net/netfilter/nf_conntrack_expect.c

   1 /* Expectation handling for nf_conntrack. */
   2
   3 /* (C) 1999-2001 Paul `Rusty' Russell
   4  * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
   5  * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
   6  *
   7  * This program is free software; you can redistribute it and/or modify
   8  * it under the terms of the GNU General Public License version 2 as
   9  * published by the Free Software Foundation.
  10  */
  11
  12 #include <linux/types.h>
  13 #include <linux/netfilter.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/proc_fs.h>
  16 #include <linux/seq_file.h>
  17 #include <linux/stddef.h>
  18 #include <linux/slab.h>
  19 #include <linux/err.h>
  20 #include <linux/percpu.h>
  21 #include <linux/kernel.h>
  22 #include <linux/jhash.h>
  23 #include <net/net_namespace.h>
  24
  25 #include <net/netfilter/nf_conntrack.h>
  26 #include <net/netfilter/nf_conntrack_core.h>
  27 #include <net/netfilter/nf_conntrack_expect.h>
  28 #include <net/netfilter/nf_conntrack_helper.h>
  29 #include <net/netfilter/nf_conntrack_tuple.h>
  30 #include <net/netfilter/nf_conntrack_zones.h>
  31
  32 unsigned int nf_ct_expect_hsize __read_mostly;
  33 EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
  34
  35 unsigned int nf_ct_expect_max __read_mostly;
  36
  37 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
  38
  39 static HLIST_HEAD(nf_ct_userspace_expect_list);
  40
  41 /* nf_conntrack_expect helper functions */
  42 void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
  43                                 u32 pid, int report)
  44 {
  45         struct nf_conn_help *master_help = nfct_help(exp->master);
  46         struct net *net = nf_ct_exp_net(exp);
  47
  48         NF_CT_ASSERT(!timer_pending(&exp->timeout));
  49
  50         hlist_del_rcu(&exp->hnode);
  51         net->ct.expect_count--;
  52
  53         hlist_del(&exp->lnode);
  54         if (!(exp->flags & NF_CT_EXPECT_USERSPACE))
  55                 master_help->expecting[exp->class]--;
  56
  57         nf_ct_expect_event_report(IPEXP_DESTROY, exp, pid, report);
  58         nf_ct_expect_put(exp);
  59
  60         NF_CT_STAT_INC(net, expect_delete);
  61 }
  62 EXPORT_SYMBOL_GPL(nf_ct_unlink_expect_report);
  63
  64 static void nf_ct_expectation_timed_out(unsigned long ul_expect)
  65 {
  66         struct nf_conntrack_expect *exp = (void *)ul_expect;
  67
  68         spin_lock_bh(&nf_conntrack_lock);
  69         nf_ct_unlink_expect(exp);
  70         spin_unlock_bh(&nf_conntrack_lock);
  71         nf_ct_expect_put(exp);
  72 }
  73
  74 static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
  75 {
  76         unsigned int hash;
  77
  78         if (unlikely(!nf_conntrack_hash_rnd)) {
  79                 init_nf_conntrack_hash_rnd();
  80         }
  81
  82         hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
  83                       (((tuple->dst.protonum ^ tuple->src.l3num) << 16) |
  84                        (__force __u16)tuple->dst.u.all) ^ nf_conntrack_hash_rnd);
  85         return ((u64)hash * nf_ct_expect_hsize) >> 32;
  86 }
  87
  88 struct nf_conntrack_expect *
  89 __nf_ct_expect_find(struct net *net, u16 zone,
  90                     const struct nf_conntrack_tuple *tuple)
  91 {
  92         struct nf_conntrack_expect *i;
  93         struct hlist_node *n;
  94         unsigned int h;
  95
  96         if (!net->ct.expect_count)
  97                 return NULL;
  98
  99         h = nf_ct_expect_dst_hash(tuple);
 100         hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) {
 101                 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
 102                     nf_ct_zone(i->master) == zone)
 103                         return i;
 104         }
 105         return NULL;
 106 }
 107 EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
 108
 109 /* Just find a expectation corresponding to a tuple. */
 110 struct nf_conntrack_expect *
 111 nf_ct_expect_find_get(struct net *net, u16 zone,
 112                       const struct nf_conntrack_tuple *tuple)
 113 {
 114         struct nf_conntrack_expect *i;
 115
 116         rcu_read_lock();
 117         i = __nf_ct_expect_find(net, zone, tuple);
 118         if (i && !atomic_inc_not_zero(&i->use))
 119                 i = NULL;
 120         rcu_read_unlock();
 121
 122         return i;
 123 }
 124 EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
 125
 126 /* If an expectation for this connection is found, it gets delete from
 127  * global list then returned. */
 128 struct nf_conntrack_expect *
 129 nf_ct_find_expectation(struct net *net, u16 zone,
 130                        const struct nf_conntrack_tuple *tuple)
 131 {
 132         struct nf_conntrack_expect *i, *exp = NULL;
 133         struct hlist_node *n;
 134         unsigned int h;
 135
 136         if (!net->ct.expect_count)
 137                 return NULL;
 138
 139         h = nf_ct_expect_dst_hash(tuple);
 140         hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
 141                 if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
 142                     nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
 143                     nf_ct_zone(i->master) == zone) {
 144                         exp = i;
 145                         break;
 146                 }
 147         }
 148         if (!exp)
 149                 return NULL;
 150
 151         /* If master is not in hash table yet (ie. packet hasn't left
 152            this machine yet), how can other end know about expected?
 153            Hence these are not the droids you are looking for (if
 154            master ct never got confirmed, we'd hold a reference to it
 155            and weird things would happen to future packets). */
 156         if (!nf_ct_is_confirmed(exp->master))
 157                 return NULL;
 158
 159         if (exp->flags & NF_CT_EXPECT_PERMANENT) {
 160                 atomic_inc(&exp->use);
 161                 return exp;
 162         } else if (del_timer(&exp->timeout)) {
 163                 nf_ct_unlink_expect(exp);
 164                 return exp;
 165         }
 166
 167         return NULL;
 168 }
 169
 170 /* delete all expectations for this conntrack */
 171 void nf_ct_remove_expectations(struct nf_conn *ct)
 172 {
 173         struct nf_conn_help *help = nfct_help(ct);
 174         struct nf_conntrack_expect *exp;
 175         struct hlist_node *n, *next;
 176
 177         /* Optimization: most connection never expect any others. */
 178         if (!help)
 179                 return;
 180
 181         hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
 182                 if (del_timer(&exp->timeout)) {
 183                         nf_ct_unlink_expect(exp);
 184                         nf_ct_expect_put(exp);
 185                 }
 186         }
 187 }
 188 EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
 189
 190 /* Would two expected things clash? */
 191 static inline int expect_clash(const struct nf_conntrack_expect *a,
 192                                const struct nf_conntrack_expect *b)
 193 {
 194         /* Part covered by intersection of masks must be unequal,
 195            otherwise they clash */
 196         struct nf_conntrack_tuple_mask intersect_mask;
 197         int count;
 198
 199         intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
 200
 201         for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
 202                 intersect_mask.src.u3.all[count] =
 203                         a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
 204         }
 205
 206         return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
 207 }
 208
 209 static inline int expect_matches(const struct nf_conntrack_expect *a,
 210                                  const struct nf_conntrack_expect *b)
 211 {
 212         return a->master == b->master && a->class == b->class &&
 213                 nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
 214                 nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
 215                 nf_ct_zone(a->master) == nf_ct_zone(b->master);
 216 }
 217
 218 /* Generally a bad idea to call this: could have matched already. */
 219 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
 220 {
 221         spin_lock_bh(&nf_conntrack_lock);
 222         if (del_timer(&exp->timeout)) {
 223                 nf_ct_unlink_expect(exp);
