netfilter: conntrack: add nf_conntrack_events autodetect mode

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2111270
Upstream Status: commit 90d1daa

Changes: SYSCTL_TWO macro does not exist in cs9.

commit 90d1daa
Author: Florian Westphal <[email protected]>
Date:   Mon Apr 25 15:15:43 2022 +0200

    netfilter: conntrack: add nf_conntrack_events autodetect mode

    This adds the new nf_conntrack_events=2 mode and makes it the
    default.

    This leverages the earlier flag in struct net to allow to avoid
    the event extension as long as no event listener is active in
    the namespace.

    This avoids, for most cases, allocation of ct->ext area.
    A followup patch will take further advantage of this by avoiding
    calls down into the event framework if the extension isn't present.

    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>

Signed-off-by: Florian Westphal <[email protected]>

Author: fw-strlen

Documentation/networking/nf_conntrack-sysctl.rst

@@ -34,10 +34,13 @@ nf_conntrack_count - INTEGER (read-only)
 
 nf_conntrack_events - BOOLEAN
 	- 0 - disabled
-	- not 0 - enabled (default)
+	- 1 - enabled
+	- 2 - auto (default)
 
 	If this option is enabled, the connection tracking code will
 	provide userspace with connection tracking events via ctnetlink.
+	The default allocates the extension if a userspace program is
+	listening to ctnetlink events.
 
 nf_conntrack_expect_max - INTEGER
 	Maximum size of expectation table.  Default value is

net/netfilter/nf_conntrack_core.c

@@ -1747,7 +1747,8 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 	ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL;
 
-	if (!nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,
+	if ((ecache || net->ct.sysctl_events) &&
+	    !nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,
 				  ecache ? ecache->expmask : 0,
 				  GFP_ATOMIC)) {
 		nf_conntrack_free(ct);

net/netfilter/nf_conntrack_ecache.c

@@ -302,12 +302,27 @@ bool nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp
 	struct net *net = nf_ct_net(ct);
 	struct nf_conntrack_ecache *e;
 
-	if (!ctmask && !expmask && net->ct.sysctl_events) {
-		ctmask = ~0;
-		expmask = ~0;
+	switch (net->ct.sysctl_events) {
+	case 0:
+		 /* assignment via template / ruleset? ignore sysctl. */
+		if (ctmask || expmask)
+			break;
+		return true;
+	case 2: /* autodetect: no event listener, don't allocate extension. */
+		if (!READ_ONCE(net->ct.ctnetlink_has_listener))
+			return true;
+		fallthrough;
+	case 1:
+		/* always allocate an extension. */
+		if (!ctmask && !expmask) {
+			ctmask = ~0;
+			expmask = ~0;
+		}
+		break;
+	default:
+		WARN_ON_ONCE(1);
+		return true;
 	}
-	if (!ctmask && !expmask)
-		return false;
 
 	e = nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp);
 	if (e) {
@@ -319,7 +334,7 @@ bool nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp
 }
 EXPORT_SYMBOL_GPL(nf_ct_ecache_ext_add);
 
-#define NF_CT_EVENTS_DEFAULT 1
+#define NF_CT_EVENTS_DEFAULT 2
 static int nf_ct_events __read_mostly = NF_CT_EVENTS_DEFAULT;
 
 void nf_conntrack_ecache_pernet_init(struct net *net)

net/netfilter/nf_conntrack_standalone.c

@@ -619,6 +619,10 @@ enum nf_ct_sysctl_index {
 	__NF_SYSCTL_CT_LAST_SYSCTL,
 };
 
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+static const int two = 2;
+#endif
+
 #define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1)
 
 static struct ctl_table nf_ct_sysctl_table[] = {
@@ -690,7 +694,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dou8vec_minmax,
 		.extra1 	= SYSCTL_ZERO,
-		.extra2 	= SYSCTL_ONE,
+		.extra2		= (void *)&two,
 	},
 #endif
 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP