
Commit 022c10d6 authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Fix error path of nf_tables_updobj(), from Dan Carpenter.

2) Move large structure away from stack in the nf_tables offload
   infrastructure, from Arnd Bergmann.

3) Move indirect flow_block logic to nf_tables_offload.

4) Support for synproxy objects, from Fernando Fernandez Mancera.

5) Support for fwd and dup offload.

6) Add __nft_offload_get_chain() helper, this implicitly fixes missing
   mutex and check for offload flags in the indirect block support,
   patch from wenxu.

7) Remove rules on device unregistration, from wenxu. This includes
   two preparation patches to reuse nft_flow_offload_chain() and
   nft_flow_offload_rule().

Large batch from Jeremy Sowden to make a second pass at the
CONFIG_HEADER_TEST support and a bit of housekeeping:

8) Missing include guard in conntrack label header, from Jeremy Sowden.

9) A few coding style errors: trailing whitespace, incorrect indent in
   Kconfig, and semicolons at the end of function definitions.

10) Remove unused ipt_init() and ip6t_init() declarations.

11) Inline xt_hashlimit, ebt_802_3 and xt_physdev headers. They are
    only used once.

12) Update include directive in several netfilter files.

13) Remove unused include/net/netfilter/ipv6/nf_conntrack_icmpv6.h.

14) Move nf_ip6_ext_hdr() to include/linux/netfilter_ipv6.h

15) Move several synproxy structure definitions to nf_synproxy.h

16) Move nf_bridge_frag_data structure to include/linux/netfilter_bridge.h

17) Clean up static inline definitions in nf_conntrack_ecache.h.

18) Replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).

19) Missing inline function conditional definitions based on Kconfig
    preferences in synproxy and nf_conntrack_timeout.

20) Update br_nf_pre_routing_ipv6() definition.

21) Move conntrack code in linux/skbuff.h to nf_conntrack headers.

22) Several patches to remove superfluous CONFIG_NETFILTER and
    CONFIG_NF_CONNTRACK checks in headers, coming from the initial batch
    support for CONFIG_HEADER_TEST for netfilter.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 172ca830 0d32e704
+2 −2
@@ -15,7 +15,6 @@
#include <linux/netdevice.h>
#include <net/net_namespace.h>

#ifdef CONFIG_NETFILTER
static inline int NF_DROP_GETERR(int verdict)
{
	return -(verdict >> NF_VERDICT_QBITS);
@@ -118,6 +117,7 @@ struct nf_hook_entries {
	 */
};

#ifdef CONFIG_NETFILTER
static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e)
{
	unsigned int n = e->num_hook_entries;
@@ -422,7 +422,7 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
}
#endif /*CONFIG_NETFILTER*/

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
#include <linux/netfilter/nf_conntrack_zones_common.h>

extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
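Review bot: With the guard moved down in the second hunk, NF_DROP_GETERR is now compiled whether or not CONFIG_NETFILTER is set, and it depends on NF_VERDICT_QBITS, which none of the includes visible in the first hunk (netdevice.h, net_namespace.h) provide; presumably it comes from the uapi netfilter header included above the hunk, so it is worth confirming that include is not itself wrapped in a CONFIG_NETFILTER check, or a !CONFIG_NETFILTER build of anything pulling this header will fail here. The relocated `#ifdef CONFIG_NETFILTER` is now roughly 300 lines away from its `#endif /*CONFIG_NETFILTER*/`; a short comment on the new line, e.g. `#ifdef CONFIG_NETFILTER	/* hook-entry helpers below need the netfilter core */`, would help a reader pair them. The body of nf_hook_entries_get_hook_ops continues outside the hunk.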
+1 −1
@@ -9,7 +9,7 @@
extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
				__be16 *port, u8 *proto);

#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
extern bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
				__be16 *port, u8 *proto);
#else
+20 −0
@@ -2,6 +2,7 @@
#ifndef _NF_CONNTRACK_COMMON_H
#define _NF_CONNTRACK_COMMON_H

#include <linux/atomic.h>
#include <uapi/linux/netfilter/nf_conntrack_common.h>

struct ip_conntrack_stat {
@@ -19,4 +20,23 @@ struct ip_conntrack_stat {
	unsigned int search_restart;
};

#define NFCT_INFOMASK	7UL
#define NFCT_PTRMASK	~(NFCT_INFOMASK)

struct nf_conntrack {
	atomic_t use;
};

void nf_conntrack_destroy(struct nf_conntrack *nfct);
static inline void nf_conntrack_put(struct nf_conntrack *nfct)
{
	if (nfct && atomic_dec_and_test(&nfct->use))
		nf_conntrack_destroy(nfct);
}
static inline void nf_conntrack_get(struct nf_conntrack *nfct)
{
	if (nfct)
		atomic_inc(&nfct->use);
}

#endif /* _NF_CONNTRACK_COMMON_H */
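Review bot: nf_conntrack_get and nf_conntrack_put keep the reference count in a plain atomic_t, so an overflow wraps silently and an extra put underflows past zero and frees a still-referenced object, rather than tripping the saturation and warning that refcount_t provides. Per item 21 of the description this code is moved from linux/skbuff.h rather than written here, and changing the field type touches every user outside the hunk, so treat it as a follow-up; if `use` stays atomic_t, say why, e.g. `/* Reference count; stays atomic_t until all users are converted to refcount_t */`. The two helpers also carry no documentation: `/* Drops one reference and frees the conntrack when the last one goes. */` above nf_conntrack_put and `/* Takes a reference; nfct may be NULL. */` above nf_conntrack_get would state the contract callers rely on.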
+1 −7
@@ -35,15 +35,12 @@ struct xt_action_param {
	union {
		const void *matchinfo, *targinfo;
	};
#if IS_ENABLED(CONFIG_NETFILTER)
	const struct nf_hook_state *state;
#endif
	int fragoff;
	unsigned int thoff;
	bool hotdrop;
};

#if IS_ENABLED(CONFIG_NETFILTER)
static inline struct net *xt_net(const struct xt_action_param *par)
{
	return par->state->net;
@@ -78,7 +75,6 @@ static inline u_int8_t xt_family(const struct xt_action_param *par)
{
	return par->state->pf;
}
#endif

/**
 * struct xt_mtchk_param - parameters for match extensions'
@@ -450,9 +446,7 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
	return cnt;
}

#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
#endif

#ifdef CONFIG_COMPAT
#include <net/compat.h>
+0 −11
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _XT_HASHLIMIT_H
#define _XT_HASHLIMIT_H

#include <uapi/linux/netfilter/xt_hashlimit.h>

#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
			  XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
			  XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES |\
			  XT_HASHLIMIT_RATE_MATCH)
#endif /*_XT_HASHLIMIT_H*/