
Commit b8f6a0ee authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Add nft_reg_store64() and nft_reg_load64() helpers, from Ander Juaristi.

2) Time matching support, also from Ander Juaristi.

3) VLAN support for nfnetlink_log, from Michael Braun.

4) Support for set element deletions from the packet path, also from Ander.

5) Remove __read_mostly from conntrack spinlock, from Li RongQing.

6) Support for updating stateful objects; this also includes the initial
   client for this infrastructure: the quota extension. A follow-up fix
   for the control plane also comes in this batch. Patches from
   Fernando Fernandez Mancera.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 6938843d aa4095a1
+36 −8
@@ -2,6 +2,7 @@
#ifndef _NET_NF_TABLES_H
#define _NET_NF_TABLES_H

#include <asm/unaligned.h>
#include <linux/list.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
@@ -102,23 +103,28 @@ struct nft_regs {
	};
};

/* Store/load an u16 or u8 integer to/from the u32 data register.
/* Store/load an u8, u16 or u64 integer to/from the u32 data register.
 *
 * Note, when using concatenations, register allocation happens at 32-bit
 * level. So for store instruction, pad the rest part with zero to avoid
 * garbage values.
 */

static inline void nft_reg_store16(u32 *dreg, u16 val)
static inline void nft_reg_store8(u32 *dreg, u8 val)
{
	*dreg = 0;
	*(u16 *)dreg = val;
	*(u8 *)dreg = val;
}

static inline void nft_reg_store8(u32 *dreg, u8 val)
static inline u8 nft_reg_load8(u32 *sreg)
{
	return *(u8 *)sreg;
}

static inline void nft_reg_store16(u32 *dreg, u16 val)
{
	*dreg = 0;
	*(u8 *)dreg = val;
	*(u16 *)dreg = val;
}

static inline u16 nft_reg_load16(u32 *sreg)
@@ -126,9 +132,14 @@ static inline u16 nft_reg_load16(u32 *sreg)
	return *(u16 *)sreg;
}

static inline u8 nft_reg_load8(u32 *sreg)
static inline void nft_reg_store64(u32 *dreg, u64 val)
{
	return *(u8 *)sreg;
	put_unaligned(val, (u64 *)dreg);
}

static inline u64 nft_reg_load64(u32 *sreg)
{
	return get_unaligned((u64 *)sreg);
}

static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
@@ -291,17 +302,23 @@ struct nft_expr;
 *	struct nft_set_ops - nf_tables set operations
 *
 *	@lookup: look up an element within the set
 *	@update: update an element if exists, add it if doesn't exist
 *	@delete: delete an element
 *	@insert: insert new element into set
 *	@activate: activate new element in the next generation
 *	@deactivate: lookup for element and deactivate it in the next generation
 *	@flush: deactivate element in the next generation
 *	@remove: remove element from set
 *	@walk: iterate over all set elemeennts
 *	@walk: iterate over all set elements
 *	@get: get set elements
 *	@privsize: function to return size of set private data
 *	@init: initialize private data of new set instance
 *	@destroy: destroy private data of set instance
 *	@elemsize: element private size
 *
 *	Operations lookup, update and delete have simpler interfaces, are faster
 *	and currently only used in the packet path. All the rest are slower,
 *	control plane functions.
 */
struct nft_set_ops {
	bool				(*lookup)(const struct net *net,
@@ -316,6 +333,8 @@ struct nft_set_ops {
						  const struct nft_expr *expr,
						  struct nft_regs *regs,
						  const struct nft_set_ext **ext);
	bool				(*delete)(const struct nft_set *set,
						  const u32 *key);

	int				(*insert)(const struct net *net,
						  const struct nft_set *set,
@@ -1108,6 +1127,7 @@ struct nft_object_type {
 *	@init: initialize object from netlink attributes
 *	@destroy: release existing stateful object
 *	@dump: netlink dump stateful object
 *	@update: update stateful object
 */
struct nft_object_ops {
	void				(*eval)(struct nft_object *obj,
@@ -1122,6 +1142,8 @@ struct nft_object_ops {
	int				(*dump)(struct sk_buff *skb,
						struct nft_object *obj,
						bool reset);
	void				(*update)(struct nft_object *obj,
						  struct nft_object *newobj);
	const struct nft_object_type	*type;
};

@@ -1410,10 +1432,16 @@ struct nft_trans_elem {

struct nft_trans_obj {
	struct nft_object		*obj;
	struct nft_object		*newobj;
	bool				update;
};

#define nft_trans_obj(trans)	\
	(((struct nft_trans_obj *)trans->data)->obj)
#define nft_trans_obj_newobj(trans) \
	(((struct nft_trans_obj *)trans->data)->newobj)
#define nft_trans_obj_update(trans)	\
	(((struct nft_trans_obj *)trans->data)->update)

struct nft_trans_flowtable {
	struct nft_flowtable		*flowtable;
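Review bot: nft_reg_store64() and nft_reg_load64() (the `put_unaligned(val, (u64 *)dreg);` / `return get_unaligned((u64 *)sreg);` hunk) move eight bytes through a pointer to a single 32-bit register, so every call spans two consecutive entries of the register file, yet nothing in the helpers bounds that second register. The only protection is the control plane: an expression that uses them has to validate its register with a length of sizeof(u64) at init time, otherwise a rule naming the last register would read or write past struct nft_regs in the packet path. Since the helpers are inline and that contract is invisible at the call sites, suggest stating it in the header comment this commit rewrites, e.g. `* The 64-bit helpers span two consecutive 32-bit registers; callers must validate the register with len == sizeof(u64) at expression init.` The existing remark about zero-padding the rest of the register does not apply to the 64-bit store, which fills both registers, and that could be said in the same comment.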
+7 −0
@@ -636,6 +636,7 @@ enum nft_lookup_attributes {
enum nft_dynset_ops {
	NFT_DYNSET_OP_ADD,
	NFT_DYNSET_OP_UPDATE,
	NFT_DYNSET_OP_DELETE,
};

enum nft_dynset_flags {
@@ -799,6 +800,9 @@ enum nft_exthdr_attributes {
 * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
 * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
 * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto
 * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
 * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
 * @NFT_META_TIME_HOUR: hour of day (in seconds)
 */
enum nft_meta_keys {
	NFT_META_LEN,
@@ -831,6 +835,9 @@ enum nft_meta_keys {
	NFT_META_OIFKIND,
	NFT_META_BRI_IIFPVID,
	NFT_META_BRI_IIFVPROTO,
	NFT_META_TIME_NS,
	NFT_META_TIME_DAY,
	NFT_META_TIME_HOUR,
};

/**
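Review bot: The uapi documentation for the new time keys leaves the register contents ambiguous: `@NFT_META_TIME_HOUR: hour of day (in seconds)` can be read either as the hour number or as seconds elapsed since midnight, and `@NFT_META_TIME_NS: time since epoch (in nanoseconds)` does not say which clock or timezone the value is taken from. Because this is a stable ABI that userspace will build matching rules against, the unit and range should be exact; if the value is seconds since the start of the day, write `@NFT_META_TIME_HOUR: seconds since start of day (0-86399)`, and for TIME_NS name the clock and whether it is wall-clock or local time. The enum values themselves are appended after NFT_META_BRI_IIFVPROTO, so existing numbering is preserved.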
+11 −0
@@ -33,6 +33,15 @@ struct nfulnl_msg_packet_timestamp {
	__aligned_be64	usec;
};

enum nfulnl_vlan_attr {
	NFULA_VLAN_UNSPEC,
	NFULA_VLAN_PROTO,		/* __be16 skb vlan_proto */
	NFULA_VLAN_TCI,			/* __be16 skb htons(vlan_tci) */
	__NFULA_VLAN_MAX,
};

#define NFULA_VLAN_MAX (__NFULA_VLAN_MAX + 1)

enum nfulnl_attr_type {
	NFULA_UNSPEC,
	NFULA_PACKET_HDR,
@@ -54,6 +63,8 @@ enum nfulnl_attr_type {
	NFULA_HWLEN,			/* hardware header length */
	NFULA_CT,                       /* nf_conntrack_netlink.h */
	NFULA_CT_INFO,                  /* enum ip_conntrack_info */
	NFULA_VLAN,			/* nested attribute: packet vlan info */
	NFULA_L2HDR,			/* full L2 header */

	__NFULA_MAX
};
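Review bot: `#define NFULA_VLAN_MAX (__NFULA_VLAN_MAX + 1)` breaks the netfilter convention that a `*_MAX` constant is the highest valid attribute type, i.e. `(__FOO_MAX - 1)`, as every other attribute maximum in these headers is defined; with the `+ 1` it evaluates to 4 while the last real attribute, NFULA_VLAN_TCI, is 2. Any code that uses it as the maxtype of a nested parse or to size a policy table would accept two attribute types that do not exist, and userspace compiled against this uapi header inherits the off-by-two. Change it to `#define NFULA_VLAN_MAX (__NFULA_VLAN_MAX - 1)` before the header ships; if the kernel side of this series only emits the nested attribute, as the `nested attribute: packet vlan info` comment suggests, the correction is harmless for existing callers.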
+1 −2
@@ -73,8 +73,7 @@ struct conntrack_gc_work {
};

static __read_mostly struct kmem_cache *nf_conntrack_cachep;
static __read_mostly spinlock_t nf_conntrack_locks_all_lock;
static __read_mostly DEFINE_SPINLOCK(nf_conntrack_locks_all_lock);
static DEFINE_SPINLOCK(nf_conntrack_locks_all_lock);
static __read_mostly bool nf_conntrack_locks_all;

/* every gc cycle scans at most 1/GC_MAX_BUCKETS_DIV part of table */
+1 −1
@@ -11,7 +11,7 @@
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_labels.h>

static __read_mostly DEFINE_SPINLOCK(nf_connlabels_lock);
static DEFINE_SPINLOCK(nf_connlabels_lock);

static int replace_u32(u32 *address, u32 mask, u32 new)
{