Commit ba3fbe663635ae7b33a2d972c5d2def036258e42
1 parent
4a60dc748d
netfilter: nf_conntrack: provide modparam to always register conntrack hooks
The connection tracking hooks can be optionally registered per netns when conntrack is specifically invoked from the ruleset since 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed by ruleset"). Then, since 4d3a57f23dec ("netfilter: conntrack: do not enable connection tracking unless needed"), the default behaviour is changed to always register them on demand. This patch provides a toggle that allows users to always register them. Without this toggle, in order to use conntrack for statistics collection, you need a dummy rule that refers to conntrack, eg. iptables -I INPUT -m state --state NEW This patch allows users to restore the original behaviour via modparam, ie. always register connection tracking, eg. modprobe nf_conntrack enable_hooks=1 Hence, no dummy rule is required. Reported-by: Laura Garcia <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 1 changed file with 24 additions and 4 deletions Side-by-side Diff
net/netfilter/nf_conntrack_standalone.c
| ... | ... | @@ -24,6 +24,10 @@ |
| 24 | 24 | #include <net/netfilter/nf_conntrack_timestamp.h> |
| 25 | 25 | #include <linux/rculist_nulls.h> |
| 26 | 26 | |
| 27 | +static bool enable_hooks __read_mostly; | |
| 28 | +MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks"); | |
| 29 | +module_param(enable_hooks, bool, 0000); | |
| 30 | + | |
| 27 | 31 | unsigned int nf_conntrack_net_id __read_mostly; |
| 28 | 32 | |
| 29 | 33 | #ifdef CONFIG_NF_CONNTRACK_PROCFS |
| ... | ... | @@ -1075,6 +1079,15 @@ |
| 1075 | 1079 | } |
| 1076 | 1080 | #endif /* CONFIG_SYSCTL */ |
| 1077 | 1081 | |
| 1082 | +static void nf_conntrack_fini_net(struct net *net) | |
| 1083 | +{ | |
| 1084 | + if (enable_hooks) | |
| 1085 | + nf_ct_netns_put(net, NFPROTO_INET); | |
| 1086 | + | |
| 1087 | + nf_conntrack_standalone_fini_proc(net); | |
| 1088 | + nf_conntrack_standalone_fini_sysctl(net); | |
| 1089 | +} | |
| 1090 | + | |
| 1078 | 1091 | static int nf_conntrack_pernet_init(struct net *net) |
| 1079 | 1092 | { |
| 1080 | 1093 | int ret; |
| 1081 | 1094 | |
| ... | ... | @@ -1093,8 +1106,16 @@ |
| 1093 | 1106 | if (ret < 0) |
| 1094 | 1107 | goto out_init_net; |
| 1095 | 1108 | |
| 1109 | + if (enable_hooks) { | |
| 1110 | + ret = nf_ct_netns_get(net, NFPROTO_INET); | |
| 1111 | + if (ret < 0) | |
| 1112 | + goto out_hooks; | |
| 1113 | + } | |
| 1114 | + | |
| 1096 | 1115 | return 0; |
| 1097 | 1116 | |
| 1117 | +out_hooks: | |
| 1118 | + nf_conntrack_fini_net(net); | |
| 1098 | 1119 | out_init_net: |
| 1099 | 1120 | nf_conntrack_standalone_fini_proc(net); |
| 1100 | 1121 | out_proc: |
| ... | ... | @@ -1106,10 +1127,9 @@ |
| 1106 | 1127 | { |
| 1107 | 1128 | struct net *net; |
| 1108 | 1129 | |
| 1109 | - list_for_each_entry(net, net_exit_list, exit_list) { | |
| 1110 | - nf_conntrack_standalone_fini_sysctl(net); | |
| 1111 | - nf_conntrack_standalone_fini_proc(net); | |
| 1112 | - } | |
| 1130 | + list_for_each_entry(net, net_exit_list, exit_list) | |
| 1131 | + nf_conntrack_fini_net(net); | |
| 1132 | + | |
| 1113 | 1133 | nf_conntrack_cleanup_net_list(net_exit_list); |
| 1114 | 1134 | } |
| 1115 | 1135 |