
Commit 1ffad6d1 authored by David S. Miller


Pablo Neira Ayuso says:

===================
Netfilter updates for net-next

The following batch contains Netfilter updates for net-next, they are:

1) Move nft_expr_clone() to nft_dynset, from Paul Gortmaker.

2) Do not include module.h from net/netfilter/nf_tables.h,
   also from Paul.

3) Restrict conntrack sysctl entries to boolean, from Tonghao Zhang.

4) Several patches to add infrastructure to autoload NAT helper
   modules from their respective conntrack helper, this also includes
   the first client of this code in OVS, patches from Flavio Leitner.

5) Add support to match for conntrack ID, from Brett Mastbergen.

6) Spelling fix in connlabel, from Colin Ian King.

7) Use struct_size() from hashlimit, from Gustavo A. R. Silva.

8) Add optimized version of nf_inet_addr_mask(), from Li RongQing.
===================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 19ab5f40 522e4077
+9 −0
@@ -41,10 +41,19 @@ static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
				     union nf_inet_addr *result,
				     const union nf_inet_addr *mask)
{
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
	const unsigned long *ua = (const unsigned long *)a1;
	unsigned long *ur = (unsigned long *)result;
	const unsigned long *um = (const unsigned long *)mask;

	ur[0] = ua[0] & um[0];
	ur[1] = ua[1] & um[1];
#else
	result->all[0] = a1->all[0] & mask->all[0];
	result->all[1] = a1->all[1] & mask->all[1];
	result->all[2] = a1->all[2] & mask->all[2];
	result->all[3] = a1->all[3] & mask->all[3];
#endif
}

int netfilter_init(void);
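Review bot: The 64-bit fast path starting at `const unsigned long *ua = (const unsigned long *)a1;` silently depends on `union nf_inet_addr` being exactly two `unsigned long`s wide, and the `#if` guard records only the unaligned-access half of that assumption. A `BUILD_BUG_ON(sizeof(union nf_inet_addr) != 2 * sizeof(unsigned long));` at the top of the fast path would turn a future layout change into a compile error rather than an out-of-bounds read or a partially applied mask. A comment such as `/* 16-byte union: two word-wide ANDs; the union is presumably only 32-bit aligned, hence the unaligned-access guard */` would explain why the guard exists. The function's signature begins outside the hunk, on the `@@` line.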
+24 −0
@@ -15,6 +15,11 @@
#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_expect.h>

#define NF_NAT_HELPER_PREFIX		"ip_nat_"
#define NF_NAT_HELPER_NAME(name)	NF_NAT_HELPER_PREFIX name
#define MODULE_ALIAS_NF_NAT_HELPER(name) \
	MODULE_ALIAS(NF_NAT_HELPER_NAME(name))

struct module;

enum nf_ct_helper_flags {
@@ -54,6 +59,8 @@ struct nf_conntrack_helper {
	unsigned int queue_num;
	/* length of userspace private data stored in nf_conn_help->data */
	u16 data_len;
	/* name of NAT helper module */
	char nat_mod_name[NF_CT_HELPER_NAME_LEN];
};

/* Must be kept in sync with the classes defined by helpers */
@@ -153,4 +160,21 @@ nf_ct_helper_expectfn_find_by_symbol(const void *symbol);
extern struct hlist_head *nf_ct_helper_hash;
extern unsigned int nf_ct_helper_hsize;

struct nf_conntrack_nat_helper {
	struct list_head list;
	char mod_name[NF_CT_HELPER_NAME_LEN];	/* module name */
	struct module *module;			/* pointer to self */
};

#define NF_CT_NAT_HELPER_INIT(name) \
	{ \
	.mod_name = NF_NAT_HELPER_NAME(name), \
	.module = THIS_MODULE \
	}

void nf_nat_helper_register(struct nf_conntrack_nat_helper *nat);
void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat);
int nf_nat_helper_try_module_get(const char *name, u16 l3num,
				 u8 protonum);
void nf_nat_helper_put(struct nf_conntrack_helper *helper);
#endif /*_NF_CONNTRACK_HELPER_H*/
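Review bot: `NF_CT_NAT_HELPER_INIT(name)` expands through `NF_NAT_HELPER_NAME(name)` to the adjacent literals `"ip_nat_" name`, so `name` must be a string literal and the concatenated result must fit in `mod_name[NF_CT_HELPER_NAME_LEN]`; neither constraint is documented, and the same holds for `nat_mod_name` added in the second hunk of this file. A comment on the macro, e.g. `/* name must be a string literal; "ip_nat_" name must fit NF_CT_HELPER_NAME_LEN incl. NUL */`, would make that explicit. The new `nf_nat_helper_try_module_get()` / `nf_nat_helper_put()` prototypes also lack a kernel-doc block; it should state that `name` is the conntrack helper name (the `ip_nat_` prefix presumably confining any autoload to NAT helper modules), what the return value means, and that a successful get must be paired with a put. The enum and struct these hunks extend begin outside the visible lines.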
+2 −18
@@ -2,7 +2,6 @@
#ifndef _NET_NF_TABLES_H
#define _NET_NF_TABLES_H

#include <linux/module.h>
#include <linux/list.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
@@ -13,6 +12,8 @@
#include <net/netfilter/nf_flow_table.h>
#include <net/netlink.h>

struct module;

#define NFT_JUMP_STACK_SIZE	16

struct nft_pktinfo {
@@ -806,23 +807,6 @@ void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
		  const struct nft_expr *expr);

static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
{
	int err;

	if (src->ops->clone) {
		dst->ops = src->ops;
		err = src->ops->clone(dst, src);
		if (err < 0)
			return err;
	} else {
		memcpy(dst, src, src->ops->size);
	}

	__module_get(src->ops->type->owner);
	return 0;
}

/**
 *	struct nft_rule - nf_tables rule
 *
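Review bot: Dropping `#include <linux/module.h>` from this widely included header means any includer that relied on it transitively for `THIS_MODULE`, `MODULE_ALIAS` or `__module_get()` now needs its own include; the removed `nft_expr_clone()` body was one such user, so its new home (nft_dynset, per the description) presumably includes it directly, which cannot be confirmed from here. The added `struct module;` forward declaration covers pointer uses only, which is worth stating in a one-line comment such as `/* pointer uses only; includers needing module API must include <linux/module.h> */`.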
+3 −3
@@ -24,9 +24,9 @@ struct nf_generic_net {

struct nf_tcp_net {
	unsigned int timeouts[TCP_CONNTRACK_TIMEOUT_MAX];
	unsigned int tcp_loose;
	unsigned int tcp_be_liberal;
	unsigned int tcp_max_retrans;
	int tcp_loose;
	int tcp_be_liberal;
	int tcp_max_retrans;
};

enum udp_conntrack {
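Review bot: Changing `tcp_loose`, `tcp_be_liberal` and `tcp_max_retrans` from `unsigned int` to `int` matches the `int`-typed `proc_dointvec*` sysctl handlers, but the type alone does not restrict them to booleans; the 0/1 bound has to come from the table entry's `extra1`/`extra2` limits, which are not visible in this hunk. `tcp_max_retrans` in particular reads as a count rather than a flag, and as a signed `int` a negative value would now be accepted by an unbounded handler unless the table clamps it; any code that still compares these fields as unsigned should also be rechecked. A field comment such as `/* 0/1 knobs; the range is enforced by the sysctl table, not the type */` would record where the restriction lives.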
+2 −0
@@ -967,6 +967,7 @@ enum nft_socket_keys {
 * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
 * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
 * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
 * @NFT_CT_ID: conntrack id
 */
enum nft_ct_keys {
	NFT_CT_STATE,
@@ -993,6 +994,7 @@ enum nft_ct_keys {
	NFT_CT_SRC_IP6,
	NFT_CT_DST_IP6,
	NFT_CT_TIMEOUT,
	NFT_CT_ID,
	__NFT_CT_MAX
};
#define NFT_CT_MAX		(__NFT_CT_MAX - 1)