Commit 63c9a262 authored by Alexey Dobriyan's avatar Alexey Dobriyan Committed by Patrick McHardy

netfilter: netns nf_conntrack: per-netns unconfirmed list

What is confirmed connection in one netns can very well be unconfirmed
in another one.
Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 9b03f38d
...@@ -72,6 +72,5 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple, ...@@ -72,6 +72,5 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
const struct nf_conntrack_l4proto *proto); const struct nf_conntrack_l4proto *proto);
extern spinlock_t nf_conntrack_lock ; extern spinlock_t nf_conntrack_lock ;
extern struct hlist_head unconfirmed;
#endif /* _NF_CONNTRACK_CORE_H */ #endif /* _NF_CONNTRACK_CORE_H */
#ifndef __NETNS_CONNTRACK_H #ifndef __NETNS_CONNTRACK_H
#define __NETNS_CONNTRACK_H #define __NETNS_CONNTRACK_H
#include <linux/list.h>
#include <asm/atomic.h> #include <asm/atomic.h>
struct netns_ct { struct netns_ct {
...@@ -8,6 +9,7 @@ struct netns_ct { ...@@ -8,6 +9,7 @@ struct netns_ct {
unsigned int expect_count; unsigned int expect_count;
struct hlist_head *hash; struct hlist_head *hash;
struct hlist_head *expect_hash; struct hlist_head *expect_hash;
struct hlist_head unconfirmed;
int hash_vmalloc; int hash_vmalloc;
int expect_vmalloc; int expect_vmalloc;
}; };
......
...@@ -54,7 +54,6 @@ struct nf_conn nf_conntrack_untracked __read_mostly; ...@@ -54,7 +54,6 @@ struct nf_conn nf_conntrack_untracked __read_mostly;
EXPORT_SYMBOL_GPL(nf_conntrack_untracked); EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
unsigned int nf_ct_log_invalid __read_mostly; unsigned int nf_ct_log_invalid __read_mostly;
HLIST_HEAD(unconfirmed);
static struct kmem_cache *nf_conntrack_cachep __read_mostly; static struct kmem_cache *nf_conntrack_cachep __read_mostly;
DEFINE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat); DEFINE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
...@@ -596,7 +595,8 @@ init_conntrack(struct net *net, ...@@ -596,7 +595,8 @@ init_conntrack(struct net *net,
} }
/* Overload tuple linked list to put us in unconfirmed list. */ /* Overload tuple linked list to put us in unconfirmed list. */
hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed); hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode,
&net->ct.unconfirmed);
spin_unlock_bh(&nf_conntrack_lock); spin_unlock_bh(&nf_conntrack_lock);
...@@ -957,7 +957,7 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data), ...@@ -957,7 +957,7 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data),
goto found; goto found;
} }
} }
hlist_for_each_entry(h, n, &unconfirmed, hnode) { hlist_for_each_entry(h, n, &net->ct.unconfirmed, hnode) {
ct = nf_ct_tuplehash_to_ctrack(h); ct = nf_ct_tuplehash_to_ctrack(h);
if (iter(ct, data)) if (iter(ct, data))
set_bit(IPS_DYING_BIT, &ct->status); set_bit(IPS_DYING_BIT, &ct->status);
...@@ -1154,6 +1154,7 @@ int nf_conntrack_init(struct net *net) ...@@ -1154,6 +1154,7 @@ int nf_conntrack_init(struct net *net)
printk(KERN_ERR "Unable to create nf_conntrack_hash\n"); printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
goto err_out; goto err_out;
} }
INIT_HLIST_HEAD(&net->ct.unconfirmed);
nf_conntrack_max = max_factor * nf_conntrack_htable_size; nf_conntrack_max = max_factor * nf_conntrack_htable_size;
......
...@@ -156,7 +156,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me) ...@@ -156,7 +156,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
} }
/* Get rid of expecteds, set helpers to NULL. */ /* Get rid of expecteds, set helpers to NULL. */
hlist_for_each_entry(h, n, &unconfirmed, hnode) hlist_for_each_entry(h, n, &init_net.ct.unconfirmed, hnode)
unhelp(h, me); unhelp(h, me);
for (i = 0; i < nf_conntrack_htable_size; i++) { for (i = 0; i < nf_conntrack_htable_size; i++) {
hlist_for_each_entry(h, n, &init_net.ct.hash[i], hnode) hlist_for_each_entry(h, n, &init_net.ct.hash[i], hnode)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment