
Commit 074fb880 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next tree:

1) Support for transparent proxying for nf_tables, from Mate Eckl.

2) Patchset to add OS passive fingerprint recognition for nf_tables,
   from Fernando Fernandez. This takes common code from xt_osf and
   places it into the new nfnetlink_osf module for codebase sharing.

3) Lightweight tunneling support for nf_tables.

4) meta and lookup are likely going to be used in rulesets, make them
   direct calls. From Florian Westphal.

A bunch of incremental updates:

5) use PTR_ERR_OR_ZERO() from nft_numgen, from YueHaibing.

6) Use kvmalloc_array() to allocate hashtables, from Li RongQing.

7) Explicit dependencies between nfnetlink_cttimeout and conntrack
   timeout extensions, from Harsha Sharma.

8) Simplify NLM_F_CREATE handling in nf_tables.

9) Removed unused variable in the get element command, from
   YueHaibing.

10) Expose bridge hook priorities through uapi, from Mate Eckl.

And a few fixes for previous Netfilter batch for net-next:

11) Use per-netns mutex from flowtable event, from Florian Westphal.

12) Remove explicit dependency on iptables CT target from conntrack
    zones, from Florian.

13) Fix use-after-free in rmmod nf_conntrack path, also from Florian.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents c1c8626f 483f3fdc
+12 −1
#include <uapi/linux/netfilter/nf_osf.h>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NFOSF_H
#define _NFOSF_H

#include <uapi/linux/netfilter/nfnetlink_osf.h>

/* Initial window size option state machine: multiple of mss, mtu or
 * plain numeric value. Can also be made as plain numeric value which
@@ -21,6 +25,8 @@ enum osf_fmatch_states {
	FMATCH_OPT_WRONG,
};

extern struct list_head nf_osf_fingers[2];

struct nf_osf_finger {
	struct rcu_head			rcu_head;
	struct list_head		finger_entry;
@@ -31,3 +37,8 @@ bool nf_osf_match(const struct sk_buff *skb, u_int8_t family,
		  int hooknum, struct net_device *in, struct net_device *out,
		  const struct nf_osf_info *info, struct net *net,
		  const struct list_head *nf_osf_fingers);

const char *nf_osf_find(const struct sk_buff *skb,
                        const struct list_head *nf_osf_fingers);

#endif /* _NFOSF_H */
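Review bot: The new `extern struct list_head nf_osf_fingers[2];` has the same name as the `nf_osf_fingers` parameter of `nf_osf_match` and of the new `nf_osf_find`, so inside every translation unit that includes this header the parameter shadows the file-scope array and `-Wshadow` will flag it; renaming the parameter, e.g. `const struct list_head *fingers`, removes the ambiguity about which list a call is matched against. `nf_osf_find` also lands with no comment on what the returned `const char *` points to or how long it stays valid; if, as the `rcu_head` in `struct nf_osf_finger` suggests, it points into a finger entry, a comment such as `/* Returns a string owned by the matching finger entry (presumably NULL when nothing matches -- confirm); valid only while the RCU read lock is held. */` would stop callers from caching it. The continuation line of the `nf_osf_find` prototype is indented with spaces where the rest of the header uses tabs.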
+0 −11
@@ -5,17 +5,6 @@
#include <uapi/linux/netfilter_bridge.h>
#include <linux/skbuff.h>

enum nf_br_hook_priorities {
	NF_BR_PRI_FIRST = INT_MIN,
	NF_BR_PRI_NAT_DST_BRIDGED = -300,
	NF_BR_PRI_FILTER_BRIDGED = -200,
	NF_BR_PRI_BRNF = 0,
	NF_BR_PRI_NAT_DST_OTHER = 100,
	NF_BR_PRI_FILTER_OTHER = 200,
	NF_BR_PRI_NAT_SRC = 300,
	NF_BR_PRI_LAST = INT_MAX,
};

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb);
+0 −2
@@ -176,8 +176,6 @@ void nf_ct_netns_put(struct net *net, u8 nfproto);
 */
void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls);

void nf_ct_free_hashtable(void *hash, unsigned int size);

int nf_conntrack_hash_check_insert(struct nf_conn *ct);
bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);

+7 −0
@@ -71,4 +71,11 @@ extern struct nft_set_type nft_set_hash_fast_type;
extern struct nft_set_type nft_set_rbtree_type;
extern struct nft_set_type nft_set_bitmap_type;

struct nft_expr;
struct nft_regs;
struct nft_pktinfo;
void nft_meta_get_eval(const struct nft_expr *expr,
		       struct nft_regs *regs, const struct nft_pktinfo *pkt);
void nft_lookup_eval(const struct nft_expr *expr,
		     struct nft_regs *regs, const struct nft_pktinfo *pkt);
#endif /* _NET_NF_TABLES_CORE_H */
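Review bot: `nft_meta_get_eval` and `nft_lookup_eval` are exposed here so the core can call them directly, but nothing in the header records the build constraint that follows: a function the core calls without indirection has to be linked into the same object as the core rather than live in a separately loadable module. A comment above the two prototypes such as `/* Called directly from the core evaluation path: nft_meta and nft_lookup must be linked into the nf_tables object, not built as separate modules. */` would document that for the next person who touches the Makefile. The Makefile/Kconfig side of this change is not visible in this section, so the exact arrangement is inferred from the commit message.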
+106 −1
@@ -1252,6 +1252,22 @@ enum nft_nat_attributes {
};
#define NFTA_NAT_MAX		(__NFTA_NAT_MAX - 1)

/**
 * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
 *
 * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
 * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
 * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
 */
enum nft_tproxy_attributes {
	NFTA_TPROXY_UNSPEC,
	NFTA_TPROXY_FAMILY,
	NFTA_TPROXY_REG_ADDR,
	NFTA_TPROXY_REG_PORT,
	__NFTA_TPROXY_MAX
};
#define NFTA_TPROXY_MAX		(__NFTA_TPROXY_MAX - 1)

/**
 * enum nft_masq_attributes - nf_tables masquerade expression attributes
 *
@@ -1400,7 +1416,8 @@ enum nft_ct_helper_attributes {
#define NFT_OBJECT_CT_HELPER	3
#define NFT_OBJECT_LIMIT	4
#define NFT_OBJECT_CONNLIMIT	5
#define __NFT_OBJECT_MAX	6
#define NFT_OBJECT_TUNNEL	6
#define __NFT_OBJECT_MAX	7
#define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)

/**
@@ -1463,6 +1480,13 @@ enum nft_flowtable_hook_attributes {
};
#define NFTA_FLOWTABLE_HOOK_MAX	(__NFTA_FLOWTABLE_HOOK_MAX - 1)

enum nft_osf_attributes {
	NFTA_OSF_UNSPEC,
	NFTA_OSF_DREG,
	__NFTA_OSF_MAX,
};
#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)

/**
 * enum nft_device_attributes - nf_tables device netlink attributes
 *
@@ -1557,4 +1581,85 @@ enum nft_ng_types {
};
#define NFT_NG_MAX	(__NFT_NG_MAX - 1)

enum nft_tunnel_key_ip_attributes {
	NFTA_TUNNEL_KEY_IP_UNSPEC,
	NFTA_TUNNEL_KEY_IP_SRC,
	NFTA_TUNNEL_KEY_IP_DST,
	__NFTA_TUNNEL_KEY_IP_MAX
};
#define NFTA_TUNNEL_KEY_IP_MAX	(__NFTA_TUNNEL_KEY_IP_MAX - 1)

enum nft_tunnel_ip6_attributes {
	NFTA_TUNNEL_KEY_IP6_UNSPEC,
	NFTA_TUNNEL_KEY_IP6_SRC,
	NFTA_TUNNEL_KEY_IP6_DST,
	NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
	__NFTA_TUNNEL_KEY_IP6_MAX
};
#define NFTA_TUNNEL_KEY_IP6_MAX	(__NFTA_TUNNEL_KEY_IP6_MAX - 1)

enum nft_tunnel_opts_attributes {
	NFTA_TUNNEL_KEY_OPTS_UNSPEC,
	NFTA_TUNNEL_KEY_OPTS_VXLAN,
	NFTA_TUNNEL_KEY_OPTS_ERSPAN,
	__NFTA_TUNNEL_KEY_OPTS_MAX
};
#define NFTA_TUNNEL_KEY_OPTS_MAX	(__NFTA_TUNNEL_KEY_OPTS_MAX - 1)

enum nft_tunnel_opts_vxlan_attributes {
	NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
	NFTA_TUNNEL_KEY_VXLAN_GBP,
	__NFTA_TUNNEL_KEY_VXLAN_MAX
};
#define NFTA_TUNNEL_KEY_VXLAN_MAX	(__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)

enum nft_tunnel_opts_erspan_attributes {
	NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
	NFTA_TUNNEL_KEY_ERSPAN_VERSION,
	NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
	NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
	NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
	__NFTA_TUNNEL_KEY_ERSPAN_MAX
};
#define NFTA_TUNNEL_KEY_ERSPAN_MAX	(__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)

enum nft_tunnel_flags {
	NFT_TUNNEL_F_ZERO_CSUM_TX	= (1 << 0),
	NFT_TUNNEL_F_DONT_FRAGMENT	= (1 << 1),
	NFT_TUNNEL_F_SEQ_NUMBER		= (1 << 2),
};
#define NFT_TUNNEL_F_MASK	(NFT_TUNNEL_F_ZERO_CSUM_TX | \
				 NFT_TUNNEL_F_DONT_FRAGMENT | \
				 NFT_TUNNEL_F_SEQ_NUMBER)

enum nft_tunnel_key_attributes {
	NFTA_TUNNEL_KEY_UNSPEC,
	NFTA_TUNNEL_KEY_ID,
	NFTA_TUNNEL_KEY_IP,
	NFTA_TUNNEL_KEY_IP6,
	NFTA_TUNNEL_KEY_FLAGS,
	NFTA_TUNNEL_KEY_TOS,
	NFTA_TUNNEL_KEY_TTL,
	NFTA_TUNNEL_KEY_SPORT,
	NFTA_TUNNEL_KEY_DPORT,
	NFTA_TUNNEL_KEY_OPTS,
	__NFTA_TUNNEL_KEY_MAX
};
#define NFTA_TUNNEL_KEY_MAX	(__NFTA_TUNNEL_KEY_MAX - 1)

enum nft_tunnel_keys {
	NFT_TUNNEL_PATH,
	NFT_TUNNEL_ID,
	__NFT_TUNNEL_MAX
};
#define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)

enum nft_tunnel_attributes {
	NFTA_TUNNEL_UNSPEC,
	NFTA_TUNNEL_KEY,
	NFTA_TUNNEL_DREG,
	__NFTA_TUNNEL_MAX
};
#define NFTA_TUNNEL_MAX	(__NFTA_TUNNEL_MAX - 1)

#endif /* _LINUX_NF_TABLES_H */
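Review bot: The kerneldoc for `NFTA_TPROXY_FAMILY` describes it as `(NLA_U32: nft_registers)`, which is copied from the two register attributes below it; an address family is not a register, so the line should read something like `NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nfproto)` (confirm against the expression's attribute policy, which is not in this section). `enum nft_osf_attributes` and the nine tunnel enums are added without any kerneldoc block, unlike their neighbours `nft_tproxy_attributes` and `nft_masq_attributes`; this uapi header is the user-facing contract, so each new enum should get a `/** ... */` comment naming every attribute and its NLA type. `enum nft_tunnel_ip6_attributes` also drops the `key_` that `enum nft_tunnel_key_ip_attributes` carries; once merged these tags are part of the uapi, so aligning the name now (e.g. `nft_tunnel_key_ip6_attributes`) is cheap and later is not.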