From: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com> Series: This series brings to vz7 all the nf_conntrack sysctls, which are available in vz6.
https://jira.sw.ru/browse/PSBM-40044 This sysctl table contains only one entry: "/proc/sys/net/nf_conntrack_max". This is now visible inside ct. However, have to say, that "/proc/sys/net/netfilter/nf_conntrack_max" and friends (despite on they are containerized) arebehind init_user_ns. Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com> Reviewed-by: Kirill Tkhai <ktk...@virtuozzo.com> (cherry picked from commit 9d3a8c692557f097d2ee916769c9e3c5503804cd) TODO: take a look on nf_conntrack_buckets MS sysctl VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783 Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com>
---
 include/net/netns/conntrack.h | 1 +
 net/netfilter/nf_conntrack_standalone.c | 69 +++++++++++++++++++------
 2 files changed, 53 insertions(+), 17 deletions(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 447c3ec738da..19bcf4173ccb 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -114,6 +114,7 @@ struct netns_ct {
 #endif
 unsigned int expect_max;
 #ifdef CONFIG_SYSCTL
+ struct ctl_table_header *netfilter_header;
 struct ctl_table_header *sysctl_header;
 struct ctl_table_header *acct_sysctl_header;
 struct ctl_table_header *tstamp_sysctl_header;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 567d92b53016..61aa2a7a8182 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -515,8 +515,6 @@ nf_conntrack_hash_sysctl(struct ctl_table *table, int write,
 return ret;
 }
-static struct ctl_table_header *nf_ct_netfilter_header;
-
 static struct ctl_table nf_ct_sysctl_table[] = {
 {
 .procname = "nf_conntrack_max",
@@ -578,6 +576,42 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 static int zero;
+static int nf_conntrack_netfilter_init_sysctl(struct net *net)
+{
+ struct ctl_table *table;
+
+ table = kmemdup(nf_ct_netfilter_table, sizeof(nf_ct_netfilter_table),
+ GFP_KERNEL);
+ if (!table)
+ goto out_kmemdup;
+
+ table[0].data = &net->ct.max;
+
+ /* Don't export sysctls to unprivileged users */
+ if (ve_net_hide_sysctl(net))
+ table[0].procname = NULL;
+
+ net->ct.netfilter_header = register_net_sysctl(net, "net", table);
+ if (!net->ct.netfilter_header)
+ goto out_unregister_netfilter;
+
+ return 0;
+
+out_unregister_netfilter:
+ kfree(table);
+out_kmemdup:
+ return -ENOMEM;
+}
+
+static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
+{
+ struct ctl_table *table;
+
+ table = net->ct.netfilter_header->ctl_table_arg;
+ unregister_net_sysctl_table(net->ct.netfilter_header);
+ kfree(table);
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 struct ctl_table *table;
@@ -625,6 +659,15 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net)
 kfree(table);
 }
 #else
+static int nf_conntrack_netfilter_init_sysctl(struct net *net)
+{
+ return 0;
+}
+
+static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
+{
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 return 0;
@@ -653,8 +696,14 @@ static int nf_conntrack_pernet_init(struct net *net)
 if (ret < 0)
 goto out_sysctl;
+ ret = nf_conntrack_netfilter_init_sysctl(net);
+ if (ret < 0)
+ goto out_netfilter_sysctl;
+
 return 0;
+out_netfilter_sysctl:
+ nf_conntrack_standalone_fini_sysctl(net);
 out_sysctl:
 nf_conntrack_standalone_fini_proc(net);
 out_proc:
@@ -668,6 +717,7 @@ static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
 struct net *net;
 list_for_each_entry(net, net_exit_list, exit_list) {
+ nf_conntrack_netfilter_fini_sysctl(net);
 nf_conntrack_standalone_fini_sysctl(net);
 nf_conntrack_standalone_fini_proc(net);
 }
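Review bot: The error labels in nf_conntrack_netfilter_init_sysctl are misnamed: `out_unregister_netfilter:` only frees the kmemdup'd table and nothing has been registered yet when it is reached, and `out_kmemdup:` just returns, so `out_free:` and `out:` would describe what they do. The init-time registration that this series removes logged `pr_err("nf_conntrack: can't register to sysctl.\n")` on failure, whereas the per-net replacement returns -ENOMEM silently, leaving no trace of which sysctl registration failed when a netns fails to initialise; a `pr_warn_ratelimited` before the `goto` would restore that (ratelimited, since this now runs once per netns). `table[0].data = &net->ct.max;` relies on nf_conntrack_max being the first entry of nf_ct_netfilter_table because the copied table is indexed rather than searched by name, which deserves a one-line comment such as `/* nf_ct_netfilter_table[0] is nf_conntrack_max */`. Whether `ve_net_hide_sysctl(net)` covers every netns whose owner must not be allowed to raise net->ct.max cannot be checked from this hunk; if it is only a visibility toggle, a writable per-netns nf_conntrack_max lets a container choose its own conntrack ceiling, and those entries are host kernel memory, so the hiding condition should be confirmed against the old init_user_ns gate.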
@@ -691,14 +741,6 @@ static int __init nf_conntrack_standalone_init(void)
 BUILD_BUG_ON(NFCT_INFOMASK <= IP_CT_NUMBER);
 #ifdef CONFIG_SYSCTL
- nf_ct_netfilter_header =
- register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
- if (!nf_ct_netfilter_header) {
- pr_err("nf_conntrack: can't register to sysctl.\n");
- ret = -ENOMEM;
- goto out_sysctl;
- }
-
 nf_conntrack_htable_size_user = nf_conntrack_htable_size;
 #endif
@@ -710,10 +752,6 @@ static int __init nf_conntrack_standalone_init(void)
 return 0;
 out_pernet:
-#ifdef CONFIG_SYSCTL
- unregister_net_sysctl_table(nf_ct_netfilter_header);
-out_sysctl:
-#endif
 nf_conntrack_cleanup_end();
 out_start:
 return ret;
@@ -723,9 +761,6 @@ static void __exit nf_conntrack_standalone_fini(void)
 {
 nf_conntrack_cleanup_start();
 unregister_pernet_subsys(&nf_conntrack_net_ops);
-#ifdef CONFIG_SYSCTL
- unregister_net_sysctl_table(nf_ct_netfilter_header);
-#endif
 nf_conntrack_cleanup_end();
 }
--
2.28.0
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel