  3. 04 Dec, 2016 9 commits
    •
      netfilter: conntrack: add nf_conntrack_default_on sysctl · 481fa373
      Florian Westphal authored
      This switch (default on) can be used to disable automatic registration
      of connection tracking functionality in newly created network
      namespaces.
      
      This means that when net namespace goes down (or the tracker protocol
      module is unloaded) we *might* have to unregister the hooks.
      
      We can either add another per-netns variable that tells if
      the hooks got registered by default, or, alternatively, just call
      the protocol _put() function and have the callee deal with a possible
      'extra' put() operation that doesn't pair with a get() one.
      
      This uses the latter approach, i.e. a put() without a get has no effect.
      
      Conntrack is still enabled automatically regardless of the new sysctl
      setting if the new net namespace requires connection tracking, e.g. when
      NAT rules are created.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: conntrack: register hooks in netns when needed by ruleset · 0c66dc1e
      Florian Westphal authored
      This makes use of nf_ct_netns_get/put added in previous patch.
      We add get/put functions to nf_conntrack_l3proto structure, ipv4 and ipv6
      then implement use-count to track how many users (nft or xtables modules)
      have a dependency on ipv4 and/or ipv6 connection tracking functionality.
      
      When count reaches zero, the hooks are unregistered.
      
      This delays activation of connection tracking inside a namespace until
      stateful firewall rule or nat rule gets added.
      
      This patch breaks backwards compatibility in the sense that connection
      tracking won't be active anymore when the protocol tracker module is
      loaded.  This breaks e.g. setups that use ctnetlink for flow accounting and
      the like, without any '-m conntrack' packet filter rules.
      
      Followup patch restores old behaviour and makes new delayed scheme
      optional via sysctl.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions · 20afd423
      Florian Westphal authored
      so that conntrack core will add the needed hooks in this namespace.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: nat: add dependencies on conntrack module · a357b3f8
      Florian Westphal authored
      MASQUERADE, S/DNAT and REDIRECT already call functions that depend on the
      conntrack module.
      
      However, since the conntrack hooks are now registered in a lazy fashion
      (i.e., only when needed) a symbol reference is not enough.
      
      Thus, when something is added to a nat table, make sure that it will see
      packets by calling nf_ct_netns_get() which will register the conntrack
      hooks in the current netns.
      
      An alternative would be to add these dependencies to the NAT table.
      
      However, that has problems when using non-modular builds -- we might
      register e.g. ipv6 conntrack before its initcall has run, leading to NULL
      deref crashes since its per-netns storage has not yet been allocated.
      
      Adding the dependency in the modules instead has the advantage that nat
      table also does not register its hooks until rules are added.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: add and use nf_ct_netns_get/put · ecb2421b
      Florian Westphal authored
      currently aliased to try_module_get/_put.
      Will be changed in next patch when we add functions to make use of ->net
      argument to store usercount per l3proto tracker.
      
      This is needed to avoid registering the conntrack hooks in all netns and
      later only enable connection tracking in those that need conntrack.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: conntrack: remove unused init_net hook · a379854d
      Florian Westphal authored
      since adf05168 ("netfilter: remove ip_conntrack* sysctl compat code")
      the only user (ipv4 tracker) sets this to an empty stub function.
      
      After this change nf_ct_l3proto_pernet_register() is also empty,
      but this will change in a followup patch to add conditional register
      of the hooks.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: conntrack: built-in support for UDPlite · 9b91c96c
      Davide Caratti authored
      CONFIG_NF_CT_PROTO_UDPLITE is no longer a tristate. When set to y,
      connection tracking support for the UDPlite protocol is built into
      nf_conntrack.ko.
      
      footprint test:
      $ ls -l net/netfilter/nf_conntrack{_proto_udplite,}.ko \
              net/ipv4/netfilter/nf_conntrack_ipv4.ko \
              net/ipv6/netfilter/nf_conntrack_ipv6.ko
      
      (builtin)|| udplite|  ipv4  |  ipv6  |nf_conntrack
      ---------++--------+--------+--------+--------------
      none     || 432538 | 828755 | 828676 | 6141434
      UDPlite  ||   -    | 829649 | 829362 | 6498204
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: conntrack: built-in support for SCTP · a85406af
      Davide Caratti authored
      CONFIG_NF_CT_PROTO_SCTP is no longer a tristate. When set to y, connection
      tracking support for the SCTP protocol is built into nf_conntrack.ko.
      
      footprint test:
      $ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \
              net/ipv4/netfilter/nf_conntrack_ipv4.ko \
              net/ipv6/netfilter/nf_conntrack_ipv6.ko
      
      (builtin)||  sctp  |  ipv4  |  ipv6  | nf_conntrack
      ---------++--------+--------+--------+--------------
      none     || 498243 | 828755 | 828676 | 6141434
      SCTP     ||   -    | 829254 | 829175 | 6547872
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: conntrack: built-in support for DCCP · c51d3901
      Davide Caratti authored
      CONFIG_NF_CT_PROTO_DCCP is no longer a tristate. When set to y, connection
      tracking support for the DCCP protocol is built into nf_conntrack.ko.
      
      footprint test:
      $ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \
              net/ipv4/netfilter/nf_conntrack_ipv4.ko \
              net/ipv6/netfilter/nf_conntrack_ipv6.ko
      
      (builtin)||  dccp  |  ipv4  |  ipv6  | nf_conntrack
      ---------++--------+--------+--------+--------------
      none     || 469140 | 828755 | 828676 | 6141434
      DCCP     ||   -    | 830566 | 829935 | 6533526
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>