From: Kirill Tkhai <ktk...@virtuozzo.com> Allow conntracks to be allocated when these rules are inserted.
https://jira.sw.ru/browse/PSBM-51050
Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>
Reviewed-by: Andrei Vagin <ava...@virtuozzo.com>
vz8 rebase notes:
=================
(cherry picked from vz7 commit 60931ce1ffcf ("net: Mark conntrack users in nftables"))
Modules which require conntrack call: nf_ct_netns_get(struct net *net, u8 nfproto) in struct xt_entry .checkentry callback.
$ grep -Inr 'nf_ct_netns_get' net/netfilter net/ipv4/netfilter net/ipv6/netfilter is useful to find all modules
Added: net/netfilter/nft_connlimit.c net/netfilter/nft_masq.c net/netfilter/nft_redir.c
VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com>
Ported vz8 commit a334320a31e2 ("net: Mark conntrack users in nftables"). Repeated the above procedure to ensure coverage. Added: net/netfilter/nft_flow_offload.c net/netfilter/nft_synproxy.c
Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>
---
net/netfilter/nft_connlimit.c | 7 ++++++-
net/netfilter/nft_ct.c | 2 ++
net/netfilter/nft_flow_offload.c | 6 +++++-
net/netfilter/nft_masq.c | 6 +++++-
net/netfilter/nft_nat.c | 6 +++++-
net/netfilter/nft_redir.c | 6 +++++-
net/netfilter/nft_synproxy.c | 1 +
7 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 7d0761fad37e..fba41b4927ca 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -62,6 +62,7 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
 {
 	bool invert = false;
 	u32 flags, limit;
+	int err;
 
 	if (!tb[NFTA_CONNLIMIT_COUNT])
 		return -EINVAL;
@@ -80,7 +81,11 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
 	priv->limit = limit;
 	priv->invert = invert;
 
-	return nf_ct_netns_get(ctx->net, ctx->family);
+	err = nf_ct_netns_get(ctx->net, ctx->family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 337e22d8b40b..7fac1b0bfcf5 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -512,6 +512,8 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
 	    priv->key == NFT_CT_AVGPKT)
 		nf_ct_set_acct(ctx->net, true);
 
+	allow_conntrack_allocation(ctx->net);
+
 	return 0;
 }
 
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 0af34ad41479..11a70415e23d 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -366,6 +366,7 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx,
 	struct nft_flow_offload *priv = nft_expr_priv(expr);
 	u8 genmask = nft_genmask_next(ctx->net);
 	struct nft_flowtable *flowtable;
+	int ret;
 
 	if (!tb[NFTA_FLOW_TABLE_NAME])
 		return -EINVAL;
@@ -378,7 +379,10 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx,
 	priv->flowtable = flowtable;
 	flowtable->use++;
 
-	return nf_ct_netns_get(ctx->net, ctx->family);
+	ret = nf_ct_netns_get(ctx->net, ctx->family);
+	if (ret == 0)
+		allow_conntrack_allocation(ctx->net);
+	return ret;
 }
 
 static void nft_flow_offload_deactivate(const struct nft_ctx *ctx,
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 9953e8053753..93c97d2e1b4d 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
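Review bot: The success-path sequence `err = nf_ct_netns_get(ctx->net, ctx->family); if (err == 0) allow_conntrack_allocation(ctx->net);` is repeated almost verbatim in the nft_masq, nft_nat, nft_redir and nft_flow_offload hunks, with the flow_offload copy naming the variable `ret` and dropping the blank line before the `return`. A small static inline wrapper, placed next to the declaration of allow_conntrack_allocation(), that takes the netns reference and enables allocation only on success would keep the five call sites identical and make the next conntrack user harder to miss. Separately, nothing in the series reverts the allow in nft_connlimit_do_destroy() or the other destroy callbacks that presumably call nf_ct_netns_put(); if allow_conntrack_allocation() sets a sticky per-netns flag, a comment at the call site such as `/* conntrack allocation stays enabled for the netns once any such rule has been loaded */` would spare the next reader the question. nft_connlimit_do_init begins outside the hunk.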
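Review bot: In nft_ct_get_init the new `allow_conntrack_allocation(ctx->net);` is unconditional, unlike the other hunks, which call it only after nf_ct_netns_get() returned 0; that is correct only if every path reaching this `return 0` has already taken the netns reference earlier in the function, which lies outside the hunk and is not shown. The diffstat also lists no change to nft_ct_set_init(), which in this file likewise calls nf_ct_netns_get() for `ct ... set` expressions; if a rule containing only a ct set expression must also enable allocation, that call site is missing from the series. nft_ct_get_init begins outside the hunk.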
@@ -70,7 +70,11 @@ static int nft_masq_init(const struct nft_ctx *ctx,
 		}
 	}
 
-	return nf_ct_netns_get(ctx->net, ctx->family);
+	err = nf_ct_netns_get(ctx->net, ctx->family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index be1595d6979d..1681f331673b 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -252,7 +252,11 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 		return -EOPNOTSUPP;
 	}
 
-	return nf_ct_netns_get(ctx->net, family);
+	err = nf_ct_netns_get(ctx->net, family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index ba09890dddb5..16bf92fcf211 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -72,7 +72,11 @@ static int nft_redir_init(const struct nft_ctx *ctx,
 		return -EINVAL;
 	}
 
-	return nf_ct_netns_get(ctx->net, ctx->family);
+	err = nf_ct_netns_get(ctx->net, ctx->family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static int nft_redir_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index a0109fa1e92d..96e2b0aaf59f 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -196,6 +196,7 @@ static int nft_synproxy_do_init(const struct nft_ctx *ctx,
 		break;
 	}
 
+	allow_conntrack_allocation(ctx->net);
 	return 0;
 
 nf_ct_failure:
-- 
2.30.2
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
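Review bot: The `err` assigned in this hunk is not declared by the patch, and the diffstat for nft_masq.c (5 insertions, 1 deletion) shows no declaration hunk, so the change relies on an `int err` that nft_masq_init already declares above the hunk; the nft_nat and nft_redir hunks are in the same situation. That is consistent with those files as far as the diffstat shows, but it is worth confirming against the enclosing functions, which all begin outside their hunks. Since the hunk sits at the tail of nft_masq_init after its error returns, a one-line comment above the `if (err == 0)`, such as `/* only enable conntrack allocation once the netns reference is held */`, would document the ordering every call site in this series depends on.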