
Commit 4d80ecdb authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for you net tree, they
are:

1) Restore __GFP_NORETRY in xt_table allocations to mitigate effects of
   large memory allocation requests, from Michal Hocko.

2) Release IPv6 fragment queue in case of error in fragmentation header,
   this is a follow up to amend patch 83f1999c, from Subash Abhinov
   Kasiviswanathan.

3) Flowtable infrastructure depends on NETFILTER_INGRESS as it registers
   a hook for each flowtable, reported by John Crispin.

4) Missing initialization of info->priv in xt_cgroup version 1, from
   Cong Wang.

5) Give a chance to garbage collector to run after scheduling flowtable
   cleanup.

6) Releasing flowtable content on nft_flow_offload module removal is
   not required at all, there are no dependencies between this module
   and flowtables, remove it.

7) Fix missing xt_rateest_mutex grabbing for hash insertions, also from
   Cong Wang.

8) Move nf_flow_table_cleanup() routine to flowtable core, this patch is
   a dependency for the next patch in this list.

9) Flowtable resources are not properly released on removal from the
   control plane. Fix this resource leak by scheduling removal of all
   entries and explicit call to the garbage collector.

10) nf_ct_nat_offset() declaration is dead code, this function prototype
    is not used anywhere, remove it. From Taehee Yoo.

11) Fix another flowtable resource leak on entry insertion failures,
    this patch also fixes a possible use-after-free. Patch from Felix
    Fietkau.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents a2e5790d 0ff90b6c
+0 −5
@@ -213,11 +213,6 @@ static inline bool nf_ct_kill(struct nf_conn *ct)
	return nf_ct_delete(ct, 0, 0);
}

/* These are for NAT.  Icky. */
extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,
			       enum ip_conntrack_dir dir,
			       u32 seq);

/* Set all unconfirmed conntrack as dying */
void nf_ct_unconfirmed_destroy(struct net *);

+5 −1
@@ -14,6 +14,7 @@ struct nf_flowtable_type {
	struct list_head		list;
	int				family;
	void				(*gc)(struct work_struct *work);
	void				(*free)(struct nf_flowtable *ft);
	const struct rhashtable_params	*params;
	nf_hookfn			*hook;
	struct module			*owner;
@@ -89,12 +90,15 @@ struct flow_offload *flow_offload_alloc(struct nf_conn *ct,
void flow_offload_free(struct flow_offload *flow);

int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
void flow_offload_del(struct nf_flowtable *flow_table, struct flow_offload *flow);
struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table,
						     struct flow_offload_tuple *tuple);
int nf_flow_table_iterate(struct nf_flowtable *flow_table,
			  void (*iter)(struct flow_offload *flow, void *data),
			  void *data);

void nf_flow_table_cleanup(struct net *net, struct net_device *dev);

void nf_flow_table_free(struct nf_flowtable *flow_table);
void nf_flow_offload_work_gc(struct work_struct *work);
extern const struct rhashtable_params nf_flow_offload_rhash_params;
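Review bot: The `free` callback added to `struct nf_flowtable_type` in the first hunk (`void (*free)(struct nf_flowtable *ft);`) carries no comment saying whether the core may invoke it unconditionally or has to NULL-check it, so a flowtable type that omits the member would fail at removal time rather than at build time. Suggest a one-line comment on the member, e.g. `/* required: called by the core once when the flowtable is removed; must not be NULL */`, adjusted to whatever the core actually does. The new `nf_flow_table_cleanup()` and `nf_flow_table_free()` prototypes in the second hunk would likewise benefit from a short comment stating the context the caller must be in (which lock or RCU section, whether entries may still be in use), since these are the routines the description says fix the resource leak on control-plane removal. Both the struct and the declaration list continue outside the hunks shown.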

+1 −2
@@ -80,8 +80,7 @@ endif # NF_TABLES

config NF_FLOW_TABLE_IPV4
	tristate "Netfilter flow table IPv4 module"
	depends on NF_CONNTRACK && NF_TABLES
	select NF_FLOW_TABLE
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv4 support.
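Review bot: With `select NF_FLOW_TABLE` replaced by `depends on NF_FLOW_TABLE` (the section's −2/+1 count suggests `depends on NF_CONNTRACK && NF_TABLES` is the other removed line), NF_FLOW_TABLE_IPV4 now inherits its conntrack and nf_tables requirements transitively, so the NF_FLOW_TABLE stanza, which is outside this page, must itself carry `depends on NF_CONNTRACK && NF_TABLES` and, per item 3 of the description, NETFILTER_INGRESS; otherwise this module could be enabled without them. Worth verifying rather than assuming, since a missing dependency surfaces only as a link failure or as an ingress hook that is never registered. The IPv6 section below makes the same change and the same check applies there.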

+1 −0
@@ -260,6 +260,7 @@ static struct nf_flowtable_type flowtable_ipv4 = {
	.family		= NFPROTO_IPV4,
	.params		= &nf_flow_offload_rhash_params,
	.gc		= nf_flow_offload_work_gc,
	.free		= nf_flow_table_free,
	.hook		= nf_flow_offload_ip_hook,
	.owner		= THIS_MODULE,
};
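Review bot: Only the IPv4 `flowtable_ipv4` initializer gains `.free = nf_flow_table_free` on this page; if the core calls `type->free()` without a NULL check, every other flowtable type definition (at least the IPv6 one implied by the NF_FLOW_TABLE_IPV6 option below) must set the member in this same series, or removing one of those flowtables dereferences NULL. Those initializers are outside this page, so this is a point to confirm rather than a defect visible here. A short comment next to the added line, `/* every nf_flowtable_type must set .free; the core relies on it at removal */`, would make the contract explicit for the next type that is added.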
+1 −2
@@ -73,8 +73,7 @@ endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_CONNTRACK && NF_TABLES
	select NF_FLOW_TABLE
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.
