Commit 2843fb69 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: conntrack: add nf_ct_iterate_destroy

sledgehammer to be used on module unload (to remove affected conntracks
from all namespaces).

It will also flag all unconfirmed conntracks as dying, i.e. they will
not be committed to main table.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent b0feacaa
...@@ -229,6 +229,10 @@ void nf_ct_iterate_cleanup_net(struct net *net, ...@@ -229,6 +229,10 @@ void nf_ct_iterate_cleanup_net(struct net *net,
int (*iter)(struct nf_conn *i, void *data), int (*iter)(struct nf_conn *i, void *data),
void *data, u32 portid, int report); void *data, u32 portid, int report);
/* also set unconfirmed conntracks as dying. Only use in module exit path. */
void nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data),
void *data);
struct nf_conntrack_zone; struct nf_conntrack_zone;
void nf_conntrack_free(struct nf_conn *ct); void nf_conntrack_free(struct nf_conn *ct);
......
...@@ -1586,7 +1586,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb) ...@@ -1586,7 +1586,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb)
/* Bring out ya dead! */ /* Bring out ya dead! */
static struct nf_conn * static struct nf_conn *
get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data), get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
void *data, unsigned int *bucket) void *data, unsigned int *bucket)
{ {
struct nf_conntrack_tuple_hash *h; struct nf_conntrack_tuple_hash *h;
...@@ -1603,8 +1603,7 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data), ...@@ -1603,8 +1603,7 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data),
if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
continue; continue;
ct = nf_ct_tuplehash_to_ctrack(h); ct = nf_ct_tuplehash_to_ctrack(h);
if (net_eq(nf_ct_net(ct), net) && if (iter(ct, data))
iter(ct, data))
goto found; goto found;
} }
} }
...@@ -1621,6 +1620,39 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data), ...@@ -1621,6 +1620,39 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data),
return ct; return ct;
} }
static void nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data),
void *data, u32 portid, int report)
{
struct nf_conn *ct;
unsigned int bucket = 0;
might_sleep();
while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) {
/* Time to push up daises... */
nf_ct_delete(ct, portid, report);
nf_ct_put(ct);
cond_resched();
}
}
struct iter_data {
int (*iter)(struct nf_conn *i, void *data);
void *data;
struct net *net;
};
static int iter_net_only(struct nf_conn *i, void *data)
{
struct iter_data *d = data;
if (!net_eq(d->net, nf_ct_net(i)))
return 0;
return d->iter(i, d->data);
}
static void static void
__nf_ct_unconfirmed_destroy(struct net *net) __nf_ct_unconfirmed_destroy(struct net *net)
{ {
...@@ -1653,8 +1685,7 @@ void nf_ct_iterate_cleanup_net(struct net *net, ...@@ -1653,8 +1685,7 @@ void nf_ct_iterate_cleanup_net(struct net *net,
int (*iter)(struct nf_conn *i, void *data), int (*iter)(struct nf_conn *i, void *data),
void *data, u32 portid, int report) void *data, u32 portid, int report)
{ {
struct nf_conn *ct; struct iter_data d;
unsigned int bucket = 0;
might_sleep(); might_sleep();
...@@ -1663,21 +1694,51 @@ void nf_ct_iterate_cleanup_net(struct net *net, ...@@ -1663,21 +1694,51 @@ void nf_ct_iterate_cleanup_net(struct net *net,
__nf_ct_unconfirmed_destroy(net); __nf_ct_unconfirmed_destroy(net);
d.iter = iter;
d.data = data;
d.net = net;
synchronize_net(); synchronize_net();
while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) { nf_ct_iterate_cleanup(iter_net_only, &d, portid, report);
/* Time to push up daises... */ }
EXPORT_SYMBOL_GPL(nf_ct_iterate_cleanup_net);
nf_ct_delete(ct, portid, report); /**
nf_ct_put(ct); * nf_ct_iterate_destroy - destroy unconfirmed conntracks and iterate table
cond_resched(); * @iter: callback to invoke for each conntrack
* @data: data to pass to @iter
*
* Like nf_ct_iterate_cleanup, but first marks conntracks on the
* unconfirmed list as dying (so they will not be inserted into
* main table).
*/
void
nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data), void *data)
{
struct net *net;
rtnl_lock();
for_each_net(net) {
if (atomic_read(&net->ct.count) == 0)
continue;
__nf_ct_unconfirmed_destroy(net);
} }
rtnl_unlock();
/* a conntrack could have been unlinked from unconfirmed list
* before we grabbed pcpu lock in __nf_ct_unconfirmed_destroy().
* This makes sure its inserted into conntrack table.
*/
synchronize_net();
nf_ct_iterate_cleanup(iter, data, 0, 0);
} }
EXPORT_SYMBOL_GPL(nf_ct_iterate_cleanup_net); EXPORT_SYMBOL_GPL(nf_ct_iterate_destroy);
static int kill_all(struct nf_conn *i, void *data) static int kill_all(struct nf_conn *i, void *data)
{ {
return 1; return net_eq(nf_ct_net(i), data);
} }
void nf_ct_free_hashtable(void *hash, unsigned int size) void nf_ct_free_hashtable(void *hash, unsigned int size)
...@@ -1742,7 +1803,7 @@ void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list) ...@@ -1742,7 +1803,7 @@ void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
i_see_dead_people: i_see_dead_people:
busy = 0; busy = 0;
list_for_each_entry(net, net_exit_list, exit_list) { list_for_each_entry(net, net_exit_list, exit_list) {
nf_ct_iterate_cleanup_net(net, kill_all, NULL, 0, 0); nf_ct_iterate_cleanup(kill_all, net, 0, 0);
if (atomic_read(&net->ct.count) != 0) if (atomic_read(&net->ct.count) != 0)
busy = 1; busy = 1;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment