Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1ffdd8e1 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your net-next
tree, the most relevant things in this batch are:

1) Compile masquerade infrastructure into NAT module, from Florian Westphal.
   Same thing with the redirection support.

2) Abort transaction if early initialization of the commit phase fails.
   Also from Florian.

3) Get rid of synchronize_rcu() by using rule array in nf_tables, from
   Florian.

4) Abort nf_tables batch if fatal signal is pending, from Florian.

5) Use .call_rcu nfnetlink from nf_tables to make dumps fully lockless.
   From Florian Westphal.

6) Support to match transparent sockets from nf_tables, from Máté Eckl.

7) Audit support for nf_tables, from Phil Sutter.

8) Validate chain dependencies from commit phase, fall back to fine grain
   validation only in case of errors.

9) Attach dst to skbuff from netfilter flowtable packet path, from
   Jason A. Donenfeld.

10) Use artificial maximum attribute cap to remove VLA from nfnetlink.
    Patch from Kees Cook.

11) Add extension to allow to forward packets through neighbour layer.

12) Add IPv6 conntrack helper support to IPVS, from Julian Anastasov.

13) Add IPv6 FTP conntrack support to IPVS, from Julian Anastasov.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents f39c6b29 d12e1229

include/linux/netfilter/nfnetlink.h

+1 −0
Original line number Diff line number Diff line
@@ -31,6 +31,7 @@ struct nfnetlink_subsystem { 
	const struct nfnl_callback *cb;	/* callback for individual types */

	int (*commit)(struct net *net, struct sk_buff *skb);

	int (*abort)(struct net *net, struct sk_buff *skb);

	void (*cleanup)(struct net *net);

	bool (*valid_genid)(struct net *net, u32 genid);

};

include/net/ip_vs.h

+6 −4
Original line number Diff line number Diff line
@@ -763,14 +763,14 @@ struct ip_vs_app { 
	 *	   2=Mangled but checksum was not updated

	 */

	int (*pkt_out)(struct ip_vs_app *, struct ip_vs_conn *,

		       struct sk_buff *, int *diff);

		       struct sk_buff *, int *diff, struct ip_vs_iphdr *ipvsh);



	/* input hook: Process packet in outin direction, diff set for TCP.

	 * Return: 0=Error, 1=Payload Not Mangled/Mangled but checksum is ok,

	 *	   2=Mangled but checksum was not updated

	 */

	int (*pkt_in)(struct ip_vs_app *, struct ip_vs_conn *,

		      struct sk_buff *, int *diff);

		      struct sk_buff *, int *diff, struct ip_vs_iphdr *ipvsh);



	/* ip_vs_app initializer */

	int (*init_conn)(struct ip_vs_app *, struct ip_vs_conn *);
@@ -1328,8 +1328,10 @@ int register_ip_vs_app_inc(struct netns_ipvs *ipvs, struct ip_vs_app *app, __u16 
int ip_vs_app_inc_get(struct ip_vs_app *inc);

void ip_vs_app_inc_put(struct ip_vs_app *inc);



int ip_vs_app_pkt_out(struct ip_vs_conn *, struct sk_buff *skb);

int ip_vs_app_pkt_in(struct ip_vs_conn *, struct sk_buff *skb);

int ip_vs_app_pkt_out(struct ip_vs_conn *, struct sk_buff *skb,

		      struct ip_vs_iphdr *ipvsh);

int ip_vs_app_pkt_in(struct ip_vs_conn *, struct sk_buff *skb,

		     struct ip_vs_iphdr *ipvsh);



int register_ip_vs_pe(struct ip_vs_pe *pe);

int unregister_ip_vs_pe(struct ip_vs_pe *pe);

include/net/netfilter/nf_socket.h

+2 −4
Original line number Diff line number Diff line
@@ -2,10 +2,8 @@ 
#ifndef _NF_SOCK_H_

#define _NF_SOCK_H_



struct net_device;

struct sk_buff;

struct sock;

struct net;

#include <net/sock.h>

#include <net/inet_timewait_sock.h>



static inline bool nf_sk_is_transparent(struct sock *sk)

{

include/net/netfilter/nf_tables.h

+7 −0
Original line number Diff line number Diff line
@@ -858,6 +858,8 @@ enum nft_chain_flags { 
 *	@name: name of the chain

 */

struct nft_chain {

	struct nft_rule			*__rcu *rules_gen_0;

	struct nft_rule			*__rcu *rules_gen_1;

	struct list_head		rules;

	struct list_head		list;

	struct nft_table		*table;
@@ -867,8 +869,13 @@ struct nft_chain { 
	u8				flags:6,

					genmask:2;

	char				*name;



	/* Only used during control plane commit phase: */

	struct nft_rule			**rules_next;

};



int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);



enum nft_chain_types {

	NFT_CHAIN_T_DEFAULT = 0,

	NFT_CHAIN_T_ROUTE,

include/net/netfilter/nf_tables_core.h

+8 −0
Original line number Diff line number Diff line
@@ -2,6 +2,8 @@ 
#ifndef _NET_NF_TABLES_CORE_H

#define _NET_NF_TABLES_CORE_H



#include <net/netfilter/nf_tables.h>



extern struct nft_expr_type nft_imm_type;

extern struct nft_expr_type nft_cmp_type;

extern struct nft_expr_type nft_lookup_type;
@@ -23,6 +25,12 @@ struct nft_cmp_fast_expr { 
	u8			len;

};



struct nft_immediate_expr {

	struct nft_data		data;

	enum nft_registers	dreg:8;

	u8			dlen;

};



/* Calculate the mask for the nft_cmp_fast expression. On big endian the

 * mask needs to include the *upper* bytes when interpreting that data as

 * something smaller than the full u32, therefore a cpu_to_le32 is done.