net/netfilter/nf_conntrack_expect.c

   1 /* Expectation handling for nf_conntrack. */
   2
   3 /* (C) 1999-2001 Paul `Rusty' Russell
   4  * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
   5  * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
   6  *
   7  * This program is free software; you can redistribute it and/or modify
   8  * it under the terms of the GNU General Public License version 2 as
   9  * published by the Free Software Foundation.
  10  */
  11
  12 #include <linux/types.h>
  13 #include <linux/netfilter.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/proc_fs.h>
  16 #include <linux/seq_file.h>
  17 #include <linux/stddef.h>
  18 #include <linux/slab.h>
  19 #include <linux/err.h>
  20 #include <linux/percpu.h>
  21 #include <linux/kernel.h>
  22 #include <linux/jhash.h>
  23 #include <net/net_namespace.h>
  24
  25 #include <net/netfilter/nf_conntrack.h>
  26 #include <net/netfilter/nf_conntrack_core.h>
  27 #include <net/netfilter/nf_conntrack_expect.h>
  28 #include <net/netfilter/nf_conntrack_helper.h>
  29 #include <net/netfilter/nf_conntrack_tuple.h>
  30
  31 unsigned int nf_ct_expect_hsize __read_mostly;
  32 EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
  33
  34 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
  35 unsigned int nf_ct_expect_max __read_mostly;
  36 static int nf_ct_expect_hash_rnd_initted __read_mostly;
  37
  38 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
  39
  40 /* nf_conntrack_expect helper functions */
  41 void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
  42 {
  43         struct nf_conn_help *master_help = nfct_help(exp->master);
  44         struct net *net = nf_ct_exp_net(exp);
  45
  46         NF_CT_ASSERT(master_help);
  47         NF_CT_ASSERT(!timer_pending(&exp->timeout));
  48
  49         hlist_del_rcu(&exp->hnode);
  50         net->ct.expect_count--;
  51
  52         hlist_del(&exp->lnode);
  53         master_help->expecting[exp->class]--;
  54         nf_ct_expect_put(exp);
  55
  56         NF_CT_STAT_INC(net, expect_delete);
  57 }
  58 EXPORT_SYMBOL_GPL(nf_ct_unlink_expect);
  59
  60 static void nf_ct_expectation_timed_out(unsigned long ul_expect)
  61 {
  62         struct nf_conntrack_expect *exp = (void *)ul_expect;
  63
  64         spin_lock_bh(&nf_conntrack_lock);
  65         nf_ct_unlink_expect(exp);
  66         spin_unlock_bh(&nf_conntrack_lock);
  67         nf_ct_expect_put(exp);
  68 }
  69
  70 static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
  71 {
  72         unsigned int hash;
  73
  74         if (unlikely(!nf_ct_expect_hash_rnd_initted)) {
  75                 get_random_bytes(&nf_ct_expect_hash_rnd,
  76                                  sizeof(nf_ct_expect_hash_rnd));
  77                 nf_ct_expect_hash_rnd_initted = 1;
  78         }
  79
  80         hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
  81                       (((tuple->dst.protonum ^ tuple->src.l3num) << 16) |
  82                        (__force __u16)tuple->dst.u.all) ^ nf_ct_expect_hash_rnd);
  83         return ((u64)hash * nf_ct_expect_hsize) >> 32;
  84 }
  85
  86 struct nf_conntrack_expect *
  87 __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple)
  88 {
  89         struct nf_conntrack_expect *i;
  90         struct hlist_node *n;
  91         unsigned int h;
  92
  93         if (!net->ct.expect_count)
  94                 return NULL;
  95
  96         h = nf_ct_expect_dst_hash(tuple);
  97         hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) {
  98                 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
  99                         return i;
 100         }
 101         return NULL;
 102 }
 103 EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
 104
 105 /* Just find a expectation corresponding to a tuple. */
 106 struct nf_conntrack_expect *
 107 nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple)
 108 {
 109         struct nf_conntrack_expect *i;
 110
 111         rcu_read_lock();
 112         i = __nf_ct_expect_find(net, tuple);
 113         if (i && !atomic_inc_not_zero(&i->use))
 114                 i = NULL;
 115         rcu_read_unlock();
 116
 117         return i;
 118 }
 119 EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
 120
 121 /* If an expectation for this connection is found, it gets delete from
 122  * global list then returned. */
 123 struct nf_conntrack_expect *
 124 nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple)
 125 {
 126         struct nf_conntrack_expect *i, *exp = NULL;
 127         struct hlist_node *n;
 128         unsigned int h;
 129
 130         if (!net->ct.expect_count)
 131                 return NULL;
 132
 133         h = nf_ct_expect_dst_hash(tuple);
 134         hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
 135                 if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
 136                     nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
 137                         exp = i;
 138                         break;
 139                 }
 140         }
 141         if (!exp)
 142                 return NULL;
 143
 144         /* If master is not in hash table yet (ie. packet hasn't left
 145            this machine yet), how can other end know about expected?
