net/netfilter/nf_conntrack_expect.c

   1 /* Expectation handling for nf_conntrack. */
   2
   3 /* (C) 1999-2001 Paul `Rusty' Russell
   4  * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
   5  * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
   6  * (c) 2005-2012 Patrick McHardy <kaber@trash.net>
   7  *
   8  * This program is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License version 2 as
  10  * published by the Free Software Foundation.
  11  */
  12
  13 #include <linux/types.h>
  14 #include <linux/netfilter.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/proc_fs.h>
  17 #include <linux/seq_file.h>
  18 #include <linux/stddef.h>
  19 #include <linux/slab.h>
  20 #include <linux/err.h>
  21 #include <linux/percpu.h>
  22 #include <linux/kernel.h>
  23 #include <linux/jhash.h>
  24 #include <linux/moduleparam.h>
  25 #include <linux/export.h>
  26 #include <net/net_namespace.h>
  27
  28 #include <net/netfilter/nf_conntrack.h>
  29 #include <net/netfilter/nf_conntrack_core.h>
  30 #include <net/netfilter/nf_conntrack_expect.h>
  31 #include <net/netfilter/nf_conntrack_helper.h>
  32 #include <net/netfilter/nf_conntrack_tuple.h>
  33 #include <net/netfilter/nf_conntrack_zones.h>
  34
  35 unsigned int nf_ct_expect_hsize __read_mostly;
  36 EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
  37
  38 unsigned int nf_ct_expect_max __read_mostly;
  39
  40 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
  41
  42 /* nf_conntrack_expect helper functions */
  43 void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
  44                                 u32 portid, int report)
  45 {
  46         struct nf_conn_help *master_help = nfct_help(exp->master);
  47         struct net *net = nf_ct_exp_net(exp);
  48
  49         NF_CT_ASSERT(master_help);
  50         NF_CT_ASSERT(!timer_pending(&exp->timeout));
  51
  52         hlist_del_rcu(&exp->hnode);
  53         net->ct.expect_count--;
  54
  55         hlist_del(&exp->lnode);
  56         master_help->expecting[exp->class]--;
  57
  58         nf_ct_expect_event_report(IPEXP_DESTROY, exp, portid, report);
  59         nf_ct_expect_put(exp);
  60
  61         NF_CT_STAT_INC(net, expect_delete);
  62 }
  63 EXPORT_SYMBOL_GPL(nf_ct_unlink_expect_report);
  64
  65 static void nf_ct_expectation_timed_out(unsigned long ul_expect)
  66 {
  67         struct nf_conntrack_expect *exp = (void *)ul_expect;
  68
  69         spin_lock_bh(&nf_conntrack_lock);
  70         nf_ct_unlink_expect(exp);
  71         spin_unlock_bh(&nf_conntrack_lock);
  72         nf_ct_expect_put(exp);
  73 }
  74
  75 static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
  76 {
  77         unsigned int hash;
  78
  79         if (unlikely(!nf_conntrack_hash_rnd)) {
  80                 init_nf_conntrack_hash_rnd();
  81         }
  82
  83         hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
  84                       (((tuple->dst.protonum ^ tuple->src.l3num) << 16) |
  85                        (__force __u16)tuple->dst.u.all) ^ nf_conntrack_hash_rnd);
  86         return ((u64)hash * nf_ct_expect_hsize) >> 32;
  87 }
  88
  89 struct nf_conntrack_expect *
  90 __nf_ct_expect_find(struct net *net, u16 zone,
  91                     const struct nf_conntrack_tuple *tuple)
  92 {
  93         struct nf_conntrack_expect *i;
  94         unsigned int h;
  95
  96         if (!net->ct.expect_count)
  97                 return NULL;
  98
  99         h = nf_ct_expect_dst_hash(tuple);
 100         hlist_for_each_entry_rcu(i, &net->ct.expect_hash[h], hnode) {
 101                 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
 102                     nf_ct_zone(i->master) == zone)
 103                         return i;
 104         }
 105         return NULL;
 106 }
 107 EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
 108
 109 /* Just find a expectation corresponding to a tuple. */
 110 struct nf_conntrack_expect *
 111 nf_ct_expect_find_get(struct net *net, u16 zone,
 112                       const struct nf_conntrack_tuple *tuple)
 113 {
 114         struct nf_conntrack_expect *i;
 115
 116         rcu_read_lock();
 117         i = __nf_ct_expect_find(net, zone, tuple);
 118         if (i && !atomic_inc_not_zero(&i->use))
 119                 i = NULL;
 120         rcu_read_unlock();
 121
 122         return i;
 123 }
 124 EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
 125
 126 /* If an expectation for this connection is found, it gets delete from
 127  * global list then returned. */
 128 struct nf_conntrack_expect *
 129 nf_ct_find_expectation(struct net *net, u16 zone,
 130                        const struct nf_conntrack_tuple *tuple)
 131 {
 132         struct nf_conntrack_expect *i, *exp = NULL;
 133         unsigned int h;
 134
 135         if (!net->ct.expect_count)
 136                 return NULL;
 137
 138         h = nf_ct_expect_dst_hash(tuple);
 139         hlist_for_each_entry(i, &net->ct.expect_hash[h], hnode) {
 140                 if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
 141                     nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
 142                     nf_ct_zone(i->master) == zone) {
 143                         exp = i;
 144                         break;
 145                 }
 146         }
 147         if (!exp)
 148                 return NULL;
 149
 150         /* If master is not in hash table yet (ie. packet hasn't left
 151            this machine yet), how can other end know about expected?
