834184b1f3
nf_defrag modules for ipv4 and ipv6 export an empty stub function. Any module that needs the defragmentation hooks registered simply 'calls' this empty function to create a phony module dependency -- modprobe will then load the defrag module too. This extends netfilter ipv4/ipv6 defragmentation modules to delay the hook registration until the functionality is requested within a network namespace instead of at module load time for all namespaces. Hooks are only un-registered on module unload or when a namespace that used such defrag functionality exits. We have to use struct net for this as the register hooks can be called before netns initialization here from the ipv4/ipv6 conntrack module init path. There is no unregister functionality support, defrag will always be active once it was requested inside a net namespace. The reason is that defrag has an impact on nft and iptables rulesets (without defrag we might see fragments). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
#ifndef __NETNS_NETFILTER_H
#define __NETNS_NETFILTER_H
#include <linux/netfilter_defs.h>
/*
 * Forward declarations: struct netns_nf below only stores pointers to these
 * types, so their full definitions are not required in this header.
 */
struct proc_dir_entry;
struct nf_logger;
struct nf_queue_handler;
/*
 * Per-network-namespace netfilter state.
 *
 * This lives inside struct net rather than in a separately initialized
 * per-netns object because the defrag hook registration paths can run
 * before netns initialization (from the ipv4/ipv6 conntrack module init
 * path), as described in the commit that introduced the defrag flags.
 */
struct netns_nf {
#if defined CONFIG_PROC_FS
	/* procfs directory entry for this namespace's netfilter files; only
	 * present when procfs is built in. */
	struct proc_dir_entry *proc_netfilter;
#endif
	/* Queue handler registered for this namespace. Annotated __rcu, so it
	 * is an RCU-protected pointer; dereference it accordingly. */
	const struct nf_queue_handler __rcu *queue_handler;
	/* One RCU-protected logger pointer per protocol family
	 * (NFPROTO_NUMPROTO slots). */
	const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO];
#ifdef CONFIG_SYSCTL
	/* Header of the sysctl table registered for nf_log in this namespace. */
	struct ctl_table_header *nf_log_dir_header;
#endif
	/* Registered hook entries, indexed by protocol family and hook number
	 * (NFPROTO_NUMPROTO x NF_MAX_HOOKS); each entry is RCU-protected. */
	struct nf_hook_entry __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
	/* Set once IPv4 defragmentation has been requested in this namespace.
	 * There is no unregister path: once requested, defrag stays active
	 * until the namespace exits or the module is unloaded, because
	 * disabling it would expose nft/iptables rulesets to raw fragments. */
	bool defrag_ipv4;
#endif
#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
	/* Same contract as defrag_ipv4, for IPv6: sticky for the lifetime of
	 * the namespace once requested. */
	bool defrag_ipv6;
#endif
};
#endif