[linux-block.git] / net / netfilter / nf_conntrack_ecache.c

// SPDX-License-Identifier: GPL-2.0-only
/* Event cache for netfilter. */

/*
 * (C) 2005 Harald Welte <laforge@gnumonks.org>
 * (C) 2005 Patrick McHardy <kaber@trash.net>
 * (C) 2005-2006 Netfilter Core Team <coreteam@netfilter.org>
 * (C) 2005 USAGI/WIDE Project <http://www.linux-ipv6.org>
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/vmalloc.h>
#include <linux/stddef.h>
#include <linux/err.h>
#include <linux/kernel.h>
#include <linux/netdevice.h>
#include <linux/slab.h>
#include <linux/export.h>

#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_extend.h>

static DEFINE_MUTEX(nf_ct_ecache_mutex);

#define DYING_NULLS_VAL			((1 << 30) + 1)
#define ECACHE_MAX_JIFFIES		msecs_to_jiffies(10)
#define ECACHE_RETRY_JIFFIES		msecs_to_jiffies(10)

enum retry_state {
	STATE_CONGESTED,
	STATE_RESTART,
	STATE_DONE,
};

struct nf_conntrack_net_ecache *nf_conn_pernet_ecache(const struct net *net)
{
	struct nf_conntrack_net *cnet = nf_ct_pernet(net);

	return &cnet->ecache;
}
#if IS_MODULE(CONFIG_NF_CT_NETLINK)
EXPORT_SYMBOL_GPL(nf_conn_pernet_ecache);
#endif

static enum retry_state ecache_work_evict_list(struct nf_conntrack_net *cnet)
{
	unsigned long stop = jiffies + ECACHE_MAX_JIFFIES;
	struct hlist_nulls_head evicted_list;
	enum retry_state ret = STATE_DONE;
	struct nf_conntrack_tuple_hash *h;
	struct hlist_nulls_node *n;
	unsigned int sent;

	INIT_HLIST_NULLS_HEAD(&evicted_list, DYING_NULLS_VAL);

next:
	sent = 0;
	spin_lock_bh(&cnet->ecache.dying_lock);

	hlist_nulls_for_each_entry_safe(h, n, &cnet->ecache.dying_list, hnnode) {
		struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);

		/* The worker owns all entries, ct remains valid until nf_ct_put
		 * in the loop below.
		 */
		if (nf_conntrack_event(IPCT_DESTROY, ct)) {
			ret = STATE_CONGESTED;
			break;
		}

		hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
		hlist_nulls_add_head(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode, &evicted_list);

		if (time_after(stop, jiffies)) {
			ret = STATE_RESTART;
			break;
		}

		if (sent++ > 16) {
			spin_unlock_bh(&cnet->ecache.dying_lock);
			cond_resched();
			goto next;
		}
	}

	spin_unlock_bh(&cnet->ecache.dying_lock);

	hlist_nulls_for_each_entry_safe(h, n, &evicted_list, hnnode) {
		struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);

		hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode);
		nf_ct_put(ct);

		cond_resched();
	}

	return ret;
}

static void ecache_work(struct work_struct *work)
{
	struct nf_conntrack_net *cnet = container_of(work, struct nf_conntrack_net, ecache.dwork.work);
	int ret, delay = -1;

	ret = ecache_work_evict_list(cnet);
	switch (ret) {
	case STATE_CONGESTED:
		delay = ECACHE_RETRY_JIFFIES;
		break;
	case STATE_RESTART:
		delay = 0;
		break;
	case STATE_DONE:
		break;
	}

	if (delay >= 0)
		schedule_delayed_work(&cnet->ecache.dwork, delay);
}

static int __nf_conntrack_eventmask_report(struct nf_conntrack_ecache *e,
					   const u32 events,
					   const u32 missed,
					   const struct nf_ct_event *item)
{
	struct net *net = nf_ct_net(item->ct);
	struct nf_ct_event_notifier *notify;
	u32 old, want;
	int ret;

	if (!((events | missed) & e->ctmask))
		return 0;

	rcu_read_lock();

	notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
	if (!notify) {
		rcu_read_unlock();
		return 0;
	}

	ret = notify->ct_event(events | missed, item);
	rcu_read_unlock();

	if (likely(ret >= 0 && missed == 0))
		return 0;

	do {
		old = READ_ONCE(e->missed);
		if (ret < 0)
			want = old | events;
		else
			want = old & ~missed;
	} while (cmpxchg(&e->missed, old, want) != old);

	return ret;
}

int nf_conntrack_eventmask_report(unsigned int events, struct nf_conn *ct,
				  u32 portid, int report)
{
	struct nf_conntrack_ecache *e;
	struct nf_ct_event item;
	unsigned int missed;
	int ret;

	if (!nf_ct_is_confirmed(ct))
		return 0;

	e = nf_ct_ecache_find(ct);
	if (!e)
		return 0;

	memset(&item, 0, sizeof(item));

	item.ct = ct;
	item.portid = e->portid ? e->portid : portid;
	item.report = report;

