[Devel] [PATCH vz9 14/20] ve/netfilter: Implement pernet expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl

Wed Oct 13 18:26:25 MSK 2021

From: Konstantin Khorenko <khorenko at virtuozzo.com>

Rebasing and splitting netfilters sybsystem
(port 66-diff-ve-net-netfilter-combined).
Part 1.

https://jira.sw.ru/browse/PSBM-18322

* diff-ve-nf-make-nf_ct_expect_max-sysctl-virtual
Author: Pavel Emelyanov
Subject: [PATCH rh6] ve: Make nf_ct_expect_max "virtualized"
Date: Wed, 06 Jul 2011 17:36:45 +0400

Make the respective sysctl be per-ct only. Real limit is still taken from
ve0 (init_net). Need to look at how this will work in the mainline.
https://jira.sw.ru/browse/PCLIN-29578

Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>

(cherry picked from vz7 commit 2cabd3c5f1a7 ("ve/netfilter: Implement pernet
expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl"))

VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>

Ported vz8 commit 845371488332 ("ve/netfilter: Implement pernet expect_max /
virtualize "net.netfilter.nf_conntrack_expect_max" sysctl").

Enabled usage of per-net expect_max for real.
(in vz7/vz8, per-net value was settable but init_net value was always
used)

Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 include/net/netfilter/nf_conntrack.h        | 1 +
 include/net/netfilter/nf_conntrack_expect.h | 1 -
 net/netfilter/nf_conntrack_expect.c         | 9 ++++++---
 net/netfilter/nf_conntrack_standalone.c     | 3 +--
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index cc663c68ddc4..42dd967fdfbb 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -47,6 +47,7 @@ struct nf_conntrack_net {
 	/* only used when new connection is allocated: */
 	atomic_t count;
 	unsigned int expect_count;
+	unsigned int expect_max;
 	u8 sysctl_auto_assign_helper;
 	bool auto_assign_helper_warned;
 
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 0855b60fba17..1e7b0b82b4d0 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -12,7 +12,6 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 
 extern unsigned int nf_ct_expect_hsize;
-extern unsigned int nf_ct_expect_max;
 extern struct hlist_head *nf_ct_expect_hash;
 
 struct nf_conntrack_expect {
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 5523aa53492b..529f93817a57 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -40,11 +40,11 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 struct hlist_head *nf_ct_expect_hash __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_expect_hash);
 
-unsigned int nf_ct_expect_max __read_mostly;
-
 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
 static unsigned int nf_ct_expect_hashrnd __read_mostly;
 
+static unsigned int nf_ct_expect_max __ro_after_init;
+
 /* nf_conntrack_expect helper functions */
 void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
 				u32 portid, int report)
@@ -469,7 +469,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
 	}
 
 	cnet = nf_ct_pernet(net);
-	if (cnet->expect_count >= nf_ct_expect_max) {
+	if (cnet->expect_count >= cnet->expect_max) {
 		net_veboth_ratelimited(KERN_WARNING "VE%s "
 					"nf_conntrack: expectation table full\n",
 					net->owner_ve->ve_name);
@@ -699,6 +699,9 @@ module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
 
 int nf_conntrack_expect_pernet_init(struct net *net)
 {
+	struct nf_conntrack_net *cnet = nf_ct_pernet(net);
+
+	cnet->expect_max = nf_ct_expect_max;
 	return exp_proc_init(net);
 }
 
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 615ecfa32a4a..9340a3c993f0 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -657,7 +657,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 	},
 	[NF_SYSCTL_CT_EXPECT_MAX] = {
 		.procname	= "nf_conntrack_expect_max",
-		.data		= &nf_ct_expect_max,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
@@ -1083,6 +1082,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 	table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
 	table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct;
 	table[NF_SYSCTL_CT_HELPER].data = &cnet->sysctl_auto_assign_helper;
+	table[NF_SYSCTL_CT_EXPECT_MAX].data = &cnet->expect_max;
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 	table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events;
 #endif
@@ -1106,7 +1106,6 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 	/* Don't allow non-init_net ns to alter global sysctls */
 	if (!net_eq(&init_net, net)) {
 		table[NF_SYSCTL_CT_MAX].mode = 0444;
-		table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
 		table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
 	}
 
-- 
2.30.2

