[NETFILTER]: nf_conntrack: move conntrack protocol sysctls to individual modules
authorPatrick McHardy <kaber@trash.net>
Wed, 29 Nov 2006 01:35:18 +0000 (02:35 +0100)
committerDavid S. Miller <davem@sunset.davemloft.net>
Sun, 3 Dec 2006 05:31:18 +0000 (21:31 -0800)
Signed-off-by: Patrick McHardy <kaber@trash.net>
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_proto.c
net/netfilter/nf_conntrack_proto_generic.c
net/netfilter/nf_conntrack_proto_sctp.c
net/netfilter/nf_conntrack_proto_tcp.c
net/netfilter/nf_conntrack_proto_udp.c
net/netfilter/nf_conntrack_standalone.c

index d1907082d7d645f24284d20c23a1bca9bed15717..786c4ce96cdfc306e21d7e3d65e1aef2edef27c8 100644 (file)
@@ -266,44 +266,6 @@ static struct nf_hook_ops ipv4_conntrack_ops[] = {
        },
 };
 
-#ifdef CONFIG_SYSCTL
-/* From nf_conntrack_proto_icmp.c */
-extern unsigned int nf_ct_icmp_timeout;
-static struct ctl_table_header *nf_ct_ipv4_sysctl_header;
-
-static ctl_table nf_ct_sysctl_table[] = {
-       {
-               .ctl_name       = NET_NF_CONNTRACK_ICMP_TIMEOUT,
-               .procname       = "nf_conntrack_icmp_timeout",
-               .data           = &nf_ct_icmp_timeout,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-        { .ctl_name = 0 }
-};
-
-static ctl_table nf_ct_netfilter_table[] = {
-       {
-               .ctl_name       = NET_NETFILTER,
-               .procname       = "netfilter",
-               .mode           = 0555,
-               .child          = nf_ct_sysctl_table,
-       },
-       { .ctl_name = 0 }
-};
-
-static ctl_table nf_ct_net_table[] = {
-       {
-               .ctl_name       = CTL_NET,
-               .procname       = "net",
-               .mode           = 0555,
-               .child          = nf_ct_netfilter_table,
-       },
-       { .ctl_name = 0 }
-};
-#endif
-
 /* Fast function for those who don't want to parse /proc (and I don't
    blame them). */
 /* Reversing the socket's dst/src point of view gives us the reply
@@ -472,20 +434,8 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
                printk("nf_conntrack_ipv4: can't register hooks.\n");
                goto cleanup_ipv4;
        }
-#ifdef CONFIG_SYSCTL
-       nf_ct_ipv4_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
-       if (nf_ct_ipv4_sysctl_header == NULL) {
-               printk("nf_conntrack: can't register to sysctl.\n");
-               ret = -ENOMEM;
-               goto cleanup_hooks;
-       }
-#endif
        return ret;
 
-#ifdef CONFIG_SYSCTL
- cleanup_hooks:
-       nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
-#endif
  cleanup_ipv4:
        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
  cleanup_icmp:
@@ -502,9 +452,6 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
 static void __exit nf_conntrack_l3proto_ipv4_fini(void)
 {
        synchronize_net();
-#ifdef CONFIG_SYSCTL
-       unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
-#endif
        nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);
index 95fc22b496947ba1cd15d01c3cb72fa37c7da376..c59f28193a3972daf12246b361eddf5fdb2f5975 100644 (file)
@@ -25,7 +25,7 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
 
-unsigned long nf_ct_icmp_timeout __read_mostly = 30*HZ;
+static unsigned long nf_ct_icmp_timeout __read_mostly = 30*HZ;
 
 #if 0
 #define DEBUGP printk
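Review bot: The timeout variable made static on the `+` line keeps its `unsigned long` type, but the sysctl entry added in the next hunk (`.data = &nf_ct_icmp_timeout`, `.maxlen = sizeof(unsigned int)`, `.proc_handler = &proc_dointvec_jiffies`) treats it as an int-sized object, so the handler only ever touches four bytes of an eight-byte variable on 64-bit builds, and on a big-endian 64-bit target those are the wrong four. The one-line fix is `static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;`, which also matches the `unsigned int` extern that nf_conntrack_l3proto_ipv4.c declared for it before this commit. nf_conntrack_proto_icmpv6.c has the same mismatch between `static unsigned long nf_ct_icmpv6_timeout` and its `sizeof(unsigned int)` table entry and should get the same change.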
@@ -321,6 +321,23 @@ static int icmp_nfattr_to_tuple(struct nfattr *tb[],
 }
 #endif
 
+#ifdef CONFIG_SYSCTL
+static struct ctl_table_header *icmp_sysctl_header;
+static struct ctl_table icmp_sysctl_table[] = {
+       {
+               .ctl_name       = NET_NF_CONNTRACK_ICMP_TIMEOUT,
+               .procname       = "nf_conntrack_icmp_timeout",
+               .data           = &nf_ct_icmp_timeout,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+        {
+               .ctl_name = 0
+       }
+};
+#endif /* CONFIG_SYSCTL */
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
 {
        .l3proto                = PF_INET,
@@ -340,6 +357,10 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
        .tuple_to_nfattr        = icmp_tuple_to_nfattr,
        .nfattr_to_tuple        = icmp_nfattr_to_tuple,
 #endif
+#ifdef CONFIG_SYSCTL
+       .ctl_table_header       = &icmp_sysctl_header,
+       .ctl_table              = icmp_sysctl_table,
+#endif
 };
 
 EXPORT_SYMBOL(nf_conntrack_l4proto_icmp);
index 9108ecc22beafc64e61e6a42954e7984fd537640..a20615ffccffe8dae47cb88a635a5603c86c1588 100644 (file)
@@ -324,21 +324,7 @@ static struct nf_hook_ops ipv6_conntrack_ops[] = {
 };
 
 #ifdef CONFIG_SYSCTL
-
-/* From nf_conntrack_proto_icmpv6.c */
-extern unsigned int nf_ct_icmpv6_timeout;
-
-static struct ctl_table_header *nf_ct_ipv6_sysctl_header;
-
-static ctl_table nf_ct_sysctl_table[] = {
-       {
-               .ctl_name       = NET_NF_CONNTRACK_ICMPV6_TIMEOUT,
-               .procname       = "nf_conntrack_icmpv6_timeout",
-               .data           = &nf_ct_icmpv6_timeout,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
+static ctl_table nf_ct_ipv6_sysctl_table[] = {
        {
                .ctl_name       = NET_NF_CONNTRACK_FRAG6_TIMEOUT,
                .procname       = "nf_conntrack_frag6_timeout",
@@ -365,26 +351,6 @@ static ctl_table nf_ct_sysctl_table[] = {
        },
         { .ctl_name = 0 }
 };
-
-static ctl_table nf_ct_netfilter_table[] = {
-       {
-               .ctl_name       = NET_NETFILTER,
-               .procname       = "netfilter",
-               .mode           = 0555,
-               .child          = nf_ct_sysctl_table,
-       },
-       { .ctl_name = 0 }
-};
-
-static ctl_table nf_ct_net_table[] = {
-       {
-               .ctl_name       = CTL_NET,
-               .procname       = "net",
-               .mode           = 0555,
-               .child          = nf_ct_netfilter_table,
-       },
-       { .ctl_name = 0 }
-};
 #endif
 
 #if defined(CONFIG_NF_CT_NETLINK) || \
@@ -441,6 +407,10 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 = {
     defined(CONFIG_NF_CT_NETLINK_MODULE)
        .tuple_to_nfattr        = ipv6_tuple_to_nfattr,
        .nfattr_to_tuple        = ipv6_nfattr_to_tuple,
+#endif
+#ifdef CONFIG_SYSCTL
+       .ctl_table_path         = nf_net_netfilter_sysctl_path,
+       .ctl_table              = nf_ct_ipv6_sysctl_table,
 #endif
        .get_features           = ipv6_get_features,
        .me                     = THIS_MODULE,
@@ -492,20 +462,8 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
                       "hook.\n");
                goto cleanup_ipv6;
        }
-#ifdef CONFIG_SYSCTL
-       nf_ct_ipv6_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
-       if (nf_ct_ipv6_sysctl_header == NULL) {
-               printk("nf_conntrack: can't register to sysctl.\n");
-               ret = -ENOMEM;
-               goto cleanup_hooks;
-       }
-#endif
        return ret;
 
-#ifdef CONFIG_SYSCTL
- cleanup_hooks:
-       nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
-#endif
  cleanup_ipv6:
        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
  cleanup_icmpv6:
@@ -522,9 +480,6 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
 static void __exit nf_conntrack_l3proto_ipv6_fini(void)
 {
        synchronize_net();
-#ifdef CONFIG_SYSCTL
-       unregister_sysctl_table(nf_ct_ipv6_sysctl_header);
-#endif
        nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);
index b3b468c0ef7aa827cb43a99bacd1ac60db08cadf..1e8e700f6135adae324aee594a291cacd10de49f 100644 (file)
@@ -33,7 +33,7 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 
-unsigned long nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
+static unsigned long nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
 
 #if 0
 #define DEBUGP printk
@@ -298,6 +298,23 @@ static int icmpv6_nfattr_to_tuple(struct nfattr *tb[],
 }
 #endif
 
+#ifdef CONFIG_SYSCTL
+static struct ctl_table_header *icmpv6_sysctl_header;
+static struct ctl_table icmpv6_sysctl_table[] = {
+       {
+               .ctl_name       = NET_NF_CONNTRACK_ICMPV6_TIMEOUT,
+               .procname       = "nf_conntrack_icmpv6_timeout",
+               .data           = &nf_ct_icmpv6_timeout,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = 0
+       }
+};
+#endif /* CONFIG_SYSCTL */
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
 {
        .l3proto                = PF_INET6,
@@ -315,6 +332,10 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
        .tuple_to_nfattr        = icmpv6_tuple_to_nfattr,
        .nfattr_to_tuple        = icmpv6_nfattr_to_tuple,
 #endif
+#ifdef CONFIG_SYSCTL
+       .ctl_table_header       = &icmpv6_sysctl_header,
+       .ctl_table              = icmpv6_sysctl_table,
+#endif
 };
 
 EXPORT_SYMBOL(nf_conntrack_l4proto_icmpv6);
index 3e7c0a90003a4bb942583a7b3ac67d873ba86781..4b972791149decabed7616b3a04d5e88b0a018fe 100644 (file)
@@ -1070,6 +1070,8 @@ void nf_conntrack_cleanup(void)
        free_conntrack_hash(nf_conntrack_hash, nf_conntrack_vmalloc,
                            nf_conntrack_htable_size);
 
+       nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_generic);
+
        /* free l3proto protocol tables */
        for (i = 0; i < PF_MAX; i++)
                if (nf_ct_protos[i]) {
@@ -1195,6 +1197,10 @@ int __init nf_conntrack_init(void)
                goto err_free_conntrack_slab;
        }
 
+       ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_generic);
+       if (ret < 0)
+               goto out_free_expect_slab;
+
        /* Don't NEED lock here, but good form anyway. */
        write_lock_bh(&nf_conntrack_lock);
         for (i = 0; i < AF_MAX; i++)
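Review bot: The new error label is named `out_free_expect_slab` while the labels it falls through to in the next hunk are `err_free_conntrack_slab` and `err_free_hash`, so the added path breaks the function's `err_` naming; renaming it to `err_free_expect_slab:` and changing the added jump to `goto err_free_expect_slab;` keeps the cleanup chain uniform. The unwinding itself looks right: the generic protocol is registered after the expect cache exists, and the new label destroys that cache before falling into the existing slab and hash teardown. nf_conntrack_init starts and ends outside the hunk, so I could not confirm that no later step in it can fail in a way that would also require `nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_generic)` on the error path.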
@@ -1212,6 +1218,8 @@ int __init nf_conntrack_init(void)
 
        return ret;
 
+out_free_expect_slab:
+       kmem_cache_destroy(nf_conntrack_expect_cachep);
 err_free_conntrack_slab:
        nf_conntrack_unregister_cache(NF_CT_F_BASIC);
 err_free_hash:
index 941b5c3754af10e06907ef71fae3636c4a30239f..891c9c56c3198d20e247a8a0252c9edd5d13ac2f 100644 (file)
@@ -252,7 +252,7 @@ static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)
                                            l4proto->ctl_table_users);
        }
        mutex_unlock(&nf_ct_proto_sysctl_mutex);
-#endif
+#endif /* CONFIG_SYSCTL */
        return err;
 }
 
@@ -266,7 +266,7 @@ static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto
                                        l4proto->ctl_table,
                                        l4proto->ctl_table_users);
        mutex_unlock(&nf_ct_proto_sysctl_mutex);
-#endif
+#endif /* CONFIG_SYSCTL */
 }
 
 /* FIXME: Allow NULL functions and sub in pointers to generic for
@@ -280,6 +280,9 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
                goto out;
        }
 
+       if (l4proto == &nf_conntrack_l4proto_generic)
+               return nf_ct_l4proto_register_sysctl(l4proto);
+
 retry:
        write_lock_bh(&nf_conntrack_lock);
        if (nf_ct_protos[l4proto->l3proto]) {
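Review bot: The generic-protocol special case on the added lines carries no comment explaining why it skips the `nf_ct_protos[]` bookkeeping that follows, and it returns directly while the matching special case in `nf_conntrack_l4proto_unregister` (next hunk) uses `goto out`. A short comment would spare the next reader a trip through the core, e.g. `/* The generic protocol is never stored in nf_ct_protos[]; it only needs its sysctl table (un)registered. */` — assuming that is the reason, which this hunk does not show. Assigning the result to the function's return variable and using `goto out;` instead of the bare `return` would keep the two functions' exit paths parallel, provided `out:` here only returns that variable; `nf_conntrack_l4proto_register` begins before the hunk and continues past it.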
@@ -346,6 +349,11 @@ int nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
                goto out;
        }
 
+       if (l4proto == &nf_conntrack_l4proto_generic) {
+               nf_ct_l4proto_unregister_sysctl(l4proto);
+               goto out;
+       }
+
        write_lock_bh(&nf_conntrack_lock);
        if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto]
            != l4proto) {
index f44811e0b47519ed791911645e470745774c5569..15306b952510bcfb9bb0a1bb5ebc2a05a3c480ff 100644 (file)
@@ -17,7 +17,7 @@
 #include <linux/netfilter.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
 
-unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
 
 static int generic_pkt_to_tuple(const struct sk_buff *skb,
                                unsigned int dataoff,
@@ -71,6 +71,23 @@ static int new(struct nf_conn *conntrack, const struct sk_buff *skb,
        return 1;
 }
 
+#ifdef CONFIG_SYSCTL
+static struct ctl_table_header *generic_sysctl_header;
+static struct ctl_table generic_sysctl_table[] = {
+       {
+               .ctl_name       = NET_NF_CONNTRACK_GENERIC_TIMEOUT,
+               .procname       = "nf_conntrack_generic_timeout",
+               .data           = &nf_ct_generic_timeout,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = 0
+       }
+};
+#endif /* CONFIG_SYSCTL */
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
 {
        .l3proto                = PF_UNSPEC,
@@ -82,4 +99,8 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
        .print_conntrack        = generic_print_conntrack,
        .packet                 = packet,
        .new                    = new,
+#ifdef CONFIG_SYSCTL
+       .ctl_table_header       = &generic_sysctl_header,
+       .ctl_table              = generic_sysctl_table,
+#endif
 };
index 5115619138e4d775b9a5dab88f93d872769c7c84..cc693308878f09c09d2ccb14f1b88eac5fbbe04c 100644 (file)
@@ -509,36 +509,10 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
        return 1;
 }
 
-struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
-       .l3proto         = PF_INET,
-       .l4proto         = IPPROTO_SCTP,
-       .name            = "sctp",
-       .pkt_to_tuple    = sctp_pkt_to_tuple, 
-       .invert_tuple    = sctp_invert_tuple, 
-       .print_tuple     = sctp_print_tuple, 
-       .print_conntrack = sctp_print_conntrack,
-       .packet          = sctp_packet, 
-       .new             = sctp_new, 
-       .destroy         = NULL, 
-       .me              = THIS_MODULE 
-};
-
-struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
-       .l3proto         = PF_INET6,
-       .l4proto         = IPPROTO_SCTP,
-       .name            = "sctp",
-       .pkt_to_tuple    = sctp_pkt_to_tuple, 
-       .invert_tuple    = sctp_invert_tuple, 
-       .print_tuple     = sctp_print_tuple, 
-       .print_conntrack = sctp_print_conntrack,
-       .packet          = sctp_packet, 
-       .new             = sctp_new, 
-       .destroy         = NULL, 
-       .me              = THIS_MODULE 
-};
-
 #ifdef CONFIG_SYSCTL
-static ctl_table nf_ct_sysctl_table[] = {
+static unsigned int sctp_sysctl_table_users;
+static struct ctl_table_header *sctp_sysctl_header;
+static struct ctl_table sctp_sysctl_table[] = {
        {
                .ctl_name       = NET_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED,
                .procname       = "nf_conntrack_sctp_timeout_closed",
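Review bot: `sctp_sysctl_table_users` and `sctp_sysctl_header` are introduced without a comment, yet both the v4 and the v6 instance in this hunk point at the same pair, so they presumably act as a shared use count and registration handle that determines when the single table is registered and torn down by `nf_ct_l4proto_register_sysctl`/`nf_ct_l4proto_unregister_sysctl`. A one-line comment above them would make that contract explicit: `/* Shared by the IPv4 and IPv6 instances: the table is registered once and removed with the last user. */`. The same applies to `tcp_sysctl_table_users`/`tcp_sysctl_header` in nf_conntrack_proto_tcp.c and `udp_sysctl_table_users`/`udp_sysctl_header` in nf_conntrack_proto_udp.c.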
@@ -595,31 +569,47 @@ static ctl_table nf_ct_sysctl_table[] = {
                .mode           = 0644,
                .proc_handler   = &proc_dointvec_jiffies,
        },
-       { .ctl_name = 0 }
-};
-
-static ctl_table nf_ct_netfilter_table[] = {
        {
-               .ctl_name       = NET_NETFILTER,
-               .procname       = "netfilter",
-               .mode           = 0555,
-               .child          = nf_ct_sysctl_table,
-       },
-       { .ctl_name = 0 }
+               .ctl_name = 0
+       }
 };
+#endif
 
-static ctl_table nf_ct_net_table[] = {
-       {
-               .ctl_name       = CTL_NET,
-               .procname       = "net",
-               .mode           = 0555, 
-               .child          = nf_ct_netfilter_table,
-       },
-       { .ctl_name = 0 }
+struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
+       .l3proto                = PF_INET,
+       .l4proto                = IPPROTO_SCTP,
+       .name                   = "sctp",
+       .pkt_to_tuple           = sctp_pkt_to_tuple,
+       .invert_tuple           = sctp_invert_tuple,
+       .print_tuple            = sctp_print_tuple,
+       .print_conntrack        = sctp_print_conntrack,
+       .packet                 = sctp_packet,
+       .new                    = sctp_new,
+       .me                     = THIS_MODULE,
+#ifdef CONFIG_SYSCTL
+       .ctl_table_users        = &sctp_sysctl_table_users,
+       .ctl_table_header       = &sctp_sysctl_header,
+       .ctl_table              = sctp_sysctl_table,
+#endif
 };
 
-static struct ctl_table_header *nf_ct_sysctl_header;
+struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
+       .l3proto                = PF_INET6,
+       .l4proto                = IPPROTO_SCTP,
+       .name                   = "sctp",
+       .pkt_to_tuple           = sctp_pkt_to_tuple,
+       .invert_tuple           = sctp_invert_tuple,
+       .print_tuple            = sctp_print_tuple,
+       .print_conntrack        = sctp_print_conntrack,
+       .packet                 = sctp_packet,
+       .new                    = sctp_new,
+       .me                     = THIS_MODULE,
+#ifdef CONFIG_SYSCTL
+       .ctl_table_users        = &sctp_sysctl_table_users,
+       .ctl_table_header       = &sctp_sysctl_header,
+       .ctl_table              = sctp_sysctl_table,
 #endif
+};
 
 int __init nf_conntrack_proto_sctp_init(void)
 {
@@ -636,20 +626,8 @@ int __init nf_conntrack_proto_sctp_init(void)
                goto cleanup_sctp4;
        }
 
-#ifdef CONFIG_SYSCTL
-       nf_ct_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
-       if (nf_ct_sysctl_header == NULL) {
-               printk("nf_conntrack_proto_sctp: can't register to sysctl.\n");
-               goto cleanup;
-       }
-#endif
-
        return ret;
 
-#ifdef CONFIG_SYSCTL
- cleanup:
-       nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
-#endif
  cleanup_sctp4:
        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
  out:
@@ -662,9 +640,6 @@ void __exit nf_conntrack_proto_sctp_fini(void)
 {
        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
        nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
-#ifdef CONFIG_SYSCTL
-       unregister_sysctl_table(nf_ct_sysctl_header);
-#endif
        DEBUGP("SCTP conntrack module unloaded\n");
 }
 
index 32b88b7efc465d5dbd186731dfbf8e8ad52c73cf..6f6f9a061e76e99ee294671dd65f8cab4645a799 100644 (file)
@@ -93,22 +93,22 @@ static const char *tcp_conntrack_names[] = {
 #define HOURS * 60 MINS
 #define DAYS * 24 HOURS
 
-unsigned int nf_ct_tcp_timeout_syn_sent __read_mostly =      2 MINS;
-unsigned int nf_ct_tcp_timeout_syn_recv __read_mostly =     60 SECS;
-unsigned int nf_ct_tcp_timeout_established __read_mostly =   5 DAYS;
-unsigned int nf_ct_tcp_timeout_fin_wait __read_mostly =      2 MINS;
-unsigned int nf_ct_tcp_timeout_close_wait __read_mostly =   60 SECS;
-unsigned int nf_ct_tcp_timeout_last_ack __read_mostly =     30 SECS;
-unsigned int nf_ct_tcp_timeout_time_wait __read_mostly =     2 MINS;
-unsigned int nf_ct_tcp_timeout_close __read_mostly =        10 SECS;
+static unsigned int nf_ct_tcp_timeout_syn_sent __read_mostly =      2 MINS;
+static unsigned int nf_ct_tcp_timeout_syn_recv __read_mostly =     60 SECS;
+static unsigned int nf_ct_tcp_timeout_established __read_mostly =   5 DAYS;
+static unsigned int nf_ct_tcp_timeout_fin_wait __read_mostly =      2 MINS;
+static unsigned int nf_ct_tcp_timeout_close_wait __read_mostly =   60 SECS;
+static unsigned int nf_ct_tcp_timeout_last_ack __read_mostly =     30 SECS;
+static unsigned int nf_ct_tcp_timeout_time_wait __read_mostly =     2 MINS;
+static unsigned int nf_ct_tcp_timeout_close __read_mostly =        10 SECS;
 
 /* RFC1122 says the R2 limit should be at least 100 seconds.
    Linux uses 15 packets as limit, which corresponds 
    to ~13-30min depending on RTO. */
-unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly =   5 MINS;
+static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly =   5 MINS;
  
-static unsigned int * tcp_timeouts[]
-= { NULL,                              /* TCP_CONNTRACK_NONE */
+static unsigned int * tcp_timeouts[] = {
+    NULL,                              /* TCP_CONNTRACK_NONE */
     &nf_ct_tcp_timeout_syn_sent,       /* TCP_CONNTRACK_SYN_SENT, */
     &nf_ct_tcp_timeout_syn_recv,       /* TCP_CONNTRACK_SYN_RECV, */
     &nf_ct_tcp_timeout_established,    /* TCP_CONNTRACK_ESTABLISHED, */
@@ -1168,7 +1168,113 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct nf_conn *ct)
        return 0;
 }
 #endif
-  
+
+#ifdef CONFIG_SYSCTL
+static unsigned int tcp_sysctl_table_users;
+static struct ctl_table_header *tcp_sysctl_header;
+static struct ctl_table tcp_sysctl_table[] = {
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
+               .procname       = "nf_conntrack_tcp_timeout_syn_sent",
+               .data           = &nf_ct_tcp_timeout_syn_sent,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
+               .procname       = "nf_conntrack_tcp_timeout_syn_recv",
+               .data           = &nf_ct_tcp_timeout_syn_recv,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
+               .procname       = "nf_conntrack_tcp_timeout_established",
+               .data           = &nf_ct_tcp_timeout_established,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
+               .procname       = "nf_conntrack_tcp_timeout_fin_wait",
+               .data           = &nf_ct_tcp_timeout_fin_wait,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
+               .procname       = "nf_conntrack_tcp_timeout_close_wait",
+               .data           = &nf_ct_tcp_timeout_close_wait,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
+               .procname       = "nf_conntrack_tcp_timeout_last_ack",
+               .data           = &nf_ct_tcp_timeout_last_ack,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
+               .procname       = "nf_conntrack_tcp_timeout_time_wait",
+               .data           = &nf_ct_tcp_timeout_time_wait,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
+               .procname       = "nf_conntrack_tcp_timeout_close",
+               .data           = &nf_ct_tcp_timeout_close,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS,
+               .procname       = "nf_conntrack_tcp_timeout_max_retrans",
+               .data           = &nf_ct_tcp_timeout_max_retrans,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_LOOSE,
+               .procname       = "nf_conntrack_tcp_loose",
+               .data           = &nf_ct_tcp_loose,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_BE_LIBERAL,
+               .procname       = "nf_conntrack_tcp_be_liberal",
+               .data           = &nf_ct_tcp_be_liberal,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_TCP_MAX_RETRANS,
+               .procname       = "nf_conntrack_tcp_max_retrans",
+               .data           = &nf_ct_tcp_max_retrans,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec,
+       },
+       {
+               .ctl_name       = 0
+       }
+};
+#endif /* CONFIG_SYSCTL */
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
 {
        .l3proto                = PF_INET,
@@ -1188,6 +1294,11 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
        .tuple_to_nfattr        = nf_ct_port_tuple_to_nfattr,
        .nfattr_to_tuple        = nf_ct_port_nfattr_to_tuple,
 #endif
+#ifdef CONFIG_SYSCTL
+       .ctl_table_users        = &tcp_sysctl_table_users,
+       .ctl_table_header       = &tcp_sysctl_header,
+       .ctl_table              = tcp_sysctl_table,
+#endif
 };
 
 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
@@ -1209,6 +1320,11 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
        .tuple_to_nfattr        = nf_ct_port_tuple_to_nfattr,
        .nfattr_to_tuple        = nf_ct_port_nfattr_to_tuple,
 #endif
+#ifdef CONFIG_SYSCTL
+       .ctl_table_users        = &tcp_sysctl_table_users,
+       .ctl_table_header       = &tcp_sysctl_header,
+       .ctl_table              = tcp_sysctl_table,
+#endif
 };
 
 EXPORT_SYMBOL(nf_conntrack_l4proto_tcp4);
index 200d7d324362e0c93889fe8169ada973d0885561..d86749cb4a46f3a05f27bae4dd8c49fd28d0b80c 100644 (file)
@@ -29,8 +29,8 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 
-unsigned int nf_ct_udp_timeout __read_mostly = 30*HZ;
-unsigned int nf_ct_udp_timeout_stream __read_mostly = 180*HZ;
+static unsigned int nf_ct_udp_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_udp_timeout_stream __read_mostly = 180*HZ;
 
 static int udp_pkt_to_tuple(const struct sk_buff *skb,
                             unsigned int dataoff,
@@ -148,6 +148,32 @@ static int udp_error(struct sk_buff *skb, unsigned int dataoff,
        return NF_ACCEPT;
 }
 
+#ifdef CONFIG_SYSCTL
+static unsigned int udp_sysctl_table_users;
+static struct ctl_table_header *udp_sysctl_header;
+static struct ctl_table udp_sysctl_table[] = {
+       {
+               .ctl_name       = NET_NF_CONNTRACK_UDP_TIMEOUT,
+               .procname       = "nf_conntrack_udp_timeout",
+               .data           = &nf_ct_udp_timeout,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = NET_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
+               .procname       = "nf_conntrack_udp_timeout_stream",
+               .data           = &nf_ct_udp_timeout_stream,
+               .maxlen         = sizeof(unsigned int),
+               .mode           = 0644,
+               .proc_handler   = &proc_dointvec_jiffies,
+       },
+       {
+               .ctl_name       = 0
+       }
+};
+#endif /* CONFIG_SYSCTL */
+
 struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
 {
        .l3proto                = PF_INET,
@@ -165,6 +191,11 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
        .tuple_to_nfattr        = nf_ct_port_tuple_to_nfattr,
        .nfattr_to_tuple        = nf_ct_port_nfattr_to_tuple,
 #endif
+#ifdef CONFIG_SYSCTL
+       .ctl_table_users        = &udp_sysctl_table_users,
+       .ctl_table_header       = &udp_sysctl_header,
+       .ctl_table              = udp_sysctl_table,
+#endif
 };
 
 struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
@@ -184,6 +215,11 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
        .tuple_to_nfattr        = nf_ct_port_tuple_to_nfattr,
        .nfattr_to_tuple        = nf_ct_port_nfattr_to_tuple,
 #endif
+#ifdef CONFIG_SYSCTL
+       .ctl_table_users        = &udp_sysctl_table_users,
+       .ctl_table_header       = &udp_sysctl_header,
+       .ctl_table              = udp_sysctl_table,
+#endif
 };
 
 EXPORT_SYMBOL(nf_conntrack_l4proto_udp4);
index 2283a268694989cc19edd41ad31786e09676382d..9d8906848b98e27d42a9311859637b4bde1c3c90 100644 (file)
@@ -330,28 +330,6 @@ static struct file_operations ct_cpu_seq_fops = {
 int nf_conntrack_checksum __read_mostly = 1;
 
 #ifdef CONFIG_SYSCTL
-
-/* From nf_conntrack_proto_tcp.c */
-extern unsigned int nf_ct_tcp_timeout_syn_sent;
-extern unsigned int nf_ct_tcp_timeout_syn_recv;
-extern unsigned int nf_ct_tcp_timeout_established;
-extern unsigned int nf_ct_tcp_timeout_fin_wait;
-extern unsigned int nf_ct_tcp_timeout_close_wait;
-extern unsigned int nf_ct_tcp_timeout_last_ack;
-extern unsigned int nf_ct_tcp_timeout_time_wait;
-extern unsigned int nf_ct_tcp_timeout_close;
-extern unsigned int nf_ct_tcp_timeout_max_retrans;
-extern int nf_ct_tcp_loose;
-extern int nf_ct_tcp_be_liberal;
-extern int nf_ct_tcp_max_retrans;
-
-/* From nf_conntrack_proto_udp.c */
-extern unsigned int nf_ct_udp_timeout;
-extern unsigned int nf_ct_udp_timeout_stream;
-
-/* From nf_conntrack_proto_generic.c */
-extern unsigned int nf_ct_generic_timeout;
-
 /* Log invalid packets of a given protocol */
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
@@ -391,94 +369,6 @@ static ctl_table nf_ct_sysctl_table[] = {
                .mode           = 0644,
                .proc_handler   = &proc_dointvec,
        },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
-               .procname       = "nf_conntrack_tcp_timeout_syn_sent",
-               .data           = &nf_ct_tcp_timeout_syn_sent,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
-               .procname       = "nf_conntrack_tcp_timeout_syn_recv",
-               .data           = &nf_ct_tcp_timeout_syn_recv,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
-               .procname       = "nf_conntrack_tcp_timeout_established",
-               .data           = &nf_ct_tcp_timeout_established,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
-               .procname       = "nf_conntrack_tcp_timeout_fin_wait",
-               .data           = &nf_ct_tcp_timeout_fin_wait,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
-               .procname       = "nf_conntrack_tcp_timeout_close_wait",
-               .data           = &nf_ct_tcp_timeout_close_wait,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
-               .procname       = "nf_conntrack_tcp_timeout_last_ack",
-               .data           = &nf_ct_tcp_timeout_last_ack,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
-               .procname       = "nf_conntrack_tcp_timeout_time_wait",
-               .data           = &nf_ct_tcp_timeout_time_wait,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
-               .procname       = "nf_conntrack_tcp_timeout_close",
-               .data           = &nf_ct_tcp_timeout_close,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_UDP_TIMEOUT,
-               .procname       = "nf_conntrack_udp_timeout",
-               .data           = &nf_ct_udp_timeout,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
-               .procname       = "nf_conntrack_udp_timeout_stream",
-               .data           = &nf_ct_udp_timeout_stream,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_GENERIC_TIMEOUT,
-               .procname       = "nf_conntrack_generic_timeout",
-               .data           = &nf_ct_generic_timeout,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
        {
                .ctl_name       = NET_NF_CONNTRACK_LOG_INVALID,
                .procname       = "nf_conntrack_log_invalid",
@@ -490,38 +380,6 @@ static ctl_table nf_ct_sysctl_table[] = {
                .extra1         = &log_invalid_proto_min,
                .extra2         = &log_invalid_proto_max,
        },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS,
-               .procname       = "nf_conntrack_tcp_timeout_max_retrans",
-               .data           = &nf_ct_tcp_timeout_max_retrans,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec_jiffies,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_LOOSE,
-               .procname       = "nf_conntrack_tcp_loose",
-               .data           = &nf_ct_tcp_loose,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_BE_LIBERAL,
-               .procname       = "nf_conntrack_tcp_be_liberal",
-               .data           = &nf_ct_tcp_be_liberal,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec,
-       },
-       {
-               .ctl_name       = NET_NF_CONNTRACK_TCP_MAX_RETRANS,
-               .procname       = "nf_conntrack_tcp_max_retrans",
-               .data           = &nf_ct_tcp_max_retrans,
-               .maxlen         = sizeof(unsigned int),
-               .mode           = 0644,
-               .proc_handler   = &proc_dointvec,
-       },
 
        { .ctl_name = 0 }
 };