[Devel] [PATCH 07/13] ve/nf_conntrack: expose "nf_conntrack_max" in containers

Konstantin Khorenko khorenko at virtuozzo.com
Mon May 24 16:17:29 MSK 2021


Merged into ("ve/netfilter: Implement pernet net->ct.max / virtualize "nf_conntrack_max" sysctl")

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 05/18/2021 08:54 PM, Alexander Mikhalitsyn wrote:
> From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
>
> Series:
> This series brings to vz7 all the nf_conntrack sysctl's,
> which are available in vz6.
>
> https://jira.sw.ru/browse/PSBM-40044
>
> This sysctl table contains only one entry: "/proc/sys/net/nf_conntrack_max".
> This is now visible inside ct.
> However, note that "/proc/sys/net/netfilter/nf_conntrack_max" and
> friends (despite being containerized) are behind init_user_ns.
>
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
> (cherry picked from commit 9d3a8c692557f097d2ee916769c9e3c5503804cd)
>
> VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
>
> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
> ---
>  include/net/netns/conntrack.h           |  1 +
>  net/netfilter/nf_conntrack_standalone.c | 69 +++++++++++++++++++------
>  2 files changed, 53 insertions(+), 17 deletions(-)
>
> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> index 447c3ec738da..19bcf4173ccb 100644
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -114,6 +114,7 @@ struct netns_ct {
>  #endif
>  	unsigned int		expect_max;
>  #ifdef CONFIG_SYSCTL
> +	struct ctl_table_header	*netfilter_header;
>  	struct ctl_table_header	*sysctl_header;
>  	struct ctl_table_header	*acct_sysctl_header;
>  	struct ctl_table_header	*tstamp_sysctl_header;
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 567d92b53016..61aa2a7a8182 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -515,8 +515,6 @@ nf_conntrack_hash_sysctl(struct ctl_table *table, int write,
>  	return ret;
>  }
>
> -static struct ctl_table_header *nf_ct_netfilter_header;
> -
>  static struct ctl_table nf_ct_sysctl_table[] = {
>  	{
>  		.procname	= "nf_conntrack_max",
> @@ -578,6 +576,42 @@ static struct ctl_table nf_ct_netfilter_table[] = {
>
>  static int zero;
>
> +static int nf_conntrack_netfilter_init_sysctl(struct net *net)
> +{
> +	struct ctl_table *table;
> +
> +	table = kmemdup(nf_ct_netfilter_table, sizeof(nf_ct_netfilter_table),
> +			GFP_KERNEL);
> +	if (!table)
> +		goto out_kmemdup;
> +
> +	table[0].data = &net->ct.max;
> +
> +	/* Don't export sysctls to unprivileged users */
> +	if (ve_net_hide_sysctl(net))
> +		table[0].procname = NULL;
> +
> +	net->ct.netfilter_header = register_net_sysctl(net, "net", table);
> +	if (!net->ct.netfilter_header)
> +		goto out_unregister_netfilter;
> +
> +	return 0;
> +
> +out_unregister_netfilter:
> +	kfree(table);
> +out_kmemdup:
> +	return -ENOMEM;
> +}
> +
> +static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
> +{
> +	struct ctl_table *table;
> +
> +	table = net->ct.netfilter_header->ctl_table_arg;
> +	unregister_net_sysctl_table(net->ct.netfilter_header);
> +	kfree(table);
> +}
> +
>  static int nf_conntrack_standalone_init_sysctl(struct net *net)
>  {
>  	struct ctl_table *table;
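Review bot: The cleanup labels in nf_conntrack_netfilter_init_sysctl are misnamed: `out_unregister_netfilter` unregisters nothing, it only frees the duplicated table, and `out_kmemdup` only returns -ENOMEM, so the reader expects an unwind that is not there. Returning directly on the kmemdup failure with `if (!table) return -ENOMEM;` and renaming the remaining label to something like `out_free:` followed by `kfree(table);` and `return -ENOMEM;` says what actually happens. The `table[0].data = &net->ct.max;` and `table[0].procname = NULL;` lines assume "nf_conntrack_max" is the first entry of nf_ct_netfilter_table, which is defined outside this hunk; a comment such as `/* [0] is "nf_conntrack_max"; keep in sync with nf_ct_netfilter_table */` would guard against a later reordering silently rewiring a different sysctl to net->ct.max. Whether a container can write the entry (as opposed to only see it) depends on the .mode in nf_ct_netfilter_table, which is not visible here and is worth stating in the commit message. The pr_err that the removed init_net registration printed on failure has no counterpart in this path, so a failed per-netns registration is now reported only through the -ENOMEM return.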
> @@ -625,6 +659,15 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net)
>  	kfree(table);
>  }
>  #else
> +static int nf_conntrack_netfilter_init_sysctl(struct net *net)
> +{
> +	return 0;
> +}
> +
> +static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
> +{
> +}
> +
>  static int nf_conntrack_standalone_init_sysctl(struct net *net)
>  {
>  	return 0;
> @@ -653,8 +696,14 @@ static int nf_conntrack_pernet_init(struct net *net)
>  	if (ret < 0)
>  		goto out_sysctl;
>
> +	ret = nf_conntrack_netfilter_init_sysctl(net);
> +	if (ret < 0)
> +		goto out_netfilter_sysctl;
> +
>  	return 0;
>
> +out_netfilter_sysctl:
> +	nf_conntrack_standalone_fini_sysctl(net);
>  out_sysctl:
>  	nf_conntrack_standalone_fini_proc(net);
>  out_proc:
> @@ -668,6 +717,7 @@ static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
>  	struct net *net;
>
>  	list_for_each_entry(net, net_exit_list, exit_list) {
> +		nf_conntrack_netfilter_fini_sysctl(net);
>  		nf_conntrack_standalone_fini_sysctl(net);
>  		nf_conntrack_standalone_fini_proc(net);
>  	}
> @@ -691,14 +741,6 @@ static int __init nf_conntrack_standalone_init(void)
>  	BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER);
>
>  #ifdef CONFIG_SYSCTL
> -	nf_ct_netfilter_header =
> -		register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
> -	if (!nf_ct_netfilter_header) {
> -		pr_err("nf_conntrack: can't register to sysctl.\n");
> -		ret = -ENOMEM;
> -		goto out_sysctl;
> -	}
> -
>  	nf_conntrack_htable_size_user = nf_conntrack_htable_size;
>  #endif
>
> @@ -710,10 +752,6 @@ static int __init nf_conntrack_standalone_init(void)
>  	return 0;
>
>  out_pernet:
> -#ifdef CONFIG_SYSCTL
> -	unregister_net_sysctl_table(nf_ct_netfilter_header);
> -out_sysctl:
> -#endif
>  	nf_conntrack_cleanup_end();
>  out_start:
>  	return ret;
> @@ -723,9 +761,6 @@ static void __exit nf_conntrack_standalone_fini(void)
>  {
>  	nf_conntrack_cleanup_start();
>  	unregister_pernet_subsys(&nf_conntrack_net_ops);
> -#ifdef CONFIG_SYSCTL
> -	unregister_net_sysctl_table(nf_ct_netfilter_header);
> -#endif
>  	nf_conntrack_cleanup_end();
>  }
>
>

