netfilter: netns nf_conntrack: per-netns unconfirmed list
authorAlexey Dobriyan <adobriyan@gmail.com>
Wed, 8 Oct 2008 09:35:04 +0000 (11:35 +0200)
committerPatrick McHardy <kaber@trash.net>
Wed, 8 Oct 2008 09:35:04 +0000 (11:35 +0200)
What is confirmed connection in one netns can very well be unconfirmed
in another one.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
include/net/netfilter/nf_conntrack_core.h
include/net/netns/conntrack.h
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_helper.c

index 1c373564396a6e1477ae3f61b99a50d8e3c00e2e..b4b45c541da6ce9321654106619db94264ea2f2b 100644 (file)
@@ -72,6 +72,5 @@ print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
             const struct nf_conntrack_l4proto *proto);
 
 extern spinlock_t nf_conntrack_lock ;
-extern struct hlist_head unconfirmed;
 
 #endif /* _NF_CONNTRACK_CORE_H */
index e453a33f3e93501fce1b1067791d2fb107c685f6..6ddf58e142a94aac6da4f465c6960b9c88480469 100644 (file)
@@ -1,6 +1,7 @@
 #ifndef __NETNS_CONNTRACK_H
 #define __NETNS_CONNTRACK_H
 
+#include <linux/list.h>
 #include <asm/atomic.h>
 
 struct netns_ct {
@@ -8,6 +9,7 @@ struct netns_ct {
        unsigned int            expect_count;
        struct hlist_head       *hash;
        struct hlist_head       *expect_hash;
+       struct hlist_head       unconfirmed;
        int                     hash_vmalloc;
        int                     expect_vmalloc;
 };
index c188edea24921f4644af6183943023ea22d4545c..2a105db1330761f67030c3218f1243e848a820e7 100644 (file)
@@ -54,7 +54,6 @@ struct nf_conn nf_conntrack_untracked __read_mostly;
 EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
 
 unsigned int nf_ct_log_invalid __read_mostly;
-HLIST_HEAD(unconfirmed);
 static struct kmem_cache *nf_conntrack_cachep __read_mostly;
 
 DEFINE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
@@ -596,7 +595,8 @@ init_conntrack(struct net *net,
        }
 
        /* Overload tuple linked list to put us in unconfirmed list. */
-       hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed);
+       hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode,
+                      &net->ct.unconfirmed);
 
        spin_unlock_bh(&nf_conntrack_lock);
 
@@ -957,7 +957,7 @@ get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data),
                                goto found;
                }
        }
-       hlist_for_each_entry(h, n, &unconfirmed, hnode) {
+       hlist_for_each_entry(h, n, &net->ct.unconfirmed, hnode) {
                ct = nf_ct_tuplehash_to_ctrack(h);
                if (iter(ct, data))
                        set_bit(IPS_DYING_BIT, &ct->status);
@@ -1154,6 +1154,7 @@ int nf_conntrack_init(struct net *net)
                printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
                goto err_out;
        }
+       INIT_HLIST_HEAD(&net->ct.unconfirmed);
 
        nf_conntrack_max = max_factor * nf_conntrack_htable_size;
 
index c793db810cd527c42284fbc1738943fd7462e4c7..920e778539a9b1bb1cd222ba26d5d89209d0be93 100644 (file)
@@ -156,7 +156,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
        }
 
        /* Get rid of expecteds, set helpers to NULL. */
-       hlist_for_each_entry(h, n, &unconfirmed, hnode)
+       hlist_for_each_entry(h, n, &init_net.ct.unconfirmed, hnode)
                unhelp(h, me);
        for (i = 0; i < nf_conntrack_htable_size; i++) {
                hlist_for_each_entry(h, n, &init_net.ct.hash[i], hnode)