include/net/netfilter/nf_conntrack_l4proto.h +5 −1 @@ -80,7 +80,11 @@ struct nf_conntrack_l4proto struct ctl_table_header **ctl_table_header; struct ctl_table *ctl_table; unsigned int *ctl_table_users; #endif /* CONFIG_SYSCTL */ #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT struct ctl_table_header *ctl_compat_table_header; struct ctl_table *ctl_compat_table; #endif #endif /* Module (if any) which this is connected to. */ struct module *me; net/ipv4/netfilter/Kconfig +11 −0 @@ -19,6 +19,17 @@ config NF_CONNTRACK_IPV4 To compile it as a module, choose M here. If unsure, say N. config NF_CONNTRACK_PROC_COMPAT bool "proc/sysctl compatibility with old connection tracking" depends on NF_CONNTRACK default y help This option enables /proc and sysctl compatibility with the old layer 3 dependant connection tracking. This is needed to keep old programs that have not been adapted to the new names working. If unsure, say Y. # connection tracking, helpers and protocols config IP_NF_CONNTRACK tristate "Connection tracking (required for masq/NAT)" net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +58 −0
@@ -266,6 +266,60 @@ static struct nf_hook_ops ipv4_conntrack_ops[] = { }, }; #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) static int log_invalid_proto_min = 0; static int log_invalid_proto_max = 255; static ctl_table ip_ct_sysctl_table[] = { { .ctl_name = NET_IPV4_NF_CONNTRACK_MAX, .procname = "ip_conntrack_max", .data = &nf_conntrack_max, .maxlen = sizeof(int), .mode = 0644, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_COUNT, .procname = "ip_conntrack_count", .data = &nf_conntrack_count, .maxlen = sizeof(int), .mode = 0444, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_BUCKETS, .procname = "ip_conntrack_buckets", .data = &nf_conntrack_htable_size, .maxlen = sizeof(unsigned int), .mode = 0444, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_CHECKSUM, .procname = "ip_conntrack_checksum", .data = &nf_conntrack_checksum, .maxlen = sizeof(int), .mode = 0644, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_LOG_INVALID, .procname = "ip_conntrack_log_invalid", .data = &nf_ct_log_invalid, .maxlen = sizeof(unsigned int), .mode = 0644, .proc_handler = &proc_dointvec_minmax, .strategy = &sysctl_intvec, .extra1 = &log_invalid_proto_min, .extra2 = &log_invalid_proto_max, }, { .ctl_name = 0 } }; #endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */ /* Fast function for those who don't want to parse /proc (and I don't blame them). */ /* Reversing the socket's dst/src point of view gives us the reply
@@ -385,6 +439,10 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = { defined(CONFIG_NF_CT_NETLINK_MODULE) .tuple_to_nfattr = ipv4_tuple_to_nfattr, .nfattr_to_tuple = ipv4_nfattr_to_tuple, #endif #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) .ctl_table_path = nf_net_ipv4_netfilter_sysctl_path, .ctl_table = ip_ct_sysctl_table, #endif .me = THIS_MODULE, }; net/ipv4/netfilter/nf_conntrack_proto_icmp.c +18 −0 @@ -336,6 +336,21 @@ static struct ctl_table icmp_sysctl_table[] = { .ctl_name = 0 } }; #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT static struct ctl_table icmp_compat_sysctl_table[] = { { .ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT, .procname = "ip_conntrack_icmp_timeout", .data = &nf_ct_icmp_timeout, .maxlen = sizeof(unsigned int), .mode = 0644, .proc_handler = &proc_dointvec_jiffies, }, { .ctl_name = 0 } }; #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ #endif /* CONFIG_SYSCTL */ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp = @@ -360,6 +375,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp = #ifdef CONFIG_SYSCTL .ctl_table_header = &icmp_sysctl_header, .ctl_table = icmp_sysctl_table, #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT .ctl_compat_table = icmp_compat_sysctl_table, #endif #endif }; net/netfilter/nf_conntrack_core.c +2 −0 @@ -66,10 +66,12 @@ DEFINE_RWLOCK(nf_conntrack_lock); /* nf_conntrack_standalone needs this */ atomic_t nf_conntrack_count = ATOMIC_INIT(0); EXPORT_SYMBOL_GPL(nf_conntrack_count); void (*nf_conntrack_destroyed)(struct nf_conn *conntrack) = NULL; unsigned int nf_conntrack_htable_size __read_mostly; int nf_conntrack_max __read_mostly; EXPORT_SYMBOL_GPL(nf_conntrack_max); struct list_head *nf_conntrack_hash __read_mostly; struct nf_conn nf_conntrack_untracked __read_mostly; unsigned int nf_ct_log_invalid __read_mostly;
include/net/netfilter/nf_conntrack_l4proto.h +5 −1 @@ -80,7 +80,11 @@ struct nf_conntrack_l4proto struct ctl_table_header **ctl_table_header; struct ctl_table *ctl_table; unsigned int *ctl_table_users; #endif /* CONFIG_SYSCTL */ #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT struct ctl_table_header *ctl_compat_table_header; struct ctl_table *ctl_compat_table; #endif #endif /* Module (if any) which this is connected to. */ struct module *me;
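Review bot: The new members `ctl_compat_table_header` and `ctl_compat_table` carry no comment saying who registers and unregisters the compat table, and unlike the primary table (`**ctl_table_header` plus `ctl_table_users`) they have no shared header or user count. A one-line comment such as `/* compat sysctl table: one per l4proto, not shared or refcounted */` would tell protocol authors not to point two l4proto instances at the same compat table, if that is the intent; the registration code is not part of this section. As far as the rendered page shows, the labelled `#endif /* CONFIG_SYSCTL */` also becomes two bare `#endif` lines, and labelling them `#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */` and `#endif /* CONFIG_SYSCTL */` would keep the nesting readable. The struct body starts and ends outside the hunk.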
net/ipv4/netfilter/Kconfig +11 −0 @@ -19,6 +19,17 @@ config NF_CONNTRACK_IPV4 To compile it as a module, choose M here. If unsure, say N. config NF_CONNTRACK_PROC_COMPAT bool "proc/sysctl compatibility with old connection tracking" depends on NF_CONNTRACK default y help This option enables /proc and sysctl compatibility with the old layer 3 dependant connection tracking. This is needed to keep old programs that have not been adapted to the new names working. If unsure, say Y. # connection tracking, helpers and protocols config IP_NF_CONNTRACK tristate "Connection tracking (required for masq/NAT)"
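Review bot: `NF_CONNTRACK_PROC_COMPAT` depends only on `NF_CONNTRACK`, yet the only tables built under it on this page live in net/ipv4/netfilter/ and are additionally guarded by `CONFIG_SYSCTL`. The option would therefore be offered, and default to y, in configurations where it appears to compile to nothing; `depends on NF_CONNTRACK_IPV4` looks like the tighter dependency, to be confirmed against the parts of the change not shown here. The help text could also say that the old names are aliases for the same tunables, several of them writable, so that anyone auditing or restricting the `nf_conntrack_*` sysctls knows to cover the `ip_conntrack_*` names as well. `dependant` in the help text should read `dependent`.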
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +58 −0 @@ -266,6 +266,60 @@ static struct nf_hook_ops ipv4_conntrack_ops[] = { }, }; #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) static int log_invalid_proto_min = 0; static int log_invalid_proto_max = 255; static ctl_table ip_ct_sysctl_table[] = { { .ctl_name = NET_IPV4_NF_CONNTRACK_MAX, .procname = "ip_conntrack_max", .data = &nf_conntrack_max, .maxlen = sizeof(int), .mode = 0644, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_COUNT, .procname = "ip_conntrack_count", .data = &nf_conntrack_count, .maxlen = sizeof(int), .mode = 0444, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_BUCKETS, .procname = "ip_conntrack_buckets", .data = &nf_conntrack_htable_size, .maxlen = sizeof(unsigned int), .mode = 0444, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_CHECKSUM, .procname = "ip_conntrack_checksum", .data = &nf_conntrack_checksum, .maxlen = sizeof(int), .mode = 0644, .proc_handler = &proc_dointvec, }, { .ctl_name = NET_IPV4_NF_CONNTRACK_LOG_INVALID, .procname = "ip_conntrack_log_invalid", .data = &nf_ct_log_invalid, .maxlen = sizeof(unsigned int), .mode = 0644, .proc_handler = &proc_dointvec_minmax, .strategy = &sysctl_intvec, .extra1 = &log_invalid_proto_min, .extra2 = &log_invalid_proto_max, }, { .ctl_name = 0 } }; #endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */ /* Fast function for those who don't want to parse /proc (and I don't blame them). */ /* Reversing the socket's dst/src point of view gives us the reply
@@ -385,6 +439,10 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = { defined(CONFIG_NF_CT_NETLINK_MODULE) .tuple_to_nfattr = ipv4_tuple_to_nfattr, .nfattr_to_tuple = ipv4_nfattr_to_tuple, #endif #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) .ctl_table_path = nf_net_ipv4_netfilter_sysctl_path, .ctl_table = ip_ct_sysctl_table, #endif .me = THIS_MODULE, };
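Review bot: In `ip_ct_sysctl_table` the writable entries `ip_conntrack_max` and `ip_conntrack_checksum` (mode 0644) use plain `proc_dointvec`, so any int, including a negative one, is stored, while `ip_conntrack_log_invalid` in the same table is bounded through `proc_dointvec_minmax`. How the core treats a negative `nf_conntrack_max` is not visible here, so either bound these two entries the same way, `.proc_handler = &proc_dointvec_minmax, .strategy = &sysctl_intvec, .extra1 = &log_invalid_proto_min,` with the zero given a neutral name, or add a comment saying they deliberately mirror the primary `nf_conntrack_*` entries, which are outside this page. The `ip_conntrack_count` entry also hands `&nf_conntrack_count`, declared `atomic_t` in nf_conntrack_core.c, to `proc_dointvec` with `sizeof(int)`; a comment such as `/* atomic_t read as int; entry is read-only */` would record that assumption.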
net/ipv4/netfilter/nf_conntrack_proto_icmp.c +18 −0 @@ -336,6 +336,21 @@ static struct ctl_table icmp_sysctl_table[] = { .ctl_name = 0 } }; #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT static struct ctl_table icmp_compat_sysctl_table[] = { { .ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT, .procname = "ip_conntrack_icmp_timeout", .data = &nf_ct_icmp_timeout, .maxlen = sizeof(unsigned int), .mode = 0644, .proc_handler = &proc_dointvec_jiffies, }, { .ctl_name = 0 } }; #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ #endif /* CONFIG_SYSCTL */ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp = @@ -360,6 +375,9 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp = #ifdef CONFIG_SYSCTL .ctl_table_header = &icmp_sysctl_header, .ctl_table = icmp_sysctl_table, #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT .ctl_compat_table = icmp_compat_sysctl_table, #endif #endif };
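Review bot: `icmp_compat_sysctl_table` pairs `proc_dointvec_jiffies` with `.maxlen = sizeof(unsigned int)` for `nf_ct_icmp_timeout`, whose declaration is outside the hunk. `proc_dointvec_jiffies` works on int-sized storage, so it is worth confirming that the variable is not declared `unsigned long`, and that zero or a negative value is acceptable as a timeout, since the entry is mode 0644 with no bounds. In the second hunk only `.ctl_compat_table` is initialised and `ctl_compat_table_header` is left unset, so registration and, more importantly, unregistration on module unload must happen in code not shown here; a comment next to the initialiser naming that code would help. Both `icmp_sysctl_table` and the `nf_conntrack_l4proto_icmp` initialiser start outside the hunks.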
net/netfilter/nf_conntrack_core.c +2 −0 @@ -66,10 +66,12 @@ DEFINE_RWLOCK(nf_conntrack_lock); /* nf_conntrack_standalone needs this */ atomic_t nf_conntrack_count = ATOMIC_INIT(0); EXPORT_SYMBOL_GPL(nf_conntrack_count); void (*nf_conntrack_destroyed)(struct nf_conn *conntrack) = NULL; unsigned int nf_conntrack_htable_size __read_mostly; int nf_conntrack_max __read_mostly; EXPORT_SYMBOL_GPL(nf_conntrack_max); struct list_head *nf_conntrack_hash __read_mostly; struct nf_conn nf_conntrack_untracked __read_mostly; unsigned int nf_ct_log_invalid __read_mostly;