Commit 400dad39 authored by Alexey Dobriyan's avatar Alexey Dobriyan Committed by Patrick McHardy

netfilter: netns nf_conntrack: per-netns conntrack hash



* make per-netns conntrack hash

  The other solution is to add a ->ct_net pointer to tuplehashes and still have
  one hash; I tried that, and it's ugly and requires more code deep down in
  protocol modules et al.

* propagate netns pointer to where needed, e. g. to conntrack iterators.

Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 49ac8713
+3 −3
@@ -195,11 +195,11 @@ extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced,
				 unsigned int size);

extern struct nf_conntrack_tuple_hash *
__nf_conntrack_find(const struct nf_conntrack_tuple *tuple);
__nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);

extern void nf_conntrack_hash_insert(struct nf_conn *ct);

extern void nf_conntrack_flush(void);
extern void nf_conntrack_flush(struct net *net);

extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
			      unsigned int nhoff, u_int16_t l3num,
@@ -261,7 +261,7 @@ extern struct nf_conn nf_conntrack_untracked;

/* Iterate over all conntracks: if iter returns true, it's deleted. */
extern void
nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);
extern void nf_conntrack_free(struct nf_conn *ct);
extern struct nf_conn *
nf_conntrack_alloc(struct net *net,
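Review bot: The comment above `nf_ct_iterate_cleanup()` still reads "Iterate over all conntracks", but with the added `struct net *net` argument the walk is presumably limited to that namespace's table. Suggest `/* Iterate over all conntracks in @net: if iter returns true, it's deleted. */` so callers do not assume a single call covers every namespace. The new prototype line also runs past 80 columns and could be wrapped after `net,`. The declaration of `nf_conntrack_alloc()` continues outside the section.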
+1 −2
@@ -48,7 +48,7 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,

/* Find a connection corresponding to a tuple. */
extern struct nf_conntrack_tuple_hash *
nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple);
nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);

extern int __nf_conntrack_confirm(struct sk_buff *skb);

@@ -71,7 +71,6 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
            const struct nf_conntrack_l3proto *l3proto,
            const struct nf_conntrack_l4proto *proto);

extern struct hlist_head *nf_conntrack_hash;
extern spinlock_t nf_conntrack_lock ;
extern struct hlist_head unconfirmed;
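Review bot: `nf_conntrack_lock` and the `unconfirmed` list stay single globals in the second hunk while the `nf_conntrack_hash` extern is dropped in favour of a per-netns table, so entries that are not yet confirmed would still sit on one list shared by every namespace. If that is intentional for this step, a comment above the two declarations should say so, e.g. `/* still global: shared by all netns until converted */`. Otherwise any code that walks `unconfirmed` needs to compare each entry's namespace before acting on it. Whether follow-up patches convert these two is not visible on this page.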

+2 −0
@@ -5,5 +5,7 @@

struct netns_ct {
	atomic_t		count;
	struct hlist_head	*hash;
	int			hash_vmalloc;
};
#endif
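Review bot: `struct netns_ct` now carries the table pointer and how it was allocated, but not the table's size, although `nf_ct_free_hashtable()` takes a size and every bucket lookup needs one. If the size stays a single global that can change at runtime (not visible in this section), a namespace's table could be indexed or freed with a size it was not allocated with, which is an out-of-bounds access. Consider storing it next to the pointer, `unsigned int		htable_size;`, or documenting on the struct that all namespaces share one size and that a resize must cover every namespace. A short comment on `hash_vmalloc` such as `/* non-zero if hash came from vmalloc */` would also help; that meaning is inferred from the `vmalloced` argument of `nf_ct_free_hashtable()`.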
+2 −1
@@ -129,7 +129,8 @@ static int masq_device_event(struct notifier_block *this,
		   and forget them. */
		NF_CT_ASSERT(dev->ifindex != 0);

		nf_ct_iterate_cleanup(device_cmp, (void *)(long)dev->ifindex);
		nf_ct_iterate_cleanup(&init_net, device_cmp,
				      (void *)(long)dev->ifindex);
	}

	return NOTIFY_DONE;
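Review bot: The new call passes `&init_net` unconditionally, so every device event is applied to the initial namespace's conntrack table and matched only by `dev->ifindex`. Unless the part of `masq_device_event()` above the hunk already returns early for devices outside `init_net`, an event for an interface in another namespace could clean up unrelated entries if ifindex values are not unique across namespaces. `nf_ct_iterate_cleanup(dev_net(dev), device_cmp, (void *)(long)dev->ifindex);` would keep the cleanup in the device's own namespace. The function starts outside the hunk, so an existing guard, if any, is not visible.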
+1 −1
@@ -323,7 +323,7 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
		return -EINVAL;
	}

	h = nf_conntrack_find_get(&tuple);
	h = nf_conntrack_find_get(sock_net(sk), &tuple);
	if (h) {
		struct sockaddr_in sin;
		struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);