
Commit 4c38cd61 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter updates for your net-next tree,
they are:

1) Remove useless debug message when deleting IPVS service, from
   Yannick Brosseau.

2) Get rid of compilation warning when CONFIG_PROC_FS is unset in
   several spots of the IPVS code, from Arnd Bergmann.

3) Add prandom_u32 support to nft_meta, from Florian Westphal.

4) Remove unused variable in xt_osf, from Sudip Mukherjee.

5) Don't calculate IP checksum twice from netfilter ipv4 defrag hook
   since fixing af_packet defragmentation issues, from Joe Stringer.

6) On-demand hook registration for iptables from netns. Instead of
   registering the hooks for every available netns whenever we need
   one of the support tables, we register this on the specific netns
   that needs it, patchset from Florian Westphal.

7) Add missing port range selection to nf_tables masquerading support.

BTW, just for the record, there is a typo in the description of
5f6c253e ("netfilter: bridge: register hooks only when bridge
interface is added") that refers to the cluster match as deprecated, but
it is actually the CLUSTERIP target (which registers hooks
unconditionally) that is scheduled for removal.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents d24ad3fc 8a6bf5da
+11 −18
@@ -141,22 +141,6 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg);


#ifdef HAVE_JUMP_LABEL
#ifdef HAVE_JUMP_LABEL
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

static inline bool nf_hook_list_active(struct list_head *hook_list,
				       u_int8_t pf, unsigned int hook)
{
	if (__builtin_constant_p(pf) &&
	    __builtin_constant_p(hook))
		return static_key_false(&nf_hooks_needed[pf][hook]);

	return !list_empty(hook_list);
}
#else
static inline bool nf_hook_list_active(struct list_head *hook_list,
				       u_int8_t pf, unsigned int hook)
{
	return !list_empty(hook_list);
}
#endif
#endif


int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state);
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state);
@@ -177,9 +161,18 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
				 int (*okfn)(struct net *, struct sock *, struct sk_buff *),
				 int (*okfn)(struct net *, struct sock *, struct sk_buff *),
				 int thresh)
				 int thresh)
{
{
	struct list_head *hook_list = &net->nf.hooks[pf][hook];
	struct list_head *hook_list;

#ifdef HAVE_JUMP_LABEL
	if (__builtin_constant_p(pf) &&
	    __builtin_constant_p(hook) &&
	    !static_key_false(&nf_hooks_needed[pf][hook]))
		return 1;
#endif

	hook_list = &net->nf.hooks[pf][hook];


	if (nf_hook_list_active(hook_list, pf, hook)) {
	if (!list_empty(hook_list)) {
		struct nf_hook_state state;
		struct nf_hook_state state;


		nf_hook_state_init(&state, hook_list, hook, thresh,
		nf_hook_state_init(&state, hook_list, hook, thresh,
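Review bot: The new fast path in nf_hook_thresh (the `#ifdef HAVE_JUMP_LABEL` block) carries no comment explaining why the static-key test is followed by a second `list_empty()` test instead of replacing it, which is the part a reader is most likely to misread now that the old nf_hook_list_active helper is gone. From the visible declarations, `nf_hooks_needed` is a single global array while the hook list is looked up through `net->nf.hooks`, so the key can only say that some netns has a hook on (pf, hook) and the per-netns list check remains the real gate; with the on-demand per-netns registration this series introduces, the key presumably ends up true whenever any netns has the table loaded. I would add above the `#ifdef`: `/* nf_hooks_needed is global, net->nf.hooks is per-netns: the key is only a cheap "no netns has a hook here" shortcut, and it is consulted only when pf/hook are compile-time constants. */`. nf_hook_thresh's signature line lies outside this hunk.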
+4 −2
@@ -200,6 +200,9 @@ struct xt_table {
	u_int8_t af;		/* address/protocol family */
	u_int8_t af;		/* address/protocol family */
	int priority;		/* hook order */
	int priority;		/* hook order */


	/* called when table is needed in the given netns */
	int (*table_init)(struct net *net);

	/* A unique name... */
	/* A unique name... */
	const char name[XT_TABLE_MAXNAMELEN];
	const char name[XT_TABLE_MAXNAMELEN];
};
};
@@ -408,8 +411,7 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
	return cnt;
	return cnt;
}
}


struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);


#ifdef CONFIG_COMPAT
#ifdef CONFIG_COMPAT
#include <net/compat.h>
#include <net/compat.h>
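Review bot: The new `table_init` member and the renamed `xt_hook_ops_alloc` are declared without their contracts, and with `xt_hook_unlink` removed the ownership of the returned ops array is no longer visible from the header. The one-line comment on `table_init` says when it is called but not what it returns or whether a table may leave it NULL; `xt_hook_ops_alloc` has no comment at all, so a reader cannot tell whether failure comes back as NULL or ERR_PTR, nor that the caller presumably now has to keep the array alive across register/unregister and free it itself, which looks like the reason the unlink helper went away. I would extend the field comment to `/* called when table is needed in the given netns; 0 on success, negative errno on failure */` and add above the prototype `/* allocate per-hook nf_hook_ops for table; the caller owns the array and frees it after unregistering */`, taking the exact failure convention from the definition in x_tables.c. The `struct xt_table` definition continues outside this hunk.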
+5 −4
@@ -48,10 +48,11 @@ struct arpt_error {
}
}


extern void *arpt_alloc_initial_table(const struct xt_table *);
extern void *arpt_alloc_initial_table(const struct xt_table *);
extern struct xt_table *arpt_register_table(struct net *net,
int arpt_register_table(struct net *net, const struct xt_table *table,
					    const struct xt_table *table,
			const struct arpt_replace *repl,
					    const struct arpt_replace *repl);
			const struct nf_hook_ops *ops, struct xt_table **res);
extern void arpt_unregister_table(struct xt_table *table);
void arpt_unregister_table(struct net *net, struct xt_table *table,
			   const struct nf_hook_ops *ops);
extern unsigned int arpt_do_table(struct sk_buff *skb,
extern unsigned int arpt_do_table(struct sk_buff *skb,
				  const struct nf_hook_state *state,
				  const struct nf_hook_state *state,
				  struct xt_table *table);
				  struct xt_table *table);
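Review bot: The new `arpt_register_table`/`arpt_unregister_table` prototypes change the calling convention (int return plus a `struct xt_table **res` out-parameter, and an `ops` argument that unregister now needs back) without a comment stating the contract, and the fact that unregister takes `ops` again means the caller evidently has to keep that array alive between the two calls. In particular the header does not say whether `*res` is left untouched or set to NULL on a non-zero return, which matters for callers that test `*res` in their cleanup paths. I would add above the declaration: `/* Registers table for net; on success *res holds the live table and ops must stay valid until arpt_unregister_table(net, *res, ops). Returns 0 or a negative errno. */`, with the `*res`-on-failure behaviour confirmed against arp_tables.c. The new lines also drop the `extern` that the neighbouring `arpt_alloc_initial_table` and `arpt_do_table` prototypes keep, so the block now mixes both styles.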
+5 −4
@@ -24,10 +24,11 @@


extern void ipt_init(void) __init;
extern void ipt_init(void) __init;


extern struct xt_table *ipt_register_table(struct net *net,
int ipt_register_table(struct net *net, const struct xt_table *table,
					   const struct xt_table *table,
		       const struct ipt_replace *repl,
					   const struct ipt_replace *repl);
		       const struct nf_hook_ops *ops, struct xt_table **res);
extern void ipt_unregister_table(struct net *net, struct xt_table *table);
void ipt_unregister_table(struct net *net, struct xt_table *table,
			  const struct nf_hook_ops *ops);


/* Standard entry. */
/* Standard entry. */
struct ipt_standard {
struct ipt_standard {
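Review bot: The rewritten `ipt_register_table` prototype drops the leading `extern` while the `ipt_init` declaration two lines above it keeps it, so this header now declares functions in two styles within the same hunk; either keep `extern` on the new lines or drop it consistently. Beyond style, the new out-parameter and the `ops` argument to `ipt_unregister_table` carry an unstated lifetime rule: the same ops array passed at registration has to be handed back at unregistration, so the caller, not the table code, owns it. A short comment above the pair, `/* ops must remain valid from ipt_register_table() until the matching ipt_unregister_table() call; on error *res is not a usable table */`, would make that explicit, with the exact `*res` error state taken from the definition in ip_tables.c.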
+5 −4
@@ -25,10 +25,11 @@
extern void ip6t_init(void) __init;
extern void ip6t_init(void) __init;


extern void *ip6t_alloc_initial_table(const struct xt_table *);
extern void *ip6t_alloc_initial_table(const struct xt_table *);
extern struct xt_table *ip6t_register_table(struct net *net,
int ip6t_register_table(struct net *net, const struct xt_table *table,
					    const struct xt_table *table,
			const struct ip6t_replace *repl,
					    const struct ip6t_replace *repl);
			const struct nf_hook_ops *ops, struct xt_table **res);
extern void ip6t_unregister_table(struct net *net, struct xt_table *table);
void ip6t_unregister_table(struct net *net, struct xt_table *table,
			   const struct nf_hook_ops *ops);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
extern unsigned int ip6t_do_table(struct sk_buff *skb,
				  const struct nf_hook_state *state,
				  const struct nf_hook_state *state,
				  struct xt_table *table);
				  struct xt_table *table);
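Review bot: `ip6t_register_table` now reports failure through its int return and hands the table back via `struct xt_table **res`, but nothing in the header says whether the call is all-or-nothing with respect to the `ops` hooks, i.e. whether a non-zero return guarantees no hooks were left registered for this net. That is the property a caller's error path depends on when it frees `ops` after a failed registration, since a hook still registered and pointing at freed ops would be a use-after-free on the packet path. I would document it on the prototype, `/* returns 0 with *res set, or a negative errno with no hooks registered and *res unchanged; ops must outlive the table until ip6t_unregister_table() */`, after confirming the unregister-on-error behaviour in ip6_tables.c. As in the arp/ip headers, the new lines also drop `extern` while their neighbours keep it.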