Commit 4a65798a94089f31883eee705f580e4b2d734ecf

Authored by Florian Westphal
Committed by Pablo Neira Ayuso
1 parent 4b216e21cf

netfilter: conntrack: add mnemonics for sysctl table

It's a bit hard to see what table[3] really lines up with, so add
human-readable mnemonics and use them for initialisation.

This makes it easier to see e.g. which sysctls are not exported to
unprivileged userns.

objdiff shows no changes.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Showing 1 changed file with 20 additions and 11 deletions Side-by-side Diff

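--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -532,36 +532,45 @@
 
 static struct ctl_table_header *nf_ct_netfilter_header;
 
+enum nf_ct_sysctl_index {
+	NF_SYSCTL_CT_MAX,
+	NF_SYSCTL_CT_COUNT,
+	NF_SYSCTL_CT_BUCKETS,
+	NF_SYSCTL_CT_CHECKSUM,
+	NF_SYSCTL_CT_LOG_INVALID,
+	NF_SYSCTL_CT_EXPECT_MAX,
+};
+
 static struct ctl_table nf_ct_sysctl_table[] = {
-	{
+	[NF_SYSCTL_CT_MAX] = {
 		.procname = "nf_conntrack_max",
 		.data = &nf_conntrack_max,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = proc_dointvec,
 	},
-	{
+	[NF_SYSCTL_CT_COUNT] = {
 		.procname = "nf_conntrack_count",
 		.data = &init_net.ct.count,
 		.maxlen = sizeof(int),
 		.mode = 0444,
 		.proc_handler = proc_dointvec,
 	},
-	{
+	[NF_SYSCTL_CT_BUCKETS] = {
 		.procname = "nf_conntrack_buckets",
 		.data = &nf_conntrack_htable_size_user,
 		.maxlen = sizeof(unsigned int),
 		.mode = 0644,
 		.proc_handler = nf_conntrack_hash_sysctl,
 	},
-	{
+	[NF_SYSCTL_CT_CHECKSUM] = {
 		.procname = "nf_conntrack_checksum",
 		.data = &init_net.ct.sysctl_checksum,
 		.maxlen = sizeof(unsigned int),
 		.mode = 0644,
 		.proc_handler = proc_dointvec,
 	},
-	{
+	[NF_SYSCTL_CT_LOG_INVALID] = {
 		.procname = "nf_conntrack_log_invalid",
 		.data = &init_net.ct.sysctl_log_invalid,
 		.maxlen = sizeof(unsigned int),
@@ -570,7 +579,7 @@
 		.extra1 = &log_invalid_proto_min,
 		.extra2 = &log_invalid_proto_max,
 	},
-	{
+	[NF_SYSCTL_CT_EXPECT_MAX] = {
 		.procname = "nf_conntrack_expect_max",
 		.data = &nf_ct_expect_max,
 		.maxlen = sizeof(int),
 
 
@@ -600,16 +609,16 @@
 	if (!table)
 		goto out_kmemdup;
 
-	table[1].data = &net->ct.count;
-	table[3].data = &net->ct.sysctl_checksum;
-	table[4].data = &net->ct.sysctl_log_invalid;
+	table[NF_SYSCTL_CT_COUNT].data = &net->ct.count;
+	table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum;
+	table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
 
 	/* Don't export sysctls to unprivileged users */
 	if (net->user_ns != &init_user_ns)
-		table[0].procname = NULL;
+		table[NF_SYSCTL_CT_MAX].procname = NULL;
 
 	if (!net_eq(&init_net, net))
-		table[2].mode = 0444;
+		table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
 
 	net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
 	if (!net->ct.sysctl_header)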
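Review bot: The unprivileged-userns branch in the third hunk, `table[NF_SYSCTL_CT_MAX].procname = NULL;`, silently depends on NF_SYSCTL_CT_MAX being the first enumerator: sysctl registration stops at the first entry whose procname is NULL, so clearing index 0 is what hides the whole table from non-init user namespaces, and reordering the enum would quietly re-expose those sysctls while still compiling. That constraint is worth stating at the enum, e.g. `/* NF_SYSCTL_CT_MAX must stay first: its procname is cleared to hide the entire table from unprivileged user namespaces */`. The designated initializers also mean an enumerator added without a matching table entry leaves a zero-filled, i.e. terminating, entry in the middle of the table, silently dropping every sysctl after it; a trailing count enumerator (say `__NF_SYSCTL_CT_LAST_SYSCTL`) checked in the per-netns init with `BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != __NF_SYSCTL_CT_LAST_SYSCTL + 1);` would catch that, assuming the table keeps its empty terminating entry. The table's terminator and the function enclosing the third hunk both lie outside the visible hunks.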