Commit 0e6e75af authored by Alexey Dobriyan's avatar Alexey Dobriyan Committed by Patrick McHardy

netfilter: netns nf_conntrack: PPTP conntracking in netns

Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 3bb0d1c0
...@@ -98,6 +98,7 @@ EXPORT_SYMBOL(pptp_msg_name); ...@@ -98,6 +98,7 @@ EXPORT_SYMBOL(pptp_msg_name);
static void pptp_expectfn(struct nf_conn *ct, static void pptp_expectfn(struct nf_conn *ct,
struct nf_conntrack_expect *exp) struct nf_conntrack_expect *exp)
{ {
struct net *net = nf_ct_net(ct);
typeof(nf_nat_pptp_hook_expectfn) nf_nat_pptp_expectfn; typeof(nf_nat_pptp_hook_expectfn) nf_nat_pptp_expectfn;
pr_debug("increasing timeouts\n"); pr_debug("increasing timeouts\n");
...@@ -121,7 +122,7 @@ static void pptp_expectfn(struct nf_conn *ct, ...@@ -121,7 +122,7 @@ static void pptp_expectfn(struct nf_conn *ct,
pr_debug("trying to unexpect other dir: "); pr_debug("trying to unexpect other dir: ");
nf_ct_dump_tuple(&inv_t); nf_ct_dump_tuple(&inv_t);
exp_other = nf_ct_expect_find_get(&init_net, &inv_t); exp_other = nf_ct_expect_find_get(net, &inv_t);
if (exp_other) { if (exp_other) {
/* delete other expectation. */ /* delete other expectation. */
pr_debug("found\n"); pr_debug("found\n");
...@@ -134,7 +135,8 @@ static void pptp_expectfn(struct nf_conn *ct, ...@@ -134,7 +135,8 @@ static void pptp_expectfn(struct nf_conn *ct,
rcu_read_unlock(); rcu_read_unlock();
} }
static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t) static int destroy_sibling_or_exp(struct net *net,
const struct nf_conntrack_tuple *t)
{ {
const struct nf_conntrack_tuple_hash *h; const struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_expect *exp; struct nf_conntrack_expect *exp;
...@@ -143,7 +145,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t) ...@@ -143,7 +145,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t)
pr_debug("trying to timeout ct or exp for tuple "); pr_debug("trying to timeout ct or exp for tuple ");
nf_ct_dump_tuple(t); nf_ct_dump_tuple(t);
h = nf_conntrack_find_get(&init_net, t); h = nf_conntrack_find_get(net, t);
if (h) { if (h) {
sibling = nf_ct_tuplehash_to_ctrack(h); sibling = nf_ct_tuplehash_to_ctrack(h);
pr_debug("setting timeout of conntrack %p to 0\n", sibling); pr_debug("setting timeout of conntrack %p to 0\n", sibling);
...@@ -154,7 +156,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t) ...@@ -154,7 +156,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t)
nf_ct_put(sibling); nf_ct_put(sibling);
return 1; return 1;
} else { } else {
exp = nf_ct_expect_find_get(&init_net, t); exp = nf_ct_expect_find_get(net, t);
if (exp) { if (exp) {
pr_debug("unexpect_related of expect %p\n", exp); pr_debug("unexpect_related of expect %p\n", exp);
nf_ct_unexpect_related(exp); nf_ct_unexpect_related(exp);
...@@ -168,6 +170,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t) ...@@ -168,6 +170,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t)
/* timeout GRE data connections */ /* timeout GRE data connections */
static void pptp_destroy_siblings(struct nf_conn *ct) static void pptp_destroy_siblings(struct nf_conn *ct)
{ {
struct net *net = nf_ct_net(ct);
const struct nf_conn_help *help = nfct_help(ct); const struct nf_conn_help *help = nfct_help(ct);
struct nf_conntrack_tuple t; struct nf_conntrack_tuple t;
...@@ -178,7 +181,7 @@ static void pptp_destroy_siblings(struct nf_conn *ct) ...@@ -178,7 +181,7 @@ static void pptp_destroy_siblings(struct nf_conn *ct)
t.dst.protonum = IPPROTO_GRE; t.dst.protonum = IPPROTO_GRE;
t.src.u.gre.key = help->help.ct_pptp_info.pns_call_id; t.src.u.gre.key = help->help.ct_pptp_info.pns_call_id;
t.dst.u.gre.key = help->help.ct_pptp_info.pac_call_id; t.dst.u.gre.key = help->help.ct_pptp_info.pac_call_id;
if (!destroy_sibling_or_exp(&t)) if (!destroy_sibling_or_exp(net, &t))
pr_debug("failed to timeout original pns->pac ct/exp\n"); pr_debug("failed to timeout original pns->pac ct/exp\n");
/* try reply (pac->pns) tuple */ /* try reply (pac->pns) tuple */
...@@ -186,7 +189,7 @@ static void pptp_destroy_siblings(struct nf_conn *ct) ...@@ -186,7 +189,7 @@ static void pptp_destroy_siblings(struct nf_conn *ct)
t.dst.protonum = IPPROTO_GRE; t.dst.protonum = IPPROTO_GRE;
t.src.u.gre.key = help->help.ct_pptp_info.pac_call_id; t.src.u.gre.key = help->help.ct_pptp_info.pac_call_id;
t.dst.u.gre.key = help->help.ct_pptp_info.pns_call_id; t.dst.u.gre.key = help->help.ct_pptp_info.pns_call_id;
if (!destroy_sibling_or_exp(&t)) if (!destroy_sibling_or_exp(net, &t))
pr_debug("failed to timeout reply pac->pns ct/exp\n"); pr_debug("failed to timeout reply pac->pns ct/exp\n");
} }
...@@ -594,15 +597,32 @@ static struct nf_conntrack_helper pptp __read_mostly = { ...@@ -594,15 +597,32 @@ static struct nf_conntrack_helper pptp __read_mostly = {
.expect_policy = &pptp_exp_policy, .expect_policy = &pptp_exp_policy,
}; };
static void nf_conntrack_pptp_net_exit(struct net *net)
{
nf_ct_gre_keymap_flush(net);
}
static struct pernet_operations nf_conntrack_pptp_net_ops = {
.exit = nf_conntrack_pptp_net_exit,
};
static int __init nf_conntrack_pptp_init(void) static int __init nf_conntrack_pptp_init(void)
{ {
return nf_conntrack_helper_register(&pptp); int rv;
rv = nf_conntrack_helper_register(&pptp);
if (rv < 0)
return rv;
rv = register_pernet_subsys(&nf_conntrack_pptp_net_ops);
if (rv < 0)
nf_conntrack_helper_unregister(&pptp);
return rv;
} }
static void __exit nf_conntrack_pptp_fini(void) static void __exit nf_conntrack_pptp_fini(void)
{ {
nf_conntrack_helper_unregister(&pptp); nf_conntrack_helper_unregister(&pptp);
nf_ct_gre_keymap_flush(&init_net); unregister_pernet_subsys(&nf_conntrack_pptp_net_ops);
} }
module_init(nf_conntrack_pptp_init); module_init(nf_conntrack_pptp_init);
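Review bot: The new `nf_conntrack_pptp_net_exit` / `nf_conntrack_pptp_net_ops` pair says nothing about why only `.exit` is provided, and the ordering that the error path in `nf_conntrack_pptp_init` relies on is left implicit; a comment above the ops, `/* No per-net state is set up here; the exit hook only flushes the GRE keymaps held by the netns being torn down. The helper is registered before register_pernet_subsys() so a failure there can unwind it. */`, would make that explicit. As a point of style, `int rv;` followed by `rv = nf_conntrack_helper_register(&pptp);` can be collapsed to `int rv = nf_conntrack_helper_register(&pptp);`. The teardown order in `nf_conntrack_pptp_fini` (helper first, then pernet subsys) keeps the original unregister-then-flush sequence, which looks correct, and the `&init_net` → `net` replacements in the earlier hunks raise no separate point.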