netfilter: Export nf_ct_{set,destroy}_timeout()
This patch exports nf_ct_set_timeout() and nf_ct_destroy_timeout(). The two functions are derived from xt_ct_destroy_timeout() and xt_ct_set_timeout() in xt_CT.c, and moved to nf_conntrack_timeout.c without any functional change. It would be useful for other users (i.e. OVS) that utilizes the finer-grain conntrack timeout feature. CC: Pablo Neira Ayuso <pablo@netfilter.org> CC: Pravin Shelar <pshelar@ovn.org> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
c63d11ba52
commit
717700d183
|
@ -88,6 +88,9 @@ static inline unsigned int *nf_ct_timeout_lookup(const struct nf_conn *ct)
|
||||||
int nf_conntrack_timeout_init(void);
|
int nf_conntrack_timeout_init(void);
|
||||||
void nf_conntrack_timeout_fini(void);
|
void nf_conntrack_timeout_fini(void);
|
||||||
void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout);
|
void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout);
|
||||||
|
int nf_ct_set_timeout(struct net *net, struct nf_conn *ct, u8 l3num, u8 l4num,
|
||||||
|
const char *timeout_name);
|
||||||
|
void nf_ct_destroy_timeout(struct nf_conn *ct);
|
||||||
#else
|
#else
|
||||||
static inline int nf_conntrack_timeout_init(void)
|
static inline int nf_conntrack_timeout_init(void)
|
||||||
{
|
{
|
||||||
|
@ -98,6 +101,18 @@ static inline void nf_conntrack_timeout_fini(void)
|
||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline int nf_ct_set_timeout(struct net *net, struct nf_conn *ct,
|
||||||
|
u8 l3num, u8 l4num,
|
||||||
|
const char *timeout_name)
|
||||||
|
{
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void nf_ct_destroy_timeout(struct nf_conn *ct)
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
|
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
|
||||||
|
|
||||||
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
||||||
|
|
|
@ -48,6 +48,95 @@ void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(nf_ct_untimeout);
|
EXPORT_SYMBOL_GPL(nf_ct_untimeout);
|
||||||
|
|
||||||
|
static void __nf_ct_timeout_put(struct nf_ct_timeout *timeout)
|
||||||
|
{
|
||||||
|
typeof(nf_ct_timeout_put_hook) timeout_put;
|
||||||
|
|
||||||
|
timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
|
||||||
|
if (timeout_put)
|
||||||
|
timeout_put(timeout);
|
||||||
|
}
|
||||||
|
|
||||||
|
int nf_ct_set_timeout(struct net *net, struct nf_conn *ct,
|
||||||
|
u8 l3num, u8 l4num, const char *timeout_name)
|
||||||
|
{
|
||||||
|
typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
|
||||||
|
struct nf_ct_timeout *timeout;
|
||||||
|
struct nf_conn_timeout *timeout_ext;
|
||||||
|
const char *errmsg = NULL;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
rcu_read_lock();
|
||||||
|
timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
|
||||||
|
if (!timeout_find_get) {
|
||||||
|
ret = -ENOENT;
|
||||||
|
errmsg = "Timeout policy base is empty";
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
timeout = timeout_find_get(net, timeout_name);
|
||||||
|
if (!timeout) {
|
||||||
|
ret = -ENOENT;
|
||||||
|
pr_info_ratelimited("No such timeout policy \"%s\"\n",
|
||||||
|
timeout_name);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (timeout->l3num != l3num) {
|
||||||
|
ret = -EINVAL;
|
||||||
|
pr_info_ratelimited("Timeout policy `%s' can only be used by "
|
||||||
|
"L%d protocol number %d\n",
|
||||||
|
timeout_name, 3, timeout->l3num);
|
||||||
|
goto err_put_timeout;
|
||||||
|
}
|
||||||
|
/* Make sure the timeout policy matches any existing protocol tracker,
|
||||||
|
* otherwise default to generic.
|
||||||
|
*/
|
||||||
|
if (timeout->l4proto->l4proto != l4num) {
|
||||||
|
ret = -EINVAL;
|
||||||
|
pr_info_ratelimited("Timeout policy `%s' can only be used by "
|
||||||
|
"L%d protocol number %d\n",
|
||||||
|
timeout_name, 4, timeout->l4proto->l4proto);
|
||||||
|
goto err_put_timeout;
|
||||||
|
}
|
||||||
|
timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
|
||||||
|
if (!timeout_ext) {
|
||||||
|
ret = -ENOMEM;
|
||||||
|
goto err_put_timeout;
|
||||||
|
}
|
||||||
|
|
||||||
|
rcu_read_unlock();
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
err_put_timeout:
|
||||||
|
__nf_ct_timeout_put(timeout);
|
||||||
|
out:
|
||||||
|
rcu_read_unlock();
|
||||||
|
if (errmsg)
|
||||||
|
pr_info_ratelimited("%s\n", errmsg);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(nf_ct_set_timeout);
|
||||||
|
|
||||||
|
void nf_ct_destroy_timeout(struct nf_conn *ct)
|
||||||
|
{
|
||||||
|
struct nf_conn_timeout *timeout_ext;
|
||||||
|
typeof(nf_ct_timeout_put_hook) timeout_put;
|
||||||
|
|
||||||
|
rcu_read_lock();
|
||||||
|
timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
|
||||||
|
|
||||||
|
if (timeout_put) {
|
||||||
|
timeout_ext = nf_ct_timeout_find(ct);
|
||||||
|
if (timeout_ext) {
|
||||||
|
timeout_put(timeout_ext->timeout);
|
||||||
|
RCU_INIT_POINTER(timeout_ext->timeout, NULL);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
rcu_read_unlock();
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(nf_ct_destroy_timeout);
