* [PATCH nf-next 0/4] netfilter: built-in conntrack support for DCCP, SCTP, UDPlite
From: Davide Caratti @ 2016-11-10 14:46 UTC (permalink / raw)
To: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, mikko.rapeli
Cc: coreteam, netfilter-devel
When netfilter needs to match traffic made by one of the above protocols,
layer-4 connection tracking functionality will not be available, unless the
user explicitly loads it in the kernel (e.g. "modprobe nf_conntrack_proto_sctp")
or modifies the default kernel configuration and rebuilds.
In order to remove such a limitation, this series converts
CONFIG_NF_CT_PROTO_{DCCP,SCTP,UDPLITE} from tristate to boolean: in case
conntrack support for these protocols is enabled in the kernel configuration,
it will be built into nf_conntrack.ko.
Patch 1/4 fixes nf_conntrack_tuple_common.h to avoid compile-time errors
when moving module per-net private data.
Patches 2/4, 3/4 and 4/4 remove loadable kernel module support from DCCP,
SCTP and UDPlite respectively.
footprint test (nf-next.git, x86_64, RHEL7)
Patches 2/4 to 4/4 in this series have been individually tested on a
nf-next.git kernel with standard RHEL7 configuration on x86_64 architecture,
recording the unstripped binary size after module clean/rebuild:
$ ls -l net/netfilter/nf_conntrack{,_proto_{dccp,sctp,udplite}}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko
(builtin) ||  dccp  |  sctp  | udplite |  ipv4  |  ipv6  | nf_conntrack
----------++--------+--------+---------+--------+--------+-------------
none      || 469140 | 498243 |  432538 | 828755 | 828676 |      6141434
DCCP      ||      - | 498987 |  432746 | 830566 | 829935 |      6533526
SCTP      || 469276 |      - |  432690 | 829254 | 829175 |      6547872
UDPlite   || 469484 | 498587 |       - | 829649 | 829362 |      6498204
all       ||      - |      - |       - | 831999 | 831104 |      7298358
Davide Caratti (4):
netfilter: nf_conntrack_tuple_common.h: fix #include
netfilter: conntrack: built-in support for DCCP
netfilter: conntrack: built-in support for SCTP
netfilter: conntrack: built-in support for UDPlite
include/linux/netfilter/nf_conntrack_dccp.h | 2 +-
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 9 +++
include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 9 +++
include/net/netns/conntrack.h | 43 ++++++++++++
.../linux/netfilter/nf_conntrack_tuple_common.h | 2 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 9 +++
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 9 +++
net/netfilter/Kconfig | 18 ++---
net/netfilter/Makefile | 7 +-
net/netfilter/nf_conntrack_proto_dccp.c | 79 +++-------------------
net/netfilter/nf_conntrack_proto_sctp.c | 76 +++------------------
net/netfilter/nf_conntrack_proto_udplite.c | 79 +++-------------------
12 files changed, 121 insertions(+), 221 deletions(-)
--
2.7.4
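The cover letter's problem is that layer-4 tracking for these protocols could be silently absent; the check below, added here as an example and not part of the patch series, tells you whether a tracker is actually active on a running kernel. Each tracker's init_net registers per-namespace sysctls named net.netfilter.nf_conntrack_<proto>_timeout* (the dccp_kmemdup_sysctl_table / sctp_kmemdup_sysctl_table calls visible in patches 2/4 and 3/4), so their presence under /proc/sys/net/netfilter means the protocol is handled by its own state machine rather than by the generic tracker, which keys only on addresses and protocol number and has a single timeout. The function names are mine, and the optional root-directory argument exists so the functions can be exercised against a constructed tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not part of the patch series.  Probe whether a layer-4
# conntrack tracker (dccp, sctp, udplite) is active by looking for the
# per-netns sysctls its init_net registers:
#   /proc/sys/net/netfilter/nf_conntrack_<proto>_timeout*
# A second argument overrides the sysctl root so the functions can be run
# against a constructed directory tree instead of the live kernel.

# Return 0 if at least one timeout sysctl exists for protocol $1, else 1.
ct_l4_available() {
    proto=$1
    root=${2:-/proc/sys/net/netfilter}
    for f in "$root"/nf_conntrack_${proto}_timeout*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Print "<state>=<seconds>" for each timeout sysctl of protocol $1.  The
# bare nf_conntrack_<proto>_timeout entry (UDP-Lite has one next to
# _timeout_stream) is reported as "default".
ct_l4_timeouts() {
    proto=$1
    root=${2:-/proc/sys/net/netfilter}
    for f in "$root"/nf_conntrack_${proto}_timeout*; do
        [ -e "$f" ] || continue
        state=${f##*/nf_conntrack_${proto}_timeout}
        state=${state#_}
        [ -n "$state" ] || state=default
        printf '%s=%s\n' "$state" "$(cat "$f")"
    done
}

# One line per protocol covered by the series.  An untracked protocol is
# still accepted by conntrack, but only through the generic tracker: no
# protocol state machine, just "reply seen" tracking and its one timeout.
ct_l4_report() {
    root=${1:-/proc/sys/net/netfilter}
    for proto in dccp sctp udplite; do
        if ct_l4_available "$proto" "$root"; then
            printf '%s: tracked\n' "$proto"
        else
            printf '%s: NOT tracked (generic tracker only)\n' "$proto"
        fi
    done
}

# Usage: sh ct_l4_check.sh report            (live kernel)
#        sh ct_l4_check.sh report /some/dir  (constructed tree)
if [ "${1-}" = "report" ]; then
    ct_l4_report "${2-}"
fi
```

Run it inside the network namespace you care about: the sysctls are per-netns, so a tracker can be present in the init namespace and absent in a container's namespace if nf_conntrack_ipv4/ipv6 were never registered there.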
* [PATCH nf-next 1/4] netfilter: nf_conntrack_tuple_common.h: fix #include
From: Davide Caratti @ 2016-11-10 14:46 UTC (permalink / raw)
To: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, mikko.rapeli
Cc: coreteam, netfilter-devel
In commit 1ffad83dffd6 ("netfilter: fix include files for compilation"),
compile-time errors were fixed for userspace programs including UAPI
nf_conntrack_tuple_common.h: this was done by adding a "#include
<linux/netfilter.h>" line to that header file. This patch replaces
"<linux/netfilter.h>" with "<linux/netfilter/nf_conntrack_common.h>"
in nf_conntrack_tuple_common.h to avoid compile-time errors when trying
to use enum ip_conntrack_dir in include/net/netns/conntrack.h, and still
correctly resolve IP_CT_IS_REPLY.
This accidentally fixes two failures in the output of the script used to
test the above commit [1]:
$ pushd usr/include
$ ../../scripts/headers_compile_test.sh -k | grep FAILED >before.txt
$ sed -i s/netfilter.h/netfilter\/nf_conntrack_common.h/1 \
linux/netfilter/nf_conntrack_tuple_common.h
$ ../../scripts/headers_compile_test.sh -k | grep FAILED >after.txt
$ diff before.txt after.txt
24,25d23
< FAILED: ./linux/netfilter/nf_conntrack_sctp.h
< FAILED: ./linux/netfilter/nf_conntrack_tuple_common.h
$ popd
[1] https://github.com/mcfrisk/linux/blob/headers_test_v05/scripts/headers_compile_test.sh
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
include/uapi/linux/netfilter/nf_conntrack_tuple_common.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
index a9c3834..941e8ea 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
@@ -2,7 +2,7 @@
#define _NF_CONNTRACK_TUPLE_COMMON_H
#include <linux/types.h>
-#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_common.h>
enum ip_conntrack_dir {
IP_CT_DIR_ORIGINAL,
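Review bot: the narrower include is a user-visible change for this UAPI header, and the commit message should say so. Since 1ffad83dffd6 userspace consumers of nf_conntrack_tuple_common.h have been getting <linux/netfilter.h> transitively; after this hunk they only get <linux/netfilter/nf_conntrack_common.h>, which is all the header itself needs for IP_CT_IS_REPLY, so any program that relied on the wider include indirectly now has to add it. The fix is right, just note the consequence alongside the headers_compile_test.sh improvement.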
--
2.7.4
* [PATCH nf-next 2/4] netfilter: conntrack: built-in support for DCCP
From: Davide Caratti @ 2016-11-10 14:46 UTC (permalink / raw)
To: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, mikko.rapeli
Cc: coreteam, netfilter-devel
CONFIG_NF_CT_PROTO_DCCP is no longer a tristate. When set to y, connection
tracking support for the DCCP protocol is built into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko
(builtin) ||  dccp  |  ipv4  |  ipv6  | nf_conntrack
----------++--------+--------+--------+-------------
none      || 469140 | 828755 | 828676 |      6141434
DCCP      ||      - | 830566 | 829935 |      6533526
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
include/linux/netfilter/nf_conntrack_dccp.h | 2 +-
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 +
include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 +
include/net/netns/conntrack.h | 14 +++++
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 3 +
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 3 +
net/netfilter/Kconfig | 6 +-
net/netfilter/Makefile | 3 +-
net/netfilter/nf_conntrack_proto_dccp.c | 79 ++++----------------------
9 files changed, 41 insertions(+), 75 deletions(-)
diff --git a/include/linux/netfilter/nf_conntrack_dccp.h b/include/linux/netfilter/nf_conntrack_dccp.h
index 40dcc82..ff721d7 100644
--- a/include/linux/netfilter/nf_conntrack_dccp.h
+++ b/include/linux/netfilter/nf_conntrack_dccp.h
@@ -25,7 +25,7 @@ enum ct_dccp_roles {
#define CT_DCCP_ROLE_MAX (__CT_DCCP_ROLE_MAX - 1)
#ifdef __KERNEL__
-#include <net/netfilter/nf_conntrack_tuple.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
struct nf_ct_dccp {
u_int8_t role[IP_CT_DIR_MAX];
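Review bot: this swap is what makes 1/4 a hard prerequisite, and the dependency should be recorded in this commit rather than only in the cover letter. With <net/netfilter/nf_conntrack_tuple.h> replaced by the UAPI nf_conntrack_tuple_common.h, struct nf_ct_dccp gets IP_CT_DIR_MAX from the UAPI header alone, so applying 2/4 without 1/4 breaks the build once netns/conntrack.h includes this file; a sentence like "depends on the nf_conntrack_tuple_common.h include fix" keeps bisection honest.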
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 981c327..c2f155f 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -15,6 +15,9 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
+#endif
int nf_conntrack_ipv4_compat_init(void);
void nf_conntrack_ipv4_compat_fini(void);
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index a4c9936..5ec66c0 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -6,6 +6,9 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
+#endif
#include <linux/sysctl.h>
extern struct ctl_table nf_ct_ipv6_sysctl_table[];
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index e469e85..b0edb1e 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -6,6 +6,9 @@
#include <linux/atomic.h>
#include <linux/workqueue.h>
#include <linux/netfilter/nf_conntrack_tcp.h>
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+#include <linux/netfilter/nf_conntrack_dccp.h>
+#endif
#include <linux/seqlock.h>
struct ctl_table_header;
@@ -48,12 +51,23 @@ struct nf_icmp_net {
unsigned int timeout;
};
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+struct nf_dccp_net {
+ struct nf_proto_net pn;
+ int dccp_loose;
+ unsigned int dccp_timeout[CT_DCCP_MAX + 1];
+};
+#endif
+
struct nf_ip_net {
struct nf_generic_net generic;
struct nf_tcp_net tcp;
struct nf_udp_net udp;
struct nf_icmp_net icmp;
struct nf_icmp_net icmpv6;
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+ struct nf_dccp_net dccp;
+#endif
};
struct ct_pcpu {
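Review bot: embedding struct nf_dccp_net in struct nf_ip_net means every network namespace now carries the DCCP per-net state (the nf_proto_net header plus CT_DCCP_MAX + 1 timeouts) whenever the option is on, instead of only while the module was loaded and only via net_generic(). The cost is small, but struct net grows for all users including those that never see DCCP traffic, so mention it in the changelog next to the module-size numbers rather than leaving it implicit.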
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 7130ed5..cb3cf77 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -340,6 +340,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {
&nf_conntrack_l4proto_tcp4,
&nf_conntrack_l4proto_udp4,
&nf_conntrack_l4proto_icmp,
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+ &nf_conntrack_l4proto_dccp4,
+#endif
};
static int ipv4_net_init(struct net *net)
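Review bot: adding nf_conntrack_l4proto_dccp4 to builtin_l4proto4[] moves DCCP's per-net registration into ipv4_net_init(), so a failure in dccp_init_net() for a new namespace (the sysctl table kmemdup, for example) now fails IPv4 conntrack setup for that namespace as a whole, where before it only failed the standalone DCCP module. That is consistent with how tcp/udp/icmp are treated, but the failure domain changed and is worth a line in the commit message; the same applies to the builtin_l4proto6[] hunk below.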
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 500be28..f52338d 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -340,6 +340,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {
&nf_conntrack_l4proto_tcp6,
&nf_conntrack_l4proto_udp6,
&nf_conntrack_l4proto_icmpv6,
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+ &nf_conntrack_l4proto_dccp6,
+#endif
};
static int ipv6_net_init(struct net *net)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 496e1dc..27a3d8c 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -146,14 +146,14 @@ config NF_CONNTRACK_LABELS
to connection tracking entries. It selected by the connlabel match.
config NF_CT_PROTO_DCCP
- tristate 'DCCP protocol connection tracking support'
+ bool 'DCCP protocol connection tracking support'
depends on NETFILTER_ADVANCED
- default IP_DCCP
+ default y
help
With this option enabled, the layer 3 independent connection
tracking code will be able to do state tracking on DCCP connections.
- If unsure, say 'N'.
+ If unsure, say Y.
config NF_CT_PROTO_GRE
tristate
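Review bot: replacing "default IP_DCCP" with "default y" makes kernels that do not even build the DCCP socket layer pay for the DCCP tracker inside nf_conntrack.ko (about 390 KB unstripped according to the footprint table, 6533526 vs 6141434). Turning the symbol into a bool does not require "default y"; keeping "default IP_DCCP" would give built-in tracking to every configuration that can generate DCCP traffic while leaving the others at the old size. If "default y" is deliberate, say why in the changelog.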
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3b97d89..bbd0cc0 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -5,6 +5,7 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o
+nf_conntrack-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o
obj-$(CONFIG_NETFILTER) = netfilter.o
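Review bot: once nf_conntrack_proto_dccp.o is linked into nf_conntrack.ko there is no module of that name any more, and because the code lives in a module rather than in vmlinux it will not be listed in modules.builtin either, so the existing "modprobe nf_conntrack_proto_dccp" workaround that the cover letter describes now fails with "Module nf_conntrack_proto_dccp not found". Scripts, modules-load.d entries and container images that do that will break; please call this out explicitly in the changelog so distributions can adjust.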
@@ -16,8 +17,6 @@ obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
# connection tracking
obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
-# SCTP protocol connection tracking
-obj-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o
obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
obj-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index ac89769..b68ce6a 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -9,7 +9,6 @@
*
*/
#include <linux/kernel.h>
-#include <linux/module.h>
#include <linux/init.h>
#include <linux/sysctl.h>
#include <linux/spinlock.h>
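Review bot: with <linux/module.h> gone, the file still uses EXPORT_SYMBOL_GPL() (added further down in this patch), whose definition lives in <linux/export.h>. It evidently builds because some other header pulls export.h in transitively, but that is fragile; replace the removed line with an explicit "#include <linux/export.h>" instead of relying on the include chain.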
@@ -384,17 +383,9 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] =
},
};
-/* this module per-net specifics */
-static int dccp_net_id __read_mostly;
-struct dccp_net {
- struct nf_proto_net pn;
- int dccp_loose;
- unsigned int dccp_timeout[CT_DCCP_MAX + 1];
-};
-
-static inline struct dccp_net *dccp_pernet(struct net *net)
+static inline struct nf_dccp_net *dccp_pernet(struct net *net)
{
- return net_generic(net, dccp_net_id);
+ return &net->ct.nf_ct_proto.dccp;
}
static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
@@ -424,7 +415,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
unsigned int dataoff, unsigned int *timeouts)
{
struct net *net = nf_ct_net(ct);
- struct dccp_net *dn;
+ struct nf_dccp_net *dn;
struct dccp_hdr _dh, *dh;
const char *msg;
u_int8_t state;
@@ -719,7 +710,7 @@ static int dccp_nlattr_size(void)
static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
- struct dccp_net *dn = dccp_pernet(net);
+ struct nf_dccp_net *dn = dccp_pernet(net);
unsigned int *timeouts = data;
int i;
@@ -820,7 +811,7 @@ static struct ctl_table dccp_sysctl_table[] = {
#endif /* CONFIG_SYSCTL */
static int dccp_kmemdup_sysctl_table(struct net *net, struct nf_proto_net *pn,
- struct dccp_net *dn)
+ struct nf_dccp_net *dn)
{
#ifdef CONFIG_SYSCTL
if (pn->ctl_table)
@@ -850,7 +841,7 @@ static int dccp_kmemdup_sysctl_table(struct net *net, struct nf_proto_net *pn,
static int dccp_init_net(struct net *net, u_int16_t proto)
{
- struct dccp_net *dn = dccp_pernet(net);
+ struct nf_dccp_net *dn = dccp_pernet(net);
struct nf_proto_net *pn = &dn->pn;
if (!pn->users) {
@@ -868,7 +859,7 @@ static int dccp_init_net(struct net *net, u_int16_t proto)
return dccp_kmemdup_sysctl_table(net, pn, dn);
}
-static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
+struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 __read_mostly = {
.l3proto = AF_INET,
.l4proto = IPPROTO_DCCP,
.name = "dccp",
@@ -898,11 +889,11 @@ static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
.nla_policy = dccp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
- .net_id = &dccp_net_id,
.init_net = dccp_init_net,
};
+EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_dccp4);
-static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
+struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 __read_mostly = {
.l3proto = AF_INET6,
.l4proto = IPPROTO_DCCP,
.name = "dccp",
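Review bot: dropping ".net_id = &dccp_net_id" without adding a ".get_net_proto" callback leaves the core with no way to find this protocol's struct nf_proto_net. nf_ct_l4proto_net() returns the per-net area via get_net_proto() for built-in trackers and via net_generic(*net_id) for modular ones, and returns NULL when neither is set; nf_ct_l4proto_pernet_register_one() then skips the sysctl registration and the pn->users accounting without returning an error, so net.netfilter.nf_conntrack_dccp_* silently disappears. The built-in tcp/udp/icmp trackers supply the callback; add a one-line dccp_get_net_proto() returning &net->ct.nf_ct_proto.dccp.pn and set ".get_net_proto = dccp_get_net_proto," on both the IPv4 and IPv6 objects.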
@@ -932,56 +923,6 @@ static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
.nla_policy = dccp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
- .net_id = &dccp_net_id,
.init_net = dccp_init_net,
};
-
-static struct nf_conntrack_l4proto *dccp_proto[] = {
- &dccp_proto4,
- &dccp_proto6,
-};
-
-static __net_init int dccp_net_init(struct net *net)
-{
- return nf_ct_l4proto_pernet_register(net, dccp_proto,
- ARRAY_SIZE(dccp_proto));
-}
-
-static __net_exit void dccp_net_exit(struct net *net)
-{
- nf_ct_l4proto_pernet_unregister(net, dccp_proto,
- ARRAY_SIZE(dccp_proto));
-}
-
-static struct pernet_operations dccp_net_ops = {
- .init = dccp_net_init,
- .exit = dccp_net_exit,
- .id = &dccp_net_id,
- .size = sizeof(struct dccp_net),
-};
-
-static int __init nf_conntrack_proto_dccp_init(void)
-{
- int ret;
-
- ret = register_pernet_subsys(&dccp_net_ops);
- if (ret < 0)
- return ret;
- ret = nf_ct_l4proto_register(dccp_proto, ARRAY_SIZE(dccp_proto));
- if (ret < 0)
- unregister_pernet_subsys(&dccp_net_ops);
- return ret;
-}
-
-static void __exit nf_conntrack_proto_dccp_fini(void)
-{
- nf_ct_l4proto_unregister(dccp_proto, ARRAY_SIZE(dccp_proto));
- unregister_pernet_subsys(&dccp_net_ops);
-}
-
-module_init(nf_conntrack_proto_dccp_init);
-module_exit(nf_conntrack_proto_dccp_fini);
-
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("DCCP connection tracking protocol helper");
-MODULE_LICENSE("GPL");
+EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_dccp6);
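Review bot: the ".net_id" removal on nf_conntrack_l4proto_dccp6 has the same gap as dccp4 above (no ".get_net_proto"). Separately, deleting the module boilerplate also deletes the MODULE_AUTHOR credit for Patrick McHardy; unless the file header already names him, keep the attribution in a comment. With dccp_net_ops gone, per-namespace DCCP tracking now exists only where nf_conntrack_ipv4/ipv6 register their builtin arrays, which matches the other built-in trackers but is another behaviour change worth one sentence in the changelog.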
--
2.7.4
* [PATCH nf-next 3/4] netfilter: conntrack: built-in support for SCTP
From: Davide Caratti @ 2016-11-10 14:46 UTC (permalink / raw)
To: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, mikko.rapeli
Cc: coreteam, netfilter-devel
CONFIG_NF_CT_PROTO_SCTP is no longer a tristate. When set to y, connection
tracking support for the SCTP protocol is built into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko
(builtin) ||  sctp  |  ipv4  |  ipv6  | nf_conntrack
----------++--------+--------+--------+-------------
none      || 498243 | 828755 | 828676 |      6141434
SCTP      ||      - | 829254 | 829175 |      6547872
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 +
include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 +
include/net/netns/conntrack.h | 13 +++++
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 3 +
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 3 +
net/netfilter/Kconfig | 7 +--
net/netfilter/Makefile | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 76 +++-----------------------
8 files changed, 38 insertions(+), 72 deletions(-)
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index c2f155f..5f1fc15 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -18,6 +18,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
#ifdef CONFIG_NF_CT_PROTO_DCCP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4;
+#endif
int nf_conntrack_ipv4_compat_init(void);
void nf_conntrack_ipv4_compat_fini(void);
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index 5ec66c0..f70d191 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -9,6 +9,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
#ifdef CONFIG_NF_CT_PROTO_DCCP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6;
+#endif
#include <linux/sysctl.h>
extern struct ctl_table nf_ct_ipv6_sysctl_table[];
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index b0edb1e..7f73aa8 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -9,6 +9,9 @@
#ifdef CONFIG_NF_CT_PROTO_DCCP
#include <linux/netfilter/nf_conntrack_dccp.h>
#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+#include <linux/netfilter/nf_conntrack_sctp.h>
+#endif
#include <linux/seqlock.h>
struct ctl_table_header;
@@ -59,6 +62,13 @@ struct nf_dccp_net {
};
#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+struct nf_sctp_net {
+ struct nf_proto_net pn;
+ unsigned int timeouts[SCTP_CONNTRACK_MAX];
+};
+#endif
+
struct nf_ip_net {
struct nf_generic_net generic;
struct nf_tcp_net tcp;
@@ -68,6 +78,9 @@ struct nf_ip_net {
#ifdef CONFIG_NF_CT_PROTO_DCCP
struct nf_dccp_net dccp;
#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+ struct nf_sctp_net sctp;
+#endif
};
struct ct_pcpu {
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index cb3cf77..0a9d354 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -343,6 +343,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {
#ifdef CONFIG_NF_CT_PROTO_DCCP
&nf_conntrack_l4proto_dccp4,
#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+ &nf_conntrack_l4proto_sctp4,
+#endif
};
static int ipv4_net_init(struct net *net)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index f52338d..1d8daaf 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -343,6 +343,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {
#ifdef CONFIG_NF_CT_PROTO_DCCP
&nf_conntrack_l4proto_dccp6,
#endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+ &nf_conntrack_l4proto_sctp6,
+#endif
};
static int ipv6_net_init(struct net *net)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 27a3d8c..29c0bf0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -159,15 +159,14 @@ config NF_CT_PROTO_GRE
tristate
config NF_CT_PROTO_SCTP
- tristate 'SCTP protocol connection tracking support'
+ bool 'SCTP protocol connection tracking support'
depends on NETFILTER_ADVANCED
- default IP_SCTP
+ default y
help
With this option enabled, the layer 3 independent connection
tracking code will be able to do state tracking on SCTP connections.
- If you want to compile it as a module, say M here and read
- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+ If unsure, say Y.
config NF_CT_PROTO_UDPLITE
tristate 'UDP-Lite protocol connection tracking support'
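Review bot: the help text should state that the SCTP tracker is linked into nf_conntrack.ko (and therefore follows NF_CONNTRACK's own y/m choice), because a reader seeing a bool option will assume it goes into vmlinux. The same "default y" versus "default IP_SCTP" consideration raised on the DCCP Kconfig hunk in 2/4 applies here; at minimum, keep the pointer to the kernel's own build documentation that the old text had, since users now need to know that no nf_conntrack_proto_sctp module exists.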
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index bbd0cc0..6545c28 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -6,6 +6,7 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o
nf_conntrack-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o
+nf_conntrack-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
obj-$(CONFIG_NETFILTER) = netfilter.o
@@ -18,7 +19,6 @@ obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
-obj-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o
# netlink interface for nf_conntrack
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 17c0ade..a0efde3 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -15,7 +15,6 @@
#include <linux/types.h>
#include <linux/timer.h>
#include <linux/netfilter.h>
-#include <linux/module.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/sctp.h>
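Review bot: same point as on the DCCP file in 2/4: EXPORT_SYMBOL_GPL() is used further down, so replace the removed <linux/module.h> with an explicit "#include <linux/export.h>" instead of relying on a transitive include.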
@@ -144,15 +143,9 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
}
};
-static int sctp_net_id __read_mostly;
-struct sctp_net {
- struct nf_proto_net pn;
- unsigned int timeouts[SCTP_CONNTRACK_MAX];
-};
-
-static inline struct sctp_net *sctp_pernet(struct net *net)
+static inline struct nf_sctp_net *sctp_pernet(struct net *net)
{
- return net_generic(net, sctp_net_id);
+ return &net->ct.nf_ct_proto.sctp;
}
static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
@@ -600,7 +593,7 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeouts = data;
- struct sctp_net *sn = sctp_pernet(net);
+ struct nf_sctp_net *sn = sctp_pernet(net);
int i;
/* set default SCTP timeouts. */
@@ -708,7 +701,7 @@ static struct ctl_table sctp_sysctl_table[] = {
#endif
static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
- struct sctp_net *sn)
+ struct nf_sctp_net *sn)
{
#ifdef CONFIG_SYSCTL
if (pn->ctl_table)
@@ -735,7 +728,7 @@ static int sctp_kmemdup_sysctl_table(struct nf_proto_net *pn,
static int sctp_init_net(struct net *net, u_int16_t proto)
{
- struct sctp_net *sn = sctp_pernet(net);
+ struct nf_sctp_net *sn = sctp_pernet(net);
struct nf_proto_net *pn = &sn->pn;
if (!pn->users) {
@@ -748,7 +741,7 @@ static int sctp_init_net(struct net *net, u_int16_t proto)
return sctp_kmemdup_sysctl_table(pn, sn);
}
-static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
+struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.l3proto = PF_INET,
.l4proto = IPPROTO_SCTP,
.name = "sctp",
@@ -778,11 +771,11 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.nla_policy = sctp_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
- .net_id = &sctp_net_id,
.init_net = sctp_init_net,
};
+EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
-static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
+struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
.l3proto = PF_INET6,
.l4proto = IPPROTO_SCTP,
.name = "sctp",
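Review bot: as with dccp4 in 2/4, removing ".net_id = &sctp_net_id" without providing a ".get_net_proto" that returns &net->ct.nf_ct_proto.sctp.pn leaves nf_ct_l4proto_net() with no way to reach the per-net state, so the SCTP timeout sysctls are never registered and pn->users is never incremented, silently. Add the callback on both nf_conntrack_l4proto_sctp4 and nf_conntrack_l4proto_sctp6.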
@@ -812,57 +805,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#endif
- .net_id = &sctp_net_id,
.init_net = sctp_init_net,
};
-
-static struct nf_conntrack_l4proto *sctp_proto[] = {
- &nf_conntrack_l4proto_sctp4,
- &nf_conntrack_l4proto_sctp6,
-};
-
-static int sctp_net_init(struct net *net)
-{
- return nf_ct_l4proto_pernet_register(net, sctp_proto,
- ARRAY_SIZE(sctp_proto));
-}
-
-static void sctp_net_exit(struct net *net)
-{
- nf_ct_l4proto_pernet_unregister(net, sctp_proto,
- ARRAY_SIZE(sctp_proto));
-}
-
-static struct pernet_operations sctp_net_ops = {
- .init = sctp_net_init,
- .exit = sctp_net_exit,
- .id = &sctp_net_id,
- .size = sizeof(struct sctp_net),
-};
-
-static int __init nf_conntrack_proto_sctp_init(void)
-{
- int ret;
-
- ret = register_pernet_subsys(&sctp_net_ops);
- if (ret < 0)
- return ret;
- ret = nf_ct_l4proto_register(sctp_proto, ARRAY_SIZE(sctp_proto));
- if (ret < 0)
- unregister_pernet_subsys(&sctp_net_ops);
- return ret;
-}
-
-static void __exit nf_conntrack_proto_sctp_fini(void)
-{
- nf_ct_l4proto_unregister(sctp_proto, ARRAY_SIZE(sctp_proto));
- unregister_pernet_subsys(&sctp_net_ops);
-}
-
-module_init(nf_conntrack_proto_sctp_init);
-module_exit(nf_conntrack_proto_sctp_fini);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Kiran Kumar Immidi");
-MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
-MODULE_ALIAS("ip_conntrack_proto_sctp");
+EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
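Review bot: this also drops MODULE_ALIAS("ip_conntrack_proto_sctp"), so the legacy "modprobe ip_conntrack_proto_sctp" spelling stops working along with the nf_conntrack_proto_sctp name (see the note on the Makefile hunk in 2/4 for why modprobe cannot find a name that is now linked into nf_conntrack.ko). Both are user-visible and belong in the changelog. The MODULE_AUTHOR credit for Kiran Kumar Immidi goes away with the boilerplate too; preserve it in a comment if the file header does not already carry it.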
--
2.7.4
* [PATCH nf-next 4/4] netfilter: conntrack: built-in support for UDPlite
From: Davide Caratti @ 2016-11-10 14:46 UTC (permalink / raw)
To: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, mikko.rapeli
Cc: coreteam, netfilter-devel
CONFIG_NF_CT_PROTO_UDPLITE is no longer a tristate. When set to y,
connection tracking support for the UDPlite protocol is built into
nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_udplite,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko
(builtin) || udplite |  ipv4  |  ipv6  | nf_conntrack
----------++---------+--------+--------+-------------
none      ||  432538 | 828755 | 828676 |      6141434
UDPlite   ||       - | 829649 | 829362 |      6498204
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 +
include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 +
include/net/netns/conntrack.h | 16 ++++++
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 3 +
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 3 +
net/netfilter/Kconfig | 5 +-
net/netfilter/Makefile | 2 +-
net/netfilter/nf_conntrack_proto_udplite.c | 79 +++-----------------------
8 files changed, 41 insertions(+), 73 deletions(-)
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 5f1fc15..919e4e8 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -21,6 +21,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
#ifdef CONFIG_NF_CT_PROTO_SCTP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4;
#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4;
+#endif
int nf_conntrack_ipv4_compat_init(void);
void nf_conntrack_ipv4_compat_fini(void);
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index f70d191..eaea968 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -12,6 +12,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
#ifdef CONFIG_NF_CT_PROTO_SCTP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6;
#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6;
+#endif
#include <linux/sysctl.h>
extern struct ctl_table nf_ct_ipv6_sysctl_table[];
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 7f73aa8..d5e1452 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -69,6 +69,19 @@ struct nf_sctp_net {
};
#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+enum udplite_conntrack {
+ UDPLITE_CT_UNREPLIED,
+ UDPLITE_CT_REPLIED,
+ UDPLITE_CT_MAX
+};
+
+struct nf_udplite_net {
+ struct nf_proto_net pn;
+ unsigned int timeouts[UDPLITE_CT_MAX];
+};
+#endif
+
struct nf_ip_net {
struct nf_generic_net generic;
struct nf_tcp_net tcp;
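Review bot: enum udplite_conntrack is a protocol definition, not per-namespace state, and defining it inline in net/netns/conntrack.h exposes it to everything that includes the netns header. If it is being hoisted out of nf_conntrack_proto_udplite.c (that hunk is not in this excerpt), put it in a protocol header, e.g. a new include/linux/netfilter/nf_conntrack_udplite.h, and include that under the same #ifdef, mirroring how the DCCP and SCTP hunks pull in nf_conntrack_dccp.h and nf_conntrack_sctp.h for CT_DCCP_MAX and SCTP_CONNTRACK_MAX.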
@@ -81,6 +94,9 @@ struct nf_ip_net {
#ifdef CONFIG_NF_CT_PROTO_SCTP
struct nf_sctp_net sctp;
#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+ struct nf_udplite_net udplite;
+#endif
};
struct ct_pcpu {
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 0a9d354..22fce4f 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -346,6 +346,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {
#ifdef CONFIG_NF_CT_PROTO_SCTP
&nf_conntrack_l4proto_sctp4,
#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+ &nf_conntrack_l4proto_udplite4,
+#endif
};
static int ipv4_net_init(struct net *net)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 1d8daaf..389f712 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -346,6 +346,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {
#ifdef CONFIG_NF_CT_PROTO_SCTP
&nf_conntrack_l4proto_sctp6,
#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+ &nf_conntrack_l4proto_udplite6,
+#endif
};
static int ipv6_net_init(struct net *net)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 29c0bf0..def4be0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -169,14 +169,15 @@ config NF_CT_PROTO_SCTP
If unsure, say Y.
config NF_CT_PROTO_UDPLITE
- tristate 'UDP-Lite protocol connection tracking support'
+ bool 'UDP-Lite protocol connection tracking support'
depends on NETFILTER_ADVANCED
+ default y
help
With this option enabled, the layer 3 independent connection
tracking code will be able to do state tracking on UDP-Lite
connections.
- To compile it as a module, choose M here. If unsure, say N.
+ If unsure, say Y.
config NF_CONNTRACK_AMANDA
tristate "Amanda backup protocol support"
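Review bot: the switch to `bool` together with the new `default y` (the `+ bool 'UDP-Lite protocol connection tracking support'` and `+ default y` lines) means every existing configuration with NETFILTER_ADVANCED set gains UDP-Lite connection tracking on the next olddefconfig, whereas the old tristate with "If unsure, say N" left it off unless explicitly chosen; the help text should state that the code is now linked into nf_conntrack.ko rather than built as a separate module, and the footprint numbers from the cover letter belong in this commit message so the size increase can be weighed against the convenience.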
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 6545c28..e4c8c1d 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -7,6 +7,7 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o
nf_conntrack-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o
nf_conntrack-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
+nf_conntrack-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o
obj-$(CONFIG_NETFILTER) = netfilter.o
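Review bot: `nf_conntrack-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o` is only safe because the Kconfig hunk turns the symbol into a bool; had it stayed tristate, `=m` would expand to `nf_conntrack-m` and the object would silently vanish from both the module and the kernel. A sentence in the commit message about this dependency would help, and this addition and the removal of the `obj-$(CONFIG_NF_CT_PROTO_UDPLITE)` line in the next hunk must land together.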
@@ -19,7 +20,6 @@ obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
-obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o
# netlink interface for nf_conntrack
obj-$(CONFIG_NF_CT_NETLINK) += nf_conntrack_netlink.o
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 8cdb4b1..c35f7bf 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -9,7 +9,6 @@
#include <linux/types.h>
#include <linux/timer.h>
-#include <linux/module.h>
#include <linux/udp.h>
#include <linux/seq_file.h>
#include <linux/skbuff.h>
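Review bot: dropping `#include <linux/module.h>` while the same patch adds `EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite4)` and `EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6)` further down leaves this file relying on a transitive include for the EXPORT_SYMBOL_GPL macro; add `#include <linux/export.h>` explicitly so the build does not break when an unrelated header stops pulling it in.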
@@ -24,26 +23,14 @@
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_log.h>
-enum udplite_conntrack {
- UDPLITE_CT_UNREPLIED,
- UDPLITE_CT_REPLIED,
- UDPLITE_CT_MAX
-};
-
static unsigned int udplite_timeouts[UDPLITE_CT_MAX] = {
[UDPLITE_CT_UNREPLIED] = 30*HZ,
[UDPLITE_CT_REPLIED] = 180*HZ,
};
-static int udplite_net_id __read_mostly;
-struct udplite_net {
- struct nf_proto_net pn;
- unsigned int timeouts[UDPLITE_CT_MAX];
-};
-
-static inline struct udplite_net *udplite_pernet(struct net *net)
+static inline struct nf_udplite_net *udplite_pernet(struct net *net)
{
- return net_generic(net, udplite_net_id);
+ return &net->ct.nf_ct_proto.udplite;
}
static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
@@ -178,7 +165,7 @@ static int udplite_timeout_nlattr_to_obj(struct nlattr *tb[],
struct net *net, void *data)
{
unsigned int *timeouts = data;
- struct udplite_net *un = udplite_pernet(net);
+ struct nf_udplite_net *un = udplite_pernet(net);
/* set default timeouts for UDPlite. */
timeouts[UDPLITE_CT_UNREPLIED] = un->timeouts[UDPLITE_CT_UNREPLIED];
@@ -237,7 +224,7 @@ static struct ctl_table udplite_sysctl_table[] = {
#endif /* CONFIG_SYSCTL */
static int udplite_kmemdup_sysctl_table(struct nf_proto_net *pn,
- struct udplite_net *un)
+ struct nf_udplite_net *un)
{
#ifdef CONFIG_SYSCTL
if (pn->ctl_table)
@@ -257,7 +244,7 @@ static int udplite_kmemdup_sysctl_table(struct nf_proto_net *pn,
static int udplite_init_net(struct net *net, u_int16_t proto)
{
- struct udplite_net *un = udplite_pernet(net);
+ struct nf_udplite_net *un = udplite_pernet(net);
struct nf_proto_net *pn = &un->pn;
if (!pn->users) {
@@ -270,7 +257,7 @@ static int udplite_init_net(struct net *net, u_int16_t proto)
return udplite_kmemdup_sysctl_table(pn, un);
}
-static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
+struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
{
.l3proto = PF_INET,
.l4proto = IPPROTO_UDPLITE,
@@ -299,11 +286,11 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
.nla_policy = udplite_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
- .net_id = &udplite_net_id,
.init_net = udplite_init_net,
};
+EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite4);
-static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
+struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
{
.l3proto = PF_INET6,
.l4proto = IPPROTO_UDPLITE,
@@ -332,54 +319,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
.nla_policy = udplite_timeout_nla_policy,
},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
- .net_id = &udplite_net_id,
.init_net = udplite_init_net,
};
-
-static struct nf_conntrack_l4proto *udplite_proto[] = {
- &nf_conntrack_l4proto_udplite4,
- &nf_conntrack_l4proto_udplite6,
-};
-
-static int udplite_net_init(struct net *net)
-{
- return nf_ct_l4proto_pernet_register(net, udplite_proto,
- ARRAY_SIZE(udplite_proto));
-}
-
-static void udplite_net_exit(struct net *net)
-{
- nf_ct_l4proto_pernet_unregister(net, udplite_proto,
- ARRAY_SIZE(udplite_proto));
-}
-
-static struct pernet_operations udplite_net_ops = {
- .init = udplite_net_init,
- .exit = udplite_net_exit,
- .id = &udplite_net_id,
- .size = sizeof(struct udplite_net),
-};
-
-static int __init nf_conntrack_proto_udplite_init(void)
-{
- int ret;
-
- ret = register_pernet_subsys(&udplite_net_ops);
- if (ret < 0)
- return ret;
- ret = nf_ct_l4proto_register(udplite_proto, ARRAY_SIZE(udplite_proto));
- if (ret < 0)
- unregister_pernet_subsys(&udplite_net_ops);
- return ret;
-}
-
-static void __exit nf_conntrack_proto_udplite_exit(void)
-{
- nf_ct_l4proto_unregister(udplite_proto, ARRAY_SIZE(udplite_proto));
- unregister_pernet_subsys(&udplite_net_ops);
-}
-
-module_init(nf_conntrack_proto_udplite_init);
-module_exit(nf_conntrack_proto_udplite_exit);
-
-MODULE_LICENSE("GPL");
+EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6);
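Review bot: with `udplite_net_ops`, `module_init()` and `module_exit()` removed, registration of the two l4proto structures is driven solely by the `builtin_l4proto4` and `builtin_l4proto6` arrays changed earlier in this patch, so `udplite_init_net()` now runs through the l3proto per-netns setup instead of a dedicated pernet subsystem; that path's error handling on a failed registration is what needs checking. The former `.size = sizeof(struct udplite_net)` per-netns allocation is replaced by the `struct nf_udplite_net udplite` member embedded in `struct nf_ip_net`, which is now present in every network namespace whether or not UDP-Lite traffic is ever tracked. Removing `MODULE_LICENSE("GPL")` is correct for code that can no longer be built as a module.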
--
2.7.4
* Re: [PATCH nf-next 1/4] netfilter: nf_conntrack_tuple_common.h: fix #include
From: Mikko Rapeli @ 2016-11-11 10:07 UTC (permalink / raw)
To: Davide Caratti
Cc: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, coreteam, netfilter-devel
Hi,
On Thu, Nov 10, 2016 at 03:46:25PM +0100, Davide Caratti wrote:
> In commit 1ffad83dffd6 ("netfilter: fix include files for compilation"),
> compile-time errors were fixed for userspace programs including UAPI
> nf_conntrack_tuple_common.h: this was done by adding a "#include
> <linux/netfilter.h>" line to that header file. This patch replaces
> "<linux/netfilter.h>" with "<linux/netfilter/nf_conntrack_common.h>"
> in nf_conntrack_tuple_common.h to avoid compile-time errors when trying
> to use enum ip_conntrack_dir in include/net/netns/conntrack.h, and still
> correctly resolve IP_CT_IS_REPLY.
I assume also with this change it is ok to include both <linux/netfilter.h>
and <linux/netfilter/nf_conntrack_tuple_common.h> in userspace, but what was the
kernel compile error with include/net/netns/conntrack.h and ip_conntrack_dir?
Is there a kernel side conflict between uapi and net/netns headers?
Could the fix be confined into the kernel side private headers somehow to avoid
changes visible to userspace?
I kind of like the pattern that netfilter uapi headers include
<linux/netfilter.h> and get what they need from there. Maybe maintainers
disagree though.
-Mikko
> This accidentally fixes two failures in the output of the script used to
> test the above commit [1]:
>
> $ pushd usr/include
> $ ../../scripts/headers_compile_test.sh -k | grep FAILED >before.txt
> $ sed -i s/netfilter.h/netfilter\/nf_conntrack_common.h/1 \
> linux/netfilter/nf_conntrack_tuple_common.h
> $ ../../scripts/headers_compile_test.sh -k | grep FAILED >after.txt
> $ diff before.txt after.txt
> 24,25d23
> < FAILED: ./linux/netfilter/nf_conntrack_sctp.h
> < FAILED: ./linux/netfilter/nf_conntrack_tuple_common.h
> $ popd
>
> [1] https://github.com/mcfrisk/linux/blob/headers_test_v05/scripts/headers_compile_test.sh
>
> Signed-off-by: Davide Caratti <dcaratti@redhat.com>
> ---
> include/uapi/linux/netfilter/nf_conntrack_tuple_common.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
> index a9c3834..941e8ea 100644
> --- a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
> +++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
> @@ -2,7 +2,7 @@
> #define _NF_CONNTRACK_TUPLE_COMMON_H
>
> #include <linux/types.h>
> -#include <linux/netfilter.h>
> +#include <linux/netfilter/nf_conntrack_common.h>
>
> enum ip_conntrack_dir {
> IP_CT_DIR_ORIGINAL,
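Review bot: swapping `<linux/netfilter.h>` for `<linux/netfilter/nf_conntrack_common.h>` in a UAPI header changes what userspace programs transitively receive from nf_conntrack_tuple_common.h; if the goal is only to break the kernel-side include cycle with include/net/netns/conntrack.h, guarding the existing `#include <linux/netfilter.h>` with `#ifndef __KERNEL__` and adding the nf_conntrack_common.h include alongside it keeps the userspace view unchanged while still fixing the kernel build.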
> --
> 2.7.4
>
* Re: [PATCH nf-next 1/4] netfilter: nf_conntrack_tuple_common.h: fix #include
From: Davide Caratti @ 2016-11-11 12:02 UTC (permalink / raw)
To: Mikko Rapeli
Cc: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, coreteam, netfilter-devel
On Fri, 2016-11-11 at 12:07 +0200, Mikko Rapeli wrote:
> I assume also with this change it is ok to include both
> <linux/netfilter.h>
> and <linux/netfilter/nf_conntrack_tuple_common.h> userspace but what was
> the
> kernel compile error with include/net/netns/conntrack.h and
> ip_conntrack_dir?
hi Mikko, thank you for looking at this!
The problem is in patch 3/4 as I added #include
<linux/netfilter/nf_conntrack_sctp.h> in include/net/netns/conntrack.h,
but I saw similar things also with DCCP.
<...>
CC kernel/sysctl_binary.o
In file included from ./include/linux/netfilter.h:14:0,
from ./include/uapi/linux/netfilter/nf_conntrack_tuple_common.h:5,
from ./include/uapi/linux/netfilter/nf_conntrack_sctp.h:5,
from ./include/linux/netfilter/nf_conntrack_sctp.h:5,
from ./include/net/netns/conntrack.h:13,
from ./include/net/net_namespace.h:25,
from ./include/linux/init_task.h:15,
from init/init_task.c:1:
./include/linux/netdevice.h:1859:2: error: unknown type name ‘possible_net_t’
possible_net_t nd_net;
^
(possible_net_t is in net_namespace.h).
> Is there a kernel side conflict between uapi and net/netns headers?
Looks like a circular dependency is here, or nf_conntrack_tuple_common.h
is including the wrong netfilter.h. From within net/netns/conntrack.h I
can include only those UAPI files that don't include <linux/netfilter.h>
(for example, nf_conntrack_tcp.h that uses '2' instead of IP_CT_DIR_MAX).
Do you have any suggestion?
thank you in advance,
--
davide
* Re: [PATCH nf-next 1/4] netfilter: nf_conntrack_tuple_common.h: fix #include
From: Davide Caratti @ 2016-11-14 14:01 UTC (permalink / raw)
To: Mikko Rapeli
Cc: Alexey Kuznetsov, David S . Miller, Florian Westphal,
Hideaki YOSHIFUJI, James Morris, Jozsef Kadlecsik,
Pablo Neira Ayuso, Patrick McHardy, coreteam, netfilter-devel
On Fri, 2016-11-11 at 13:02 +0100, Davide Caratti wrote:
>
> > Is there a kernel side conflict between uapi and net/netns headers?
>
> Looks like a circular dependency is here, or nf_conntrack_tuple_common.h
> is including the wrong netfilter.h. From within net/netns/conntrack.h I
> can include only those UAPI files that don't include <linux/netfilter.h>
> (for example, nf_conntrack_tcp.h that uses '2' instead of
> IP_CT_DIR_MAX).
hello Mikko,
I looked at the dependency issue:
current include/linux/netfilter.h needs include/net/net_namespace.h (i.e.
nf_hook() needs struct net), and include/net/net_namespace.h needs
include/net/netns/conntrack.h (i.e. struct net needs struct netns_ct).
That's why it's not possible to do #include <linux/netfilter.h> in
include/net/netns/conntrack.h, and it's not possible in
include/net/netns/conntrack.h to include any linux/netfilter/*.h UAPI
header where #include <linux/netfilter.h> line is present: the
preprocessor will prefer including include/linux/netfilter.h before
include/uapi/linux/netfilter.h, thus generating the dependency error.
One possible fix for the above issue is to modify
include/uapi/nf_conntrack_tuple_common.h in a way that it avoids including
<linux/netfilter.h> when kernel sources are being built, and still exposes
to userspace applications the same contents as commit 1ffad83dffd6
("netfilter: fix include files for compilation"):
<...>
#include <linux/types.h>
#ifndef __KERNEL__
#include <linux/netfilter.h>
#endif
#include <linux/netfilter/nf_conntrack_common.h> /* for IP_CT_IS_REPLY */
<...>
BTW, include/uapi/linux/capi.h apparently does something similar with
linux/kernelcapi.h. With the above change, also the output of
$ pushd usr/include
$ ../../scripts/headers_compile_test.sh -k | grep FAILED
$ popd
is preserved.
Are you ok if I post a v2 where the above change (and a minor fix: use
_UAPI_NF_CONNTRACK_TUPLE_COMMON_H in place of NF_CONNTRACK_TUPLE_COMMON_H
on the first lines) is done to nf_conntrack_tuple_common.h?
regards,
--
davide
* Re: [PATCH nf-next 1/4] netfilter: nf_conntrack_tuple_common.h: fix #include
From: mikko.rapeli @ 2016-11-14 17:59 UTC (permalink / raw)
To: dcaratti
Cc: davem, fw, yoshfuji, jmorris, kadlec, pablo, kaber, coreteam,
netfilter-devel, kuznet
Hi,
On Mon, Nov 14 15:01:57 2016 GMT+0100, Davide Caratti wrote:
> On Fri, 2016-11-11 at 13:02 +0100, Davide Caratti wrote:
> >
> > > Is there a kernel side conflict between uapi and net/netns headers?
> >
> > Looks like a circular dependency is here, or nf_conntrack_tuple_common.h
> > is including the wrong netfilter.h. From within net/netns/conntrack.h I
> > can include only those UAPI files that don't include <linux/netfilter.h>
> > (for example, nf_conntrack_tcp.h that uses '2' instead of
> > IP_CT_DIR_MAX).
>
> hello Mikko,
>
> I looked at the dependency issue:
>
> current include/linux/netfilter.h needs include/net/net_namespace.h (i.e.
> nf_hook() needs struct net), and include/net/net_namespace.h needs
> include/net/netns/conntrack.h (i.e. struct net needs struct netns_ct).
>
> That's why it's not possible to do #include <linux/netfilter.h> in
> include/net/netns/conntrack.h, and it's not possible in
> include/net/netns/conntrack.h to include any linux/netfilter/*.h UAPI
> header where #include <linux/netfilter.h> line is present: the
> preprocessor will prefer including include/linux/netfilter.h before
> include/uapi/linux/netfilter.h, thus generating the dependency error.
Thanks for digging into this. In many other subsystems the kernel side headers start by including the matching uapi header and then add the kernel side stuff. It seems netfilter has not done this and the split to uapi is not always clear.
> One possible fix for the above issue is to modify
> include/uapi/nf_conntrack_tuple_common.h in a way that it avoids including
> <linux/netfilter.h> when kernel sources are being built, and still exposes
> to userspace applications the same contents as commit 1ffad83dffd6
> ("netfilter: fix include files for compilation"):
>
> <...>
> #include <linux/types.h>
> #ifndef __KERNEL__
> #include <linux/netfilter.h>
> #endif
> #include <linux/netfilter/nf_conntrack_common.h> /* for IP_CT_IS_REPLY */
> <...>
>
> BTW, include/uapi/linux/capi.h apparently does something similar with
> linux/kernelcapi.h. With the above change, also the output of
>
> $ pushd usr/include
> $ ../../scripts/headers_compile_test.sh -k | grep FAILED
> $ popd
>
> is preserved.
>
> Are you ok if I post a v2 where the above change (and a minor fix: use
> _UAPI_NF_CONNTRACK_TUPLE_COMMON_H in place of NF_CONNTRACK_TUPLE_COMMON_H
> on the first lines) is done to nf_conntrack_tuple_common.h?
Yes, this looks ok for me.
-Mikko
> regards,
> --
> davide
>
>
--
Sent from my Jolla