 224                 nf_ct_expect_put(exp);
 225         }
 226         spin_unlock_bh(&nf_conntrack_lock);
 227 }
 228 EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);
 229
 230 /* We don't increase the master conntrack refcount for non-fulfilled
 231  * conntracks. During the conntrack destruction, the expectations are
 232  * always killed before the conntrack itself */
 233 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
 234 {
 235         struct nf_conntrack_expect *new;
 236
 237         new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
 238         if (!new)
 239                 return NULL;
 240
 241         new->master = me;
 242         atomic_set(&new->use, 1);
 243         return new;
 244 }
 245 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 246
 247 void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
 248                        u_int8_t family,
 249                        const union nf_inet_addr *saddr,
 250                        const union nf_inet_addr *daddr,
 251                        u_int8_t proto, const __be16 *src, const __be16 *dst)
 252 {
 253         int len;
 254
 255         if (family == AF_INET)
 256                 len = 4;
 257         else
 258                 len = 16;
 259
 260         exp->flags = 0;
 261         exp->class = class;
 262         exp->expectfn = NULL;
 263         exp->helper = NULL;
 264         exp->tuple.src.l3num = family;
 265         exp->tuple.dst.protonum = proto;
 266
 267         if (saddr) {
 268                 memcpy(&exp->tuple.src.u3, saddr, len);
 269                 if (sizeof(exp->tuple.src.u3) > len)
 270                         /* address needs to be cleared for nf_ct_tuple_equal */
 271                         memset((void *)&exp->tuple.src.u3 + len, 0x00,
 272                                sizeof(exp->tuple.src.u3) - len);
 273                 memset(&exp->mask.src.u3, 0xFF, len);
 274                 if (sizeof(exp->mask.src.u3) > len)
 275                         memset((void *)&exp->mask.src.u3 + len, 0x00,
 276                                sizeof(exp->mask.src.u3) - len);
 277         } else {
 278                 memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
 279                 memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
 280         }
 281
 282         if (src) {
 283                 exp->tuple.src.u.all = *src;
 284                 exp->mask.src.u.all = htons(0xFFFF);
 285         } else {
 286                 exp->tuple.src.u.all = 0;
 287                 exp->mask.src.u.all = 0;
 288         }
 289
 290         memcpy(&exp->tuple.dst.u3, daddr, len);
 291         if (sizeof(exp->tuple.dst.u3) > len)
 292                 /* address needs to be cleared for nf_ct_tuple_equal */
 293                 memset((void *)&exp->tuple.dst.u3 + len, 0x00,
 294                        sizeof(exp->tuple.dst.u3) - len);
 295
 296         exp->tuple.dst.u.all = *dst;
 297 }
 298 EXPORT_SYMBOL_GPL(nf_ct_expect_init);
 299
 300 static void nf_ct_expect_free_rcu(struct rcu_head *head)
 301 {
 302         struct nf_conntrack_expect *exp;
 303
 304         exp = container_of(head, struct nf_conntrack_expect, rcu);
 305         kmem_cache_free(nf_ct_expect_cachep, exp);
 306 }
 307
 308 void nf_ct_expect_put(struct nf_conntrack_expect *exp)
 309 {
 310         if (atomic_dec_and_test(&exp->use))
 311                 call_rcu(&exp->rcu, nf_ct_expect_free_rcu);
 312 }
 313 EXPORT_SYMBOL_GPL(nf_ct_expect_put);
 314
 315 static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
 316 {
 317         struct nf_conn_help *master_help = nfct_help(exp->master);
 318         struct net *net = nf_ct_exp_net(exp);
 319         const struct nf_conntrack_expect_policy *p;
 320         unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
 321
 322         /* two references : one for hash insert, one for the timer */
 323         atomic_add(2, &exp->use);
 324
 325         if (master_help) {
 326                 hlist_add_head(&exp->lnode, &master_help->expectations);
 327                 master_help->expecting[exp->class]++;
 328         } else if (exp->flags & NF_CT_EXPECT_USERSPACE)
 329                 hlist_add_head(&exp->lnode, &nf_ct_userspace_expect_list);
 330
