* nf-next-2.6 pull request, Complete deprecation of CONFIG_NF_CT_ACCT (V4)
From: Tim Gardner @ 2010-06-25 12:31 UTC
To: kaber; +Cc: netfilter-devel

The first patch adds some functionality to CT accounting that allows xt_connbytes to check and/or enable CT accounting, a feature upon which the filter depends. CT accounting is currently enforced by a 'SELECT CONFIG_NF_CT_ACCT' in the xt_connbytes Kconfig entry. All this in preparation for deprecating CONFIG_NF_CT_ACCT which happens in the second patch.
* [PATCH V4 1/2] netfilter: xt_connbytes: Force CT accounting to be enabled
From: Tim Gardner @ 2010-06-25 12:31 UTC
To: kaber; +Cc: netfilter-devel, Tim Gardner

Check at rule install time that CT accounting is enabled. Force it to be enabled if not while also emitting a warning since this is not the default state.

This is in preparation for deprecating CONFIG_NF_CT_ACCT upon which CONFIG_NETFILTER_XT_MATCH_CONNBYTES depended being set.

Added 2 CT accounting support functions:

nf_ct_acct_enabled() - Get CT accounting state.
nf_ct_set_acct() - Enable/disable CT accounting.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
--- include/net/netfilter/nf_conntrack_acct.h | 12 ++++++++++++ net/netfilter/xt_connbytes.c | 10 ++++++++++ 2 files changed, 22 insertions(+), 0 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h index 03e218f..4e9c63a 100644 --- a/include/net/netfilter/nf_conntrack_acct.h +++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -45,6 +45,18 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) extern unsigned int seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); +/* Check if connection tracking accounting is enabled */ +static inline bool nf_ct_acct_enabled(struct net *net) +{ + return net->ct.sysctl_acct != 0; +} + +/* Enable/disable connection tracking accounting */ +static inline void nf_ct_set_acct(struct net *net, bool enable) +{ + net->ct.sysctl_acct = enable; +} + extern int nf_conntrack_acct_init(struct net *net); extern void nf_conntrack_acct_fini(struct net *net); diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c index 7351783..5b13850 100644 --- a/net/netfilter/xt_connbytes.c +++ b/net/netfilter/xt_connbytes.c @@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par) if (ret < 0) pr_info("cannot load conntrack support for proto=%u\n", par->family); + + /* + * This filter cannot function correctly unless connection tracking + * accounting is enabled, so complain in the hope that someone notices. + */ + if (!nf_ct_acct_enabled(par->net)) { + pr_warning("Forcing CT accounting to be enabled\n"); + nf_ct_set_acct(par->net, true); + } + return ret; } -- 1.7.0.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
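Review bot: nf_ct_set_acct() in the nf_conntrack_acct.h hunk writes net->ct.sysctl_acct directly, so any in-kernel caller can override the value an administrator chose for that namespace, and the one-line comment above it does not say so. Suggest documenting that the write applies to the whole namespace and that nothing here restores the previous value afterwards. nf_ct_acct_enabled() only reads the field, so it could take `const struct net *net`.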
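Review bot: in connbytes_mt_check() the added block runs even when ret < 0, so a rule whose install fails with "cannot load conntrack support" still switches CT accounting on for par->net before the error is returned. Return early on error, or guard the block with a ret >= 0 check, so that a rejected rule has no side effect. The comment speaks only of complaining while the code also changes the setting, and the pr_warning text would help an administrator more if it named the nf_conntrack_acct setting that was changed.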
* Re: [PATCH V4 1/2] netfilter: xt_connbytes: Force CT accounting to be enabled
From: Patrick McHardy @ 2010-06-25 12:44 UTC
To: Tim Gardner; +Cc: netfilter-devel

Tim Gardner wrote:
> Check at rule install time that CT accounting is enabled. Force it
> to be enabled if not while also emitting a warning since this is not
> the default state.
>
> This is in preparation for deprecating CONFIG_NF_CT_ACCT upon which
> CONFIG_NETFILTER_XT_MATCH_CONNBYTES depended being set.
>
> Added 2 CT accounting support functions:
>
> nf_ct_acct_enabled() - Get CT accounting state.
> nf_ct_set_acct() - Enable/disable CT accounting.
>
>

Applied, thanks Tim.
* [PATCH V4 2/2] netfilter: Complete the deprecation of CONFIG_NF_CT_ACCT
From: Tim Gardner @ 2010-06-25 12:31 UTC
To: kaber; +Cc: netfilter-devel, Tim Gardner

CONFIG_NF_CT_ACCT has been deprecated for awhile and was originally scheduled for removal by 2.6.29.

Removing support for this config option also stops this deprecation warning message in the kernel log.

[ 61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[ 61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[ 61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[ 61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
--- Documentation/feature-removal-schedule.txt | 9 --------- Documentation/kernel-parameters.txt | 3 +-- net/netfilter/Kconfig | 22 ---------------------- net/netfilter/nf_conntrack_acct.c | 10 ---------- 4 files changed, 1 insertions(+), 43 deletions(-) diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index 672be01..92f021a 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt
@@ -303,15 +303,6 @@ Who: Johannes Berg <johannes@sipsolutions.net> --------------------------- -What: CONFIG_NF_CT_ACCT -When: 2.6.29 -Why: Accounting can now be enabled/disabled without kernel recompilation. - Currently used only to set a default value for a feature that is also - controlled by a kernel/module/sysfs/sysctl parameter. -Who: Krzysztof Piotr Oledzki <ole@ans.pl> - ---------------------------- - What: sysfs ui for changing p4-clockmod parameters When: September 2009 Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 1808f11..a7279d0 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file [NETFILTER] Enable connection tracking flow accounting 0 to disable accounting 1 to enable accounting - Default value depends on CONFIG_NF_CT_ACCT that is - going to be removed in 2.6.29. + Default value is 1 nfsaddrs= [NFS] See Documentation/filesystems/nfs/nfsroot.txt. diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 21be535..aa2f106 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig 
@@ -40,27 +40,6 @@ config NF_CONNTRACK if NF_CONNTRACK -config NF_CT_ACCT - bool "Connection tracking flow accounting" - depends on NETFILTER_ADVANCED - help - If this option is enabled, the connection tracking code will - keep per-flow packet and byte counters. - - Those counters can be used for flow-based accounting or the - `connbytes' match. - - Please note that currently this option only sets a default state. - You may change it at boot time with nf_conntrack.acct=0/1 kernel - parameter or by loading the nf_conntrack module with acct=0/1. - - You may also disable/enable it on a running system with: - sysctl net.netfilter.nf_conntrack_acct=0/1 - - This option will be removed in 2.6.29. - - If unsure, say `N'. - config NF_CONNTRACK_MARK bool 'Connection mark tracking support' depends on NETFILTER_ADVANCED @@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES tristate '"connbytes" per-connection counter match support' depends on NF_CONNTRACK depends on NETFILTER_ADVANCED - select NF_CT_ACCT help This option adds a `connbytes' match, which allows you to match the number of bytes and/or packets for each direction within a connection. diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c index ab81b38..57059aa 100644 --- a/net/netfilter/nf_conntrack_acct.c +++ b/net/netfilter/nf_conntrack_acct.c @@ -17,11 +17,7 @@ #include <net/netfilter/nf_conntrack_extend.h> #include <net/netfilter/nf_conntrack_acct.h> -#ifdef CONFIG_NF_CT_ACCT #define NF_CT_ACCT_DEFAULT 1 -#else -#define NF_CT_ACCT_DEFAULT 0 -#endif static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT; 
@@ -114,12 +110,6 @@ int nf_conntrack_acct_init(struct net *net) net->ct.sysctl_acct = nf_ct_acct; if (net_eq(net, &init_net)) { -#ifdef CONFIG_NF_CT_ACCT - printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use\n"); - printk(KERN_WARNING "nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or\n"); - printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n"); -#endif - ret = nf_ct_extend_register(&acct_extend); if (ret < 0) { printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n"); -- 1.7.0.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
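Review bot: the first nf_conntrack_acct.c hunk keeps `#define NF_CT_ACCT_DEFAULT 1` unconditionally and the kernel-parameters.txt hunk documents "Default value is 1", so a kernel that was built without CONFIG_NF_CT_ACCT changes from accounting off to accounting on. The commit message does not mention a change of default, and the warning text removed in the last hunk tells users to set acct=1 themselves. Suggest dropping the macro so that nf_ct_acct is zero-initialised and documenting 0, or else stating the new default and the reason for it in the commit message.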
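Review bot: with `select NF_CT_ACCT` removed from NETFILTER_XT_MATCH_CONNBYTES in the Kconfig hunk at -630,7, the help lines shown in the context give no hint that the match depends on accounting being enabled at run time. Suggest adding a sentence to that help text pointing at the nf_conntrack.acct= parameter and the net.netfilter.nf_conntrack_acct sysctl, since the removed NF_CT_ACCT entry was the only place in this file that described them.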
* Re: [PATCH V4 2/2] netfilter: Complete the deprecation of CONFIG_NF_CT_ACCT 2010-06-25 12:31 ` [PATCH V4 2/2] netfilter: Complete the deprecation of CONFIG_NF_CT_ACCT Tim Gardner @ 2010-06-25 12:38 ` Patrick McHardy 2010-06-25 12:59 ` Tim Gardner 2010-06-25 12:48 ` Patrick McHardy 1 sibling, 1 reply; 7+ messages in thread From: Patrick McHardy @ 2010-06-25 12:38 UTC (permalink / raw) To: Tim Gardner; +Cc: netfilter-devel Tim Gardner wrote: > CONFIG_NF_CT_ACCT has been deprecated for awhile and > was originally scheduled for removal by 2.6.29. > Thanks, looks fine. > [ 61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max) > [ 61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use > [ 61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or > [ 61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it. > > --- a/Documentation/kernel-parameters.txt > +++ b/Documentation/kernel-parameters.txt > @@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file > [NETFILTER] Enable connection tracking flow accounting > 0 to disable accounting > 1 to enable accounting > - Default value depends on CONFIG_NF_CT_ACCT that is > - going to be removed in 2.6.29. > + Default value is 1 > The default should be off though, that was the point of the warning message, people using it are supposed to manually enable it. No need to resend, I'll manually change this when applying the patches. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH V4 2/2] netfilter: Complete the deprecation of CONFIG_NF_CT_ACCT 2010-06-25 12:38 ` Patrick McHardy @ 2010-06-25 12:59 ` Tim Gardner 0 siblings, 0 replies; 7+ messages in thread From: Tim Gardner @ 2010-06-25 12:59 UTC (permalink / raw) To: Patrick McHardy; +Cc: netfilter-devel On 06/25/2010 06:38 AM, Patrick McHardy wrote: > Tim Gardner wrote: >> CONFIG_NF_CT_ACCT has been deprecated for awhile and >> was originally scheduled for removal by 2.6.29. > > Thanks, looks fine. >> [ 61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max) >> [ 61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. >> Please use >> [ 61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack >> module option or >> [ 61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it. >> >> --- a/Documentation/kernel-parameters.txt >> +++ b/Documentation/kernel-parameters.txt >> @@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is >> defined in the file >> [NETFILTER] Enable connection tracking flow accounting >> 0 to disable accounting >> 1 to enable accounting >> - Default value depends on CONFIG_NF_CT_ACCT that is >> - going to be removed in 2.6.29. >> + Default value is 1 > The default should be off though, that was the point of the warning > message, > people using it are supposed to manually enable it. No need to resend, I'll > manually change this when applying the patches. > -- Works for me. Thanks. rtg -- Tim Gardner tim.gardner@canonical.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH V4 2/2] netfilter: Complete the deprecation of CONFIG_NF_CT_ACCT
From: Patrick McHardy @ 2010-06-25 12:48 UTC
To: Tim Gardner; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 655 bytes --]

Tim Gardner wrote:
> CONFIG_NF_CT_ACCT has been deprecated for awhile and
> was originally scheduled for removal by 2.6.29.
>
> Removing support for this config option also stops
> this deprecation warning message in the kernel log.
>
> [ 61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
> [ 61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
> [ 61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
> [ 61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.

Applied with the default changed to 0 (attached for reference). Thanks for taking care of this.

[-- Attachment #2: 02.diff --]
[-- Type: text/x-diff, Size: 4883 bytes --]

commit d70a011dbbaa6335a19deb63ec3eb613f48faafd
Author: Tim Gardner <tim.gardner@canonical.com>
Date: Fri Jun 25 14:46:56 2010 +0200

netfilter: complete the deprecation of CONFIG_NF_CT_ACCT

CONFIG_NF_CT_ACCT has been deprecated for awhile and was originally scheduled for removal by 2.6.29.

Removing support for this config option also stops this deprecation warning message in the kernel log.

[ 61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[ 61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[ 61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[ 61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
[Patrick: changed default value to 0]
Signed-off-by: Patrick McHardy <kaber@trash.net> diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index 672be01..92f021a 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt @@ -303,15 +303,6 @@ Who: Johannes Berg <johannes@sipsolutions.net> --------------------------- -What: CONFIG_NF_CT_ACCT -When: 2.6.29 -Why: Accounting can now be enabled/disabled without kernel recompilation. - Currently used only to set a default value for a feature that is also - controlled by a kernel/module/sysfs/sysctl parameter. -Who: Krzysztof Piotr Oledzki <ole@ans.pl> - ---------------------------- - What: sysfs ui for changing p4-clockmod parameters When: September 2009 Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 1808f11..cee6251 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file [NETFILTER] Enable connection tracking flow accounting 0 to disable accounting 1 to enable accounting - Default value depends on CONFIG_NF_CT_ACCT that is - going to be removed in 2.6.29. + Default value is 0. nfsaddrs= [NFS] See Documentation/filesystems/nfs/nfsroot.txt. diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 21be535..aa2f106 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig 
@@ -40,27 +40,6 @@ config NF_CONNTRACK if NF_CONNTRACK -config NF_CT_ACCT - bool "Connection tracking flow accounting" - depends on NETFILTER_ADVANCED - help - If this option is enabled, the connection tracking code will - keep per-flow packet and byte counters. - - Those counters can be used for flow-based accounting or the - `connbytes' match. - - Please note that currently this option only sets a default state. - You may change it at boot time with nf_conntrack.acct=0/1 kernel - parameter or by loading the nf_conntrack module with acct=0/1. - - You may also disable/enable it on a running system with: - sysctl net.netfilter.nf_conntrack_acct=0/1 - - This option will be removed in 2.6.29. - - If unsure, say `N'. - config NF_CONNTRACK_MARK bool 'Connection mark tracking support' depends on NETFILTER_ADVANCED @@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES tristate '"connbytes" per-connection counter match support' depends on NF_CONNTRACK depends on NETFILTER_ADVANCED - select NF_CT_ACCT help This option adds a `connbytes' match, which allows you to match the number of bytes and/or packets for each direction within a connection. diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c index ab81b38..5178c69 100644 --- a/net/netfilter/nf_conntrack_acct.c +++ b/net/netfilter/nf_conntrack_acct.c @@ -17,13 +17,7 @@ #include <net/netfilter/nf_conntrack_extend.h> #include <net/netfilter/nf_conntrack_acct.h> -#ifdef CONFIG_NF_CT_ACCT -#define NF_CT_ACCT_DEFAULT 1 -#else -#define NF_CT_ACCT_DEFAULT 0 -#endif - -static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT; +static int nf_ct_acct __read_mostly; module_param_named(acct, nf_ct_acct, bool, 0644); MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting."); 
@@ -114,12 +108,6 @@ int nf_conntrack_acct_init(struct net *net) net->ct.sysctl_acct = nf_ct_acct; if (net_eq(net, &init_net)) { -#ifdef CONFIG_NF_CT_ACCT - printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use\n"); - printk(KERN_WARNING "nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or\n"); - printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n"); -#endif - ret = nf_ct_extend_register(&acct_extend); if (ret < 0) { printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n"); ^ permalink raw reply related [flat|nested] 7+ messages in thread
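Review bot: in the nf_conntrack_acct.c hunk at -17,13, nf_ct_acct stays `static int` while it is registered with module_param_named(acct, nf_ct_acct, bool, 0644); now that the NF_CT_ACCT_DEFAULT initialiser is gone the variable could be declared bool to match. The 0644 mode also lets the parameter be written at run time, whereas nf_conntrack_acct_init() copies it into net->ct.sysctl_acct once per namespace, so a later write does not reach a namespace that is already initialised. A line saying so in MODULE_PARM_DESC or in the kernel-parameters.txt entry would save an administrator from assuming the parameter and the sysctl stay in step.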