[Devel,rh7,4/4] net: Mark conntrack users in nftables

Submitted by Kirill Tkhai on Sept. 6, 2016, 6:31 a.m.

Details

Message ID 147314351111.331.14676625847859106586.stgit@pro
State New
Series "Create conntrack structures only if they are really needed"

Commit Message

Kirill Tkhai Sept. 6, 2016, 6:31 a.m.
Allow conntracks to be allocated when these
rules are inserted.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 net/netfilter/nft_ct.c  |    3 +++
 net/netfilter/nft_nat.c |    9 +++++++++
 2 files changed, 12 insertions(+)


diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index cc56030..b6834e5 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -278,6 +278,8 @@  static int nft_ct_get_init(const struct nft_ctx *ctx,
 	if (err < 0)
 		return err;
 
+	inc_conntrack_users(ctx->net);
+
 	return 0;
 }
 
@@ -313,6 +315,7 @@  static int nft_ct_set_init(const struct nft_ctx *ctx,
 static void nft_ct_destroy(const struct nft_ctx *ctx,
 			   const struct nft_expr *expr)
 {
+	dec_conntrack_users(ctx->net);
 	nft_ct_l3proto_module_put(ctx->afi->family);
 }
 
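Review bot: `nft_ct_destroy()` now always calls `dec_conntrack_users(ctx->net)`, but the matching `inc_conntrack_users()` is added only to `nft_ct_get_init()`; `nft_ct_set_init()`, whose tail is named in this hunk's header, gets none. If the ct set ops also use `nft_ct_destroy` as their `.destroy` (the ops tables are not in the diff), deleting a ct set expression decrements a count it never raised. The user count could then reach zero, or underflow, while ct or NAT rules are still loaded, and rules that depend on conntrack state would presumably stop matching as intended. Either add `inc_conntrack_users(ctx->net);` before the final `return 0;` of `nft_ct_set_init()`, or give the get ops a destroy callback of their own.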
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 799550b..4638d91 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -159,9 +159,17 @@  static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 			return -EINVAL;
 	}
 
+	inc_conntrack_users(ctx->net);
+
 	return 0;
 }
 
+static void nft_nat_destroy(const struct nft_ctx *ctx,
+			    const struct nft_expr *expr)
+{
+	dec_conntrack_users(ctx->net);
+}
+
 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
 	const struct nft_nat *priv = nft_expr_priv(expr);
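Review bot: `nft_nat_destroy()` has no comment tying it to the increment at the end of `nft_nat_init()`, and the pairing only holds while that increment stays the last statement before `return 0;`. I would add `/* Drop the conntrack user reference taken at the end of nft_nat_init(). */` above the function, so that a later early return or a failure path added after the increment is noticed. `nft_nat_init()` starts outside the hunk, so I could not check whether it has another successful return that skips the increment.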
@@ -211,6 +219,7 @@  static const struct nft_expr_ops nft_nat_ops = {
 	.size           = NFT_EXPR_SIZE(sizeof(struct nft_nat)),
 	.eval           = nft_nat_eval,
 	.init           = nft_nat_init,
+	.destroy	= nft_nat_destroy,
 	.dump           = nft_nat_dump,
 };