Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a173e550 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains netfilter updates for net-next, they are:

1) Add the reject expression for the nf_tables bridge family, this
   allows us to send explicit reject (TCP RST / ICMP dest unrech) to
   the packets matching a rule.

2) Simplify and consolidate the nf_tables set dumping logic. This uses
   netlink control->data to filter out depending on the request.

3) Perform garbage collection in xt_hashlimit using a workqueue instead
   of a timer, which is problematic when many entries are in place in
   the tables, from Eric Dumazet.

4) Remove leftover code from the removed ulog target support, from
   Paul Bolle.

5) Dump unmodified flags in the netfilter packet accounting when resetting
   counters, so userspace knows that a counter was in overquota situation,
   from Alexey Perevalov.

6) Fix wrong usage of the bitwise functions in nfnetlink_acct, also from
   Alexey.

7) Fix a crash when adding new set element with an empty NFTA_SET_ELEM_LIST
   attribute.

This patchset also includes a couple of cleanups for xt_LED from
Duan Jiong and for nf_conntrack_ipv4 (using coccinelle) from
Himangi Saraogi.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 388070fa 7d5570ca

include/net/netns/x_tables.h

+0 −6
Original line number Diff line number Diff line
@@ -15,11 +15,5 @@ struct netns_xt { 
	struct ebt_table *frame_filter;

	struct ebt_table *frame_nat;

#endif

#if IS_ENABLED(CONFIG_IP_NF_TARGET_ULOG)

	bool ulog_warn_deprecated;

#endif

#if IS_ENABLED(CONFIG_BRIDGE_EBT_ULOG)

	bool ebt_ulog_warn_deprecated;

#endif

};

#endif

net/bridge/netfilter/Kconfig

+6 −0
Original line number Diff line number Diff line
@@ -14,6 +14,12 @@ config NFT_BRIDGE_META 
	help

	  Add support for bridge dedicated meta key.



config NFT_BRIDGE_REJECT

	tristate "Netfilter nf_tables bridge reject support"

	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6

	help

	  Add support to reject packets.



config NF_LOG_BRIDGE

	tristate "Bridge packet logging"

net/bridge/netfilter/Makefile

+1 −1
Original line number Diff line number Diff line
@@ -4,6 +4,7 @@ 


obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o

obj-$(CONFIG_NFT_BRIDGE_META)  += nft_meta_bridge.o

obj-$(CONFIG_NFT_BRIDGE_REJECT)  += nft_reject_bridge.o



# packet logging

obj-$(CONFIG_NF_LOG_BRIDGE) += nf_log_bridge.o
@@ -36,5 +37,4 @@ obj-$(CONFIG_BRIDGE_EBT_SNAT) += ebt_snat.o 


# watchers

obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o

obj-$(CONFIG_BRIDGE_EBT_ULOG) += ebt_ulog.o

obj-$(CONFIG_BRIDGE_EBT_NFLOG) += ebt_nflog.o

net/bridge/netfilter/nft_reject_bridge.c

0 → 100644
+67 −0
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2014 Pablo Neira Ayuso <pablo@netfilter.org>

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 as

 * published by the Free Software Foundation.

 */



#include <linux/kernel.h>

#include <linux/init.h>

#include <linux/module.h>

#include <linux/netlink.h>

#include <linux/netfilter.h>

#include <linux/netfilter/nf_tables.h>

#include <net/netfilter/nf_tables.h>

#include <net/netfilter/nft_reject.h>



static void nft_reject_bridge_eval(const struct nft_expr *expr,

				 struct nft_data data[NFT_REG_MAX + 1],

				 const struct nft_pktinfo *pkt)

{

	switch (eth_hdr(pkt->skb)->h_proto) {

	case htons(ETH_P_IP):

		return nft_reject_ipv4_eval(expr, data, pkt);

	case htons(ETH_P_IPV6):

		return nft_reject_ipv6_eval(expr, data, pkt);

	default:

		/* No explicit way to reject this protocol, drop it. */

		data[NFT_REG_VERDICT].verdict = NF_DROP;

		break;

	}

}



static struct nft_expr_type nft_reject_bridge_type;

static const struct nft_expr_ops nft_reject_bridge_ops = {

	.type		= &nft_reject_bridge_type,

	.size		= NFT_EXPR_SIZE(sizeof(struct nft_reject)),

	.eval		= nft_reject_bridge_eval,

	.init		= nft_reject_init,

	.dump		= nft_reject_dump,

};



static struct nft_expr_type nft_reject_bridge_type __read_mostly = {

	.family		= NFPROTO_BRIDGE,

	.name		= "reject",

	.ops		= &nft_reject_bridge_ops,

	.policy		= nft_reject_policy,

	.maxattr	= NFTA_REJECT_MAX,

	.owner		= THIS_MODULE,

};



static int __init nft_reject_bridge_module_init(void)

{

	return nft_register_expr(&nft_reject_bridge_type);

}



static void __exit nft_reject_bridge_module_exit(void)

{

	nft_unregister_expr(&nft_reject_bridge_type);

}



module_init(nft_reject_bridge_module_init);

module_exit(nft_reject_bridge_module_exit);



MODULE_LICENSE("GPL");

MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");

MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "reject");

net/ipv4/netfilter/Makefile

+0 −1
Original line number Diff line number Diff line
@@ -57,7 +57,6 @@ obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o 
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o

obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o

obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o

obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o



# generic ARP tables

obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o