|
||||||
|
|
||||||
static const struct nf_ct_ext_type timeout_extend = {
|
static const struct nf_ct_ext_type timeout_extend = {
|
||||||
.len = sizeof(struct nf_conn_timeout),
|
.len = sizeof(struct nf_conn_timeout),
|
||||||
.align = __alignof__(struct nf_conn_timeout),
|
.align = __alignof__(struct nf_conn_timeout),
|
||||||
|
|
|
@ -103,85 +103,24 @@ xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
|
||||||
static void __xt_ct_tg_timeout_put(struct nf_ct_timeout *timeout)
|
|
||||||
{
|
|
||||||
typeof(nf_ct_timeout_put_hook) timeout_put;
|
|
||||||
|
|
||||||
timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
|
|
||||||
if (timeout_put)
|
|
||||||
timeout_put(timeout);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
|
xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
|
||||||
const char *timeout_name)
|
const char *timeout_name)
|
||||||
{
|
{
|
||||||
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
||||||
typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
|
|
||||||
const struct nf_conntrack_l4proto *l4proto;
|
const struct nf_conntrack_l4proto *l4proto;
|
||||||
struct nf_ct_timeout *timeout;
|
|
||||||
struct nf_conn_timeout *timeout_ext;
|
|
||||||
const char *errmsg = NULL;
|
|
||||||
int ret = 0;
|
|
||||||
u8 proto;
|
u8 proto;
|
||||||
|
|
||||||
rcu_read_lock();
|
|
||||||
timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
|
|
||||||
if (timeout_find_get == NULL) {
|
|
||||||
ret = -ENOENT;
|
|
||||||
errmsg = "Timeout policy base is empty";
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
proto = xt_ct_find_proto(par);
|
proto = xt_ct_find_proto(par);
|
||||||
if (!proto) {
|
if (!proto) {
|
||||||
ret = -EINVAL;
|
pr_info_ratelimited("You must specify a L4 protocol and not "
|
||||||
errmsg = "You must specify a L4 protocol and not use inversions on it";
|
"use inversions on it");
|
||||||
goto out;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
timeout = timeout_find_get(par->net, timeout_name);
|
|
||||||
if (timeout == NULL) {
|
|
||||||
ret = -ENOENT;
|
|
||||||
pr_info_ratelimited("No such timeout policy \"%s\"\n",
|
|
||||||
timeout_name);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (timeout->l3num != par->family) {
|
|
||||||
ret = -EINVAL;
|
|
||||||
pr_info_ratelimited("Timeout policy `%s' can only be used by L%d protocol number %d\n",
|
|
||||||
timeout_name, 3, timeout->l3num);
|
|
||||||
goto err_put_timeout;
|
|
||||||
}
|
|
||||||
/* Make sure the timeout policy matches any existing protocol tracker,
|
|
||||||
* otherwise default to generic.
|
|
||||||
*/
|
|
||||||
l4proto = nf_ct_l4proto_find(proto);
|
l4proto = nf_ct_l4proto_find(proto);
|
||||||
if (timeout->l4proto->l4proto != l4proto->l4proto) {
|
return nf_ct_set_timeout(par->net, ct, par->family, l4proto->l4proto,
|
||||||
ret = -EINVAL;
|
timeout_name);
|
||||||
pr_info_ratelimited("Timeout policy `%s' can only be used by L%d protocol number %d\n",
|
|
||||||
timeout_name, 4, timeout->l4proto->l4proto);
|
|
||||||
goto err_put_timeout;
|
|
||||||
}
|
|
||||||
timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
|
|
||||||
if (!timeout_ext) {
|
|
||||||
ret = -ENOMEM;
|
|
||||||
goto err_put_timeout;
|
|
||||||
}
|
|
||||||
|
|
||||||
rcu_read_unlock();
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
err_put_timeout:
|
|
||||||
__xt_ct_tg_timeout_put(timeout);
|
|
||||||
out:
|
|
||||||
rcu_read_unlock();
|
|
||||||
if (errmsg)
|
|
||||||
pr_info_ratelimited("%s\n", errmsg);
|
|
||||||
return ret;
|
|
||||||
#else
|
#else
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
#endif
|
#endif
|
||||||
|
@ -328,26 +267,6 @@ static int xt_ct_tg_check_v2(const struct xt_tgchk_param *par)
|
||||||
return xt_ct_tg_check(par, par->targinfo);
|
return xt_ct_tg_check(par, par->targinfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void xt_ct_destroy_timeout(struct nf_conn *ct)
|
|
||||||
{
|
|
||||||
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
|
||||||
struct nf_conn_timeout *timeout_ext;
|
|
||||||
typeof(nf_ct_timeout_put_hook) timeout_put;
|
|
||||||
|
|
||||||
rcu_read_lock();
|
|
||||||
timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
|
|
||||||
|
|
||||||
if (timeout_put) {
|
|
||||||
timeout_ext = nf_ct_timeout_find(ct);
|
|
||||||
if (timeout_ext) {
|
|
||||||
timeout_put(timeout_ext->timeout);
|
|
||||||
RCU_INIT_POINTER(timeout_ext->timeout, NULL);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
rcu_read_unlock();
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
|
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
|
||||||
struct xt_ct_target_info_v1 *info)
|
struct xt_ct_target_info_v1 *info)
|
||||||
{
|
{
|
||||||
|
@ -361,7 +280,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
|
||||||
|
|
||||||
nf_ct_netns_put(par->net, par->family);
|
nf_ct_netns_put(par->net, par->family);
|
||||||
|
|
||||||
xt_ct_destroy_timeout(ct);
|
nf_ct_destroy_timeout(ct);
|
||||||
nf_ct_put(info->ct);
|
nf_ct_put(info->ct);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue