netfilter: netns nf_conntrack: per-netns unconfirmed list
What is confirmed connection in one netns can very well be unconfirmed in another one. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
9b03f38d04
commit
63c9a26264
4 changed files with 7 additions and 5 deletions
|
@ -72,6 +72,5 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
|
|||
const struct nf_conntrack_l4proto *proto);
|
||||
|
||||
extern spinlock_t nf_conntrack_lock ;
|
||||
extern struct hlist_head unconfirmed;
|
||||
|
||||
#endif /* _NF_CONNTRACK_CORE_H */
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#ifndef __NETNS_CONNTRACK_H
|
||||
#define __NETNS_CONNTRACK_H
|
||||
|
||||
#include <linux/list.h>
|
||||
#include <asm/atomic.h>
|
||||
|
||||
struct netns_ct {
|
||||
|
@ -8,6 +9,7 @@ struct netns_ct {
|
|||
unsigned int expect_count;
|
||||
struct hlist_head *hash;
|
||||
struct hlist_head *expect_hash;
|
||||
struct hlist_head unconfirmed;
|
||||
int hash_vmalloc;
|
||||
int expect_vmalloc;
|
||||
};
|
||||
|
|
|
@ -54,7 +54,6 @@ struct nf_conn nf_conntrack_untracked __read_mostly;
|
|||
EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
|
||||
|
||||
unsigned int nf_ct_log_invalid __read_mostly;
|
||||
HLIST_HEAD(unconfirmed);
|
||||
static struct kmem_cache *nf_conntrack_cachep __read_mostly;
|
||||
|
||||
DEFINE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
|
||||
|
@ -596,7 +595,8 @@ init_conntrack(struct net *net,
|
|||
}
|
||||
|
||||
/* Overload tuple linked list to put us in unconfirmed list. */
|
||||
hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed);
|
||||
hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode,
|
||||
&net->ct.unconfirmed);
|
||||
|
||||
spin_unlock_bh(&nf_conntrack_lock);
|
||||
|
||||
|
@ -957,7 +957,7 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data),
|
|||
goto found;
|
||||
}
|
||||
}
|
||||
hlist_for_each_entry(h, n, &unconfirmed, hnode) {
|
||||
hlist_for_each_entry(h, n, &net->ct.unconfirmed, hnode) {
|
||||
ct = nf_ct_tuplehash_to_ctrack(h);
|
||||
if (iter(ct, data))
|
||||
set_bit(IPS_DYING_BIT, &ct->status);
|
||||
|
@ -1154,6 +1154,7 @@ int nf_conntrack_init(struct net *net)
|
|||
printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
|
||||
goto err_out;
|
||||
}
|
||||
INIT_HLIST_HEAD(&net->ct.unconfirmed);
|
||||
|
||||
nf_conntrack_max = max_factor * nf_conntrack_htable_size;
|
||||
|
||||
|
|
|
@ -156,7 +156,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
|
|||
}
|
||||
|
||||
/* Get rid of expecteds, set helpers to NULL. */
|
||||
hlist_for_each_entry(h, n, &unconfirmed, hnode)
|
||||
hlist_for_each_entry(h, n, &init_net.ct.unconfirmed, hnode)
|
||||
unhelp(h, me);
|
||||
for (i = 0; i < nf_conntrack_htable_size; i++) {
|
||||
hlist_for_each_entry(h, n, &init_net.ct.hash[i], hnode)
|
||||
|
|
Loading…
Reference in a new issue