
Commit 52e01b84 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next
tree, they are:

1) Stash ctinfo 3-bit field into pointer to nf_conntrack object from
   sk_buff so we only access one single cacheline in the conntrack
   hotpath. Patchset from Florian Westphal.

2) Don't leak pointer to internal structures when exporting x_tables
   ruleset back to userspace, from Willem DeBruijn. This includes new
   helper functions to copy data to userspace such as xt_data_to_user()
   as well as conversions of our ip_tables, ip6_tables and arp_tables
   clients to use it. Not surprisingly, ebtables requires an ad-hoc
   update. There is also a new field in x_tables extensions to indicate
   the amount of bytes that we copy to userspace.

3) Add nf_log_all_netns sysctl: This new knob allows you to enable
   logging via nf_log infrastructure for all existing netnamespaces.
   Given the effort to provide pernet syslog has been discontinued,
   let's provide a way to restore logging using netfilter kernel logging
   facilities in trusted environments. Patch from Michal Kubecek.

4) Validate SCTP checksum from conntrack helper, from Davide Caratti.

5) Merge UDPlite conntrack and NAT helpers into UDP, this was mostly
   a copy&paste from the original helper, from Florian Westphal.

6) Reset netfilter state when duplicating packets, also from Florian.

7) Remove unnecessary check for broadcast in IPv6 in pkttype match and
   nft_meta, from Liping Zhang.

8) Add missing code to deal with loopback packets from nft_meta when
   used by the netdev family, also from Liping.

9) Several cleanups on nf_tables, one to remove unnecessary check from
   the netlink control plane path to add table, set and stateful objects
   and code consolidation when unregister chain hooks, from Gao Feng.

10) Fix harmless reference counter underflow in IPVS that, however,
    results in problems with the introduction of the new refcount_t
    type, from David Windsor.

11) Enable LIBCRC32C from nf_ct_sctp instead of nf_nat_sctp,
    from Davide Caratti.

12) Missing documentation on nf_tables uapi header, from Liping Zhang.

13) Use rb_entry() helper in xt_connlimit, from Geliang Tang.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents e60df624 2851940f
+10 −0
/proc/sys/net/netfilter/* Variables:

nf_log_all_netns - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	By default, only init_net namespace can log packets into kernel log
	with LOG target; this aims to prevent containers from flooding host
	kernel log. If enabled, this target also works in other network
	namespaces. This variable is only accessible from init_net.
+9 −0
@@ -167,6 +167,7 @@ struct xt_match {

	const char *table;
	unsigned int matchsize;
	unsigned int usersize;
#ifdef CONFIG_COMPAT
	unsigned int compatsize;
#endif
@@ -207,6 +208,7 @@ struct xt_target {

	const char *table;
	unsigned int targetsize;
	unsigned int usersize;
#ifdef CONFIG_COMPAT
	unsigned int compatsize;
#endif
@@ -287,6 +289,13 @@ int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
		    bool inv_proto);

int xt_match_to_user(const struct xt_entry_match *m,
		     struct xt_entry_match __user *u);
int xt_target_to_user(const struct xt_entry_target *t,
		      struct xt_entry_target __user *u);
int xt_data_to_user(void __user *dst, const void *src,
		    int usersize, int size);

void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
				 struct xt_counters_info *info, bool compat);
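Review bot: The new `usersize` member added to both `struct xt_match` and `struct xt_target` carries no comment, so a reader of the header cannot tell how it relates to `matchsize`/`targetsize`; per the commit description it is the number of bytes of the extension's private data that get copied back to userspace, which is the mechanism that stops pointers to internal structures from being exported with the ruleset. I would add `/* bytes of private data copied to userspace, see xt_data_to_user() */` on both members. Separately, the prototype `int xt_data_to_user(void __user *dst, const void *src, int usersize, int size)` takes `int` sizes while both struct members are `unsigned int`; unless the implementation (outside this section) relies on negative values, `unsigned int usersize, unsigned int size` would keep the signature consistent with the fields it is fed from and avoid a signed/unsigned comparison at the call sites.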

+18 −14
@@ -585,7 +585,6 @@ static inline bool skb_mstamp_after(const struct skb_mstamp *t1,
 *	@cloned: Head may be cloned (check refcnt to be sure)
 *	@ip_summed: Driver fed us an IP checksum
 *	@nohdr: Payload reference only, must not modify header
 *	@nfctinfo: Relationship of this skb to the connection
 *	@pkt_type: Packet class
 *	@fclone: skbuff clone status
 *	@ipvs_property: skbuff is owned by ipvs
@@ -598,7 +597,7 @@ static inline bool skb_mstamp_after(const struct skb_mstamp *t1,
 *	@nf_trace: netfilter packet trace flag
 *	@protocol: Packet protocol from driver
 *	@destructor: Destruct function
 *	@nfct: Associated connection, if any
 *	@_nfct: Associated connection, if any (with nfctinfo bits)
 *	@nf_bridge: Saved data about a bridged frame - see br_netfilter.c
 *	@skb_iif: ifindex of device we arrived on
 *	@tc_index: Traffic control index
@@ -671,7 +670,7 @@ struct sk_buff {
	struct	sec_path	*sp;
#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	struct nf_conntrack	*nfct;
	unsigned long		 _nfct;
#endif
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
	struct nf_bridge_info	*nf_bridge;
@@ -724,7 +723,6 @@ struct sk_buff {
	__u8			pkt_type:3;
	__u8			pfmemalloc:1;
	__u8			ignore_df:1;
	__u8			nfctinfo:3;

	__u8			nf_trace:1;
	__u8			ip_summed:2;
@@ -841,6 +839,7 @@ static inline bool skb_pfmemalloc(const struct sk_buff *skb)
#define SKB_DST_NOREF	1UL
#define SKB_DST_PTRMASK	~(SKB_DST_NOREF)

#define SKB_NFCT_PTRMASK	~(7UL)
/**
 * skb_dst - returns skb dst_entry
 * @skb: buffer
@@ -3558,6 +3557,15 @@ static inline void skb_remcsum_process(struct sk_buff *skb, void *ptr,
	skb->csum = csum_add(skb->csum, delta);
}

static inline struct nf_conntrack *skb_nfct(const struct sk_buff *skb)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	return (void *)(skb->_nfct & SKB_NFCT_PTRMASK);
#else
	return NULL;
#endif
}

#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
void nf_conntrack_destroy(struct nf_conntrack *nfct);
static inline void nf_conntrack_put(struct nf_conntrack *nfct)
@@ -3586,8 +3594,8 @@ static inline void nf_bridge_get(struct nf_bridge_info *nf_bridge)
static inline void nf_reset(struct sk_buff *skb)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	nf_conntrack_put(skb->nfct);
	skb->nfct = NULL;
	nf_conntrack_put(skb_nfct(skb));
	skb->_nfct = 0;
#endif
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
	nf_bridge_put(skb->nf_bridge);
@@ -3607,10 +3615,8 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
			     bool copy)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	dst->nfct = src->nfct;
	nf_conntrack_get(src->nfct);
	if (copy)
		dst->nfctinfo = src->nfctinfo;
	dst->_nfct = src->_nfct;
	nf_conntrack_get(skb_nfct(src));
#endif
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
	dst->nf_bridge  = src->nf_bridge;
@@ -3625,7 +3631,7 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	nf_conntrack_put(dst->nfct);
	nf_conntrack_put(skb_nfct(dst));
#endif
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
	nf_bridge_put(dst->nf_bridge);
@@ -3657,9 +3663,7 @@ static inline bool skb_irq_freeable(const struct sk_buff *skb)
#if IS_ENABLED(CONFIG_XFRM)
		!skb->sp &&
#endif
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
		!skb->nfct &&
#endif
		!skb_nfct(skb) &&
		!skb->_skb_refdst &&
		!skb_has_frag_list(skb);
}
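Review bot: `#define SKB_NFCT_PTRMASK ~(7UL)` together with the new `skb_nfct()` helper assumes every `struct nf_conntrack` pointer stored in `skb->_nfct` has its low three bits clear, i.e. that the object is at least 8-byte aligned, but nothing in this header states or checks that requirement. Unless the rest of the series adds it next to the struct definition, I would place a `BUILD_BUG_ON(__alignof__(struct nf_conntrack) < 8)` where the pointer is first packed into `_nfct` (`nf_ct_set()`, not in this section) and document the mask with `/* low 3 bits of skb->_nfct hold the ctinfo; nf_conntrack objects must be 8-byte aligned */`. Minor style point: `skb_nfct()` guards with `IS_ENABLED(CONFIG_NF_CONNTRACK)` while the neighbouring `nf_reset()`, `__nf_copy()` and `nf_copy()` still use `defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)`; the two are equivalent, but a single spelling would read better now that these functions all go through the same helper.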
+7 −5
@@ -1421,7 +1421,7 @@ static inline void ip_vs_dest_put(struct ip_vs_dest *dest)

static inline void ip_vs_dest_put_and_free(struct ip_vs_dest *dest)
{
	if (atomic_dec_return(&dest->refcnt) < 0)
	if (atomic_dec_and_test(&dest->refcnt))
		kfree(dest);
}

@@ -1554,10 +1554,12 @@ static inline void ip_vs_notrack(struct sk_buff *skb)
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);

	if (!ct || !nf_ct_is_untracked(ct)) {
		nf_conntrack_put(skb->nfct);
		skb->nfct = &nf_ct_untracked_get()->ct_general;
		skb->nfctinfo = IP_CT_NEW;
		nf_conntrack_get(skb->nfct);
		struct nf_conn *untracked;

		nf_conntrack_put(&ct->ct_general);
		untracked = nf_ct_untracked_get();
		nf_conntrack_get(&untracked->ct_general);
		nf_ct_set(skb, untracked, IP_CT_NEW);
	}
#endif
}
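Review bot: In `ip_vs_notrack()` the new `nf_conntrack_put(&ct->ct_general);` is reached when `ct` is NULL, because the enclosing condition is `!ct || !nf_ct_is_untracked(ct)`; it then relies on `ct_general` sitting at offset 0 of `struct nf_conn` and on `nf_conntrack_put()` tolerating NULL, whereas the old `nf_conntrack_put(skb->nfct)` passed the skb's own field without forming a pointer from a NULL struct. Using the helper this series introduces, `nf_conntrack_put(skb_nfct(skb));`, drops the reference the skb actually holds and avoids the NULL-based member access. The function starts before this hunk, and the trailing `#endif` shows the changed lines are inside a conditional block whose opening is not visible here.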
+1 −0
@@ -14,6 +14,7 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4;

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4;
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
#ifdef CONFIG_NF_CT_PROTO_DCCP
extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;