	/* This is a resent of a destroy event? If so, skip missed */
	missed = e->portid ? 0 : e->missed;

	ret = __nf_conntrack_eventmask_report(e, events, missed, &item);
	if (unlikely(ret < 0 && (events & (1 << IPCT_DESTROY)))) {
		/* This is a destroy event that has been triggered by a process,
		 * we store the PORTID to include it in the retransmission.
		 */
		if (e->portid == 0 && portid != 0)
			e->portid = portid;
	}

	return ret;
}
EXPORT_SYMBOL_GPL(nf_conntrack_eventmask_report);

/* deliver cached events and clear cache entry - must be called with locally
 * disabled softirqs */
void nf_ct_deliver_cached_events(struct nf_conn *ct)
{
	struct nf_conntrack_ecache *e;
	struct nf_ct_event item;
	unsigned int events;

	if (!nf_ct_is_confirmed(ct) || nf_ct_is_dying(ct))
		return;

	e = nf_ct_ecache_find(ct);
	if (e == NULL)
		return;

	events = xchg(&e->cache, 0);

	item.ct = ct;
	item.portid = 0;
	item.report = 0;

	/* We make a copy of the missed event cache without taking
	 * the lock, thus we may send missed events twice. However,
	 * this does not harm and it happens very rarely.
	 */
	__nf_conntrack_eventmask_report(e, events, e->missed, &item);
}
EXPORT_SYMBOL_GPL(nf_ct_deliver_cached_events);

void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
			       struct nf_conntrack_expect *exp,
			       u32 portid, int report)

{
	struct net *net = nf_ct_exp_net(exp);
	struct nf_ct_event_notifier *notify;
	struct nf_conntrack_ecache *e;

	rcu_read_lock();
	notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
	if (!notify)
		goto out_unlock;

	e = nf_ct_ecache_find(exp->master);
	if (!e)
		goto out_unlock;

	if (e->expmask & (1 << event)) {
		struct nf_exp_event item = {
			.exp	= exp,
			.portid	= portid,
			.report = report
		};
		notify->exp_event(1 << event, &item);
	}
out_unlock:
	rcu_read_unlock();
}

void nf_conntrack_register_notifier(struct net *net,
				    const struct nf_ct_event_notifier *new)
{
	struct nf_ct_event_notifier *notify;

	mutex_lock(&nf_ct_ecache_mutex);
	notify = rcu_dereference_protected(net->ct.nf_conntrack_event_cb,
					   lockdep_is_held(&nf_ct_ecache_mutex));
	WARN_ON_ONCE(notify);
	rcu_assign_pointer(net->ct.nf_conntrack_event_cb, new);
	mutex_unlock(&nf_ct_ecache_mutex);
}
EXPORT_SYMBOL_GPL(nf_conntrack_register_notifier);

void nf_conntrack_unregister_notifier(struct net *net)
{
	mutex_lock(&nf_ct_ecache_mutex);
	RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);
	mutex_unlock(&nf_ct_ecache_mutex);
	/* synchronize_rcu() is called after netns pre_exit */
}
EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);

void nf_conntrack_ecache_work(struct net *net, enum nf_ct_ecache_state state)
{
	struct nf_conntrack_net *cnet = nf_ct_pernet(net);

	if (state == NFCT_ECACHE_DESTROY_FAIL &&
	    !delayed_work_pending(&cnet->ecache.dwork)) {
		schedule_delayed_work(&cnet->ecache.dwork, HZ);
		net->ct.ecache_dwork_pending = true;
	} else if (state == NFCT_ECACHE_DESTROY_SENT) {
		if (!hlist_nulls_empty(&cnet->ecache.dying_list))
			mod_delayed_work(system_wq, &cnet->ecache.dwork, 0);
		else
			net->ct.ecache_dwork_pending = false;
	}
}

bool nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp)
{
	struct net *net = nf_ct_net(ct);
	struct nf_conntrack_ecache *e;

	switch (net->ct.sysctl_events) {
	case 0:
		 /* assignment via template / ruleset? ignore sysctl. */
		if (ctmask || expmask)
			break;
		return true;
	case 2: /* autodetect: no event listener, don't allocate extension. */
		if (!READ_ONCE(net->ct.ctnetlink_has_listener))
			return true;
		fallthrough;
	case 1:
		/* always allocate an extension. */
		if (!ctmask && !expmask) {
			ctmask = ~0;
			expmask = ~0;
		}
		break;
	default:
		WARN_ON_ONCE(1);
		return true;
	}

	e = nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp);
	if (e) {
		e->ctmask  = ctmask;
		e->expmask = expmask;
	}

	return e != NULL;
}
EXPORT_SYMBOL_GPL(nf_ct_ecache_ext_add);

#define NF_CT_EVENTS_DEFAULT 2
static int nf_ct_events __read_mostly = NF_CT_EVENTS_DEFAULT;

void nf_conntrack_ecache_pernet_init(struct net *net)
{
	struct nf_conntrack_net *cnet = nf_ct_pernet(net);

	net->ct.sysctl_events = nf_ct_events;

	INIT_DELAYED_WORK(&cnet->ecache.dwork, ecache_work);
	INIT_HLIST_NULLS_HEAD(&cnet->ecache.dying_list, DYING_NULLS_VAL);
	spin_lock_init(&cnet->ecache.dying_lock);

	BUILD_BUG_ON(__IPCT_MAX >= 16);	/* e->ctmask is u16 */
}

void nf_conntrack_ecache_pernet_fini(struct net *net)
{
	struct nf_conntrack_net *cnet = nf_ct_pernet(net);

