
Commit abccc587 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
pull request: Netfilter/IPVS fixes for net

The following patchset contains seven Netfilter fixes for your net
tree, they are:

1) Make the NAT infrastructure independent of x_tables, some users are
   already starting to test nf_tables with NAT without enabling x_tables.
   Without this patch for Kconfig, there's a superfluous dependency
   between NAT and x_tables.
2) Allow to use 0 in the cgroup match, the kernel rejects with -EINVAL
   with no good reason. From Daniel Borkmann.

3) Select CONFIG_NF_NAT from the nf_tables NAT expression, this also
   resolves another NAT dependency with x_tables.

4) Use HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL in the Netfilter hook
   code as elsewhere in the kernel to resolve toolchain problems, from
   Zhouyi Zhou.

5) Use iptunnel_handle_offloads() to set up tunnel encapsulation
   depending on the offload capabilities, reported by Alex Gartrell
   patch from Julian Anastasov.

6) Fix wrong family when registering the ip_vs_local_reply6() hook,
   also from Julian.

7) Select the NF_LOG_* symbols from NETFILTER_XT_TARGET_LOG. Rafał
   Miłecki reported that when jumping from 3.16 to 3.17-rc, his log
   target is not selected anymore due to changes in the previous
   development cycle to accommodate the full logging support for
   nf_tables.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 04860eb7 d79a61d6
+3 −2
@@ -9,6 +9,7 @@
#include <linux/in6.h>
#include <linux/wait.h>
#include <linux/list.h>
#include <linux/static_key.h>
#include <uapi/linux/netfilter.h>
#ifdef CONFIG_NETFILTER
static inline int NF_DROP_GETERR(int verdict)
@@ -99,9 +100,9 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg);

extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

#if defined(CONFIG_JUMP_LABEL)
#include <linux/static_key.h>
#ifdef HAVE_JUMP_LABEL
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
{
	if (__builtin_constant_p(pf) &&
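Review bot: The `#ifdef HAVE_JUMP_LABEL` at the second hunk tests a preprocessor macro, not a Kconfig symbol, so if the macro is not visible at that point the preprocessor silently takes the non-static-key fallback path with no diagnostic; the only thing that makes it visible is the `#include <linux/static_key.h>` moved to the top of the header in the first hunk (as far as I recall, the macro comes from linux/jump_label.h, which static_key.h pulls in). That ordering dependency deserves a comment on the include line, e.g. `/* also defines HAVE_JUMP_LABEL, tested below */`, so a later include reshuffle does not quietly disable the fast path. nf_hooks_active's body continues outside the hunk.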
+55 −47
@@ -82,6 +82,52 @@ config NF_TABLES_ARP
	help
	  This option enables the ARP support for nf_tables.

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
@@ -170,19 +216,21 @@ config IP_NF_TARGET_SYNPROXY
	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV4
if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
@@ -214,47 +262,7 @@ config IP_NF_TARGET_REDIRECT
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323
endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
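Review bot: `select NF_NAT_IPV4` and `select NETFILTER_XT_NAT` in the new IP_NF_NAT entry (second hunk) force those symbols on without evaluating their own `depends on`, so IP_NF_NAT has to carry every dependency they need itself; it does repeat `depends on NF_CONNTRACK_IPV4` from the new NF_NAT_IPV4 block, but nothing records that the duplication is deliberate. I would add `# keep in sync with NF_NAT_IPV4: select does not pull in dependencies` above that `depends on` line. NETFILTER_XT_NAT's dependencies are declared in a file not part of this commit, so I cannot confirm from here that they are covered. The same applies to the IP6_NF_NAT entry in the ip6tables Kconfig section below. Minor style point: the NF_NAT_SNMP_BASIC block added in the first hunk uses `---help---` while its new siblings use `help`.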
+1 −1
@@ -43,7 +43,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
# the three instances of ip_tables
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
obj-$(CONFIG_NF_NAT_IPV4) += iptable_nat.o
obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o

+19 −7
@@ -60,6 +60,16 @@ config NF_LOG_IPV6
	depends on NETFILTER_ADVANCED
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
@@ -232,19 +242,21 @@ config IP6_NF_SECURITY

         If unsure, say N.

config NF_NAT_IPV6
	tristate "IPv6 NAT"
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV6
if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
@@ -265,7 +277,7 @@ config IP6_NF_TARGET_NPT

	  To compile it as a module, choose M here.  If unsure, say N.

endif # NF_NAT_IPV6
endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

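Review bot: The help text of the new NF_NAT_IPV6 entry in the first hunk says the option "can be controlled by iptables or nft", but for IPv6 the `nat` table is driven by ip6tables, as the IP6_NF_NAT help in the second hunk itself states; the sentence looks copied from the IPv4 entry. I would change it to `controlled by ip6tables or nft.` so users enabling only this symbol are pointed at the right tool.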
+1 −1
@@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
obj-$(CONFIG_NF_NAT_IPV6) += ip6table_nat.o
obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o

# objects for l3 independent conntrack
nf_conntrack_ipv6-y  :=  nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o