netfilter: conntrack: merge acct and helper sysctl table with main one

Needless copy&paste, just handle all in one. Next patch will handle acct and timestamp, which have similar functions. Intentionally leaves cruft behind, will be cleaned up in a followup patch. The obsolete sysctl pointers in netns_ct struct are left in place and removed in a single change, as changes to netns trigger rebuild of almost all files. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: conntrack: merge acct and helper sysctl table with main one
Needless copy&paste, just handle all in one. Next patch will handle acct and timestamp, which have similar functions. Intentionally leaves cruft behind, will be cleaned up in a followup patch. The obsolete sysctl pointers in netns_ct struct are left in place and removed in a single change, as changes to netns trigger rebuild of almost all files. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal · Pablo Neira Ayuso
1 parent 4a65798a94
Showing 3 changed files with 22 additions and 128 deletions Side-by-side Diff
net/netfilter/nf_conntrack_acct.c
net/netfilter/nf_conntrack_helper.c
net/netfilter/nf_conntrack_standalone.c
@@ -25,83 +25,20 @@
 module_param_named(acct, nf_ct_acct, bool, 0644);
 MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
  
-#ifdef CONFIG_SYSCTL
-static struct ctl_table acct_sysctl_table[] = {
-	{
-		.procname	= "nf_conntrack_acct",
-		.data		= &init_net.ct.sysctl_acct,
-		.maxlen		= sizeof(unsigned int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
-	},
-	{}
-};
-#endif /* CONFIG_SYSCTL */
-
 static const struct nf_ct_ext_type acct_extend = {
 	.len	= sizeof(struct nf_conn_acct),
 	.align	= __alignof__(struct nf_conn_acct),
 	.id	= NF_CT_EXT_ACCT,
 };
  
-#ifdef CONFIG_SYSCTL
-static int nf_conntrack_acct_init_sysctl(struct net *net)
-{
-	struct ctl_table *table;
-
-	table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
-			GFP_KERNEL);
-	if (!table)
-		goto out;
-
-	table[0].data = &net->ct.sysctl_acct;
-
-	/* Don't export sysctls to unprivileged users */
-	if (net->user_ns != &init_user_ns)
-		table[0].procname = NULL;
-
-	net->ct.acct_sysctl_header = register_net_sysctl(net, "net/netfilter",
-							 table);
-	if (!net->ct.acct_sysctl_header) {
-		pr_err("can't register to sysctl\n");
-		goto out_register;
-	}
-	return 0;
-
-out_register:
-	kfree(table);
-out:
-	return -ENOMEM;
-}
-
-static void nf_conntrack_acct_fini_sysctl(struct net *net)
-{
-	struct ctl_table *table;
-
-	table = net->ct.acct_sysctl_header->ctl_table_arg;
-	unregister_net_sysctl_table(net->ct.acct_sysctl_header);
-	kfree(table);
-}
-#else
-static int nf_conntrack_acct_init_sysctl(struct net *net)
-{
-	return 0;
-}
-
-static void nf_conntrack_acct_fini_sysctl(struct net *net)
-{
-}
-#endif
-
 int nf_conntrack_acct_pernet_init(struct net *net)
 {
 	net->ct.sysctl_acct = nf_ct_acct;
-	return nf_conntrack_acct_init_sysctl(net);
+	return 0;
 }
  
 void nf_conntrack_acct_pernet_fini(struct net *net)
 {
-	nf_conntrack_acct_fini_sysctl(net);
 }
  
 int nf_conntrack_acct_init(void)
@@ -42,67 +42,6 @@
 MODULE_PARM_DESC(nf_conntrack_helper,
 		 "Enable automatic conntrack helper assignment (default 0)");
  
-#ifdef CONFIG_SYSCTL
-static struct ctl_table helper_sysctl_table[] = {
-	{
-		.procname	= "nf_conntrack_helper",
-		.data		= &init_net.ct.sysctl_auto_assign_helper,
-		.maxlen		= sizeof(unsigned int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
-	},
-	{}
-};
-
-static int nf_conntrack_helper_init_sysctl(struct net *net)
-{
-	struct ctl_table *table;
-
-	table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table),
-			GFP_KERNEL);
-	if (!table)
-		goto out;
-
-	table[0].data = &net->ct.sysctl_auto_assign_helper;
-
-	/* Don't export sysctls to unprivileged users */
-	if (net->user_ns != &init_user_ns)
-		table[0].procname = NULL;
-
-	net->ct.helper_sysctl_header =
-		register_net_sysctl(net, "net/netfilter", table);
-
-	if (!net->ct.helper_sysctl_header) {
-		pr_err("nf_conntrack_helper: can't register to sysctl.\n");
-		goto out_register;
-	}
-	return 0;
-
-out_register:
-	kfree(table);
-out:
-	return -ENOMEM;
-}
-
-static void nf_conntrack_helper_fini_sysctl(struct net *net)
-{
-	struct ctl_table *table;
-
-	table = net->ct.helper_sysctl_header->ctl_table_arg;
-	unregister_net_sysctl_table(net->ct.helper_sysctl_header);
-	kfree(table);
-}
-#else
-static int nf_conntrack_helper_init_sysctl(struct net *net)
-{
-	return 0;
-}
-
-static void nf_conntrack_helper_fini_sysctl(struct net *net)
-{
-}
-#endif /* CONFIG_SYSCTL */
-
 /* Stupid hash, but collision free for the default registrations of the
  * helpers currently in the kernel. */
 static unsigned int helper_hash(const struct nf_conntrack_tuple *tuple)
  
@@ -537,12 +476,11 @@
 {
 	net->ct.auto_assign_helper_warned = false;
 	net->ct.sysctl_auto_assign_helper = nf_ct_auto_assign_helper;
-	return nf_conntrack_helper_init_sysctl(net);
+	return 0;
 }
  
 void nf_conntrack_helper_pernet_fini(struct net *net)
 {
-	nf_conntrack_helper_fini_sysctl(net);
 }
  
 int nf_conntrack_helper_init(void)
@@ -539,6 +539,8 @@
 	NF_SYSCTL_CT_CHECKSUM,
 	NF_SYSCTL_CT_LOG_INVALID,
 	NF_SYSCTL_CT_EXPECT_MAX,
+	NF_SYSCTL_CT_ACCT,
+	NF_SYSCTL_CT_HELPER,
 };
  
 static struct ctl_table nf_ct_sysctl_table[] = {
@@ -586,6 +588,20 @@
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
+	[NF_SYSCTL_CT_ACCT] = {
+		.procname	= "nf_conntrack_acct",
+		.data		= &init_net.ct.sysctl_acct,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec,
+	},
+	[NF_SYSCTL_CT_HELPER] = {
+		.procname	= "nf_conntrack_helper",
+		.data		= &init_net.ct.sysctl_auto_assign_helper,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec,
+	},
 	{ }
 };
  
  
@@ -614,8 +630,11 @@
 	table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
  
 	/* Don't export sysctls to unprivileged users */
-	if (net->user_ns != &init_user_ns)
+	if (net->user_ns != &init_user_ns) {
 		table[NF_SYSCTL_CT_MAX].procname = NULL;
+		table[NF_SYSCTL_CT_ACCT].procname = NULL;
+		table[NF_SYSCTL_CT_HELPER].procname = NULL;
+	}
  
 	if (!net_eq(&init_net, net))
 		table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
...	...	@@ -25,83 +25,20 @@
25	25	module_param_named(acct, nf_ct_acct, bool, 0644);
26	26	MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
27	27
28		-#ifdef CONFIG_SYSCTL
29		-static struct ctl_table acct_sysctl_table[] = {
30		- {
31		- .procname = "nf_conntrack_acct",
32		- .data = &init_net.ct.sysctl_acct,
33		- .maxlen = sizeof(unsigned int),
34		- .mode = 0644,
35		- .proc_handler = proc_dointvec,
36		- },
37		- {}
38		-};
39		-#endif /* CONFIG_SYSCTL */
40		-
41	28	static const struct nf_ct_ext_type acct_extend = {
42	29	.len = sizeof(struct nf_conn_acct),
43	30	.align = __alignof__(struct nf_conn_acct),
44	31	.id = NF_CT_EXT_ACCT,
45	32	};
46	33
47		-#ifdef CONFIG_SYSCTL
48		-static int nf_conntrack_acct_init_sysctl(struct net *net)
49		-{
50		- struct ctl_table *table;
51		-
52		- table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
53		- GFP_KERNEL);
54		- if (!table)
55		- goto out;
56		-
57		- table[0].data = &net->ct.sysctl_acct;
58		-
59		- /* Don't export sysctls to unprivileged users */
60		- if (net->user_ns != &init_user_ns)
61		- table[0].procname = NULL;
62		-
63		- net->ct.acct_sysctl_header = register_net_sysctl(net, "net/netfilter",
64		- table);
65		- if (!net->ct.acct_sysctl_header) {
66		- pr_err("can't register to sysctl\n");
67		- goto out_register;
68		- }
69		- return 0;
70		-
71		-out_register:
72		- kfree(table);
73		-out:
74		- return -ENOMEM;
75		-}
76		-
77		-static void nf_conntrack_acct_fini_sysctl(struct net *net)
78		-{
79		- struct ctl_table *table;
80		-
81		- table = net->ct.acct_sysctl_header->ctl_table_arg;
82		- unregister_net_sysctl_table(net->ct.acct_sysctl_header);
83		- kfree(table);
84		-}
85		-#else
86		-static int nf_conntrack_acct_init_sysctl(struct net *net)
87		-{
88		- return 0;
89		-}
90		-
91		-static void nf_conntrack_acct_fini_sysctl(struct net *net)
92		-{
93		-}
94		-#endif
95		-
96	34	int nf_conntrack_acct_pernet_init(struct net *net)
97	35	{
98	36	net->ct.sysctl_acct = nf_ct_acct;
99		- return nf_conntrack_acct_init_sysctl(net);
	37	+ return 0;
100	38	}
101	39
102	40	void nf_conntrack_acct_pernet_fini(struct net *net)
103	41	{
104		- nf_conntrack_acct_fini_sysctl(net);
105	42	}
106	43
107	44	int nf_conntrack_acct_init(void)
...	...	@@ -42,67 +42,6 @@
42	42	MODULE_PARM_DESC(nf_conntrack_helper,
43	43	"Enable automatic conntrack helper assignment (default 0)");
44	44
45		-#ifdef CONFIG_SYSCTL
46		-static struct ctl_table helper_sysctl_table[] = {
47		- {
48		- .procname = "nf_conntrack_helper",
49		- .data = &init_net.ct.sysctl_auto_assign_helper,
50		- .maxlen = sizeof(unsigned int),
51		- .mode = 0644,
52		- .proc_handler = proc_dointvec,
53		- },
54		- {}
55		-};
56		-
57		-static int nf_conntrack_helper_init_sysctl(struct net *net)
58		-{
59		- struct ctl_table *table;
60		-
61		- table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table),
62		- GFP_KERNEL);
63		- if (!table)
64		- goto out;
65		-
66		- table[0].data = &net->ct.sysctl_auto_assign_helper;
67		-
68		- /* Don't export sysctls to unprivileged users */
69		- if (net->user_ns != &init_user_ns)
70		- table[0].procname = NULL;
71		-
72		- net->ct.helper_sysctl_header =
73		- register_net_sysctl(net, "net/netfilter", table);
74		-
75		- if (!net->ct.helper_sysctl_header) {
76		- pr_err("nf_conntrack_helper: can't register to sysctl.\n");
77		- goto out_register;
78		- }
79		- return 0;
80		-
81		-out_register:
82		- kfree(table);
83		-out:
84		- return -ENOMEM;
85		-}
86		-
87		-static void nf_conntrack_helper_fini_sysctl(struct net *net)
88		-{
89		- struct ctl_table *table;
90		-
91		- table = net->ct.helper_sysctl_header->ctl_table_arg;
92		- unregister_net_sysctl_table(net->ct.helper_sysctl_header);
93		- kfree(table);
94		-}
95		-#else
96		-static int nf_conntrack_helper_init_sysctl(struct net *net)
97		-{
98		- return 0;
99		-}
100		-
101		-static void nf_conntrack_helper_fini_sysctl(struct net *net)
102		-{
103		-}
104		-#endif /* CONFIG_SYSCTL */
105		-
106	45	/* Stupid hash, but collision free for the default registrations of the
107	46	* helpers currently in the kernel. */
108	47	static unsigned int helper_hash(const struct nf_conntrack_tuple *tuple)
109	48
...	...	@@ -537,12 +476,11 @@
537	476	{
538	477	net->ct.auto_assign_helper_warned = false;
539	478	net->ct.sysctl_auto_assign_helper = nf_ct_auto_assign_helper;
540		- return nf_conntrack_helper_init_sysctl(net);
	479	+ return 0;
541	480	}
542	481
543	482	void nf_conntrack_helper_pernet_fini(struct net *net)
544	483	{
545		- nf_conntrack_helper_fini_sysctl(net);
546	484	}
547	485
548	486	int nf_conntrack_helper_init(void)
...	...	@@ -539,6 +539,8 @@
539	539	NF_SYSCTL_CT_CHECKSUM,
540	540	NF_SYSCTL_CT_LOG_INVALID,
541	541	NF_SYSCTL_CT_EXPECT_MAX,
	542	+ NF_SYSCTL_CT_ACCT,
	543	+ NF_SYSCTL_CT_HELPER,
542	544	};
543	545
544	546	static struct ctl_table nf_ct_sysctl_table[] = {
...	...	@@ -586,6 +588,20 @@
586	588	.mode = 0644,
587	589	.proc_handler = proc_dointvec,
588	590	},
	591	+ [NF_SYSCTL_CT_ACCT] = {
	592	+ .procname = "nf_conntrack_acct",
	593	+ .data = &init_net.ct.sysctl_acct,
	594	+ .maxlen = sizeof(unsigned int),
	595	+ .mode = 0644,
	596	+ .proc_handler = proc_dointvec,
	597	+ },
	598	+ [NF_SYSCTL_CT_HELPER] = {
	599	+ .procname = "nf_conntrack_helper",
	600	+ .data = &init_net.ct.sysctl_auto_assign_helper,
	601	+ .maxlen = sizeof(unsigned int),
	602	+ .mode = 0644,
	603	+ .proc_handler = proc_dointvec,
	604	+ },
589	605	{ }
590	606	};
591	607
592	608
...	...	@@ -614,8 +630,11 @@
614	630	table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
615	631
616	632	/* Don't export sysctls to unprivileged users */
617		- if (net->user_ns != &init_user_ns)
	633	+ if (net->user_ns != &init_user_ns) {
618	634	table[NF_SYSCTL_CT_MAX].procname = NULL;
	635	+ table[NF_SYSCTL_CT_ACCT].procname = NULL;
	636	+ table[NF_SYSCTL_CT_HELPER].procname = NULL;
	637	+ }
619	638
620	639	if (!net_eq(&init_net, net))
621	640	table[NF_SYSCTL_CT_BUCKETS].mode = 0444;