[Devel] [PATCH rh7] net: nf_synproxy: Direct conntrack allocation
Kirill Tkhai
ktkhai at virtuozzo.com
Thu Sep 15 08:35:42 PDT 2016
Since synproxy's allow_conntrack_allocation() call is executed from its
pernet init, loading the nf_synproxy_core module allows conntracks
for all nets.
Fix that by direct allocation of synproxy sample conntrack (and do not
allow conntracks from pernet init).
https://jira.sw.ru/browse/PSBM-52218
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
include/net/netfilter/nf_conntrack.h | 5 +++++
net/netfilter/nf_conntrack_core.c | 11 ++++++-----
net/netfilter/nf_synproxy_core.c | 3 +--
3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index b0da003..fefe866 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -253,6 +253,11 @@ struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone,
const struct nf_conntrack_tuple *orig,
const struct nf_conntrack_tuple *repl,
gfp_t gfp);
+struct nf_conn *
+__nf_conntrack_alloc(struct net *net, u16 zone,
+ const struct nf_conntrack_tuple *orig,
+ const struct nf_conntrack_tuple *repl,
+ gfp_t gfp, u32 hash, bool can_alloc);
static inline int nf_ct_is_template(const struct nf_conn *ct)
{
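Review bot: The newly public `__nf_conntrack_alloc` prototype has no comment, yet its `can_alloc` argument is the only way to bypass the per-net `net->ct.can_alloc` gate (the `!net->ct.can_alloc && !can_alloc` test in the nf_conntrack_core.c hunk), so a future caller cannot tell from the header when passing true is legitimate. I would put above the declaration: `/* can_alloc: bypass the per-net "no rules loaded" gate. Only for template/sample conntracks (synproxy); ordinary flows must use nf_conntrack_alloc(). */`. The `hash` argument is undocumented as well; nf_conntrack_alloc() passes 0, which presumably means "not precomputed", but that should be confirmed against the body and stated in the same comment.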
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 15e8479..d46c905 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -832,16 +832,16 @@ void init_nf_conntrack_hash_rnd(void)
cmpxchg(&nf_conntrack_hash_rnd, 0, rand);
}
-static struct nf_conn *
+struct nf_conn *
__nf_conntrack_alloc(struct net *net, u16 zone,
const struct nf_conntrack_tuple *orig,
const struct nf_conntrack_tuple *repl,
- gfp_t gfp, u32 hash)
+ gfp_t gfp, u32 hash, bool can_alloc)
{
unsigned int ct_max = net->ct.max ? net->ct.max : init_net.ct.max;
struct nf_conn *ct;
- if (!net->ct.can_alloc) {
+ if (!net->ct.can_alloc && !can_alloc) {
/* No rules loaded */
return NULL;
}
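Review bot: The `/* No rules loaded */` comment no longer describes the condition above it, which now also depends on the caller's override, so a reader sees a NULL return labelled "no rules" that is in fact "no rules and no bypass requested". I would change it to `/* No rules loaded in this net and the caller did not ask to bypass the gate */`. As a point of style, the parameter and the field `net->ct.can_alloc` share a name but mean different things (a per-net policy versus a per-call override); naming the parameter `force_alloc` across this hunk, the header declaration and the three call sites would make the `&& !can_alloc` line self-explanatory. The rest of `__nf_conntrack_alloc`'s body lies outside this hunk.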
@@ -915,13 +915,14 @@ __nf_conntrack_alloc(struct net *net, u16 zone,
return ERR_PTR(-ENOMEM);
#endif
}
+EXPORT_SYMBOL_GPL(__nf_conntrack_alloc);
struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone,
const struct nf_conntrack_tuple *orig,
const struct nf_conntrack_tuple *repl,
gfp_t gfp)
{
- return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0);
+ return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0, false);
}
EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
@@ -968,7 +969,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
}
ct = __nf_conntrack_alloc(net, zone, tuple, &repl_tuple, GFP_ATOMIC,
- hash);
+ hash, false);
if (IS_ERR_OR_NULL(ct))
return (struct nf_conntrack_tuple_hash *)ct;
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 779e5a6..3184505 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -353,8 +353,7 @@ static int __net_init synproxy_net_init(struct net *net)
int err = -ENOMEM;
memset(&t, 0, sizeof(t));
- allow_conntrack_allocation(net);
- ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
+ ct = __nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL, 0, true);
if (IS_ERR(ct)) {
err = PTR_ERR(ct);
goto err1;
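Review bot: The new `__nf_conntrack_alloc(..., 0, true)` call is still followed by `if (IS_ERR(ct))`, which does not catch a plain NULL; the visible body of `__nf_conntrack_alloc` returns NULL on the "no rules loaded" path, and while `can_alloc = true` skips that path, any other NULL return in the part of that function not shown here would slip past the check and be dereferenced later in synproxy_net_init. init_conntrack() in the core hunk uses `IS_ERR_OR_NULL(ct)` for the same call, so matching it here is cheap: `if (IS_ERR_OR_NULL(ct)) { err = ct ? PTR_ERR(ct) : -ENOMEM; goto err1; }`. Whether such a NULL path exists depends on code outside the hunk, so this is defensive consistency rather than a confirmed defect; synproxy_net_init's body continues beyond this hunk.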