Commit 4a65798a94089f31883eee705f580e4b2d734ecf
Committed by
Pablo Neira Ayuso
1 parent
4b216e21cf
netfilter: conntrack: add mnemonics for sysctl table
It's a bit hard to see what table[3] really lines up with, so add human-readable mnemonics and use them for initialisation. This makes it easier to see e.g. which sysctls are not exported to unprivileged userns. objdiff shows no changes. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 1 changed file with 20 additions and 11 deletions Side-by-side Diff
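--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -532,36 +532,45 @@
 
 static struct ctl_table_header *nf_ct_netfilter_header;
 
+enum nf_ct_sysctl_index {
+	NF_SYSCTL_CT_MAX,
+	NF_SYSCTL_CT_COUNT,
+	NF_SYSCTL_CT_BUCKETS,
+	NF_SYSCTL_CT_CHECKSUM,
+	NF_SYSCTL_CT_LOG_INVALID,
+	NF_SYSCTL_CT_EXPECT_MAX,
+};
+
 static struct ctl_table nf_ct_sysctl_table[] = {
-	{
+	[NF_SYSCTL_CT_MAX] = {
 		.procname = "nf_conntrack_max",
 		.data = &nf_conntrack_max,
 		.maxlen = sizeof(int),
 		.mode = 0644,
 		.proc_handler = proc_dointvec,
 	},
-	{
+	[NF_SYSCTL_CT_COUNT] = {
 		.procname = "nf_conntrack_count",
 		.data = &init_net.ct.count,
 		.maxlen = sizeof(int),
 		.mode = 0444,
 		.proc_handler = proc_dointvec,
 	},
-	{
+	[NF_SYSCTL_CT_BUCKETS] = {
 		.procname = "nf_conntrack_buckets",
 		.data = &nf_conntrack_htable_size_user,
 		.maxlen = sizeof(unsigned int),
 		.mode = 0644,
 		.proc_handler = nf_conntrack_hash_sysctl,
 	},
-	{
+	[NF_SYSCTL_CT_CHECKSUM] = {
 		.procname = "nf_conntrack_checksum",
 		.data = &init_net.ct.sysctl_checksum,
 		.maxlen = sizeof(unsigned int),
 		.mode = 0644,
 		.proc_handler = proc_dointvec,
 	},
-	{
+	[NF_SYSCTL_CT_LOG_INVALID] = {
 		.procname = "nf_conntrack_log_invalid",
 		.data = &init_net.ct.sysctl_log_invalid,
 		.maxlen = sizeof(unsigned int),
@@ -570,7 +579,7 @@
 		.extra1 = &log_invalid_proto_min,
 		.extra2 = &log_invalid_proto_max,
 	},
-	{
+	[NF_SYSCTL_CT_EXPECT_MAX] = {
 		.procname = "nf_conntrack_expect_max",
 		.data = &nf_ct_expect_max,
 		.maxlen = sizeof(int),
 
 
@@ -600,16 +609,16 @@
 	if (!table)
 		goto out_kmemdup;
 
-	table[1].data = &net->ct.count;
-	table[3].data = &net->ct.sysctl_checksum;
-	table[4].data = &net->ct.sysctl_log_invalid;
+	table[NF_SYSCTL_CT_COUNT].data = &net->ct.count;
+	table[NF_SYSCTL_CT_CHECKSUM].data = &net->ct.sysctl_checksum;
+	table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
 
 	/* Don't export sysctls to unprivileged users */
 	if (net->user_ns != &init_user_ns)
-		table[0].procname = NULL;
+		table[NF_SYSCTL_CT_MAX].procname = NULL;
 
 	if (!net_eq(&init_net, net))
-		table[2].mode = 0444;
+		table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
 
 	net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
 	if (!net->ct.sysctl_header)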
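Review bot: The designated initializers in nf_ct_sysctl_table[] (new lines 545–582) make the table depend on nf_ct_sysctl_index staying dense and in table order, but nothing in the commit checks that: an enumerator added without a matching `[...] = { ... }` entry leaves a zero-filled element in the middle of the array, and if the sysctl core treats a NULL .procname as the end of the table (hedged — the registration loop is not in this hunk) every sysctl after the gap would silently disappear instead of failing the build. A compile-time guard would tie the two together: add a final enumerator, `NF_SYSCTL_CT_LAST_SYSCTL,` (constructed name), and before the kmemdup in the function that owns the third hunk (its start and end lie outside the hunk) `BUILD_BUG_ON(ARRAY_SIZE(nf_ct_sysctl_table) != NF_SYSCTL_CT_LAST_SYSCTL + 1);`, assuming the table keeps its empty terminator entry, which is outside the hunk. A short comment above the enum, `/* index into nf_ct_sysctl_table[]; keep in table order, terminator last */`, would make the invariant explicit for the next person adding a sysctl. Since the hide at new line 618 also works by nulling .procname, the same terminator semantics are worth confirming for that line while the guard is added.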