
Commit 4cb551a1 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next
tree. This includes better integration with the routing subsystem for
nf_tables, explicit notrack support and smaller updates. More
specifically, they are:

1) Add fib lookup expression for nf_tables, from Florian Westphal. This
   new expression provides a native replacement for iptables addrtype
   and rp_filter matches. This is more flexible though, since we can
   populate the kernel flowi representation to inquire fib to
   accommodate new usecases, such as RTBH through skb mark.

2) Introduce rt expression for nf_tables, from Anders K. Pedersen. This
   new expression allows you to access skbuff route metadata, more
   specifically nexthop and classid fields.

3) Add notrack support for nf_tables, to skip conntracking, requested by
   many users already.

4) Add boilerplate code to allow to use nf_log infrastructure from
   nf_tables ingress.

5) Allow to mangle pkttype from nf_tables prerouting chain, to emulate
   the xtables cluster match, from Liping Zhang.

6) Move socket lookup code into generic nf_socket_* infrastructure so
   we can provide a native replacement for the xtables socket match.

7) Make sure nfnetlink_queue data that is updated on every packets is
   placed in a different cache from read-only data, from Florian Westphal.

8) Handle NF_STOLEN from nf_tables core, also from Florian Westphal.

9) Start round robin number generation in nft_numgen from zero,
   instead of n-1, for consistency with xtables statistics match,
   patch from Liping Zhang.

10) Set GFP_NOWARN flag in skbuff netlink allocations in nfnetlink_log,
    given we retry with a smaller allocation on failure, from Calvin Owens.

11) Cleanup xt_multiport to use switch(), from Gao feng.

12) Remove superfluous check in nft_immediate and nft_cmp, from
    Liping Zhang.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 22ca904a 886bc503
+5 −0
@@ -109,5 +109,10 @@ void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
			       const struct net_device *out,
			       const struct nf_loginfo *loginfo,
			       const char *prefix);
void nf_log_l2packet(struct net *net, u_int8_t pf, unsigned int hooknum,
		     const struct sk_buff *skb,
		     const struct net_device *in,
		     const struct net_device *out,
		     const struct nf_loginfo *loginfo, const char *prefix);

#endif /* _NF_LOG_H */
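--- /dev/null
+++ b/[path-not-on-page:_NF_SOCK_H_]
@@ -0,0 +1,27 @@
+#ifndef _NF_SOCK_H_
+#define _NF_SOCK_H_
+
+struct net_device;
+struct sk_buff;
+struct sock;
+struct net;
+
+static inline bool nf_sk_is_transparent(struct sock *sk)
+{
+	switch (sk->sk_state) {
+	case TCP_TIME_WAIT:
+		return inet_twsk(sk)->tw_transparent;
+	case TCP_NEW_SYN_RECV:
+		return inet_rsk(inet_reqsk(sk))->no_srccheck;
+	default:
+		return inet_sk(sk)->transparent;
+	}
+}
+
+struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,
+				  const struct net_device *indev);
+
+struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,
+				  const struct net_device *indev);
+
+#endif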
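Review bot: This header is not self-contained: nf_sk_is_transparent reads `sk->sk_state` and calls inet_twsk(), inet_reqsk(), inet_rsk() and inet_sk() and uses TCP_TIME_WAIT, TCP_NEW_SYN_RECV and bool, yet the file only forward-declares `struct sock` and includes nothing, so it compiles only in translation units that already pulled in the socket headers. Adding the headers that define those helpers and states after the include guard (`<net/inet_sock.h>`, `<net/inet_timewait_sock.h>`, `<net/request_sock.h>` and `<net/tcp_states.h>` look like the right set; confirm against where each is defined) would make it safe to include on its own. The same gap exists in the nft_fib header section below, which uses enum nft_registers, u8/u32 and several struct nft_* types without declaring them. A short comment on the inline stating its precondition would also help callers, e.g. `/* sk must be non-NULL; handles timewait, request and full inet sockets */`.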
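--- /dev/null
+++ b/[path-not-on-page:_NFT_FIB_H_]
@@ -0,0 +1,31 @@
+#ifndef _NFT_FIB_H_
+#define _NFT_FIB_H_
+
+struct nft_fib {
+	enum nft_registers	dreg:8;
+	u8			result;
+	u32			flags;
+};
+
+extern const struct nla_policy nft_fib_policy[];
+
+int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr);
+int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+		 const struct nlattr * const tb[]);
+int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
+		     const struct nft_data **data);
+
+
+void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
+			const struct nft_pktinfo *pkt);
+void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
+		   const struct nft_pktinfo *pkt);
+
+void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
+			const struct nft_pktinfo *pkt);
+void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+		   const struct nft_pktinfo *pkt);
+
+void nft_fib_store_result(void *reg, enum nft_fib_result r,
+			  const struct nft_pktinfo *pkt, int index);
+#endif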
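Review bot: struct nft_fib at the top of this new header carries no documentation, and the field meanings are only recoverable by cross-reading: `dreg` is the destination register, `result` presumably holds one of enum nft_fib_result (it is the type nft_fib_store_result takes) and `flags` presumably holds the NFTA_FIB_F_* lookup flags carried by NFTA_FIB_FLAGS in the UAPI hunk on this page; both inferences should be confirmed against nft_fib_init. A kernel-doc block opening with `/** struct nft_fib - fib expression private data` and one @line per field would make the header readable on its own. `nft_fib_store_result` takes an untyped `void *reg` and an `int index` whose meaning is not stated anywhere here; a one-line comment on that prototype saying what index selects would help. The two consecutive blank lines between nft_fib_validate and nft_fib4_eval_type are a small style wart.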
+63 −0
@@ -758,6 +758,19 @@ enum nft_meta_keys {
	NFT_META_PRANDOM,
};

/**
 * enum nft_rt_keys - nf_tables routing expression keys
 *
 * @NFT_RT_CLASSID: realm value of packet's route (skb->dst->tclassid)
 * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
 * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
 */
enum nft_rt_keys {
	NFT_RT_CLASSID,
	NFT_RT_NEXTHOP4,
	NFT_RT_NEXTHOP6,
};

/**
 * enum nft_hash_attributes - nf_tables hash expression netlink attributes
 *
@@ -796,6 +809,20 @@ enum nft_meta_attributes {
};
#define NFTA_META_MAX		(__NFTA_META_MAX - 1)

/**
 * enum nft_rt_attributes - nf_tables routing expression netlink attributes
 *
 * @NFTA_RT_DREG: destination register (NLA_U32)
 * @NFTA_RT_KEY: routing data item to load (NLA_U32: nft_rt_keys)
 */
enum nft_rt_attributes {
	NFTA_RT_UNSPEC,
	NFTA_RT_DREG,
	NFTA_RT_KEY,
	__NFTA_RT_MAX
};
#define NFTA_RT_MAX		(__NFTA_RT_MAX - 1)

/**
 * enum nft_ct_keys - nf_tables ct expression keys
 *
@@ -1109,6 +1136,42 @@ enum nft_gen_attributes {
};
#define NFTA_GEN_MAX		(__NFTA_GEN_MAX - 1)

/*
 * enum nft_fib_attributes - nf_tables fib expression netlink attributes
 *
 * @NFTA_FIB_DREG: destination register (NLA_U32)
 * @NFTA_FIB_RESULT: desired result (NLA_U32)
 * @NFTA_FIB_FLAGS: flowi fields to initialize when querying the FIB (NLA_U32)
 *
 * The FIB expression performs a route lookup according
 * to the packet data.
 */
enum nft_fib_attributes {
	NFTA_FIB_UNSPEC,
	NFTA_FIB_DREG,
	NFTA_FIB_RESULT,
	NFTA_FIB_FLAGS,
	__NFTA_FIB_MAX
};
#define NFTA_FIB_MAX (__NFTA_FIB_MAX - 1)

enum nft_fib_result {
	NFT_FIB_RESULT_UNSPEC,
	NFT_FIB_RESULT_OIF,
	NFT_FIB_RESULT_OIFNAME,
	NFT_FIB_RESULT_ADDRTYPE,
	__NFT_FIB_RESULT_MAX
};
#define NFT_FIB_RESULT_MAX	(__NFT_FIB_RESULT_MAX - 1)

enum nft_fib_flags {
	NFTA_FIB_F_SADDR	= 1 << 0,	/* look up src */
	NFTA_FIB_F_DADDR	= 1 << 1,	/* look up dst */
	NFTA_FIB_F_MARK		= 1 << 2,	/* use skb->mark */
	NFTA_FIB_F_IIF		= 1 << 3,	/* restrict to iif */
	NFTA_FIB_F_OIF		= 1 << 4,	/* restrict to oif */
};

/**
 * enum nft_trace_attributes - nf_tables trace netlink attributes
 *
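Review bot: The comment block above enum nft_fib_attributes in the third hunk opens with `/*` while the neighbouring nft_rt_keys and nft_rt_attributes blocks open with `/**`, so it is written in kernel-doc format but will not be picked up as kernel-doc; change the opener to `/**`. enum nft_fib_result and enum nft_fib_flags have no kernel-doc at all, and since this is exported UAPI the meaning of each result value (what NFT_FIB_RESULT_OIF, NFT_FIB_RESULT_OIFNAME and NFT_FIB_RESULT_ADDRTYPE place in the destination register) deserves the same treatment as nft_rt_keys. The NFTA_FIB_F_* constants live in enum nft_fib_flags but carry the NFTA_ prefix that this file otherwise uses for netlink attributes rather than values (compare NFT_RT_CLASSID against NFTA_RT_KEY); once exported the names cannot change, so this is worth deciding before the merge window closes.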
+1 −0
@@ -22,6 +22,7 @@ config NFT_BRIDGE_REJECT

config NF_LOG_BRIDGE
	tristate "Bridge packet logging"
	select NF_LOG_COMMON

endif # NF_TABLES_BRIDGE
