Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 54b07dca authored by Jan Engelhardt's avatar Jan Engelhardt Committed by Pablo Neira Ayuso
Browse files

netfilter: provide config option to disable ancient procfs parts 



Using /proc/net/nf_conntrack has been deprecated in favour of the
conntrack(8) tool.

Signed-off-by: default avatarJan Engelhardt <jengelh@medozas.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 42c344a3

net/ipv4/netfilter/Kconfig

+1 −1
Original line number Diff line number Diff line
@@ -27,7 +27,7 @@ config NF_CONNTRACK_IPV4 


config NF_CONNTRACK_PROC_COMPAT

	bool "proc/sysctl compatibility with old connection tracking"

	depends on NF_CONNTRACK_IPV4

	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4

	default y

	help

	  This option enables /proc and sysctl compatibility with the old

net/netfilter/Kconfig

+10 −0
Original line number Diff line number Diff line
@@ -83,6 +83,16 @@ config NF_CONNTRACK_ZONES 


	  If unsure, say `N'.



config NF_CONNTRACK_PROCFS

	bool "Supply CT list in procfs (OBSOLETE)"

	default y

	depends on PROC_FS

	---help---

	This option enables for the list of known conntrack entries

	to be shown in procfs under net/netfilter/nf_conntrack. This

	is considered obsolete in favor of using the conntrack(8)

	tool which uses Netlink.



config NF_CONNTRACK_EVENTS

	bool "Connection tracking events"

	depends on NETFILTER_ADVANCED

net/netfilter/nf_conntrack_expect.c

+6 −6
Original line number Diff line number Diff line
@@ -455,7 +455,7 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, 
}

EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);



#ifdef CONFIG_PROC_FS

#ifdef CONFIG_NF_CONNTRACK_PROCFS

struct ct_expect_iter_state {

	struct seq_net_private p;

	unsigned int bucket;
@@ -583,25 +583,25 @@ static const struct file_operations exp_file_ops = { 
	.llseek  = seq_lseek,

	.release = seq_release_net,

};

#endif /* CONFIG_PROC_FS */

#endif /* CONFIG_NF_CONNTRACK_PROCFS */



static int exp_proc_init(struct net *net)

{

#ifdef CONFIG_PROC_FS

#ifdef CONFIG_NF_CONNTRACK_PROCFS

	struct proc_dir_entry *proc;



	proc = proc_net_fops_create(net, "nf_conntrack_expect", 0440, &exp_file_ops);

	if (!proc)

		return -ENOMEM;

#endif /* CONFIG_PROC_FS */

#endif /* CONFIG_NF_CONNTRACK_PROCFS */

	return 0;

}



static void exp_proc_remove(struct net *net)

{

#ifdef CONFIG_PROC_FS

#ifdef CONFIG_NF_CONNTRACK_PROCFS

	proc_net_remove(net, "nf_conntrack_expect");

#endif /* CONFIG_PROC_FS */

#endif /* CONFIG_NF_CONNTRACK_PROCFS */

}



module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);

net/netfilter/nf_conntrack_standalone.c

+2 −2
Original line number Diff line number Diff line
@@ -34,7 +34,7 @@ 


MODULE_LICENSE("GPL");



#ifdef CONFIG_PROC_FS

#ifdef CONFIG_NF_CONNTRACK_PROCFS

int

print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,

            const struct nf_conntrack_l3proto *l3proto,
@@ -396,7 +396,7 @@ static int nf_conntrack_standalone_init_proc(struct net *net) 
static void nf_conntrack_standalone_fini_proc(struct net *net)

{

}

#endif /* CONFIG_PROC_FS */

#endif /* CONFIG_NF_CONNTRACK_PROCFS */



/* Sysctl support */