On Tue, Sep 18, 2012 at 09:45:08PM +0800, Cong Wang wrote:
> As pointed by Michal, it is necessary to add a new
> namespace for nf_conntrack_reasm code, this prepares
> for the second patch.
>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: Michal Kubeček <mkubecek@xxxxxxx>
> Cc: David Miller <davem@xxxxxxxxxxxxx>
> Cc: Patrick McHardy <kaber@xxxxxxxxx>
> Cc: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Cc: netfilter-devel@xxxxxxxxxxxxxxx
> Signed-off-by: Cong Wang <amwang@xxxxxxxxxx>
> ---
> include/net/net_namespace.h | 3 +
> include/net/netns/ipv6.h | 8 ++
> net/ipv6/netfilter/nf_conntrack_reasm.c | 135 +++++++++++++++++++++----------
> 3 files changed, 104 insertions(+), 42 deletions(-)
>
> diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
> index 5ae57f1..d61e2b3 100644
> --- a/include/net/net_namespace.h
> +++ b/include/net/net_namespace.h
> @@ -93,6 +93,9 @@ struct net {
> #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
> struct netns_ct ct;
> #endif
> +#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
> + struct netns_nf_frag nf_frag;
> +#endif
> struct sock *nfnl;
> struct sock *nfnl_stash;
> #endif
> diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
> index 0318104..214cb0a 100644
> --- a/include/net/netns/ipv6.h
> +++ b/include/net/netns/ipv6.h
> @@ -71,4 +71,12 @@ struct netns_ipv6 {
> #endif
> #endif
> };
> +
> +#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
> +struct netns_nf_frag {
> + struct netns_sysctl_ipv6 sysctl;
> + struct netns_frags frags;
> +};
> +#endif
> +
> #endif
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
> index f94fb3a..d28c067 100644
> --- a/net/ipv6/netfilter/nf_conntrack_reasm.c
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -71,27 +71,26 @@ struct nf_ct_frag6_queue
> };
>
> static struct inet_frags nf_frags;
> -static struct netns_frags nf_init_frags;
>
> #ifdef CONFIG_SYSCTL
> static struct ctl_table nf_ct_frag6_sysctl_table[] = {
> {
> .procname = "nf_conntrack_frag6_timeout",
> - .data = &nf_init_frags.timeout,
> + .data = &init_net.nf_frag.frags.timeout,
> .maxlen = sizeof(unsigned int),
> .mode = 0644,
> .proc_handler = proc_dointvec_jiffies,
> },
> {
> .procname = "nf_conntrack_frag6_low_thresh",
> - .data = &nf_init_frags.low_thresh,
> + .data = &init_net.nf_frag.frags.low_thresh,
> .maxlen = sizeof(unsigned int),
> .mode = 0644,
> .proc_handler = proc_dointvec,
> },
> {
> .procname = "nf_conntrack_frag6_high_thresh",
> - .data = &nf_init_frags.high_thresh,
> + .data = &init_net.nf_frag.frags.high_thresh,
> .maxlen = sizeof(unsigned int),
> .mode = 0644,
> .proc_handler = proc_dointvec,
> @@ -99,7 +98,54 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
> { }
> };
>
> -static struct ctl_table_header *nf_ct_frag6_sysctl_header;
> +static int __net_init nf_ct_frag6_sysctl_register(struct net *net)
> +{
> + struct ctl_table *table;
> + struct ctl_table_header *hdr;
> +
> + table = nf_ct_frag6_sysctl_table;
> + if (!net_eq(net, &init_net)) {
> + table = kmemdup(table, sizeof(nf_ct_frag6_sysctl_table), GFP_KERNEL);
Sorry, you have to break lines at 80 chars.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
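Review bot: In the `@@ -71,27 +71,26 @@` hunk the three `.data` pointers of nf_ct_frag6_sysctl_table now point at `init_net.nf_frag.frags`, so the static table is only correct for the initial namespace. Any copy registered for another namespace has to repoint every entry, otherwise a write to nf_conntrack_frag6_timeout, _low_thresh or _high_thresh inside that namespace would change init_net's reassembly limits. The kmemdup() path in nf_ct_frag6_sysctl_register() is cut off in this quote, so whether it repoints the entries and checks the allocation for NULL cannot be confirmed from here. I would add a comment above the table, for example `/* .data points at init_net; per-netns copies must repoint entries 0..2 in this order */`, so that a later reordering of the table does not silently break the per-namespace isolation.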