git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 15 Nov 2016 20:36:43 +0000 (21:36 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 4 Dec 2016 20:17:24 +0000 (21:17 +0100)
commit	dddb9e72030eaf238d54f590242d3b8160255733
tree	11fd93933ed8b0170c80291db63e0c86220b611a	tree \| snapshot
parent	8a713b253c96b8848670c22dccd99735da7dd8df	commit \| diff

netfilter: conntrack: register hooks in netns when needed by ruleset

This makes use of nf_ct_netns_get/put added in previous patch.
We add get/put functions to nf_conntrack_l3proto structure, ipv4 and ipv6
then implement use-count to track how many users (nft or xtables modules)
have a dependency on ipv4 and/or ipv6 connection tracking functionality.

When count reaches zero, the hooks are unregistered.

This delays activation of connection tracking inside a namespace until
stateful firewall rule or nat rule gets added.

This patch breaks backwards compatibility in the sense that connection
tracking won't be active anymore when the protocol tracker module is
loaded. This breaks e.g. setups that ctnetlink for flow accounting and
the like, without any '-m conntrack' packet filter rules.

Followup patch restores old behavour and makes new delayed scheme
optional via sysctl.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_conntrack_l3proto.h		diff \| blob \| history
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c		diff \| blob \| history
net/netfilter/nf_conntrack_proto.c		diff \| blob \| history