffffffffa0248f58>] ? br_nf_pre_routing+0x3e8/0x3f5 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404223]  [<ffffffff812ac039>] ? nf_iterate+0x41/0x77
May 14 14:14:30 172.30.1.2 [ 427.404226]  [<ffffffff8128ad1d>] ? netif_receive_skb+0x63/0x69
May 14 14:14:30 172.30.1.2 [ 427.404229]  [<ffffffff8128b1ef>] ? napi_gro_receive+0x1d/0x2b
May 14 14:14:30 172.30.1.2 [ 427.404234]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404237]  [<ffffffff812ac0d7>] ? nf_hook_slow+0x68/0x101
May 14 14:14:30 172.30.1.2 [ 427.404241]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404246]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404251]  [<ffffffffa0244360>] ? NF_HOOK.constprop.4+0x3c/0x56 [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404254]  [<ffffffff810135ad>] ? paravirt_read_tsc+0x5/0x8
May 14 14:14:30 172.30.1.2 [ 427.404256]  [<ffffffff81013622>] ? read_tsc+0x5/0x14
May 14 14:14:30 172.30.1.2 [ 427.404261]  [<ffffffffa024473c>] ? br_handle_frame+0x1b3/0x1cb [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404265]  [<ffffffffa0244589>] ? br_handle_frame_finish+0x20f/0x20f [bridge]
May 14 14:14:30 172.30.1.2 [ 427.404269]  [<ffffffff812892c0>] ? __netif_receive_skb+0x324/0x41f
May 14 14:14:30 172.30.1.2 [ 427.404272]  [<ffffffff81289427>] ? process_backlog+0x6c/0x123
May 14 14:14:30 172.30.1.2 [ 427.404275]  [<ffffffff8128b30d>] ? net_rx_action+0xa1/0x1af
May 14 14:14:30 172.30.1.2 [ 427.404277]  [<ffffffff81036fab>] ? test_tsk_need_resched+0xa/0x13
May 14 14:14:30 172.30.1.2 [ 427.404280]  [<ffffffff8104be30>] ? __do_softirq+0xb9/0x177
May 14 14:14:30 172.30.1.2 [ 427.404283]  [<ffffffff8135046c>] ? call_softirq+0x1c/0x30
May 14 14:14:30 172.30.1.2 [ 427.404285]  <EOI>  [<ffffffff8100f8e5>] ? do_softirq+0x3c/0x7b
May 14 14:14:30 172.30.1.2 [ 427.404289]  [<ffffffff8128b5fd>] ? netif_rx_ni+0x1e/0x27
May 14 14:14:30 172.30.1.2 [ 427.404292]  [<ffffffffa02a7721>] ? tun_get_user+0x39a/0x3c2 [tun]
May 14 14:14:30 172.30.1.2 [ 427.404296]  [<ffffffffa02a7a66>] ? tun_chr_poll+0xcd/0xcd [tun]
May 14 14:14:30 172.30.1.2 [ 427.404299]  [<ffffffffa02a7ac4>] ? tun_chr_aio_write+0x5e/0x79 [tun]
May 14 14:14:30 172.30.1.2 [ 427.404302]  [<ffffffff810f9594>] ? do_sync_readv_writev+0x9a/0xd7
May 14 14:14:30 172.30.1.2 [ 427.404305]  [<ffffffff810363c7>] ? should_resched+0x5/0x23
May 14 14:14:30 172.30.1.2 [ 427.404307]  [<ffffffff810f8c16>] ? do_sync_read+0xab/0xe3
May 14 14:14:30 172.30.1.2 [ 427.404310]  [<ffffffff810363c7>] ? should_resched+0x5/0x23
May 14 14:14:30 172.30.1.2 [ 427.404313]  [<ffffffff811626a1>] ? security_file_permission+0x16/0x2d
May 14 14:14:30 172.30.1.2 [ 427.404316]  [<ffffffff810f97f8>] ? do_readv_writev+0xaf/0x11c
May 14 14:14:30 172.30.1.2 [ 427.404319]  [<ffffffff8112ab7e>] ? eventfd_ctx_read+0x162/0x174
May 14 14:14:30 172.30.1.2 [ 427.404322]  [<ffffffff8103f3ff>] ? try_to_wake_up+0x197/0x197
May 14 14:14:30 172.30.1.2 [ 427.404325]  [<ffffffff810f99cd>] ? sys_writev+0x45/0x90
May 14 14:14:30 172.30.1.2 [ 427.404327]  [<ffffffff8134e212>] ? system_call_fastpath+0x16/0x1b
May 14 14:14:30 172.30.1.2 [ 427.404329] ---[ end trace 438338d42c34dda1 ]---
May 14 14:14:30 172.30.1.2 [ 428.546182] 12 
May 14 14:14:30 172.30.1.2 8a
May 14 14:14:30 172.30.1.2 43
May 14 14:14:30 172.30.1.2 7d
May 14 14:14:30 172.30.1.2 83
May 14 14:14:30 172.30.1.2 e0
May 14 14:14:30 172.30.1.2 f8
May 14 14:14:30 172.30.1.2 83
May 14 14:14:30 172.30.1.2 c8
May 14 14:14:30 172.30.1.2 
May 14 14:14:30 172.30.1.2 [ 428.554377] RIP 
May 14 14:14:30 172.30.1.2 [ 428.568728]  RSP <ffff88042fc03b18>
May 14 14:14:30 172.30.1.2 [ 428.575736] CR2: 0000000000000018
May 14 14:14:30 172.30.1.2 [ 428.582882] ---[ end trace 438338d42c34dda2 ]---
May 14 14:14:30 172.30.1.2 [ 428.597671] Kernel panic - not syncing: Fatal exception in interrupt
May 14 14:14:30 172.30.1.2 [ 428.610756] Pid: 3831, comm: kvm Tainted: G      D W    3.2.0-2-amd64 #1
May 14 14:14:30 172.30.1.2 [ 428.624515] Call Trace:
May 14 14:14:30 172.30.1.2 [ 428.629824]  <IRQ> 
May 14 14:14:30 172.30.1.2 [ 428.641612]  [<ffffffff8134a086>] ? oops_end+0xa9/0xb6
May 14 14:14:30 172.30.1.2 [ 428.652191]  [<ffffffff81342487>] ? no_context+0x1ff/0x20e
May 14 14:14:30 172.30.1.2 [ 428.663450]  [<ffffffff81052262>] ? __mod_timer+0x139/0x14b
May 14 14:14:30 172.30.1.2 [ 428.674900]  [<ffffffff8134c099>] ? do_page_fault+0x1a8/0x337
May 14 14:14:30 172.30.1.2 [ 428.686700]  [<ffffffffa03e0f06>] ? ip_vs_conn_put+0x28/0x32 [ip_vs]
May 14 14:14:30 172.30.1.2 [ 428.699763]  [<ffffffffa03e30e0>] ? ip_vs_out+0x2bd/0x432 [ip_vs]
May 14 14:14:30 172.30.1.2 [ 428.712251]  [<ffffffff8128c0e2>] ? dev_hard_start_xmit+0x3fc/0x543
May 14 14:14:30 172.30.1.2 [ 428.725155]  [<ffffffff813497f5>] ? page_fault+0x25/0x30
May 14 14:14:30 172.30.1.2 [ 428.736101]  [<ffffffffa0248308>] ? nf_bridge_update_protocol+0x20/0x20 [bridge]
May 14 14:14:30 172.30.1.2 [ 428.751403]  [<ffffffffa0248336>] ? br_nf_forward_finish+0x2e/0x95 [bridge]
May 14 14:14:30 172.30.1.2 [ 428.765714]  [<ffffffffa0248327>] ? br_nf_forward_finish+0x1f/0x95 [bridge]
May 14 14:14:30 172.30.1.2 [ 428.779943]  [<ffffffffa02486db>] ? br_parse_ip_options+0x3d/0x19a [bridge]
May 14 14:14:30 172.30.1.2 [ 428.794381]  [<ffffffffa0248a67>] ? br_nf_forward_ip+0x1c0/0x1d4 [bridge]
May 14 14:14:30 172.30.1.2 [ 428.808378]  [<ffffffff812ac039>] ? nf_iterate+0x41/0x77
May 14 14:14:30 172.30.1.2 [ 428.819313]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:30 172.30.1.2 [ 428.832151]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:30 172.30.1.2 [ 428.845076]  [<ffffffff812ac0d7>] ? nf_hook_slow+0x68/0x101
May 14 14:14:30 172.30.1.2 [ 428.856526]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:31 172.30.1.2 [ 428.869365]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:31 172.30.1.2 [ 428.883411]  [<ffffffffa0243918>] ? __br_deliver+0xa0/0xa0 [bridge]
May 14 14:14:31 172.30.1.2 [ 428.896251]  [<ffffffffa024385e>] ? NF_HOOK.constprop.8+0x3c/0x56 [bridge]
May 14 14:14:31 172.30.1.2 [ 428.910400]  [<ffffffffa02439f2>] ? br_forward+0x16/0x5a [bridge]
May 14 14:14:31 172.30.1.2 [ 428.922898]  [<ffffffffa024451b>] ? br_handle_frame_finish+0x1a1/0x20f [bridge]
May 14 14:14:31 172.30.1.2 [ 428.937870]  [<ffffffffa02485ff>] ? br_nf_pre_routing_finish+0x1d0/0x1dd [bridge]
May 14 14:14:31 172.30.1.2 [ 428.953341]  [<ffffffffa0247ff0>] ? NF_HOOK_THRESH+0x3b/0x55 [bridge]
May 14 14:14:31 172.30.1.2 [ 428.966524]  [<ffffffffa0248f58>] ? br_nf_pre_routing+0x3e8/0x3f5 [bridge]
May 14 14:14:31 172.30.1.2 [ 428.980827]  [<ffffffff812ac039>] ? nf_iterate+0x41/0x77
May 14 14:14:31 172.30.1.2 [ 428.991795]  [<ffffffff8128ad1d>] ? netif_receive_skb+0x63/0x69
May 14 14:14:31 172.30.1.2 [ 429.003984]  [<ffffffff8128b1ef>] ? napi_gro_receive+0x1d/0x2b
May 14 14:14:31 172.30.1.2 [ 429.016105]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:31 172.30.1.2 [ 429.030151]  [<ffffffff812ac0d7>] ? nf_hook_slow+0x68/0x101
May 14 14:14:31 172.30.1.2 [ 429.041651]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:31 172.30.1.2 [ 429.055762]  [<ffffffffa024437a>] ? NF_HOOK.constprop.4+0x56/0x56 [bridge]
May 14 14:14:31 172.30.1.2 [ 429.069893]  [<ffffffffa0244360>] ? NF_HOOK.constprop.4+0x3c/0x56 [bridge]
May 14 14:14:31 172.30.1.2 [ 429.084064]  [<ffffffff810135ad>] ? paravirt_read_tsc+0x5/0x8
May 14 14:14:31 172.30.1.2 [ 429.095991]  [<ffffffff81013622>] ? read_tsc+0x5/0x14
May 14 14:14:31 172.30.1.2 [ 429.106499]  [<ffffffffa024473c>] ? br_handle_frame+0x1b3/0x1cb [bridge]
May 14 14:14:31 172.30.1.2 [ 429.120298]  [<ffffffffa0244589>] ? br_handle_frame_finish+0x20f/0x20f [bridge]
May 14 14:14:31 172.30.1.2 [ 429.135325]  [<ffffffff812892c0>] ? __netif_receive_skb+0x324/0x41f
May 14 14:14:31 172.30.1.2 [ 429.148167]  [<ffffffff81289427>] ? process_backlog+0x6c/0x123
May 14 14:14:31 172.30.1.2 [ 429.160129]  [<ffffffff8128b30d>] ? net_rx_action+0xa1/0x1af
May 14 14:14:31 172.30.1.2 [ 429.171840]  [<ffffffff81036fab>] ? test_tsk_need_resched+0xa/0x13
May 14 14:14:31 172.30.1.2 [ 429.184495]  [<ffffffff8104be30>] ? __do_softirq+0xb9/0x177
May 14 14:14:31 172.30.1.2 [ 429.195945]  [<ffffffff8135046c>] ? call_softirq+0x1c/0x30
May 14 14:14:31 172.30.1.2 [ 429.207337]  <EOI> 
May 14 14:14:31 172.30.1.2 [ 429.219918]  [<ffffffff8128b5fd>] ? netif_rx_ni+0x1e/0x27
May 14 14:14:31 172.30.1.2 [ 429.231115]  [<ffffffffa02a7721>] ? tun_get_user+0x39a/0x3c2 [tun]
May 14 14:14:31 172.30.1.2 [ 429.243773]  [<ffffffffa02a7a66>] ? tun_chr_poll+0xcd/0xcd [tun]
May 14 14:14:31 172.30.1.2 [ 429.256130]  [<ffffffffa02a7ac4>] ? tun_chr_aio_write+0x5e/0x79 [tun]
May 14 14:14:31 172.30.1.2 [ 429.269368]  [<ffffffff810f9594>] ? do_sync_readv_writev+0x9a/0xd7
May 14 14:14:31 172.30.1.2 [ 429.282027]  [<ffffffff810363c7>] ? should_resched+0x5/0x23
May 14 14:14:31 172.30.1.2 [ 429.293475]  [<ffffffff810f8c16>] ? do_sync_read+0xab/0xe3
May 14 14:14:31 172.30.1.2 [ 429.304745]  [<ffffffff810363c7>] ? should_resched+0x5/0x23
May 14 14:14:31 172.30.1.2 [ 429.316190]  [<ffffffff811626a1>] ? security_file_permission+0x16/0x2d
May 14 14:14:31 172.30.1.2 [ 429.329545]  [<ffffffff810f97f8>] ? do_readv_writev+0xaf/0x11c
May 14 14:14:31 172.30.1.2 [ 429.341562]  [<ffffffff8112ab7e>] ? eventfd_ctx_read+0x162/0x174
May 14 14:14:31 172.30.1.2 [ 429.353976]  [<ffffffff8103f3ff>] ? try_to_wake_up+0x197/0x197
May 14 14:14:31 172.30.1.2 [ 429.365984]  [<ffffffff810f99cd>] ? sys_writev+0x45/0x90
May 14 14:14:31 172.30.1.2 [ 429.377080]  [<ffffffff8134e212>] ? system_call_fastpath+0x16/0x1b
