Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 99d20a46 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your net-next
tree:

1) No need to set ttl from reject action for the bridge family, from
   Taehee Yoo.

2) Use a fixed timeout for flow that are passed up from the flowtable
   to conntrack, from Florian Westphal.

3) More preparation patches for tproxy support for nf_tables, from Mate
   Eckl.

4) Remove unnecessary indirection in core IPv6 checksum function, from
   Florian Westphal.

5) Use nf_ct_get_tuplepr() from openvswitch, instead of opencoding it.
   From Florian Westphal.

6) socket match now selects socket infrastructure, instead of depending
   on it. From Mate Eckl.

7) Patch series to simplify conntrack tuple building/parsing from packet
   path and ctnetlink, from Florian Westphal.

8) Fetch timeout policy from protocol helpers, instead of doing it from
   core, from Florian Westphal.

9) Merge IPv4 and IPv6 protocol trackers into conntrack core, from
   Florian Westphal.

10) Depend on CONFIG_NF_TABLES_IPV6 and CONFIG_IP6_NF_IPTABLES
    respectively, instead of IPV6. Patch from Mate Eckl.

11) Add specific function for garbage collection in conncount,
    from Yi-Hung Wei.

12) Catch number of elements in the connlimit list, from Yi-Hung Wei.

13) Move locking to nf_conncount, from Yi-Hung Wei.

14) Series of patches to add lockless tree traversal in nf_conncount,
    from Yi-Hung Wei.

15) Resolve clash in matching conntracks when race happens, from
    Martynas Pumputis.

16) If connection entry times out, remove template entry from the
    ip_vs_conn_tab table to improve behaviour under flood, from
    Julian Anastasov.

17) Remove useless parameter from nf_ct_helper_ext_add(), from Gao feng.

18) Call abort from 2-phase commit protocol before requesting modules,
    make sure this is done under the mutex, from Florian Westphal.

19) Grab module reference when starting transaction, also from Florian.

20) Dynamically allocate expression info array for pre-parsing, from
    Florian.

21) Add per netns mutex for nf_tables, from Florian Westphal.

22) A couple of patches to simplify and refactor nf_osf code to prepare
    for nft_osf support.

23) Break evaluation on missing socket, from Mate Eckl.

24) Allow to match socket mark from nft_socket, from Mate Eckl.

25) Remove dependency on nf_defrag_ipv6, now that IPv6 tracker is
    built-in into nf_conntrack. From Florian Westphal.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents c4c5551d 24c458c4

include/linux/netfilter/nfnetlink.h

+1 −0
Original line number Diff line number Diff line
@@ -29,6 +29,7 @@ struct nfnetlink_subsystem { 
	__u8 subsys_id;			/* nfnetlink subsystem ID */

	__u8 cb_count;			/* number of callbacks */

	const struct nfnl_callback *cb;	/* callback for individual types */

	struct module *owner;

	int (*commit)(struct net *net, struct sk_buff *skb);

	int (*abort)(struct net *net, struct sk_buff *skb);

	void (*cleanup)(struct net *net);

include/linux/netfilter_ipv4.h

+0 −11
Original line number Diff line number Diff line
@@ -23,9 +23,6 @@ struct nf_queue_entry; 
#ifdef CONFIG_INET

__sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,

		       unsigned int dataoff, u_int8_t protocol);

__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,

			       unsigned int dataoff, unsigned int len,

			       u_int8_t protocol);

int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,

		bool strict);

int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
@@ -35,14 +32,6 @@ static inline __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook, 
{

	return 0;

}

static inline __sum16 nf_ip_checksum_partial(struct sk_buff *skb,

					     unsigned int hook,

					     unsigned int dataoff,

					     unsigned int len,

					     u_int8_t protocol)

{

	return 0;

}

static inline int nf_ip_route(struct net *net, struct dst_entry **dst,

			      struct flowi *fl, bool strict)

{

include/linux/netfilter_ipv6.h

+0 −5
Original line number Diff line number Diff line
@@ -30,11 +30,6 @@ struct nf_ipv6_ops { 
	void (*route_input)(struct sk_buff *skb);

	int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb,

			int (*output)(struct net *, struct sock *, struct sk_buff *));

	__sum16 (*checksum)(struct sk_buff *skb, unsigned int hook,

			    unsigned int dataoff, u_int8_t protocol);

	__sum16 (*checksum_partial)(struct sk_buff *skb, unsigned int hook,

				    unsigned int dataoff, unsigned int len,

				    u_int8_t protocol);

	int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,

		     bool strict);

	int (*reroute)(struct sk_buff *skb, const struct nf_queue_entry *entry);

include/net/ip_vs.h

+17 −1
Original line number Diff line number Diff line
@@ -335,6 +335,11 @@ enum ip_vs_sctp_states { 
	IP_VS_SCTP_S_LAST

};



/* Connection templates use bits from state */

#define IP_VS_CTPL_S_NONE		0x0000

#define IP_VS_CTPL_S_ASSURED		0x0001

#define IP_VS_CTPL_S_LAST		0x0002



/* Delta sequence info structure

 * Each ip_vs_conn has 2 (output AND input seq. changes).

 * Only used in the VS/NAT.
@@ -1221,7 +1226,7 @@ struct ip_vs_conn *ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af, 
				  struct ip_vs_dest *dest, __u32 fwmark);

void ip_vs_conn_expire_now(struct ip_vs_conn *cp);



const char *ip_vs_state_name(__u16 proto, int state);

const char *ip_vs_state_name(const struct ip_vs_conn *cp);



void ip_vs_tcp_conn_listen(struct ip_vs_conn *cp);

int ip_vs_check_template(struct ip_vs_conn *ct, struct ip_vs_dest *cdest);
@@ -1289,6 +1294,17 @@ ip_vs_control_add(struct ip_vs_conn *cp, struct ip_vs_conn *ctl_cp) 
	atomic_inc(&ctl_cp->n_control);

}



/* Mark our template as assured */

static inline void

ip_vs_control_assure_ct(struct ip_vs_conn *cp)

{

	struct ip_vs_conn *ct = cp->control;



	if (ct && !(ct->state & IP_VS_CTPL_S_ASSURED) &&

	    (ct->flags & IP_VS_CONN_F_TEMPLATE))

		ct->state |= IP_VS_CTPL_S_ASSURED;

}



/* IPVS netns init & cleanup functions */

int ip_vs_estimator_net_init(struct netns_ipvs *ipvs);

int ip_vs_control_net_init(struct netns_ipvs *ipvs);

include/net/ipv6.h

+0 −28
Original line number Diff line number Diff line
@@ -574,34 +574,6 @@ static inline bool ipv6_prefix_equal(const struct in6_addr *addr1, 
}

#endif



struct inet_frag_queue;



enum ip6_defrag_users {

	IP6_DEFRAG_LOCAL_DELIVER,

	IP6_DEFRAG_CONNTRACK_IN,

	__IP6_DEFRAG_CONNTRACK_IN	= IP6_DEFRAG_CONNTRACK_IN + USHRT_MAX,

	IP6_DEFRAG_CONNTRACK_OUT,

	__IP6_DEFRAG_CONNTRACK_OUT	= IP6_DEFRAG_CONNTRACK_OUT + USHRT_MAX,

	IP6_DEFRAG_CONNTRACK_BRIDGE_IN,

	__IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHRT_MAX,

};



void ip6_frag_init(struct inet_frag_queue *q, const void *a);

extern const struct rhashtable_params ip6_rhash_params;



/*

 *	Equivalent of ipv4 struct ip

 */

struct frag_queue {

	struct inet_frag_queue	q;



	int			iif;

	__u16			nhoffset;

	u8			ecn;

};



void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq);



static inline bool ipv6_addr_any(const struct in6_addr *a)

{

#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64