Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 89d5e232 authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Conflicts:
	net/netfilter/nf_conntrack_proto_tcp.c

The conflict had to do with overlapping changes dealing with
fixing the use of an "s32" to hold the value returned by
NAT_OFFSET().

Pablo Neira Ayuso says:

====================
The following batch contains Netfilter/IPVS updates for your net-next tree.
More specifically, they are:

* Trivial typo fix in xt_addrtype, from Phil Oester.

* Remove net_ratelimit in the conntrack logging for consistency with other
  logging subsystem, from Patrick McHardy.

* Remove unneeded includes from the recently added xt_connlabel support, from
  Florian Westphal.

* Allow to update conntracks via nfqueue, don't need NFQA_CFG_F_CONNTRACK for
  this, from Florian Westphal.

* Remove tproxy core, now that we have socket early demux, from Florian
  Westphal.

* A couple of patches to refactor conntrack event reporting to save a good
  bunch of lines, from Florian Westphal.

* Fix missing locking in NAT sequence adjustment, it did not manifested in
  any known bug so far, from Patrick McHardy.

* Change sequence number adjustment variable to 32 bits, to delay the
  possible early overflow in long standing connections, also from Patrick.

* Comestic cleanups for IPVS, from Dragos Foianu.

* Fix possible null dereference in IPVS in the SH scheduler, from Daniel
  Borkmann.

* Allow to attach conntrack expectations via nfqueue. Before this patch, you
  had to use ctnetlink instead, thus, we save the conntrack lookup.

* Export xt_rpfilter and xt_HMARK header files, from Nicolas Dichtel.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 15ec80f5 38c67328

Documentation/networking/tproxy.txt

+2 −3
Original line number Diff line number Diff line
@@ -2,9 +2,8 @@ Transparent proxy support 
=========================



This feature adds Linux 2.2-like transparent proxy support to current kernels.

To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in

your kernel config. You will need policy routing too, so be sure to enable that

as well.

To use it, enable the socket match and the TPROXY target in your kernel config.

You will need policy routing too, so be sure to enable that as well.





1. Making non-local sockets work

include/linux/netfilter.h

+5 −3
Original line number Diff line number Diff line
@@ -314,8 +314,8 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 
#endif /*CONFIG_NETFILTER*/



#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)

extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *) __rcu;

extern void nf_ct_attach(struct sk_buff *, struct sk_buff *);

extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;

extern void nf_ct_attach(struct sk_buff *, const struct sk_buff *);

extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;



struct nf_conn;
@@ -325,12 +325,14 @@ struct nfq_ct_hook { 
	size_t (*build_size)(const struct nf_conn *ct);

	int (*build)(struct sk_buff *skb, struct nf_conn *ct);

	int (*parse)(const struct nlattr *attr, struct nf_conn *ct);

	int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct,

			     u32 portid, u32 report);

};

extern struct nfq_ct_hook __rcu *nfq_ct_hook;



struct nfq_ct_nat_hook {

	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,

			   u32 ctinfo, int off);

			   u32 ctinfo, s32 off);

};

extern struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook;

#else

include/net/netfilter/nf_conntrack.h

+5 −4
Original line number Diff line number Diff line
@@ -181,8 +181,7 @@ __nf_conntrack_find(struct net *net, u16 zone, 
		    const struct nf_conntrack_tuple *tuple);



extern int nf_conntrack_hash_check_insert(struct nf_conn *ct);

extern void nf_ct_delete_from_lists(struct nf_conn *ct);

extern void nf_ct_dying_timeout(struct nf_conn *ct);

bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);



extern void nf_conntrack_flush_report(struct net *net, u32 portid, int report);
@@ -235,7 +234,7 @@ static inline bool nf_ct_kill(struct nf_conn *ct) 
}



/* These are for NAT.  Icky. */

extern s16 (*nf_ct_nat_offset)(const struct nf_conn *ct,

extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,

			       enum ip_conntrack_dir dir,

			       u32 seq);
@@ -249,7 +248,9 @@ extern void nf_ct_untracked_status_or(unsigned long bits); 


/* Iterate over all conntracks: if iter returns true, it's deleted. */

extern void

nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);

nf_ct_iterate_cleanup(struct net *net,

		      int (*iter)(struct nf_conn *i, void *data),

		      void *data, u32 portid, int report);

extern void nf_conntrack_free(struct nf_conn *ct);

extern struct nf_conn *

nf_conntrack_alloc(struct net *net, u16 zone,

include/net/netfilter/nf_conntrack_l4proto.h

+0 −7
Original line number Diff line number Diff line
@@ -148,17 +148,10 @@ extern int nf_ct_port_nlattr_tuple_size(void); 
extern const struct nla_policy nf_ct_port_nla_policy[];



#ifdef CONFIG_SYSCTL

#ifdef DEBUG_INVALID_PACKETS

#define LOG_INVALID(net, proto)				\

	((net)->ct.sysctl_log_invalid == (proto) ||	\

	 (net)->ct.sysctl_log_invalid == IPPROTO_RAW)

#else

#define LOG_INVALID(net, proto)				\

	(((net)->ct.sysctl_log_invalid == (proto) ||	\

	  (net)->ct.sysctl_log_invalid == IPPROTO_RAW)	\

	 && net_ratelimit())

#endif

#else

static inline int LOG_INVALID(struct net *net, int proto) { return 0; }

#endif /* CONFIG_SYSCTL */

include/net/netfilter/nf_nat.h

+1 −1
Original line number Diff line number Diff line
@@ -19,7 +19,7 @@ struct nf_nat_seq { 
	u_int32_t correction_pos;



	/* sequence number offset before and after last modification */

	int16_t offset_before, offset_after;

	int32_t offset_before, offset_after;

};



#include <linux/list.h>