 152            Hence these are not the droids you are looking for (if
 153            master ct never got confirmed, we'd hold a reference to it
 154            and weird things would happen to future packets). */
 155         if (!nf_ct_is_confirmed(exp->master))
 156                 return NULL;
 157
 158         if (exp->flags & NF_CT_EXPECT_PERMANENT) {
 159                 atomic_inc(&exp->use);
 160                 return exp;
 161         } else if (del_timer(&exp->timeout)) {
 162                 nf_ct_unlink_expect(exp);
 163                 return exp;
 164         }
 165
 166         return NULL;
 167 }
 168
 169 /* delete all expectations for this conntrack */
 170 void nf_ct_remove_expectations(struct nf_conn *ct)
 171 {
 172         struct nf_conn_help *help = nfct_help(ct);
 173         struct nf_conntrack_expect *exp;
 174         struct hlist_node *next;
 175
 176         /* Optimization: most connection never expect any others. */
 177         if (!help)
 178                 return;
 179
 180         hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
 181                 if (del_timer(&exp->timeout)) {
 182                         nf_ct_unlink_expect(exp);
 183                         nf_ct_expect_put(exp);
 184                 }
 185         }
 186 }
 187 EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
 188
 189 /* Would two expected things clash? */
 190 static inline int expect_clash(const struct nf_conntrack_expect *a,
 191                                const struct nf_conntrack_expect *b)
 192 {
 193         /* Part covered by intersection of masks must be unequal,
 194            otherwise they clash */
 195         struct nf_conntrack_tuple_mask intersect_mask;
 196         int count;
 197
 198         intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
 199
 200         for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
 201                 intersect_mask.src.u3.all[count] =
 202                         a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
 203         }
 204
 205         return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
 206 }
 207
 208 static inline int expect_matches(const struct nf_conntrack_expect *a,
 209                                  const struct nf_conntrack_expect *b)
 210 {
 211         return a->master == b->master && a->class == b->class &&
 212                 nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
 213                 nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
 214                 nf_ct_zone(a->master) == nf_ct_zone(b->master);
 215 }
 216
 217 /* Generally a bad idea to call this: could have matched already. */
 218 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
 219 {
 220         spin_lock_bh(&nf_conntrack_lock);
 221         if (del_timer(&exp->timeout)) {
 222                 nf_ct_unlink_expect(exp);
 223                 nf_ct_expect_put(exp);
 224         }
 225         spin_unlock_bh(&nf_conntrack_lock);
 226 }
 227 EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);
 228
 229 /* We don't increase the master conntrack refcount for non-fulfilled
 230  * conntracks. During the conntrack destruction, the expectations are
 231  * always killed before the conntrack itself */
 232 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
 233 {
 234         struct nf_conntrack_expect *new;
 235
 236         new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
 237         if (!new)
 238                 return NULL;
 239
 240         new->master = me;
 241         atomic_set(&new->use, 1);
 242         return new;
 243 }
 244 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 245
 246 void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
 247                        u_int8_t family,
 248                        const union nf_inet_addr *saddr,
 249                        const union nf_inet_addr *daddr,
 250                        u_int8_t proto, const __be16 *src, const __be16 *dst)
 251 {
 252         int len;
 253
 254         if (family == AF_INET)
 255                 len = 4;
 256         else
 257                 len = 16;
 258
 259         exp->flags = 0;
 260         exp->class = class;
 261         exp->expectfn = NULL;
 262         exp->helper = NULL;
 263         exp->tuple.src.l3num = family;
 264         exp->tuple.dst.protonum = proto;
 265
 266         if (saddr) {
 267                 memcpy(&exp->tuple.src.u3, saddr, len);
 268                 if (sizeof(exp->tuple.src.u3) > len)
 269                         /* address needs to be cleared for nf_ct_tuple_equal */
