netfilter: conntrack: add nf_conntrack_events autodetect mode

This adds the new nf_conntrack_events=2 mode and makes it the
default.

This leverages the earlier flag in struct net to allow to avoid
the event extension as long as no event listener is active in
the namespace.

This avoids, for most cases, allocation of ct->ext area.
A followup patch will take further advantage of this by avoiding
calls down into the event framework if the extension isn't present.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst
index 311128a..834945e 100644 (file)
--- a/Documentation/networking/nf_conntrack-sysctl.rst
+++ b/Documentation/networking/nf_conntrack-sysctl.rst
@@ -34,10 +34,13 @@ nf_conntrack_count - INTEGER (read-only)
 
 nf_conntrack_events - BOOLEAN
        - 0 - disabled
-       - not 0 - enabled (default)
+       - 1 - enabled
+       - 2 - auto (default)
 
        If this option is enabled, the connection tracking code will
        provide userspace with connection tracking events via ctnetlink.
+       The default allocates the extension if a userspace program is
+       listening to ctnetlink events.
 
 nf_conntrack_expect_max - INTEGER
        Maximum size of expectation table.  Default value is

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 7b078ec..082a2fd 100644 (file)
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1736,7 +1736,8 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
        ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL;
 
-       if (!nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,
+       if ((ecache || net->ct.sysctl_events) &&
+           !nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,
                                  ecache ? ecache->expmask : 0,
                                  GFP_ATOMIC)) {
                nf_conntrack_free(ct);

diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index 2f0b52f..8698b34 100644 (file)
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -302,12 +302,27 @@ bool nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp
        struct net *net = nf_ct_net(ct);
        struct nf_conntrack_ecache *e;
 
-       if (!ctmask && !expmask && net->ct.sysctl_events) {
-               ctmask = ~0;
-               expmask = ~0;
+       switch (net->ct.sysctl_events) {
+       case 0:
+                /* assignment via template / ruleset? ignore sysctl. */
+               if (ctmask || expmask)
+                       break;
+               return true;
+       case 2: /* autodetect: no event listener, don't allocate extension. */
+               if (!READ_ONCE(net->ct.ctnetlink_has_listener))
+                       return true;
+               fallthrough;
+       case 1:
+               /* always allocate an extension. */
+               if (!ctmask && !expmask) {
+                       ctmask = ~0;
+                       expmask = ~0;
+               }
+               break;
+       default:
+               WARN_ON_ONCE(1);
+               return true;
        }
-       if (!ctmask && !expmask)
-               return false;
 
        e = nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp);
        if (e) {
@@ -319,7 +334,7 @@ bool nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp
 }
 EXPORT_SYMBOL_GPL(nf_ct_ecache_ext_add);
 
-#define NF_CT_EVENTS_DEFAULT 1
+#define NF_CT_EVENTS_DEFAULT 2
 static int nf_ct_events __read_mostly = NF_CT_EVENTS_DEFAULT;
 
 void nf_conntrack_ecache_pernet_init(struct net *net)

diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 3e1afd1..948884d 100644 (file)
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -693,7 +693,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dou8vec_minmax,
                .extra1         = SYSCTL_ZERO,
-               .extra2         = SYSCTL_ONE,
+               .extra2         = SYSCTL_TWO,
        },
 #endif
 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP