[Devel,rh7] net: nf_synproxy: Direct conntrack allocation

Submitted by Kirill Tkhai on Sept. 15, 2016, 3:35 p.m.


Message ID 147395370011.17812.15840556661243945977.stgit@pro
State New
Series "net: nf_synproxy: Direct conntrack allocation"

Commit Message

Kirill Tkhai Sept. 15, 2016, 3:35 p.m.
Since synproxy's allow_conntrack_allocation() is executed from pernet
init, loading the nf_synproxy_core module allows conntracks for all
nets.

Fix that by direct allocation of synproxy sample conntrack (and do not
allow conntracks from pernet init).

https://jira.sw.ru/browse/PSBM-52218

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 include/net/netfilter/nf_conntrack.h |    5 +++++
 net/netfilter/nf_conntrack_core.c    |   11 ++++++-----
 net/netfilter/nf_synproxy_core.c     |    3 +--
 3 files changed, 12 insertions(+), 7 deletions(-)


diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index b0da003..fefe866 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -253,6 +253,11 @@  struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone,
 				   const struct nf_conntrack_tuple *orig,
 				   const struct nf_conntrack_tuple *repl,
 				   gfp_t gfp);
+struct nf_conn *
+__nf_conntrack_alloc(struct net *net, u16 zone,
+		     const struct nf_conntrack_tuple *orig,
+		     const struct nf_conntrack_tuple *repl,
+		     gfp_t gfp, u32 hash, bool can_alloc);
 
 static inline int nf_ct_is_template(const struct nf_conn *ct)
 {
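Review bot: The prototype of __nf_conntrack_alloc added in this hunk carries no comment saying what can_alloc means, and once the symbol is exported (the EXPORT_SYMBOL_GPL line in the nf_conntrack_core.c hunk) any GPL module can pass true and skip the per-net net->ct.can_alloc gate that this patch is otherwise tightening. A kernel-doc style line above the prototype would make the contract explicit, e.g. `/* can_alloc: bypass the per-net ct.can_alloc gate; only for sample/template conntracks allocated at pernet init (synproxy) */`. It is also worth considering keeping __nf_conntrack_alloc static and exporting a narrowly named wrapper (say nf_conntrack_alloc_template()) instead, so the policy bypass is a distinct, greppable API rather than a bool on the generic allocator.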
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 15e8479..d46c905 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -832,16 +832,16 @@  void init_nf_conntrack_hash_rnd(void)
 	cmpxchg(&nf_conntrack_hash_rnd, 0, rand);
 }
 
-static struct nf_conn *
+struct nf_conn *
 __nf_conntrack_alloc(struct net *net, u16 zone,
 		     const struct nf_conntrack_tuple *orig,
 		     const struct nf_conntrack_tuple *repl,
-		     gfp_t gfp, u32 hash)
+		     gfp_t gfp, u32 hash, bool can_alloc)
 {
 	unsigned int ct_max = net->ct.max ? net->ct.max : init_net.ct.max;
 	struct nf_conn *ct;
 
-	if (!net->ct.can_alloc) {
+	if (!net->ct.can_alloc && !can_alloc) {
 		/* No rules loaded */
 		return NULL;
 	}
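Review bot: The new condition `if (!net->ct.can_alloc && !can_alloc)` uses the name can_alloc for two different things — the per-net policy flag and a per-call override — and the surviving `/* No rules loaded */` comment no longer describes the full condition. Renaming the parameter to something like `force` or `bypass_policy`, and replacing the comment with `/* No rules loaded for this net and the caller did not request a policy bypass */`, would make the override readable at the gate itself. The function body continues past this hunk, so any further NULL or ERR_PTR return paths are not visible here.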
@@ -915,13 +915,14 @@  __nf_conntrack_alloc(struct net *net, u16 zone,
 	return ERR_PTR(-ENOMEM);
 #endif
 }
+EXPORT_SYMBOL_GPL(__nf_conntrack_alloc);
 
 struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone,
 				   const struct nf_conntrack_tuple *orig,
 				   const struct nf_conntrack_tuple *repl,
 				   gfp_t gfp)
 {
-	return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0);
+	return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0, false);
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
 
@@ -968,7 +969,7 @@  init_conntrack(struct net *net, struct nf_conn *tmpl,
 	}
 
 	ct = __nf_conntrack_alloc(net, zone, tuple, &repl_tuple, GFP_ATOMIC,
-				  hash);
+				  hash, false);
 	if (IS_ERR_OR_NULL(ct))
 		return (struct nf_conntrack_tuple_hash *)ct;
 
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 779e5a6..3184505 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -353,8 +353,7 @@  static int __net_init synproxy_net_init(struct net *net)
 	int err = -ENOMEM;
 
 	memset(&t, 0, sizeof(t));
-	allow_conntrack_allocation(net);
-	ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
+	ct = __nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL, 0, true);
 	if (IS_ERR(ct)) {
 		err = PTR_ERR(ct);
 		goto err1;
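Review bot: The check after the new __nf_conntrack_alloc call tests only IS_ERR(ct), whereas init_conntrack in the nf_conntrack_core.c hunk treats the same function's result with IS_ERR_OR_NULL(). Passing can_alloc=true skips the visible `return NULL` at the gate, but if __nf_conntrack_alloc has any other NULL return beyond the lines shown, the later use of ct would dereference NULL; aligning the check to `if (IS_ERR_OR_NULL(ct)) { err = ct ? PTR_ERR(ct) : -ENOMEM; goto err1; }` would be defensive and consistent with the core caller. The enclosing synproxy_net_init() starts before this hunk and its use of ct continues after it.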

Comments

Andrey Vagin Sept. 16, 2016, 6:41 a.m.
On Thu, Sep 15, 2016 at 06:35:42PM +0300, Kirill Tkhai wrote:
> Since synproxy conntrack allow_conntrack_allocation() is executed
> from pernet init, loading nf_synproxy_core() module allows conntracks
> for all nets.
> 
> Fix that by direct allocation of synproxy sample conntrack (and do not
> allow conntracks from pernet init).
> 
> https://jira.sw.ru/browse/PSBM-52218
> 

Acked-by: Andrei Vagin <avagin@virtuozzo.com>


> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
> ---
>  include/net/netfilter/nf_conntrack.h |    5 +++++
>  net/netfilter/nf_conntrack_core.c    |   11 ++++++-----
>  net/netfilter/nf_synproxy_core.c     |    3 +--
>  3 files changed, 12 insertions(+), 7 deletions(-)
> 
> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
> index b0da003..fefe866 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -253,6 +253,11 @@ struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone,
>  				   const struct nf_conntrack_tuple *orig,
>  				   const struct nf_conntrack_tuple *repl,
>  				   gfp_t gfp);
> +struct nf_conn *
> +__nf_conntrack_alloc(struct net *net, u16 zone,
> +		     const struct nf_conntrack_tuple *orig,
> +		     const struct nf_conntrack_tuple *repl,
> +		     gfp_t gfp, u32 hash, bool can_alloc);
>  
>  static inline int nf_ct_is_template(const struct nf_conn *ct)
>  {
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index 15e8479..d46c905 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -832,16 +832,16 @@ void init_nf_conntrack_hash_rnd(void)
>  	cmpxchg(&nf_conntrack_hash_rnd, 0, rand);
>  }
>  
> -static struct nf_conn *
> +struct nf_conn *
>  __nf_conntrack_alloc(struct net *net, u16 zone,
>  		     const struct nf_conntrack_tuple *orig,
>  		     const struct nf_conntrack_tuple *repl,
> -		     gfp_t gfp, u32 hash)
> +		     gfp_t gfp, u32 hash, bool can_alloc)
>  {
>  	unsigned int ct_max = net->ct.max ? net->ct.max : init_net.ct.max;
>  	struct nf_conn *ct;
>  
> -	if (!net->ct.can_alloc) {
> +	if (!net->ct.can_alloc && !can_alloc) {
>  		/* No rules loaded */
>  		return NULL;
>  	}
> @@ -915,13 +915,14 @@ __nf_conntrack_alloc(struct net *net, u16 zone,
>  	return ERR_PTR(-ENOMEM);
>  #endif
>  }
> +EXPORT_SYMBOL_GPL(__nf_conntrack_alloc);
>  
>  struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone,
>  				   const struct nf_conntrack_tuple *orig,
>  				   const struct nf_conntrack_tuple *repl,
>  				   gfp_t gfp)
>  {
> -	return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0);
> +	return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0, false);
>  }
>  EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
>  
> @@ -968,7 +969,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
>  	}
>  
>  	ct = __nf_conntrack_alloc(net, zone, tuple, &repl_tuple, GFP_ATOMIC,
> -				  hash);
> +				  hash, false);
>  	if (IS_ERR_OR_NULL(ct))
>  		return (struct nf_conntrack_tuple_hash *)ct;
>  
> diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
> index 779e5a6..3184505 100644
> --- a/net/netfilter/nf_synproxy_core.c
> +++ b/net/netfilter/nf_synproxy_core.c
> @@ -353,8 +353,7 @@ static int __net_init synproxy_net_init(struct net *net)
>  	int err = -ENOMEM;
>  
>  	memset(&t, 0, sizeof(t));
> -	allow_conntrack_allocation(net);
> -	ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
> +	ct = __nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL, 0, true);
>  	if (IS_ERR(ct)) {
>  		err = PTR_ERR(ct);
>  		goto err1;
>