 146            Hence these are not the droids you are looking for (if
 147            master ct never got confirmed, we'd hold a reference to it
 148            and weird things would happen to future packets). */
 149         if (!nf_ct_is_confirmed(exp->master))
 150                 return NULL;
 151
 152         if (exp->flags & NF_CT_EXPECT_PERMANENT) {
 153                 atomic_inc(&exp->use);
 154                 return exp;
 155         } else if (del_timer(&exp->timeout)) {
 156                 nf_ct_unlink_expect(exp);
 157                 return exp;
 158         }
 159
 160         return NULL;
 161 }
 162
 163 /* delete all expectations for this conntrack */
 164 void nf_ct_remove_expectations(struct nf_conn *ct)
 165 {
 166         struct nf_conn_help *help = nfct_help(ct);
 167         struct nf_conntrack_expect *exp;
 168         struct hlist_node *n, *next;
 169
 170         /* Optimization: most connection never expect any others. */
 171         if (!help)
 172                 return;
 173
 174         hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
 175                 if (del_timer(&exp->timeout)) {
 176                         nf_ct_unlink_expect(exp);
 177                         nf_ct_expect_put(exp);
 178                 }
 179         }
 180 }
 181 EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
 182
 183 /* Would two expected things clash? */
 184 static inline int expect_clash(const struct nf_conntrack_expect *a,
 185                                const struct nf_conntrack_expect *b)
 186 {
 187         /* Part covered by intersection of masks must be unequal,
 188            otherwise they clash */
 189         struct nf_conntrack_tuple_mask intersect_mask;
 190         int count;
 191
 192         intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
 193
 194         for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
 195                 intersect_mask.src.u3.all[count] =
 196                         a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
 197         }
 198
 199         return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
 200 }
 201
 202 static inline int expect_matches(const struct nf_conntrack_expect *a,
 203                                  const struct nf_conntrack_expect *b)
 204 {
 205         return a->master == b->master && a->class == b->class
 206                 && nf_ct_tuple_equal(&a->tuple, &b->tuple)
 207                 && nf_ct_tuple_mask_equal(&a->mask, &b->mask);
 208 }
 209
 210 /* Generally a bad idea to call this: could have matched already. */
 211 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
 212 {
 213         spin_lock_bh(&nf_conntrack_lock);
 214         if (del_timer(&exp->timeout)) {
 215                 nf_ct_unlink_expect(exp);
 216                 nf_ct_expect_put(exp);
 217         }
 218         spin_unlock_bh(&nf_conntrack_lock);
 219 }
 220 EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);
 221
 222 /* We don't increase the master conntrack refcount for non-fulfilled
 223  * conntracks. During the conntrack destruction, the expectations are
 224  * always killed before the conntrack itself */
 225 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
 226 {
 227         struct nf_conntrack_expect *new;
 228
 229         new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
 230         if (!new)
 231                 return NULL;
 232
 233         new->master = me;
 234         atomic_set(&new->use, 1);
 235         INIT_RCU_HEAD(&new->rcu);
 236         return new;
 237 }
 238 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 239
 240 void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
 241                        u_int8_t family,
 242                        const union nf_inet_addr *saddr,
 243                        const union nf_inet_addr *daddr,
 244                        u_int8_t proto, const __be16 *src, const __be16 *dst)
 245 {
 246         int len;
 247
 248         if (family == AF_INET)
 249                 len = 4;
 250         else
 251                 len = 16;
 252
 253         exp->flags = 0;
 254         exp->class = class;
 255         exp->expectfn = NULL;
 256         exp->helper = NULL;
 257         exp->tuple.src.l3num = family;
 258         exp->tuple.dst.protonum = proto;
 259
 260         if (saddr) {
 261                 memcpy(&exp->tuple.src.u3, saddr, len);
 262                 if (sizeof(exp->tuple.src.u3) > len)
 263                         /* address needs to be cleared for nf_ct_tuple_equal */