 331         hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]);
 332         net->ct.expect_count++;
 333
 334         setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
 335                     (unsigned long)exp);
 336         if (master_help) {
 337                 p = &rcu_dereference_protected(
 338                                 master_help->helper,
 339                                 lockdep_is_held(&nf_conntrack_lock)
 340                                 )->expect_policy[exp->class];
 341                 exp->timeout.expires = jiffies + p->timeout * HZ;
 342         }
 343         add_timer(&exp->timeout);
 344
 345         NF_CT_STAT_INC(net, expect_create);
 346 }
 347
 348 /* Race with expectations being used means we could have none to find; OK. */
 349 static void evict_oldest_expect(struct nf_conn *master,
 350                                 struct nf_conntrack_expect *new)
 351 {
 352         struct nf_conn_help *master_help = nfct_help(master);
 353         struct nf_conntrack_expect *exp, *last = NULL;
 354         struct hlist_node *n;
 355
 356         hlist_for_each_entry(exp, n, &master_help->expectations, lnode) {
 357                 if (exp->class == new->class)
 358                         last = exp;
 359         }
 360
 361         if (last && del_timer(&last->timeout)) {
 362                 nf_ct_unlink_expect(last);
 363                 nf_ct_expect_put(last);
 364         }
 365 }
 366
 367 static inline int refresh_timer(struct nf_conntrack_expect *i)
 368 {
 369         struct nf_conn_help *master_help = nfct_help(i->master);
 370         const struct nf_conntrack_expect_policy *p;
 371
 372         if (!del_timer(&i->timeout))
 373                 return 0;
 374
 375         p = &rcu_dereference_protected(
 376                 master_help->helper,
 377                 lockdep_is_held(&nf_conntrack_lock)
 378                 )->expect_policy[i->class];
 379         i->timeout.expires = jiffies + p->timeout * HZ;
 380         add_timer(&i->timeout);
 381         return 1;
 382 }
 383
 384 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 385 {
 386         const struct nf_conntrack_expect_policy *p;
 387         struct nf_conntrack_expect *i;
 388         struct nf_conn *master = expect->master;
 389         struct nf_conn_help *master_help = nfct_help(master);
 390         struct net *net = nf_ct_exp_net(expect);
 391         struct hlist_node *n;
 392         unsigned int h;
 393         int ret = 1;
 394
 395         /* Don't allow expectations created from kernel-space with no helper */
 396         if (!(expect->flags & NF_CT_EXPECT_USERSPACE) &&
 397             (!master_help || (master_help && !master_help->helper))) {
 398                 ret = -ESHUTDOWN;
 399                 goto out;
 400         }
 401         h = nf_ct_expect_dst_hash(&expect->tuple);
 402         hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
 403                 if (expect_matches(i, expect)) {
 404                         /* Refresh timer: if it's dying, ignore.. */
 405                         if (refresh_timer(i)) {
 406                                 ret = 0;
 407                                 goto out;
 408                         }
 409                 } else if (expect_clash(i, expect)) {
 410                         ret = -EBUSY;
 411                         goto out;
 412                 }
 413         }
 414         /* Will be over limit? */
 415         if (master_help) {
 416                 p = &rcu_dereference_protected(
 417                         master_help->helper,
 418                         lockdep_is_held(&nf_conntrack_lock)
 419                         )->expect_policy[expect->class];
 420                 if (p->max_expected &&
 421                     master_help->expecting[expect->class] >= p->max_expected) {
 422                         evict_oldest_expect(master, expect);
 423                         if (master_help->expecting[expect->class]
 424                                                 >= p->max_expected) {
 425                                 ret = -EMFILE;
 426                                 goto out;
 427                         }
 428                 }
 429         }
 430
 431         if (net->ct.expect_count >= nf_ct_expect_max) {
 432                 if (net_ratelimit())
 433                         printk(KERN_WARNING
 434                                "nf_conntrack: expectation table full\n");
 435                 ret = -EMFILE;
 436         }
 437 out:
 438         return ret;
 439 }
 440
 441 int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
 442                                 u32 pid, int report)
 443 {
 444         int ret;
 445
 446         spin_lock_bh(&nf_conntrack_lock);
 447         ret = __nf_ct_expect_check(expect);
 448         if (ret <= 0)
 449                 goto out;
 450
 451         ret = 0;
 452         nf_ct_expect_insert(expect);
 453         spin_unlock_bh(&nf_conntrack_lock);
 454         nf_ct_expect_event_report(IPEXP_NEW, expect, pid, report);
 455         return ret;
 456 out:
 457         spin_unlock_bh(&nf_conntrack_lock);
 458         return ret;
 459 }
 460 EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
 461
 462 void nf_ct_remove_userspace_expectations(void)
 463 {
 464         struct nf_conntrack_expect *exp;
 465         struct hlist_node *n, *next;
 466
 467         hlist_for_each_entry_safe(exp, n, next,
 468                                   &nf_ct_userspace_expect_list, lnode) {
 469                 if (del_timer(&exp->timeout)) {
 470                         nf_ct_unlink_expect(exp);
 471                         nf_ct_expect_put(exp);
 472                 }
 473         }
 474 }
 475 EXPORT_SYMBOL_GPL(nf_ct_remove_userspace_expectations);
 476
 477 #ifdef CONFIG_PROC_FS
 478 struct ct_expect_iter_state {
 479         struct seq_net_private p;
 480         unsigned int bucket;
 481 };
 482
 483 static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
 484 {
 485         struct net *net = seq_file_net(seq);
 486         struct ct_expect_iter_state *st = seq->private;
 487         struct hlist_node *n;
 488
 489         for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
 490                 n = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
 491                 if (n)
 492                         return n;
 493         }
 494         return NULL;
 495 }
 496
 497 static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
 498                                              struct hlist_node *head)
 499 {
 500         struct net *net = seq_file_net(seq);
 501         struct ct_expect_iter_state *st = seq->private;
 502
 503         head = rcu_dereference(hlist_next_rcu(head));
 504         while (head == NULL) {
 505                 if (++st->bucket >= nf_ct_expect_hsize)
 506                         return NULL;
 507                 head = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
 508         }
 509         return head;
 510 }
 511
 512 static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
 513 {
 514         struct hlist_node *head = ct_expect_get_first(seq);
 515
 516         if (head)
 517                 while (pos && (head = ct_expect_get_next(seq, head)))
 518                         pos--;
 519         return pos ? NULL : head;
 520 }
 521
 522 static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
 523         __acquires(RCU)
 524 {
 525         rcu_read_lock();
 526         return ct_expect_get_idx(seq, *pos);
 527 }
 528
 529 static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 530 {
 531         (*pos)++;
 532         return ct_expect_get_next(seq, v);
 533 }
 534
 535 static void exp_seq_stop(struct seq_file *seq, void *v)
 536         __releases(RCU)
 537 {
 538         rcu_read_unlock();
 539 }
 540
 541 static int exp_seq_show(struct seq_file *s, void *v)
 542 {
 543         struct nf_conntrack_expect *expect;
 544         struct nf_conntrack_helper *helper;
 545         struct hlist_node *n = v;
 546         char *delim = "";
 547
 548         expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
 549
 550         if (expect->timeout.function)
 551                 seq_printf(s, "%ld ", timer_pending(&expect->timeout)
 552                            ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
 553         else
 554                 seq_printf(s, "- ");
 555         seq_printf(s, "l3proto = %u proto=%u ",
 556                    expect->tuple.src.l3num,
 557                    expect->tuple.dst.protonum);
 558         print_tuple(s, &expect->tuple,
 559                     __nf_ct_l3proto_find(expect->tuple.src.l3num),
 560                     __nf_ct_l4proto_find(expect->tuple.src.l3num,
 561                                        expect->tuple.dst.protonum));
 562
 563         if (expect->flags & NF_CT_EXPECT_PERMANENT) {
 564                 seq_printf(s, "PERMANENT");
 565                 delim = ",";
 566         }
 567         if (expect->flags & NF_CT_EXPECT_INACTIVE) {
 568                 seq_printf(s, "%sINACTIVE", delim);
 569                 delim = ",";
 570         }
 571         if (expect->flags & NF_CT_EXPECT_USERSPACE)
 572                 seq_printf(s, "%sUSERSPACE", delim);
 573
 574         helper = rcu_dereference(nfct_help(expect->master)->helper);
 575         if (helper) {
 576                 seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
 577                 if (helper->expect_policy[expect->class].name)
 578                         seq_printf(s, "/%s",
 579                                    helper->expect_policy[expect->class].name);
 580         }
 581
 582         return seq_putc(s, '\n');
 583 }
 584
 585 static const struct seq_operations exp_seq_ops = {
 586         .start = exp_seq_start,
 587         .next = exp_seq_next,
 588         .stop = exp_seq_stop,
 589         .show = exp_seq_show
 590 };
 591
 592 static int exp_open(struct inode *inode, struct file *file)
 593 {
 594         return seq_open_net(inode, file, &exp_seq_ops,
 595                         sizeof(struct ct_expect_iter_state));
 596 }
 597
 598 static const struct file_operations exp_file_ops = {
 599         .owner   = THIS_MODULE,
 600         .open    = exp_open,
 601         .read    = seq_read,
 602         .llseek  = seq_lseek,
 603         .release = seq_release_net,
 604 };
 605 #endif /* CONFIG_PROC_FS */
 606
 607 static int exp_proc_init(struct net *net)
 608 {
 609 #ifdef CONFIG_PROC_FS
 610         struct proc_dir_entry *proc;
 611
 612         proc = proc_net_fops_create(net, "nf_conntrack_expect", 0440, &exp_file_ops);
 613         if (!proc)
 614                 return -ENOMEM;
 615 #endif /* CONFIG_PROC_FS */
 616         return 0;
 617 }
 618
 619 static void exp_proc_remove(struct net *net)
 620 {
 621 #ifdef CONFIG_PROC_FS
 622         proc_net_remove(net, "nf_conntrack_expect");
 623 #endif /* CONFIG_PROC_FS */
 624 }
 625
 626 module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
 627
 628 int nf_conntrack_expect_init(struct net *net)
 629 {
 630         int err = -ENOMEM;
 631
 632         if (net_eq(net, &init_net)) {
 633                 if (!nf_ct_expect_hsize) {
 634                         nf_ct_expect_hsize = net->ct.htable_size / 256;
 635                         if (!nf_ct_expect_hsize)
 636                                 nf_ct_expect_hsize = 1;
 637                 }
 638                 nf_ct_expect_max = nf_ct_expect_hsize * 4;
 639         }
 640
 641         net->ct.expect_count = 0;
 642         net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, 0);
 643         if (net->ct.expect_hash == NULL)
 644                 goto err1;
 645
 646         if (net_eq(net, &init_net)) {
 647                 nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
 648                                         sizeof(struct nf_conntrack_expect),
 649                                         0, 0, NULL);
 650                 if (!nf_ct_expect_cachep)
 651                         goto err2;
 652         }
 653
 654         err = exp_proc_init(net);
 655         if (err < 0)
 656                 goto err3;
 657
 658         return 0;
 659
 660 err3:
 661         if (net_eq(net, &init_net))
 662                 kmem_cache_destroy(nf_ct_expect_cachep);
 663 err2:
 664         nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
 665 err1:
 666         return err;
 667 }
 668
 669 void nf_conntrack_expect_fini(struct net *net)
 670 {
 671         exp_proc_remove(net);
 672         if (net_eq(net, &init_net)) {
 673                 rcu_barrier(); /* Wait for call_rcu() before destroy */
 674                 kmem_cache_destroy(nf_ct_expect_cachep);
 675         }
 676         nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
 677 }