[Devel] [PATCH 07/13] ve/nf_conntrack: expose "nf_conntrack_max" in containers

Alexander Mikhalitsyn alexander.mikhalitsyn at virtuozzo.com
Tue May 18 20:54:21 MSK 2021 

From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

Series:
This series brings to vz7 all the nf_conntrack sysctl's,
which are available in vz6.

https://jira.sw.ru/browse/PSBM-40044

This sysctl table contains only one entry: "/proc/sys/net/nf_conntrack_max".
This is now visible inside ct.
However, have to say, that "/proc/sys/net/netfilter/nf_conntrack_max" and
friends (despite on they are containerized) arebehind init_user_ns.

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
(cherry picked from commit 9d3a8c692557f097d2ee916769c9e3c5503804cd)

VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
 include/net/netns/conntrack.h           |  1 +
 net/netfilter/nf_conntrack_standalone.c | 69 +++++++++++++++++++------
 2 files changed, 53 insertions(+), 17 deletions(-)

diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 447c3ec738da..19bcf4173ccb 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -114,6 +114,7 @@ struct netns_ct {
 #endif
 	unsigned int		expect_max;
 #ifdef CONFIG_SYSCTL
+	struct ctl_table_header	*netfilter_header;
 	struct ctl_table_header	*sysctl_header;
 	struct ctl_table_header	*acct_sysctl_header;
 	struct ctl_table_header	*tstamp_sysctl_header;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 567d92b53016..61aa2a7a8182 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -515,8 +515,6 @@ nf_conntrack_hash_sysctl(struct ctl_table *table, int write,
 	return ret;
 }
 
-static struct ctl_table_header *nf_ct_netfilter_header;
-
 static struct ctl_table nf_ct_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_max",
@@ -578,6 +576,42 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 
 static int zero;
 
+static int nf_conntrack_netfilter_init_sysctl(struct net *net)
+{
+	struct ctl_table *table;
+
+	table = kmemdup(nf_ct_netfilter_table, sizeof(nf_ct_netfilter_table),
+			GFP_KERNEL);
+	if (!table)
+		goto out_kmemdup;
+
+	table[0].data = &net->ct.max;
+
+	/* Don't export sysctls to unprivileged users */
+	if (ve_net_hide_sysctl(net))
+		table[0].procname = NULL;
+
+	net->ct.netfilter_header = register_net_sysctl(net, "net", table);
+	if (!net->ct.netfilter_header)
+		goto out_unregister_netfilter;
+
+	return 0;
+
+out_unregister_netfilter:
+	kfree(table);
+out_kmemdup:
+	return -ENOMEM;
+}
+
+static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
+{
+	struct ctl_table *table;
+
+	table = net->ct.netfilter_header->ctl_table_arg;
+	unregister_net_sysctl_table(net->ct.netfilter_header);
+	kfree(table);
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 	struct ctl_table *table;
@@ -625,6 +659,15 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net)
 	kfree(table);
 }
 #else
+static int nf_conntrack_netfilter_init_sysctl(struct net *net)
+{
+	return 0;
+}
+
+static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
+{
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 	return 0;
@@ -653,8 +696,14 @@ static int nf_conntrack_pernet_init(struct net *net)
 	if (ret < 0)
 		goto out_sysctl;
 
+	ret = nf_conntrack_netfilter_init_sysctl(net);
+	if (ret < 0)
+		goto out_netfilter_sysctl;
+
 	return 0;
 
+out_netfilter_sysctl:
+	nf_conntrack_standalone_fini_sysctl(net);
 out_sysctl:
 	nf_conntrack_standalone_fini_proc(net);
 out_proc:
@@ -668,6 +717,7 @@ static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
 	struct net *net;
 
 	list_for_each_entry(net, net_exit_list, exit_list) {
+		nf_conntrack_netfilter_fini_sysctl(net);
 		nf_conntrack_standalone_fini_sysctl(net);
 		nf_conntrack_standalone_fini_proc(net);
 	}
@@ -691,14 +741,6 @@ static int __init nf_conntrack_standalone_init(void)
 	BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER);
 
 #ifdef CONFIG_SYSCTL
-	nf_ct_netfilter_header =
-		register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
-	if (!nf_ct_netfilter_header) {
-		pr_err("nf_conntrack: can't register to sysctl.\n");
-		ret = -ENOMEM;
-		goto out_sysctl;
-	}
-
 	nf_conntrack_htable_size_user = nf_conntrack_htable_size;
 #endif
 
@@ -710,10 +752,6 @@ static int __init nf_conntrack_standalone_init(void)
 	return 0;
 
 out_pernet:
-#ifdef CONFIG_SYSCTL
-	unregister_net_sysctl_table(nf_ct_netfilter_header);
-out_sysctl:
-#endif
 	nf_conntrack_cleanup_end();
 out_start:
 	return ret;
@@ -723,9 +761,6 @@ static void __exit nf_conntrack_standalone_fini(void)
 {
 	nf_conntrack_cleanup_start();
 	unregister_pernet_subsys(&nf_conntrack_net_ops);
-#ifdef CONFIG_SYSCTL
-	unregister_net_sysctl_table(nf_ct_netfilter_header);
-#endif
 	nf_conntrack_cleanup_end();
 }
 
-- 
2.28.0

More information about the Devel mailing list