The connection tracking hooks can optionally be registered per netns when
conntrack is specifically invoked from the ruleset, since
0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed
by ruleset"). Then, since 4d3a57f23dec ("netfilter: conntrack: do not
enable connection tracking unless needed"), the default behaviour was
changed to always register them on demand.

This patch provides a toggle that allows users to always register them.
Without this toggle, in order to use conntrack for statistics
collection, you need a dummy rule that refers to conntrack, eg.

        iptables -I INPUT -m state --state NEW

This patch allows users to restore the original behaviour via modparam,
ie. always register connection tracking, eg.

        modprobe nf_conntrack enable_hooks=1

Hence, no dummy rule is required.

Reported-by: Laura Garcia <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
---
 net/netfilter/nf_conntrack_standalone.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/net/netfilter/nf_conntrack_standalone.c 
b/net/netfilter/nf_conntrack_standalone.c
index b6177fd73304..a42048055694 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -703,6 +703,10 @@ static void nf_conntrack_standalone_fini_sysctl(struct net 
*net)
 }
 #endif /* CONFIG_SYSCTL */
 
+static bool enable_hooks __read_mostly;
+MODULE_PARM_DESC(enable_hooks, "Always enable conntrack hooks");
+module_param(enable_hooks, bool, 0000);
+
 static int nf_conntrack_pernet_init(struct net *net)
 {
        int ret;
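Review bot: The permission argument 0000 in `module_param(enable_hooks, bool, 0000);` keeps the parameter out of /sys/module, so an administrator cannot later confirm whether conntrack hooks were forced on at load time, which matters when diagnosing why hooks are registered in every netns without a matching rule. Since the value is only consumed at pernet init/exit and must not change in between, a read-only mode is the natural fit: `module_param(enable_hooks, bool, 0444);`. The MODULE_PARM_DESC text could also say where the effect lands, e.g. "Always enable conntrack hooks in every netns at init". nf_conntrack_pernet_init begins in this hunk but its body continues outside it.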
@@ -721,8 +725,17 @@ static int nf_conntrack_pernet_init(struct net *net)
        if (ret < 0)
                goto out_sysctl;
 
+       if (enable_hooks) {
+               ret = nf_ct_netns_get(net, NFPROTO_INET);
+               if (ret < 0) {
+                       goto out_hooks;
+               }
+       }
+
        return 0;
 
+out_hooks:
+       nf_conntrack_standalone_fini_sysctl(net);
 out_sysctl:
        nf_conntrack_standalone_fini_proc(net);
 out_proc:
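Review bot: The inner `if (ret < 0)` wraps a single statement in braces, which kernel coding style avoids and checkpatch flags; the rest of this function already uses the brace-less form (`if (ret < 0)` / `goto out_sysctl;` two lines above). Suggested form: `ret = nf_ct_netns_get(net, NFPROTO_INET);` / `if (ret < 0)` / `goto out_hooks;`. The unwind order is correct as written: `out_hooks` undoes the sysctl registration and then falls through to `out_sysctl` for proc, mirroring the existing label convention where each label names the step that failed. nf_conntrack_pernet_init starts and ends outside this hunk.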
@@ -736,6 +749,9 @@ static void nf_conntrack_pernet_exit(struct list_head 
*net_exit_list)
        struct net *net;
 
        list_for_each_entry(net, net_exit_list, exit_list) {
+               if (enable_hooks)
+                       nf_ct_netns_put(net, NFPROTO_INET);
+
                nf_conntrack_standalone_fini_sysctl(net);
                nf_conntrack_standalone_fini_proc(net);
        }
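Review bot: The conditional `nf_ct_netns_put(net, NFPROTO_INET)` is only balanced against the `nf_ct_netns_get()` in nf_conntrack_pernet_init because enable_hooks cannot change after module load (its module_param permission is 0000), and nothing in the code says so; a reader who later makes the parameter writable would introduce an unbalanced get/put. A one-line comment above the check would pin the invariant: `/* balances nf_ct_netns_get() in pernet_init(); enable_hooks is fixed at load */`. Dropping the hooks before tearing down sysctl and proc is the reverse of the init order, which is what one wants here. nf_conntrack_pernet_exit's closing brace is outside the hunk.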
-- 
2.11.0