 270                         memset((void *)&exp->tuple.src.u3 + len, 0x00,
 271                                sizeof(exp->tuple.src.u3) - len);
 272                 memset(&exp->mask.src.u3, 0xFF, len);
 273                 if (sizeof(exp->mask.src.u3) > len)
 274                         memset((void *)&exp->mask.src.u3 + len, 0x00,
 275                                sizeof(exp->mask.src.u3) - len);
 276         } else {
 277                 memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
 278                 memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
 279         }
 280
 281         if (src) {
 282                 exp->tuple.src.u.all = *src;
 283                 exp->mask.src.u.all = htons(0xFFFF);
 284         } else {
 285                 exp->tuple.src.u.all = 0;
 286                 exp->mask.src.u.all = 0;
 287         }
 288
 289         memcpy(&exp->tuple.dst.u3, daddr, len);
 290         if (sizeof(exp->tuple.dst.u3) > len)
 291                 /* address needs to be cleared for nf_ct_tuple_equal */
 292                 memset((void *)&exp->tuple.dst.u3 + len, 0x00,
 293                        sizeof(exp->tuple.dst.u3) - len);
 294
 295         exp->tuple.dst.u.all = *dst;
 296 }
 297 EXPORT_SYMBOL_GPL(nf_ct_expect_init);
 298
 299 static void nf_ct_expect_free_rcu(struct rcu_head *head)
 300 {
 301         struct nf_conntrack_expect *exp;
 302
 303         exp = container_of(head, struct nf_conntrack_expect, rcu);
 304         kmem_cache_free(nf_ct_expect_cachep, exp);
 305 }
 306
 307 void nf_ct_expect_put(struct nf_conntrack_expect *exp)
 308 {
 309         if (atomic_dec_and_test(&exp->use))
 310                 call_rcu(&exp->rcu, nf_ct_expect_free_rcu);
 311 }
 312 EXPORT_SYMBOL_GPL(nf_ct_expect_put);
 313
 314 static int nf_ct_expect_insert(struct nf_conntrack_expect *exp)
 315 {
 316         struct nf_conn_help *master_help = nfct_help(exp->master);
 317         struct nf_conntrack_helper *helper;
 318         struct net *net = nf_ct_exp_net(exp);
 319         unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
 320
 321         /* two references : one for hash insert, one for the timer */
 322         atomic_add(2, &exp->use);
 323
 324         hlist_add_head(&exp->lnode, &master_help->expectations);
 325         master_help->expecting[exp->class]++;
 326
 327         hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]);
 328         net->ct.expect_count++;
 329
 330         setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
 331                     (unsigned long)exp);
 332         helper = rcu_dereference_protected(master_help->helper,
 333                                            lockdep_is_held(&nf_conntrack_lock));
 334         if (helper) {
 335                 exp->timeout.expires = jiffies +
 336                         helper->expect_policy[exp->class].timeout * HZ;
 337         }
 338         add_timer(&exp->timeout);
 339
 340         NF_CT_STAT_INC(net, expect_create);
 341         return 0;
 342 }
 343
 344 /* Race with expectations being used means we could have none to find; OK. */
 345 static void evict_oldest_expect(struct nf_conn *master,
 346                                 struct nf_conntrack_expect *new)
 347 {
 348         struct nf_conn_help *master_help = nfct_help(master);
 349         struct nf_conntrack_expect *exp, *last = NULL;
 350
 351         hlist_for_each_entry(exp, &master_help->expectations, lnode) {
 352                 if (exp->class == new->class)
 353                         last = exp;
 354         }
 355
 356         if (last && del_timer(&last->timeout)) {
 357                 nf_ct_unlink_expect(last);
 358                 nf_ct_expect_put(last);
 359         }
 360 }
 361
 362 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 363 {
 364         const struct nf_conntrack_expect_policy *p;
 365         struct nf_conntrack_expect *i;
 366         struct nf_conn *master = expect->master;
 367         struct nf_conn_help *master_help = nfct_help(master);
 368         struct nf_conntrack_helper *helper;
 369         struct net *net = nf_ct_exp_net(expect);
 370         struct hlist_node *next;
 371         unsigned int h;
 372         int ret = 1;
 373
 374         if (!master_help) {
 375                 ret = -ESHUTDOWN;
 376                 goto out;
 377         }
 378         h = nf_ct_expect_dst_hash(&expect->tuple);
 379         hlist_for_each_entry_safe(i, next, &net->ct.expect_hash[h], hnode) {
 380                 if (expect_matches(i, expect)) {
 381                         if (del_timer(&i->timeout)) {
 382                                 nf_ct_unlink_expect(i);
 383                                 nf_ct_expect_put(i);
 384                                 break;
 385                         }
 386                 } else if (expect_clash(i, expect)) {
 387                         ret = -EBUSY;
 388                         goto out;
 389                 }
 390         }
 391         /* Will be over limit? */
 392         helper = rcu_dereference_protected(master_help->helper,
 393                                            lockdep_is_held(&nf_conntrack_lock));
 394         if (helper) {
 395                 p = &helper->expect_policy[expect->class];
 396                 if (p->max_expected &&
 397                     master_help->expecting[expect->class] >= p->max_expected) {
 398                         evict_oldest_expect(master, expect);
 399                         if (master_help->expecting[expect->class]
 400                                                 >= p->max_expected) {
 401                                 ret = -EMFILE;
 402                                 goto out;
 403                         }
 404                 }
 405         }
 406
 407         if (net->ct.expect_count >= nf_ct_expect_max) {
 408                 net_warn_ratelimited("nf_conntrack: expectation table full\n");
 409                 ret = -EMFILE;
 410         }
 411 out:
 412         return ret;
 413 }
 414
 415 int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
 416                                 u32 portid, int report)
 417 {
 418         int ret;
 419
 420         spin_lock_bh(&nf_conntrack_lock);
 421         ret = __nf_ct_expect_check(expect);
 422         if (ret <= 0)
 423                 goto out;
 424
 425         ret = nf_ct_expect_insert(expect);
 426         if (ret < 0)
 427                 goto out;
 428         spin_unlock_bh(&nf_conntrack_lock);
 429         nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
 430         return ret;
 431 out:
 432         spin_unlock_bh(&nf_conntrack_lock);
 433         return ret;
 434 }
 435 EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
 436
 437 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 438 struct ct_expect_iter_state {
 439         struct seq_net_private p;
 440         unsigned int bucket;
 441 };
 442
 443 static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
 444 {
 445         struct net *net = seq_file_net(seq);
 446         struct ct_expect_iter_state *st = seq->private;
 447         struct hlist_node *n;
 448
 449         for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
 450                 n = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
 451                 if (n)
 452                         return n;
 453         }
 454         return NULL;
 455 }
 456
 457 static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
 458                                              struct hlist_node *head)
 459 {
 460         struct net *net = seq_file_net(seq);
 461         struct ct_expect_iter_state *st = seq->private;
 462
 463         head = rcu_dereference(hlist_next_rcu(head));
 464         while (head == NULL) {
 465                 if (++st->bucket >= nf_ct_expect_hsize)
 466                         return NULL;
 467                 head = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
 468         }
 469         return head;
 470 }
 471
 472 static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
 473 {
 474         struct hlist_node *head = ct_expect_get_first(seq);
 475
 476         if (head)
 477                 while (pos && (head = ct_expect_get_next(seq, head)))
 478                         pos--;
 479         return pos ? NULL : head;
 480 }
 481
 482 static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
 483         __acquires(RCU)
 484 {
 485         rcu_read_lock();
 486         return ct_expect_get_idx(seq, *pos);
 487 }
 488
 489 static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 490 {
 491         (*pos)++;
 492         return ct_expect_get_next(seq, v);
 493 }
 494
 495 static void exp_seq_stop(struct seq_file *seq, void *v)
 496         __releases(RCU)
 497 {
 498         rcu_read_unlock();
 499 }
 500
 501 static int exp_seq_show(struct seq_file *s, void *v)
 502 {
 503         struct nf_conntrack_expect *expect;
 504         struct nf_conntrack_helper *helper;
 505         struct hlist_node *n = v;
 506         char *delim = "";
 507
 508         expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
 509
 510         if (expect->timeout.function)
 511                 seq_printf(s, "%ld ", timer_pending(&expect->timeout)
 512                            ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
 513         else
 514                 seq_printf(s, "- ");
 515         seq_printf(s, "l3proto = %u proto=%u ",
 516                    expect->tuple.src.l3num,
 517                    expect->tuple.dst.protonum);
 518         print_tuple(s, &expect->tuple,
 519                     __nf_ct_l3proto_find(expect->tuple.src.l3num),
 520                     __nf_ct_l4proto_find(expect->tuple.src.l3num,
 521                                        expect->tuple.dst.protonum));
 522
 523         if (expect->flags & NF_CT_EXPECT_PERMANENT) {
 524                 seq_printf(s, "PERMANENT");
 525                 delim = ",";
 526         }
 527         if (expect->flags & NF_CT_EXPECT_INACTIVE) {
 528                 seq_printf(s, "%sINACTIVE", delim);
 529                 delim = ",";
 530         }
 531         if (expect->flags & NF_CT_EXPECT_USERSPACE)
 532                 seq_printf(s, "%sUSERSPACE", delim);
 533
 534         helper = rcu_dereference(nfct_help(expect->master)->helper);
 535         if (helper) {
 536                 seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
 537                 if (helper->expect_policy[expect->class].name)
 538                         seq_printf(s, "/%s",
 539                                    helper->expect_policy[expect->class].name);
 540         }
 541
 542         return seq_putc(s, '\n');
 543 }
 544
 545 static const struct seq_operations exp_seq_ops = {
 546         .start = exp_seq_start,
 547         .next = exp_seq_next,
 548         .stop = exp_seq_stop,
 549         .show = exp_seq_show
 550 };
 551
 552 static int exp_open(struct inode *inode, struct file *file)
 553 {
 554         return seq_open_net(inode, file, &exp_seq_ops,
 555                         sizeof(struct ct_expect_iter_state));
 556 }
 557
 558 static const struct file_operations exp_file_ops = {
 559         .owner   = THIS_MODULE,
 560         .open    = exp_open,
 561         .read    = seq_read,
 562         .llseek  = seq_lseek,
 563         .release = seq_release_net,
 564 };
 565 #endif /* CONFIG_NF_CONNTRACK_PROCFS */
 566
 567 static int exp_proc_init(struct net *net)
 568 {
 569 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 570         struct proc_dir_entry *proc;
 571
 572         proc = proc_create("nf_conntrack_expect", 0440, net->proc_net,
 573                            &exp_file_ops);
 574         if (!proc)
 575                 return -ENOMEM;
 576 #endif /* CONFIG_NF_CONNTRACK_PROCFS */
 577         return 0;
 578 }
 579
 580 static void exp_proc_remove(struct net *net)
 581 {
 582 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 583         remove_proc_entry("nf_conntrack_expect", net->proc_net);
 584 #endif /* CONFIG_NF_CONNTRACK_PROCFS */
 585 }
 586
 587 module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
 588
 589 int nf_conntrack_expect_pernet_init(struct net *net)
 590 {
 591         int err = -ENOMEM;
 592
 593         net->ct.expect_count = 0;
 594         net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, 0);
 595         if (net->ct.expect_hash == NULL)
 596                 goto err1;
 597
 598         err = exp_proc_init(net);
 599         if (err < 0)
 600                 goto err2;
 601
 602         return 0;
 603 err2:
 604         nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
 605 err1:
 606         return err;
 607 }
 608
 609 void nf_conntrack_expect_pernet_fini(struct net *net)
 610 {
 611         exp_proc_remove(net);
 612         nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
 613 }
 614
 615 int nf_conntrack_expect_init(void)
 616 {
 617         if (!nf_ct_expect_hsize) {
 618                 nf_ct_expect_hsize = nf_conntrack_htable_size / 256;
 619                 if (!nf_ct_expect_hsize)
 620                         nf_ct_expect_hsize = 1;
 621         }
 622         nf_ct_expect_max = nf_ct_expect_hsize * 4;
 623         nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
 624                                 sizeof(struct nf_conntrack_expect),
 625                                 0, 0, NULL);
 626         if (!nf_ct_expect_cachep)
 627                 return -ENOMEM;
 628         return 0;
 629 }
 630
 631 void nf_conntrack_expect_fini(void)
 632 {
 633         rcu_barrier(); /* Wait for call_rcu() before destroy */
 634         kmem_cache_destroy(nf_ct_expect_cachep);
 635 }