
Commit f41f0319 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter/nftables/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes, mostly nftables
fixes, most relevantly they are:

* Fix a crash in the h323 conntrack NAT helper due to expectation list
  corruption, from Alexey Dobriyan.

* A couple of RCU race fixes for conntrack, one manifests by hitting BUG_ON
  in nf_nat_setup_info() and the destroy path, patches from Andrey Vagin and
  me.

* Dump direction attribute in nft_ct only if it is set, from Arturo
  Borrero.

* Fix IPVS bug in its own connection tracking system that may lead to
  copying only 4 bytes of the IPv6 address when initializing the
  ip_vs_conn object, from Michal Kubecek.

* Fix -EBUSY errors in nftables when deleting the rules, chain and tables
  in a row due to a mixture of asynchronous and synchronous object releasing,
  from me.

* Three fixes for the nf_tables set infrastructure when using intervals and
  mappings, from me.

* Four patches fixing the nf_tables log, reject and ct expressions from
  the new inet table, from Patrick McHardy.

* Fix memory overrun in the map that is used to dynamically allocate names
  from anonymous sets, also from Patrick.

* Fix a potential oops if you dump a set with NFPROTO_UNSPEC and a table
  name, from Patrick McHardy.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 4a5ab4e2 6d8c00d5
+2 −0
@@ -284,6 +284,8 @@ extern unsigned int nf_conntrack_max;
extern unsigned int nf_conntrack_hash_rnd;
void init_nf_conntrack_hash_rnd(void);

void nf_conntrack_tmpl_insert(struct net *net, struct nf_conn *tmpl);

#define NF_CT_STAT_INC(net, count)	  __this_cpu_inc((net)->ct.stat->count)
#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)

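Review bot: The new prototype `void nf_conntrack_tmpl_insert(struct net *net, struct nf_conn *tmpl);` (the +/- markers are lost on this page, but with +2 −0 it is the addition) is declared with no comment, so a header reader cannot tell which list or hash the template is placed on, whether the function takes the conntrack lock itself or expects the caller to hold it, or who owns `tmpl` afterwards. Those contracts are only guessable from the name here and need confirming against the definition. Suggest a short block comment above the prototype that states the list the template joins, the locking rule, and the ownership of `tmpl`, with the specifics taken from the definition rather than inferred.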
+5 −4
@@ -252,6 +252,7 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 *	@owner: module reference
 *	@policy: netlink attribute policy
 *	@maxattr: highest netlink attribute number
 *	@family: address family for AF-specific types
 */
struct nft_expr_type {
	const struct nft_expr_ops	*(*select_ops)(const struct nft_ctx *,
@@ -262,6 +263,7 @@ struct nft_expr_type {
	struct module			*owner;
	const struct nla_policy		*policy;
	unsigned int			maxattr;
	u8				family;
};

/**
@@ -320,7 +322,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
 *	struct nft_rule - nf_tables rule
 *
 *	@list: used internally
 *	@rcu_head: used internally for rcu
 *	@handle: rule handle
 *	@genmask: generation mask
 *	@dlen: length of expression data
@@ -328,7 +329,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
 */
struct nft_rule {
	struct list_head		list;
	struct rcu_head			rcu_head;
	u64				handle:46,
					genmask:2,
					dlen:16;
@@ -389,7 +389,6 @@ enum nft_chain_flags {
 *
 *	@rules: list of rules in the chain
 *	@list: used internally
 *	@rcu_head: used internally
 *	@net: net namespace that this chain belongs to
 *	@table: table that this chain belongs to
 *	@handle: chain handle
@@ -401,7 +400,6 @@ enum nft_chain_flags {
struct nft_chain {
	struct list_head		rules;
	struct list_head		list;
	struct rcu_head			rcu_head;
	struct net			*net;
	struct nft_table		*table;
	u64				handle;
@@ -529,6 +527,9 @@ void nft_unregister_expr(struct nft_expr_type *);
#define MODULE_ALIAS_NFT_CHAIN(family, name) \
	MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)

#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
	MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)

#define MODULE_ALIAS_NFT_EXPR(name) \
	MODULE_ALIAS("nft-expr-" name)

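--- /dev/null
+++ b/include/net/netfilter/nft_reject.h
@@ -0,0 +1,25 @@
+#ifndef _NFT_REJECT_H_
+#define _NFT_REJECT_H_
+
+struct nft_reject {
+	enum nft_reject_types	type:8;
+	u8			icmp_code;
+};
+
+extern const struct nla_policy nft_reject_policy[];
+
+int nft_reject_init(const struct nft_ctx *ctx,
+		    const struct nft_expr *expr,
+		    const struct nlattr * const tb[]);
+
+int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
+
+void nft_reject_ipv4_eval(const struct nft_expr *expr,
+			  struct nft_data data[NFT_REG_MAX + 1],
+			  const struct nft_pktinfo *pkt);
+
+void nft_reject_ipv6_eval(const struct nft_expr *expr,
+			  struct nft_data data[NFT_REG_MAX + 1],
+			  const struct nft_pktinfo *pkt);
+
+#endif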
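Review bot: The new header uses `struct nft_expr`, `struct nft_pktinfo`, `struct nft_data`, `NFT_REG_MAX`, `enum nft_reject_types`, `u8`, `struct sk_buff` and `struct nla_policy` but includes nothing itself, so it only compiles when the includer has already pulled in the nf_tables and netlink headers; adding `#include <net/netfilter/nf_tables.h>` after the guard would make it self-contained. The `enum nft_reject_types type:8;` bit-field also relies on the compiler accepting an enum-typed bit-field, which C11 leaves implementation-defined (GCC accepts it); a plain `u8 type;` takes no more space and avoids the question. The struct has no comment saying when `icmp_code` is meaningful; presumably only for the ICMP-unreachable reject type — confirm against `nft_reject_init` and document it on the field.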
+5 −0
@@ -61,6 +61,11 @@ config NFT_CHAIN_NAT_IPV4
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
+1 −0
@@ -30,6 +30,7 @@ obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o

# generic IP tables 