netfilter: nf_ct_icmp: add namespace support

This patch adds namespace support for ICMPv6 protocol tracker. Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nf_ct_icmp: add namespace support
This patch adds namespace support for ICMPv6 protocol tracker. Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao feng · Pablo Neira Ayuso
1 parent 4b626b9c5d
Showing 3 changed files with 26 additions and 2 deletions Side-by-side Diff
include/net/netns/conntrack.h
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
net/netfilter/nf_conntrack_proto.c
@@ -55,6 +55,7 @@
 	struct nf_tcp_net	tcp;
 	struct nf_udp_net	udp;
 	struct nf_icmp_net	icmp;
+	struct nf_icmp_net	icmpv6;
 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
 	struct ctl_table_header *ctl_table_header;
 	struct ctl_table	*ctl_table;
@@ -29,6 +29,11 @@
  
 static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
  
+static inline struct nf_icmp_net *icmpv6_pernet(struct net *net)
+{
+	return &net->ct.nf_ct_proto.icmpv6;
+}
+
 static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
 				unsigned int dataoff,
 				struct nf_conntrack_tuple *tuple)
@@ -90,7 +95,7 @@
  
 static unsigned int *icmpv6_get_timeouts(struct net *net)
 {
-	return &nf_ct_icmpv6_timeout;
+	return &icmpv6_pernet(net)->timeout;
 }
  
 /* Returns verdict for packet, or -1 for invalid. */
@@ -319,7 +324,6 @@
 static struct ctl_table icmpv6_sysctl_table[] = {
 	{
 		.procname	= "nf_conntrack_icmpv6_timeout",
-		.data		= &nf_ct_icmpv6_timeout,
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
@@ -328,6 +332,22 @@
 };
 #endif /* CONFIG_SYSCTL */
  
+static int icmpv6_init_net(struct net *net)
+{
+	struct nf_icmp_net *in = icmpv6_pernet(net);
+	struct nf_proto_net *pn = (struct nf_proto_net *)in;
+	in->timeout = nf_ct_icmpv6_timeout;
+#ifdef CONFIG_SYSCTL
+	pn->ctl_table = kmemdup(icmpv6_sysctl_table,
+				sizeof(icmpv6_sysctl_table),
+				GFP_KERNEL);
+	if (!pn->ctl_table)
+		return -ENOMEM;
+	pn->ctl_table[0].data = &in->timeout;
+#endif
+	return 0;
+}
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
 {
 	.l3proto		= PF_INET6,
@@ -359,5 +379,6 @@
 	.ctl_table_header	= &icmpv6_sysctl_header,
 	.ctl_table		= icmpv6_sysctl_table,
 #endif
+	.init_net		= icmpv6_init_net,
 };
@@ -309,6 +309,8 @@
 		return (struct nf_proto_net *)&net->ct.nf_ct_proto.udp;
 	case IPPROTO_ICMP:
 		return (struct nf_proto_net *)&net->ct.nf_ct_proto.icmp;
+	case IPPROTO_ICMPV6:
+		return (struct nf_proto_net *)&net->ct.nf_ct_proto.icmpv6;
 	case 255: /* l4proto_generic */
 		return (struct nf_proto_net *)&net->ct.nf_ct_proto.generic;
 	default:
...	...	@@ -55,6 +55,7 @@
55	55	struct nf_tcp_net tcp;
56	56	struct nf_udp_net udp;
57	57	struct nf_icmp_net icmp;
	58	+ struct nf_icmp_net icmpv6;
58	59	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
59	60	struct ctl_table_header *ctl_table_header;
60	61	struct ctl_table *ctl_table;
...	...	@@ -29,6 +29,11 @@
29	29
30	30	static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
31	31
	32	+static inline struct nf_icmp_net icmpv6_pernet(struct net net)
	33	+{
	34	+ return &net->ct.nf_ct_proto.icmpv6;
	35	+}
	36	+
32	37	static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
33	38	unsigned int dataoff,
34	39	struct nf_conntrack_tuple *tuple)
...	...	@@ -90,7 +95,7 @@
90	95
91	96	static unsigned int icmpv6_get_timeouts(struct net net)
92	97	{
93		- return &nf_ct_icmpv6_timeout;
	98	+ return &icmpv6_pernet(net)->timeout;
94	99	}
95	100
96	101	/* Returns verdict for packet, or -1 for invalid. */
...	...	@@ -319,7 +324,6 @@
319	324	static struct ctl_table icmpv6_sysctl_table[] = {
320	325	{
321	326	.procname = "nf_conntrack_icmpv6_timeout",
322		- .data = &nf_ct_icmpv6_timeout,
323	327	.maxlen = sizeof(unsigned int),
324	328	.mode = 0644,
325	329	.proc_handler = proc_dointvec_jiffies,
...	...	@@ -328,6 +332,22 @@
328	332	};
329	333	#endif /* CONFIG_SYSCTL */
330	334
	335	+static int icmpv6_init_net(struct net *net)
	336	+{
	337	+ struct nf_icmp_net *in = icmpv6_pernet(net);
	338	+ struct nf_proto_net pn = (struct nf_proto_net )in;
	339	+ in->timeout = nf_ct_icmpv6_timeout;
	340	+#ifdef CONFIG_SYSCTL
	341	+ pn->ctl_table = kmemdup(icmpv6_sysctl_table,
	342	+ sizeof(icmpv6_sysctl_table),
	343	+ GFP_KERNEL);
	344	+ if (!pn->ctl_table)
	345	+ return -ENOMEM;
	346	+ pn->ctl_table[0].data = &in->timeout;
	347	+#endif
	348	+ return 0;
	349	+}
	350	+
331	351	struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
332	352	{
333	353	.l3proto = PF_INET6,
...	...	@@ -359,5 +379,6 @@
359	379	.ctl_table_header = &icmpv6_sysctl_header,
360	380	.ctl_table = icmpv6_sysctl_table,
361	381	#endif
	382	+ .init_net = icmpv6_init_net,
362	383	};
...	...	@@ -309,6 +309,8 @@
309	309	return (struct nf_proto_net *)&net->ct.nf_ct_proto.udp;
310	310	case IPPROTO_ICMP:
311	311	return (struct nf_proto_net *)&net->ct.nf_ct_proto.icmp;
	312	+ case IPPROTO_ICMPV6:
	313	+ return (struct nf_proto_net *)&net->ct.nf_ct_proto.icmpv6;
312	314	case 255: /* l4proto_generic */
313	315	return (struct nf_proto_net *)&net->ct.nf_ct_proto.generic;
314	316	default: