Re: [PATCH] netfilter: remove ip_conntrack* sysctl compat code

2016-08-13 Thread Liping Zhang
Hi Pablo,
2016-08-12 19:47 GMT+08:00 Pablo Neira Ayuso :
> diff --git a/net/netfilter/nf_conntrack_core.c 
> b/net/netfilter/nf_conntrack_core.c
> index dd2c43a..22558b7 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -161,10 +161,7 @@ static void nf_conntrack_all_unlock(void)
>  }
>
>  unsigned int nf_conntrack_htable_size __read_mostly;
> -EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);

We still need to export nf_conntrack_htable_size, otherwise:

ERROR: "nf_conntrack_htable_size"
[net/netfilter/nfnetlink_cttimeout.ko] undefined!
ERROR: "nf_conntrack_htable_size"
[net/netfilter/nf_conntrack_netlink.ko] undefined!
ERROR: "nf_conntrack_htable_size"
[net/ipv4/netfilter/nf_conntrack_ipv4.ko] undefined!


[PATCH] netfilter: remove ip_conntrack* sysctl compat code

2016-08-12 Thread Pablo Neira Ayuso
This backward compatibility has been around for more than ten years,
since Yasuyuki Kozakai introduced IPv6 in conntrack. These days, we have
alternate /proc/net/nf_conntrack* entries, the ctnetlink interface and
the conntrack utility got adopted by many people in the user community
according to what I observed on the netfilter user mailing list.

So let's get rid of this.

Note that nf_conntrack_htable_size and nf_conntrack_max do not need to be
exported as symbols anymore.

Signed-off-by: Pablo Neira Ayuso 
---
 include/net/netfilter/nf_conntrack_l4proto.h   |   8 -
 include/net/netns/conntrack.h  |   8 -
 net/ipv4/netfilter/Kconfig |  11 -
 net/ipv4/netfilter/Makefile|   5 -
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  70 ---
 .../netfilter/nf_conntrack_l3proto_ipv4_compat.c   | 491 -
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |  39 +-
 net/netfilter/nf_conntrack_core.c  |   3 -
 net/netfilter/nf_conntrack_proto.c |  81 +---
 net/netfilter/nf_conntrack_proto_generic.c |  39 +-
 net/netfilter/nf_conntrack_proto_sctp.c|  85 +---
 net/netfilter/nf_conntrack_proto_tcp.c | 127 +-
 net/netfilter/nf_conntrack_proto_udp.c |  49 +-
 13 files changed, 7 insertions(+), 1009 deletions(-)
 delete mode 100644 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c

diff --git a/include/net/netfilter/nf_conntrack_l4proto.h 
b/include/net/netfilter/nf_conntrack_l4proto.h
index 1a5fb36..de629f1 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -134,14 +134,6 @@ void nf_ct_l4proto_pernet_unregister(struct net *net,
 int nf_ct_l4proto_register(struct nf_conntrack_l4proto *proto);
 void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *proto);
 
-static inline void nf_ct_kfree_compat_sysctl_table(struct nf_proto_net *pn)
-{
-#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
-   kfree(pn->ctl_compat_table);
-   pn->ctl_compat_table = NULL;
-#endif
-}
-
 /* Generic netlink helpers */
 int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
   const struct nf_conntrack_tuple *tuple);
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 38b1a80..e469e85 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -15,10 +15,6 @@ struct nf_proto_net {
 #ifdef CONFIG_SYSCTL
struct ctl_table_header *ctl_table_header;
struct ctl_table*ctl_table;
-#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
-   struct ctl_table_header *ctl_compat_header;
-   struct ctl_table*ctl_compat_table;
-#endif
 #endif
unsigned intusers;
 };
@@ -58,10 +54,6 @@ struct nf_ip_net {
struct nf_udp_net   udp;
struct nf_icmp_net  icmp;
struct nf_icmp_net  icmpv6;
-#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
-   struct ctl_table_header *ctl_table_header;
-   struct ctl_table*ctl_table;
-#endif
 };
 
 struct ct_pcpu {
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index c187c60..d613309 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -25,17 +25,6 @@ config NF_CONNTRACK_IPV4
 
  To compile it as a module, choose M here.  If unsure, say N.
 
-config NF_CONNTRACK_PROC_COMPAT
-   bool "proc/sysctl compatibility with old connection tracking"
-   depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
-   default y
-   help
- This option enables /proc and sysctl compatibility with the old
- layer 3 dependent connection tracking. This is needed to keep
- old programs that have not been adapted to the new names working.
-
- If unsure, say Y.
-
 if NF_TABLES
 
 config NF_TABLES_IPV4
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 87b073d..853328f 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -4,11 +4,6 @@
 
 # objects for l3 independent conntrack
 nf_conntrack_ipv4-y:=  nf_conntrack_l3proto_ipv4.o 
nf_conntrack_proto_icmp.o
-ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
-ifeq ($(CONFIG_PROC_FS),y)
-nf_conntrack_ipv4-objs += nf_conntrack_l3proto_ipv4_compat.o
-endif
-endif
 
 # connection tracking
 obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index ae1a71a..870aebd 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -202,47 +202,6 @@ static struct nf_hook_ops ipv4_conntrack_ops[] 
__read_mostly = {
},
 };
 
-#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
-static int log_invalid_proto_min =