Commit 50978462 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: add cttimeout infrastructure for fine timeout tuning



This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.

The follow-up patches will allow you to attach a timeout policy object
to a conntrack entry via the CT target and the conntrack extension
infrastructure.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 2c8503f5
+1 −0
@@ -10,6 +10,7 @@ header-y += nfnetlink.h
header-y += nfnetlink_acct.h
header-y += nfnetlink_compat.h
header-y += nfnetlink_conntrack.h
header-y += nfnetlink_cttimeout.h
header-y += nfnetlink_log.h
header-y += nfnetlink_queue.h
header-y += x_tables.h
+2 −1
@@ -49,7 +49,8 @@ struct nfgenmsg {
#define NFNL_SUBSYS_OSF			5
#define NFNL_SUBSYS_IPSET		6
#define NFNL_SUBSYS_ACCT		7
#define NFNL_SUBSYS_COUNT		8
#define NFNL_SUBSYS_CTNETLINK_TIMEOUT	8
#define NFNL_SUBSYS_COUNT		9

#ifdef __KERNEL__

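--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_cttimeout.h
@@ -0,0 +1,114 @@
+#ifndef _CTTIMEOUT_NETLINK_H
+#define _CTTIMEOUT_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum ctnl_timeout_msg_types {
+	IPCTNL_MSG_TIMEOUT_NEW,
+	IPCTNL_MSG_TIMEOUT_GET,
+	IPCTNL_MSG_TIMEOUT_DELETE,
+
+	IPCTNL_MSG_TIMEOUT_MAX
+};
+
+enum ctattr_timeout {
+	CTA_TIMEOUT_UNSPEC,
+	CTA_TIMEOUT_NAME,
+	CTA_TIMEOUT_L3PROTO,
+	CTA_TIMEOUT_L4PROTO,
+	CTA_TIMEOUT_DATA,
+	CTA_TIMEOUT_USE,
+	__CTA_TIMEOUT_MAX
+};
+#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
+
+enum ctattr_timeout_generic {
+	CTA_TIMEOUT_GENERIC_UNSPEC,
+	CTA_TIMEOUT_GENERIC_TIMEOUT,
+	__CTA_TIMEOUT_GENERIC_MAX
+};
+#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
+
+enum ctattr_timeout_tcp {
+	CTA_TIMEOUT_TCP_UNSPEC,
+	CTA_TIMEOUT_TCP_SYN_SENT,
+	CTA_TIMEOUT_TCP_SYN_RECV,
+	CTA_TIMEOUT_TCP_ESTABLISHED,
+	CTA_TIMEOUT_TCP_FIN_WAIT,
+	CTA_TIMEOUT_TCP_CLOSE_WAIT,
+	CTA_TIMEOUT_TCP_LAST_ACK,
+	CTA_TIMEOUT_TCP_TIME_WAIT,
+	CTA_TIMEOUT_TCP_CLOSE,
+	CTA_TIMEOUT_TCP_SYN_SENT2,
+	CTA_TIMEOUT_TCP_RETRANS,
+	CTA_TIMEOUT_TCP_UNACK,
+	__CTA_TIMEOUT_TCP_MAX
+};
+#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
+
+enum ctattr_timeout_udp {
+	CTA_TIMEOUT_UDP_UNSPEC,
+	CTA_TIMEOUT_UDP_UNREPLIED,
+	CTA_TIMEOUT_UDP_REPLIED,
+	__CTA_TIMEOUT_UDP_MAX
+};
+#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
+
+enum ctattr_timeout_udplite {
+	CTA_TIMEOUT_UDPLITE_UNSPEC,
+	CTA_TIMEOUT_UDPLITE_UNREPLIED,
+	CTA_TIMEOUT_UDPLITE_REPLIED,
+	__CTA_TIMEOUT_UDPLITE_MAX
+};
+#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
+
+enum ctattr_timeout_icmp {
+	CTA_TIMEOUT_ICMP_UNSPEC,
+	CTA_TIMEOUT_ICMP_TIMEOUT,
+	__CTA_TIMEOUT_ICMP_MAX
+};
+#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
+
+enum ctattr_timeout_dccp {
+	CTA_TIMEOUT_DCCP_UNSPEC,
+	CTA_TIMEOUT_DCCP_REQUEST,
+	CTA_TIMEOUT_DCCP_RESPOND,
+	CTA_TIMEOUT_DCCP_PARTOPEN,
+	CTA_TIMEOUT_DCCP_OPEN,
+	CTA_TIMEOUT_DCCP_CLOSEREQ,
+	CTA_TIMEOUT_DCCP_CLOSING,
+	CTA_TIMEOUT_DCCP_TIMEWAIT,
+	__CTA_TIMEOUT_DCCP_MAX
+};
+#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
+
+enum ctattr_timeout_sctp {
+	CTA_TIMEOUT_SCTP_UNSPEC,
+	CTA_TIMEOUT_SCTP_CLOSED,
+	CTA_TIMEOUT_SCTP_COOKIE_WAIT,
+	CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
+	CTA_TIMEOUT_SCTP_ESTABLISHED,
+	CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
+	CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
+	CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
+	__CTA_TIMEOUT_SCTP_MAX
+};
+#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
+
+enum ctattr_timeout_icmpv6 {
+	CTA_TIMEOUT_ICMPV6_UNSPEC,
+	CTA_TIMEOUT_ICMPV6_TIMEOUT,
+	__CTA_TIMEOUT_ICMPV6_MAX
+};
+#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
+
+enum ctattr_timeout_gre {
+	CTA_TIMEOUT_GRE_UNSPEC,
+	CTA_TIMEOUT_GRE_UNREPLIED,
+	CTA_TIMEOUT_GRE_REPLIED,
+	__CTA_TIMEOUT_GRE_MAX
+};
+#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
+
+#define CTNL_TIMEOUT_NAME_MAX	32
+
+#endif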
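Review bot: This header is exported to userspace (it is added to header-y in the Kbuild hunk), yet none of the per-protocol timeout enums say what type, byte order or unit the attribute payloads carry, so the ABI is only discoverable by reading the kernel side. The ICMP handler in this same commit reads `CTA_TIMEOUT_ICMP_TIMEOUT` with `nla_get_be32()` and multiplies by HZ, which makes the payload a 32-bit big-endian value in seconds; the other protocols' handlers are not in this commit, so whether they follow the same encoding is presumably intended but not shown here. I would add, above `enum ctattr_timeout_generic`, `/* Per-state timeout attributes nested in CTA_TIMEOUT_DATA are NLA_U32, network byte order, in seconds. */` and, next to `CTNL_TIMEOUT_NAME_MAX`, a comment stating whether the 32 bytes include the NUL terminator, since userspace has to size `CTA_TIMEOUT_NAME` against it.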
+11 −0
@@ -83,6 +83,17 @@ struct nf_conntrack_l4proto {

	size_t nla_size;

#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
	struct {
		size_t obj_size;
		int (*nlattr_to_obj)(struct nlattr *tb[], void *data);
		int (*obj_to_nlattr)(struct sk_buff *skb, const void *data);

		unsigned int nlattr_max;
		const struct nla_policy *nla_policy;
	} ctnl_timeout;
#endif

#ifdef CONFIG_SYSCTL
	struct ctl_table_header	**ctl_table_header;
	struct ctl_table	*ctl_table;
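Review bot: The new `ctnl_timeout` member block adds four callbacks/fields to `struct nf_conntrack_l4proto` with no comment on their contract, and this is the interface every L4 tracker will have to implement. From the ICMP implementation in this commit, `obj_size` is `sizeof(unsigned int)` and `nlattr_to_obj()` writes through `data` as `unsigned int *`, so presumably the core allocates `obj_size` bytes and hands that buffer to both callbacks as `data`, and `nlattr_max`/`nla_policy` drive the nested parse of `CTA_TIMEOUT_DATA` — the core file is not in this commit, so that part should be confirmed. I would document it inline, e.g. `/* size of the per-protocol timeout object the core allocates and passes as @data */` on `obj_size`, `/* parse nested CTA_TIMEOUT_DATA attributes (up to nlattr_max, checked against nla_policy) into @data; 0 or -errno */` on `nlattr_to_obj`, and `/* emit @data as nested attributes; -ENOSPC if skb is full */` on `obj_to_nlattr`. `struct nf_conntrack_l4proto` begins before and ends after this hunk.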
+47 −0
@@ -269,6 +269,44 @@ static int icmp_nlattr_tuple_size(void)
}
#endif

#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)

#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>

static int icmp_timeout_nlattr_to_obj(struct nlattr *tb[], void *data)
{
	unsigned int *timeout = data;

	if (tb[CTA_TIMEOUT_ICMP_TIMEOUT]) {
		*timeout =
			ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT])) * HZ;
	} else {
		/* Set default ICMP timeout. */
		*timeout = nf_ct_icmp_timeout;
	}
	return 0;
}

static int
icmp_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
{
	const unsigned int *timeout = data;

	NLA_PUT_BE32(skb, CTA_TIMEOUT_ICMP_TIMEOUT, htonl(*timeout / HZ));

	return 0;

nla_put_failure:
	return -ENOSPC;
}

static const struct nla_policy
icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
	[CTA_TIMEOUT_ICMP_TIMEOUT]	= { .type = NLA_U32 },
};
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

#ifdef CONFIG_SYSCTL
static struct ctl_table_header *icmp_sysctl_header;
static struct ctl_table icmp_sysctl_table[] = {
@@ -315,6 +353,15 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
	.nlattr_to_tuple	= icmp_nlattr_to_tuple,
	.nla_policy		= icmp_nla_policy,
#endif
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
	.ctnl_timeout		= {
		.nlattr_to_obj	= icmp_timeout_nlattr_to_obj,
		.obj_to_nlattr	= icmp_timeout_obj_to_nlattr,
		.nlattr_max	= CTA_TIMEOUT_ICMP_MAX,
		.obj_size	= sizeof(unsigned int),
		.nla_policy	= icmp_timeout_nla_policy,
	},
#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
#ifdef CONFIG_SYSCTL
	.ctl_table_header	= &icmp_sysctl_header,
	.ctl_table		= icmp_sysctl_table,
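Review bot: In `icmp_timeout_nlattr_to_obj()` (first hunk) the userspace-supplied 32-bit seconds value is converted with `ntohl(nla_get_be32(...)) * HZ` and stored in an `unsigned int`, so any value above `UINT_MAX / HZ` (about 49.7 days at HZ=1000) wraps silently and the flow is given a much shorter timeout than the one requested; the `NLA_U32` policy entry only bounds the attribute length, not its range. Whatever privilege the nfnetlink path requires, a misconfiguration that silently produces a near-zero timeout is worth rejecting: `u32 secs = ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMP_TIMEOUT]));` then `if (secs > UINT_MAX / HZ) return -ERANGE;` and `*timeout = secs * HZ;`. The same pattern will presumably be copied into the other L4 trackers' handlers in follow-up patches, so fixing it here avoids propagating it. The reverse conversion in `icmp_timeout_obj_to_nlattr()` (`*timeout / HZ`) is fine, though a one-line comment that both helpers exchange seconds with userspace and jiffies internally would help the next implementer.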