 264                         memset((void *)&exp->tuple.src.u3 + len, 0x00,
 265                                sizeof(exp->tuple.src.u3) - len);
 266                 memset(&exp->mask.src.u3, 0xFF, len);
 267                 if (sizeof(exp->mask.src.u3) > len)
 268                         memset((void *)&exp->mask.src.u3 + len, 0x00,
 269                                sizeof(exp->mask.src.u3) - len);
 270         } else {
 271                 memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
 272                 memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
 273         }
 274
 275         if (src) {
 276                 exp->tuple.src.u.all = *src;
 277                 exp->mask.src.u.all = htons(0xFFFF);
 278         } else {
 279                 exp->tuple.src.u.all = 0;
 280                 exp->mask.src.u.all = 0;
 281         }
 282
 283         memcpy(&exp->tuple.dst.u3, daddr, len);
 284         if (sizeof(exp->tuple.dst.u3) > len)
 285                 /* address needs to be cleared for nf_ct_tuple_equal */
 286                 memset((void *)&exp->tuple.dst.u3 + len, 0x00,
 287                        sizeof(exp->tuple.dst.u3) - len);
 288
 289         exp->tuple.dst.u.all = *dst;
 290 }
 291 EXPORT_SYMBOL_GPL(nf_ct_expect_init);
 292
 293 static void nf_ct_expect_free_rcu(struct rcu_head *head)
 294 {
 295         struct nf_conntrack_expect *exp;
 296
 297         exp = container_of(head, struct nf_conntrack_expect, rcu);
 298         kmem_cache_free(nf_ct_expect_cachep, exp);
 299 }
 300
 301 void nf_ct_expect_put(struct nf_conntrack_expect *exp)
 302 {
 303         if (atomic_dec_and_test(&exp->use))
 304                 call_rcu(&exp->rcu, nf_ct_expect_free_rcu);
 305 }
 306 EXPORT_SYMBOL_GPL(nf_ct_expect_put);
 307
 308 static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
 309 {
 310         struct nf_conn_help *master_help = nfct_help(exp->master);
 311         struct net *net = nf_ct_exp_net(exp);
 312         const struct nf_conntrack_expect_policy *p;
 313         unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
 314
 315         atomic_inc(&exp->use);
 316
 317         hlist_add_head(&exp->lnode, &master_help->expectations);
 318         master_help->expecting[exp->class]++;
 319
 320         hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]);
 321         net->ct.expect_count++;
 322
 323         setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
 324                     (unsigned long)exp);
 325         p = &master_help->helper->expect_policy[exp->class];
 326         exp->timeout.expires = jiffies + p->timeout * HZ;
 327         add_timer(&exp->timeout);
 328
 329         atomic_inc(&exp->use);
 330         NF_CT_STAT_INC(net, expect_create);
 331 }
 332
 333 /* Race with expectations being used means we could have none to find; OK. */
 334 static void evict_oldest_expect(struct nf_conn *master,
 335                                 struct nf_conntrack_expect *new)
 336 {
 337         struct nf_conn_help *master_help = nfct_help(master);
 338         struct nf_conntrack_expect *exp, *last = NULL;
 339         struct hlist_node *n;
 340
 341         hlist_for_each_entry(exp, n, &master_help->expectations, lnode) {
 342                 if (exp->class == new->class)
 343                         last = exp;
 344         }
 345
 346         if (last && del_timer(&last->timeout)) {
 347                 nf_ct_unlink_expect(last);
 348                 nf_ct_expect_put(last);
 349         }
 350 }
 351
 352 static inline int refresh_timer(struct nf_conntrack_expect *i)
 353 {
 354         struct nf_conn_help *master_help = nfct_help(i->master);
 355         const struct nf_conntrack_expect_policy *p;
 356
 357         if (!del_timer(&i->timeout))
 358                 return 0;
 359
 360         p = &master_help->helper->expect_policy[i->class];
 361         i->timeout.expires = jiffies + p->timeout * HZ;
 362         add_timer(&i->timeout);
 363         return 1;
 364 }
 365
 366 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 367 {
 368         const struct nf_conntrack_expect_policy *p;
 369         struct nf_conntrack_expect *i;
 370         struct nf_conn *master = expect->master;
 371         struct nf_conn_help *master_help = nfct_help(master);
 372         struct net *net = nf_ct_exp_net(expect);
 373         struct hlist_node *n;
 374         unsigned int h;
 375         int ret = 0;
 376
 377         if (!master_help->helper) {
 378                 ret = -ESHUTDOWN;
 379                 goto out;
 380         }
 381         h = nf_ct_expect_dst_hash(&expect->tuple);
 382         hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
 383                 if (expect_matches(i, expect)) {
 384                         /* Refresh timer: if it's dying, ignore.. */
 385                         if (refresh_timer(i)) {
 386                                 ret = 0;
 387                                 goto out;
 388                         }
 389                 } else if (expect_clash(i, expect)) {
 390                         ret = -EBUSY;
 391                         goto out;
 392                 }
 393         }
 394         /* Will be over limit? */
 395         p = &master_help->helper->expect_policy[expect->class];
 396         if (p->max_expected &&
 397             master_help->expecting[expect->class] >= p->max_expected) {
 398                 evict_oldest_expect(master, expect);
 399                 if (master_help->expecting[expect->class] >= p->max_expected) {
 400                         ret = -EMFILE;
 401                         goto out;
 402                 }
 403         }
 404
 405         if (net->ct.expect_count >= nf_ct_expect_max) {
 406                 if (net_ratelimit())
 407                         printk(KERN_WARNING
 408                                "nf_conntrack: expectation table full\n");
 409                 ret = -EMFILE;
 410         }
 411 out:
 412         return ret;
 413 }
 414
 415 int nf_ct_expect_related(struct nf_conntrack_expect *expect)
 416 {
 417         int ret;
 418
 419         spin_lock_bh(&nf_conntrack_lock);
 420         ret = __nf_ct_expect_check(expect);
 421         if (ret < 0)
 422                 goto out;
 423
 424         nf_ct_expect_insert(expect);
 425         atomic_inc(&expect->use);
 426         spin_unlock_bh(&nf_conntrack_lock);
 427         nf_ct_expect_event(IPEXP_NEW, expect);
 428         nf_ct_expect_put(expect);
 429         return ret;
 430 out:
 431         spin_unlock_bh(&nf_conntrack_lock);
 432         return ret;
 433 }
 434 EXPORT_SYMBOL_GPL(nf_ct_expect_related);
 435
 436 int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
 437                                 u32 pid, int report)
 438 {
 439         int ret;
 440
 441         spin_lock_bh(&nf_conntrack_lock);
 442         ret = __nf_ct_expect_check(expect);
 443         if (ret < 0)
 444                 goto out;
 445         nf_ct_expect_insert(expect);
 446 out:
 447         spin_unlock_bh(&nf_conntrack_lock);
 448         if (ret == 0)
 449                 nf_ct_expect_event_report(IPEXP_NEW, expect, pid, report);
 450         return ret;
 451 }
 452 EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
 453
 454 #ifdef CONFIG_PROC_FS
 455 struct ct_expect_iter_state {
 456         struct seq_net_private p;
 457         unsigned int bucket;
 458 };
 459
 460 static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
 461 {
 462         struct net *net = seq_file_net(seq);
 463         struct ct_expect_iter_state *st = seq->private;
 464         struct hlist_node *n;
 465
 466         for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
 467                 n = rcu_dereference(net->ct.expect_hash[st->bucket].first);
 468                 if (n)
 469                         return n;
 470         }
 471         return NULL;
 472 }
 473
 474 static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
 475                                              struct hlist_node *head)
 476 {
 477         struct net *net = seq_file_net(seq);
 478         struct ct_expect_iter_state *st = seq->private;
 479
 480         head = rcu_dereference(head->next);
 481         while (head == NULL) {
 482                 if (++st->bucket >= nf_ct_expect_hsize)
 483                         return NULL;
 484                 head = rcu_dereference(net->ct.expect_hash[st->bucket].first);
 485         }
 486         return head;
 487 }
 488
 489 static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
 490 {
 491         struct hlist_node *head = ct_expect_get_first(seq);
 492
 493         if (head)
 494                 while (pos && (head = ct_expect_get_next(seq, head)))
 495                         pos--;
 496         return pos ? NULL : head;
 497 }
 498
 499 static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
 500         __acquires(RCU)
 501 {
 502         rcu_read_lock();
 503         return ct_expect_get_idx(seq, *pos);
 504 }
 505
 506 static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 507 {
 508         (*pos)++;
 509         return ct_expect_get_next(seq, v);
 510 }
 511
 512 static void exp_seq_stop(struct seq_file *seq, void *v)
 513         __releases(RCU)
 514 {
 515         rcu_read_unlock();
 516 }
 517
 518 static int exp_seq_show(struct seq_file *s, void *v)
 519 {
 520         struct nf_conntrack_expect *expect;
 521         struct hlist_node *n = v;
 522         char *delim = "";
 523
 524         expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
 525
 526         if (expect->timeout.function)
 527                 seq_printf(s, "%ld ", timer_pending(&expect->timeout)
 528                            ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
 529         else
 530                 seq_printf(s, "- ");
 531         seq_printf(s, "l3proto = %u proto=%u ",
 532                    expect->tuple.src.l3num,
 533                    expect->tuple.dst.protonum);
 534         print_tuple(s, &expect->tuple,
 535                     __nf_ct_l3proto_find(expect->tuple.src.l3num),
 536                     __nf_ct_l4proto_find(expect->tuple.src.l3num,
 537                                        expect->tuple.dst.protonum));
 538
 539         if (expect->flags & NF_CT_EXPECT_PERMANENT) {
 540                 seq_printf(s, "PERMANENT");
 541                 delim = ",";
 542         }
 543         if (expect->flags & NF_CT_EXPECT_INACTIVE)
 544                 seq_printf(s, "%sINACTIVE", delim);
 545
 546         return seq_putc(s, '\n');
 547 }
 548
 549 static const struct seq_operations exp_seq_ops = {
 550         .start = exp_seq_start,
 551         .next = exp_seq_next,
 552         .stop = exp_seq_stop,
 553         .show = exp_seq_show
 554 };
 555
 556 static int exp_open(struct inode *inode, struct file *file)
 557 {
 558         return seq_open_net(inode, file, &exp_seq_ops,
 559                         sizeof(struct ct_expect_iter_state));
 560 }
 561
 562 static const struct file_operations exp_file_ops = {
 563         .owner   = THIS_MODULE,
 564         .open    = exp_open,
 565         .read    = seq_read,
 566         .llseek  = seq_lseek,
 567         .release = seq_release_net,
 568 };
 569 #endif /* CONFIG_PROC_FS */
 570
 571 static int exp_proc_init(struct net *net)
 572 {
 573 #ifdef CONFIG_PROC_FS
 574         struct proc_dir_entry *proc;
 575
 576         proc = proc_net_fops_create(net, "nf_conntrack_expect", 0440, &exp_file_ops);
 577         if (!proc)
 578                 return -ENOMEM;
 579 #endif /* CONFIG_PROC_FS */
 580         return 0;
 581 }
 582
 583 static void exp_proc_remove(struct net *net)
 584 {
 585 #ifdef CONFIG_PROC_FS
 586         proc_net_remove(net, "nf_conntrack_expect");
 587 #endif /* CONFIG_PROC_FS */
 588 }
 589
 590 module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);
 591
 592 int nf_conntrack_expect_init(struct net *net)
 593 {
 594         int err = -ENOMEM;
 595
 596         if (net_eq(net, &init_net)) {
 597                 if (!nf_ct_expect_hsize) {
 598                         nf_ct_expect_hsize = nf_conntrack_htable_size / 256;
 599                         if (!nf_ct_expect_hsize)
 600                                 nf_ct_expect_hsize = 1;
 601                 }
 602                 nf_ct_expect_max = nf_ct_expect_hsize * 4;
 603         }
 604
 605         net->ct.expect_count = 0;
 606         net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
 607                                                   &net->ct.expect_vmalloc, 0);
 608         if (net->ct.expect_hash == NULL)
 609                 goto err1;
 610
 611         if (net_eq(net, &init_net)) {
 612                 nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
 613                                         sizeof(struct nf_conntrack_expect),
 614                                         0, 0, NULL);
 615                 if (!nf_ct_expect_cachep)
 616                         goto err2;
 617         }
 618
 619         err = exp_proc_init(net);
 620         if (err < 0)
 621                 goto err3;
 622
 623         return 0;
 624
 625 err3:
 626         if (net_eq(net, &init_net))
 627                 kmem_cache_destroy(nf_ct_expect_cachep);
 628 err2:
 629         nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
 630                              nf_ct_expect_hsize);
 631 err1:
 632         return err;
 633 }
 634
 635 void nf_conntrack_expect_fini(struct net *net)
 636 {
 637         exp_proc_remove(net);
 638         if (net_eq(net, &init_net))
 639                 kmem_cache_destroy(nf_ct_expect_cachep);
 640         nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
 641                              nf_ct_expect_hsize);
 642 }