	cancel_delayed_work_sync(&cnet->ecache.dwork);
}
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
f6180121 MJ	2	/* Event cache for netfilter. */
f6180121 MJ	3
f229f6ce PM	4	/*
	5	* (C) 2005 Harald Welte <laforge@gnumonks.org>
	6	* (C) 2005 Patrick McHardy <kaber@trash.net>
	7	* (C) 2005-2006 Netfilter Core Team <coreteam@netfilter.org>
	8	* (C) 2005 USAGI/WIDE Project <http://www.linux-ipv6.org>
f6180121 MJ	9	*/
f6180121 MJ	10
5191d70f AS	11	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
5191d70f AS	12
f6180121 MJ	13	#include <linux/types.h>
	14	#include <linux/netfilter.h>
	15	#include <linux/skbuff.h>
	16	#include <linux/vmalloc.h>
	17	#include <linux/stddef.h>
	18	#include <linux/err.h>
f6180121 MJ	19	#include <linux/kernel.h>
f6180121 MJ	20	#include <linux/netdevice.h>
5a0e3ad6	21	#include <linux/slab.h>
bc3b2d7f	22	#include <linux/export.h>
f6180121 MJ	23
f6180121 MJ	24	#include <net/netfilter/nf_conntrack.h>
f6180121	25	#include <net/netfilter/nf_conntrack_core.h>
40d102cd	26	#include <net/netfilter/nf_conntrack_ecache.h>
a0891aa6	27	#include <net/netfilter/nf_conntrack_extend.h>
f6180121	28
e34d5c1a	29	static DEFINE_MUTEX(nf_ct_ecache_mutex);
13b18339	30
2ed3bf18 FW	31	#define DYING_NULLS_VAL ((1 << 30) + 1)
	32	#define ECACHE_MAX_JIFFIES msecs_to_jiffies(10)
	33	#define ECACHE_RETRY_JIFFIES msecs_to_jiffies(10)
9500507c FW	34
	35	enum retry_state {
	36	STATE_CONGESTED,
	37	STATE_RESTART,
	38	STATE_DONE,
	39	};
	40
0d3cc504 FW	41	struct nf_conntrack_net_ecache nf_conn_pernet_ecache(const struct net net)
	42	{
	43	struct nf_conntrack_net *cnet = nf_ct_pernet(net);
	44
	45	return &cnet->ecache;
	46	}
	47	#if IS_MODULE(CONFIG_NF_CT_NETLINK)
	48	EXPORT_SYMBOL_GPL(nf_conn_pernet_ecache);
	49	#endif
	50
2ed3bf18	51	static enum retry_state ecache_work_evict_list(struct nf_conntrack_net *cnet)
9500507c	52	{
2ed3bf18 FW	53	unsigned long stop = jiffies + ECACHE_MAX_JIFFIES;
2ed3bf18 FW	54	struct hlist_nulls_head evicted_list;
63f55acf	55	enum retry_state ret = STATE_DONE;
9500507c FW	56	struct nf_conntrack_tuple_hash *h;
9500507c FW	57	struct hlist_nulls_node *n;
2ed3bf18	58	unsigned int sent;
9500507c	59
2ed3bf18	60	INIT_HLIST_NULLS_HEAD(&evicted_list, DYING_NULLS_VAL);
9500507c	61
2ed3bf18 FW	62	next:
	63	sent = 0;
	64	spin_lock_bh(&cnet->ecache.dying_lock);
	65
	66	hlist_nulls_for_each_entry_safe(h, n, &cnet->ecache.dying_list, hnnode) {
9500507c	67	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
9500507c	68
2ed3bf18 FW	69	/* The worker owns all entries, ct remains valid until nf_ct_put
2ed3bf18 FW	70	* in the loop below.
63f55acf	71	*/
9500507c FW	72	if (nf_conntrack_event(IPCT_DESTROY, ct)) {
	73	ret = STATE_CONGESTED;
	74	break;
	75	}
	76
2ed3bf18 FW	77	hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
2ed3bf18 FW	78	hlist_nulls_add_head(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode, &evicted_list);
9500507c	79
2ed3bf18	80	if (time_after(stop, jiffies)) {
9500507c FW	81	ret = STATE_RESTART;
	82	break;
	83	}
2ed3bf18 FW	84
	85	if (sent++ > 16) {
	86	spin_unlock_bh(&cnet->ecache.dying_lock);
	87	cond_resched();
	88	goto next;
	89	}
9500507c FW	90	}
9500507c FW	91
2ed3bf18	92	spin_unlock_bh(&cnet->ecache.dying_lock);
9500507c	93
2ed3bf18 FW	94	hlist_nulls_for_each_entry_safe(h, n, &evicted_list, hnnode) {
	95	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
	96
2ed3bf18 FW	97	hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode);
	98	nf_ct_put(ct);
	99
	100	cond_resched();
	101	}
9500507c FW	102
	103	return ret;
	104	}
	105
	106	static void ecache_work(struct work_struct *work)
	107	{
9027ce0b	108	struct nf_conntrack_net *cnet = container_of(work, struct nf_conntrack_net, ecache.dwork.work);
2ed3bf18 FW	109	int ret, delay = -1;
	110
	111	ret = ecache_work_evict_list(cnet);
	112	switch (ret) {
	113	case STATE_CONGESTED:
	114	delay = ECACHE_RETRY_JIFFIES;
	115	break;
	116	case STATE_RESTART:
	117	delay = 0;
	118	break;
	119	case STATE_DONE:
	120	break;
9500507c FW	121	}
9500507c FW	122
9500507c	123	if (delay >= 0)
9027ce0b	124	schedule_delayed_work(&cnet->ecache.dwork, delay);
9500507c FW	125	}
9500507c FW	126
b3afdc17	127	static int __nf_conntrack_eventmask_report(struct nf_conntrack_ecache *e,
8dd8678e FW	128	const u32 events,
8dd8678e FW	129	const u32 missed,
b3afdc17	130	const struct nf_ct_event *item)
3c435e2e	131	{
b3afdc17	132	struct net *net = nf_ct_net(item->ct);
3c435e2e	133	struct nf_ct_event_notifier *notify;
8dd8678e	134	u32 old, want;
b3afdc17 FW	135	int ret;
	136
	137	if (!((events \| missed) & e->ctmask))
	138	return 0;
	139
	140	rcu_read_lock();
	141
	142	notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
	143	if (!notify) {
	144	rcu_read_unlock();
	145	return 0;
	146	}
	147
b86c0e64	148	ret = notify->ct_event(events \| missed, item);
b3afdc17 FW	149	rcu_read_unlock();
	150
	151	if (likely(ret >= 0 && missed == 0))
	152	return 0;
	153
8dd8678e FW	154	do {
	155	old = READ_ONCE(e->missed);
	156	if (ret < 0)
	157	want = old \| events;
	158	else
	159	want = old & ~missed;
	160	} while (cmpxchg(&e->missed, old, want) != old);
b3afdc17 FW	161
	162	return ret;
	163	}
	164
	165	int nf_conntrack_eventmask_report(unsigned int events, struct nf_conn *ct,
	166	u32 portid, int report)
	167	{
3c435e2e	168	struct nf_conntrack_ecache *e;
478374a3	169	struct nf_ct_event item;
8dd8678e	170	unsigned int missed;
b3afdc17	171	int ret;
478374a3 FW	172
478374a3 FW	173	if (!nf_ct_is_confirmed(ct))
b3afdc17	174	return 0;
3c435e2e FW	175
	176	e = nf_ct_ecache_find(ct);
	177	if (!e)
b3afdc17	178	return 0;
3c435e2e	179
478374a3 FW	180	memset(&item, 0, sizeof(item));
	181
	182	item.ct = ct;
	183	item.portid = e->portid ? e->portid : portid;
	184	item.report = report;
	185
	186	/* This is a resent of a destroy event? If so, skip missed */
	187	missed = e->portid ? 0 : e->missed;
	188
b3afdc17 FW	189	ret = __nf_conntrack_eventmask_report(e, events, missed, &item);
	190	if (unlikely(ret < 0 && (events & (1 << IPCT_DESTROY)))) {
	191	/* This is a destroy event that has been triggered by a process,
	192	* we store the PORTID to include it in the retransmission.
9291f090	193	*/
b3afdc17 FW	194	if (e->portid == 0 && portid != 0)
b3afdc17 FW	195	e->portid = portid;
3c435e2e	196	}
9291f090	197
3c435e2e FW	198	return ret;
	199	}
	200	EXPORT_SYMBOL_GPL(nf_conntrack_eventmask_report);
	201
f6180121 MJ	202	/* deliver cached events and clear cache entry - must be called with locally
f6180121 MJ	203	* disabled softirqs */
a0891aa6	204	void nf_ct_deliver_cached_events(struct nf_conn *ct)
f6180121	205	{
a0891aa6	206	struct nf_conntrack_ecache *e;
58020f77	207	struct nf_ct_event item;
8dd8678e	208	unsigned int events;
e34d5c1a	209
ad88b7a6	210	if (!nf_ct_is_confirmed(ct) \|\| nf_ct_is_dying(ct))
b3afdc17	211	return;
ad88b7a6	212
a0891aa6 PNA	213	e = nf_ct_ecache_find(ct);
a0891aa6 PNA	214	if (e == NULL)
b3afdc17	215	return;
a0891aa6 PNA	216
	217	events = xchg(&e->cache, 0);
	218
58020f77	219	item.ct = ct;
15e47304	220	item.portid = 0;
58020f77 TZ	221	item.report = 0;
58020f77 TZ	222
b3afdc17 FW	223	/* We make a copy of the missed event cache without taking
	224	* the lock, thus we may send missed events twice. However,
	225	* this does not harm and it happens very rarely.
	226	*/
	227	__nf_conntrack_eventmask_report(e, events, e->missed, &item);
f6180121	228	}
13b18339	229	EXPORT_SYMBOL_GPL(nf_ct_deliver_cached_events);
f6180121	230
ecdfb48c FW	231	void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
	232	struct nf_conntrack_expect *exp,
	233	u32 portid, int report)
	234
	235	{
	236	struct net *net = nf_ct_exp_net(exp);
bd1431db	237	struct nf_ct_event_notifier *notify;
ecdfb48c FW	238	struct nf_conntrack_ecache *e;
	239
	240	rcu_read_lock();
bd1431db	241	notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
ecdfb48c FW	242	if (!notify)
	243	goto out_unlock;
	244
	245	e = nf_ct_ecache_find(exp->master);
	246	if (!e)
	247	goto out_unlock;
	248
	249	if (e->expmask & (1 << event)) {
	250	struct nf_exp_event item = {
	251	.exp = exp,
	252	.portid = portid,
	253	.report = report
	254	};
b86c0e64	255	notify->exp_event(1 << event, &item);
ecdfb48c FW	256	}
	257	out_unlock:
	258	rcu_read_unlock();
	259	}
	260
b86c0e64 FW	261	void nf_conntrack_register_notifier(struct net *net,
b86c0e64 FW	262	const struct nf_ct_event_notifier *new)
010c7d6f	263	{
b56f2d55	264	struct nf_ct_event_notifier *notify;
e34d5c1a PNA	265
e34d5c1a PNA	266	mutex_lock(&nf_ct_ecache_mutex);
70e9942f	267	notify = rcu_dereference_protected(net->ct.nf_conntrack_event_cb,
b56f2d55	268	lockdep_is_held(&nf_ct_ecache_mutex));
b86c0e64	269	WARN_ON_ONCE(notify);
cf778b00	270	rcu_assign_pointer(net->ct.nf_conntrack_event_cb, new);
e34d5c1a	271	mutex_unlock(&nf_ct_ecache_mutex);
010c7d6f PM	272	}
	273	EXPORT_SYMBOL_GPL(nf_conntrack_register_notifier);
	274
b86c0e64	275	void nf_conntrack_unregister_notifier(struct net *net)
010c7d6f	276	{
e34d5c1a	277	mutex_lock(&nf_ct_ecache_mutex);
70e9942f	278	RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);
e34d5c1a	279	mutex_unlock(&nf_ct_ecache_mutex);
bd1431db	280	/* synchronize_rcu() is called after netns pre_exit */
010c7d6f PM	281	}
	282	EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);
	283
1379940b FW	284	void nf_conntrack_ecache_work(struct net *net, enum nf_ct_ecache_state state)
1379940b FW	285	{
0418b989	286	struct nf_conntrack_net *cnet = nf_ct_pernet(net);
1379940b FW	287
1379940b FW	288	if (state == NFCT_ECACHE_DESTROY_FAIL &&
9027ce0b FW	289	!delayed_work_pending(&cnet->ecache.dwork)) {
9027ce0b FW	290	schedule_delayed_work(&cnet->ecache.dwork, HZ);
1379940b FW	291	net->ct.ecache_dwork_pending = true;
1379940b FW	292	} else if (state == NFCT_ECACHE_DESTROY_SENT) {
2ed3bf18 FW	293	if (!hlist_nulls_empty(&cnet->ecache.dying_list))
	294	mod_delayed_work(system_wq, &cnet->ecache.dwork, 0);
	295	else
	296	net->ct.ecache_dwork_pending = false;
1379940b FW	297	}
	298	}
	299
b0a7ab4a FW	300	bool nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp)
	301	{
	302	struct net *net = nf_ct_net(ct);
	303	struct nf_conntrack_ecache *e;
	304
90d1daa4 FW	305	switch (net->ct.sysctl_events) {
	306	case 0:
	307	/* assignment via template / ruleset? ignore sysctl. */
	308	if (ctmask \|\| expmask)
	309	break;
	310	return true;
	311	case 2: /* autodetect: no event listener, don't allocate extension. */
	312	if (!READ_ONCE(net->ct.ctnetlink_has_listener))
	313	return true;
	314	fallthrough;
	315	case 1:
	316	/* always allocate an extension. */
	317	if (!ctmask && !expmask) {
	318	ctmask = ~0;
	319	expmask = ~0;
	320	}
	321	break;
	322	default:
	323	WARN_ON_ONCE(1);
	324	return true;
b0a7ab4a	325	}
b0a7ab4a FW	326
	327	e = nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp);
	328	if (e) {
	329	e->ctmask = ctmask;
	330	e->expmask = expmask;
	331	}
	332
	333	return e != NULL;
	334	}
	335	EXPORT_SYMBOL_GPL(nf_ct_ecache_ext_add);
	336
90d1daa4	337	#define NF_CT_EVENTS_DEFAULT 2
a0891aa6 PNA	338	static int nf_ct_events __read_mostly = NF_CT_EVENTS_DEFAULT;
a0891aa6 PNA	339
fc3893fd	340	void nf_conntrack_ecache_pernet_init(struct net *net)
a0891aa6	341	{
0418b989	342	struct nf_conntrack_net *cnet = nf_ct_pernet(net);
1379940b	343
a0891aa6	344	net->ct.sysctl_events = nf_ct_events;
9027ce0b	345
9027ce0b	346	INIT_DELAYED_WORK(&cnet->ecache.dwork, ecache_work);
2ed3bf18 FW	347	INIT_HLIST_NULLS_HEAD(&cnet->ecache.dying_list, DYING_NULLS_VAL);
2ed3bf18 FW	348	spin_lock_init(&cnet->ecache.dying_lock);
1015c3de	349
8dd8678e	350	BUILD_BUG_ON(__IPCT_MAX >= 16); /* e->ctmask is u16 */
3fe0f943	351	}
a0891aa6	352
3fe0f943 G	353	void nf_conntrack_ecache_pernet_fini(struct net *net)
3fe0f943 G	354	{
0418b989	355	struct nf_conntrack_net *cnet = nf_ct_pernet(net);
1379940b	356
9027ce0b	357	cancel_delayed_work_sync(&cnet->ecache.dwork);
3fe0f943	358	}