Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 59ce9670 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains the first batch of Netfilter updates for
the upcoming 4.5 kernel. This batch contains userspace netfilter header
compilation fixes, support for packet mangling in nf_tables, the new
tracing infrastructure for nf_tables and cgroup2 support for iptables.
More specifically, they are:

1) Two patches to include dependencies in our netfilter userspace
   headers to resolve compilation problems, from Mikko Rapeli.

2) Four comestic cleanup patches for the ebtables codebase, from Ian Morris.

3) Remove duplicate include in the netfilter reject infrastructure,
   from Stephen Hemminger.

4) Two patches to simplify the netfilter defragmentation code for IPv6,
   patch from Florian Westphal.

5) Fix root ownership of /proc/net netfilter for unpriviledged net
   namespaces, from Philip Whineray.

6) Get rid of unused fields in struct nft_pktinfo, from Florian Westphal.

7) Add mangling support to our nf_tables payload expression, from
   Patrick McHardy.

8) Introduce a new netlink-based tracing infrastructure for nf_tables,
   from Florian Westphal.

9) Change setter functions in nfnetlink_log to be void, from
    Rami Rosen.

10) Add netns support to the cttimeout infrastructure.

11) Add cgroup2 support to iptables, from Tejun Heo.

12) Introduce nfnl_dereference_protected() in nfnetlink, from Florian.

13) Add support for mangling pkttype in the nf_tables meta expression,
    also from Florian.

BTW, I need that you pull net into net-next, I have another batch that
requires changes that I don't yet see in net.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 4b402d71 b4aae759

include/linux/netfilter/nf_conntrack_sctp.h

0 → 100644
+13 −0
Original line number Diff line number Diff line 
#ifndef _NF_CONNTRACK_SCTP_H

#define _NF_CONNTRACK_SCTP_H

/* SCTP tracking. */



#include <uapi/linux/netfilter/nf_conntrack_sctp.h>



struct ip_ct_sctp {

	enum sctp_conntrack state;



	__be32 vtag[IP_CT_DIR_MAX];

};



#endif /* _NF_CONNTRACK_SCTP_H */

include/net/net_namespace.h

+3 −0
Original line number Diff line number Diff line
@@ -121,6 +121,9 @@ struct net { 
#if IS_ENABLED(CONFIG_NETFILTER_NETLINK_ACCT)

	struct list_head        nfnl_acct_list;

#endif

#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)

	struct list_head	nfct_timeout_list;

#endif

#endif

#ifdef CONFIG_WEXT_CORE

	struct sk_buff_head	wext_nlevents;

include/net/netfilter/ipv6/nf_defrag_ipv6.h

+1 −2
Original line number Diff line number Diff line
@@ -5,8 +5,7 @@ void nf_defrag_ipv6_enable(void); 


int nf_ct_frag6_init(void);

void nf_ct_frag6_cleanup(void);

struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user);

void nf_ct_frag6_consume_orig(struct sk_buff *skb);

int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user);



struct inet_frags_ctl;

include/net/netfilter/nf_conntrack_timeout.h

+1 −1
Original line number Diff line number Diff line
@@ -104,7 +104,7 @@ static inline void nf_conntrack_timeout_fini(void) 
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */



#ifdef CONFIG_NF_CONNTRACK_TIMEOUT

extern struct ctnl_timeout *(*nf_ct_timeout_find_get_hook)(const char *name);

extern struct ctnl_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name);

extern void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout);

#endif

include/net/netfilter/nf_tables.h

+32 −2
Original line number Diff line number Diff line
@@ -19,8 +19,6 @@ struct nft_pktinfo { 
	const struct net_device		*out;

	u8				pf;

	u8				hook;

	u8				nhoff;

	u8				thoff;

	u8				tprot;

	/* for x_tables compatibility */

	struct xt_action_param		xt;
@@ -890,6 +888,38 @@ void nft_unregister_chain_type(const struct nf_chain_type *); 
int nft_register_expr(struct nft_expr_type *);

void nft_unregister_expr(struct nft_expr_type *);



int nft_verdict_dump(struct sk_buff *skb, int type,

		     const struct nft_verdict *v);



/**

 *	struct nft_traceinfo - nft tracing information and state

 *

 *	@pkt: pktinfo currently processed

 *	@basechain: base chain currently processed

 *	@chain: chain currently processed

 *	@rule:  rule that was evaluated

 *	@verdict: verdict given by rule

 *	@type: event type (enum nft_trace_types)

 *	@packet_dumped: packet headers sent in a previous traceinfo message

 *	@trace: other struct members are initialised

 */

struct nft_traceinfo {

	const struct nft_pktinfo	*pkt;

	const struct nft_base_chain	*basechain;

	const struct nft_chain		*chain;

	const struct nft_rule		*rule;

	const struct nft_verdict	*verdict;

	enum nft_trace_types		type;

	bool				packet_dumped;

	bool				trace;

};



void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,

		    const struct nft_verdict *verdict,

		    const struct nft_chain *basechain);



void nft_trace_notify(struct nft_traceinfo *info);



#define nft_dereference(p)					\

	nfnl_dereference(p, NFNL_SUBSYS_NFTABLES)