Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 382a483e authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree. This
large batch that includes fixes for ipset, netfilter ingress, nf_tables
dynamic set instantiation and a longstanding Kconfig dependency problem.
More specifically, they are:

1) Add missing check for empty hook list at the ingress hook, from
   Florian Westphal.

2) Input and output interface are swapped at the ingress hook,
   reported by Patrick McHardy.

3) Resolve ipset extension alignment issues on ARM, patch from Jozsef
   Kadlecsik.

4) Fix bit check on bitmap in ipset hash type, also from Jozsef.

5) Release buckets when all entries have expired in ipset hash type,
   again from Jozsef.

6) Oneliner to initialize conntrack tuple object in the PPTP helper,
   otherwise the conntrack lookup may fail due to random bits in the
   structure holes, patch from Anthony Lineham.

7) Silence a bogus gcc warning in nfnetlink_log, from Arnd Bergmann.

8) Fix Kconfig dependency problems with TPROXY, socket and dup, also
   from Arnd.

9) Add __netdev_alloc_pcpu_stats() to allow creating percpu counters
   from atomic context, this is required by the follow up fix for
   nf_tables.

10) Fix crash from the dynamic set expression, we have to add new clone
    operation that should be defined when a simple memcpy is not enough.
    This resolves a crash when using per-cpu counters with new Patrick
    McHardy's flow table nft support.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 39174291 086f3321

include/linux/netdevice.h

+15 −12
Original line number Diff line number Diff line
@@ -2068,9 +2068,9 @@ struct pcpu_sw_netstats { 
	struct u64_stats_sync   syncp;

};



#define netdev_alloc_pcpu_stats(type)				\

#define __netdev_alloc_pcpu_stats(type, gfp)				\

({									\

	typeof(type) __percpu *pcpu_stats = alloc_percpu(type); \

	typeof(type) __percpu *pcpu_stats = alloc_percpu_gfp(type, gfp);\

	if (pcpu_stats)	{						\

		int __cpu;						\

		for_each_possible_cpu(__cpu) {				\
@@ -2082,6 +2082,9 @@ struct pcpu_sw_netstats { 
	pcpu_stats;							\

})



#define netdev_alloc_pcpu_stats(type)					\

	__netdev_alloc_pcpu_stats(type, GFP_KERNEL);



#include <linux/notifier.h>



/* netdevice notifier chain. Please remember to update the rtnetlink

include/linux/netfilter/ipset/ip_set.h

+1 −1
Original line number Diff line number Diff line
@@ -421,7 +421,7 @@ extern void ip_set_free(void *members); 
extern int ip_set_get_ipaddr4(struct nlattr *nla,  __be32 *ipaddr);

extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr);

extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[],

			      size_t len);

			      size_t len, size_t align);

extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],

				 struct ip_set_ext *ext);

include/linux/netfilter_ingress.h

+8 −5
Original line number Diff line number Diff line
@@ -5,10 +5,13 @@ 
#include <linux/netdevice.h>



#ifdef CONFIG_NETFILTER_INGRESS

static inline int nf_hook_ingress_active(struct sk_buff *skb)

static inline bool nf_hook_ingress_active(const struct sk_buff *skb)

{

	return nf_hook_list_active(&skb->dev->nf_hooks_ingress,

				   NFPROTO_NETDEV, NF_NETDEV_INGRESS);

#ifdef HAVE_JUMP_LABEL

	if (!static_key_false(&nf_hooks_needed[NFPROTO_NETDEV][NF_NETDEV_INGRESS]))

		return false;

#endif

	return !list_empty(&skb->dev->nf_hooks_ingress);

}



static inline int nf_hook_ingress(struct sk_buff *skb)
@@ -16,8 +19,8 @@ static inline int nf_hook_ingress(struct sk_buff *skb) 
	struct nf_hook_state state;



	nf_hook_state_init(&state, &skb->dev->nf_hooks_ingress,

			   NF_NETDEV_INGRESS, INT_MIN, NFPROTO_NETDEV, NULL,

			   skb->dev, NULL, dev_net(skb->dev), NULL);

			   NF_NETDEV_INGRESS, INT_MIN, NFPROTO_NETDEV,

			   skb->dev, NULL, NULL, dev_net(skb->dev), NULL);

	return nf_hook_slow(skb, &state);

}

include/net/netfilter/nf_tables.h

+14 −2
Original line number Diff line number Diff line
@@ -618,6 +618,8 @@ struct nft_expr_ops { 
	void				(*eval)(const struct nft_expr *expr,

						struct nft_regs *regs,

						const struct nft_pktinfo *pkt);

	int				(*clone)(struct nft_expr *dst,

						 const struct nft_expr *src);

	unsigned int			size;



	int				(*init)(const struct nft_ctx *ctx,
@@ -660,11 +662,21 @@ void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); 
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,

		  const struct nft_expr *expr);



static inline void nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)

static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)

{

	int err;



	__module_get(src->ops->type->owner);

	if (src->ops->clone) {

		dst->ops = src->ops;

		err = src->ops->clone(dst, src);

		if (err < 0)

			return err;

	} else {

		memcpy(dst, src, src->ops->size);

	}

	return 0;

}



/**

 *	struct nft_rule - nf_tables rule

net/ipv4/netfilter/nf_nat_pptp.c

+1 −1
Original line number Diff line number Diff line
@@ -45,7 +45,7 @@ static void pptp_nat_expected(struct nf_conn *ct, 
	struct net *net = nf_ct_net(ct);

	const struct nf_conn *master = ct->master;

	struct nf_conntrack_expect *other_exp;

	struct nf_conntrack_tuple t;

	struct nf_conntrack_tuple t = {};

	const struct nf_ct_pptp_master *ct_pptp_info;

	const struct nf_nat_pptp *nat_pptp_info;

	struct nf_nat_range range;