
Commit 0bc4c070 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next. Briefly
speaking, cleanups and minor fixes for ipset from Jozsef Kadlecsik and
Sergey Popovich, more incremental updates to make br_netfilter a better
place from Florian Westphal, ARP support to the x_tables mark match /
target from Zhang Chunyu, and the addition of context to know
that the x_tables extension runs through nft_compat. More specifically, they are:

1) Fix sparse warning in ipset/ip_set_hash_ipmark.c when fetching the
   IPSET_ATTR_MARK netlink attribute, from Jozsef Kadlecsik.

2) Rename STREQ macro to STRNCMP in ipset, also from Jozsef.

3) Use skb->network_header to calculate the transport offset in
   ip_set_get_ip{4,6}_port(). From Alexander Drozdov.

4) Reduce memory consumption per element due to size miscalculation,
   this patch and follow up patches from Sergey Popovich.

5) Expand nomatch field from 1 bit to 8 bits to allow to simplify
   mtype_data_reset_flags(), also from Sergey.

6) Small clean for ipset macro trickery.

7) Fix error reporting when both ip_set_get_hostipaddr4() and
   ip_set_get_extensions() from per-set uadt functions.

8) Simplify IPSET_ATTR_PORT netlink attribute validation.

9) Introduce HOST_MASK instead of hardcoded 32 in ipset.

10) Return true/false instead of 0/1 in functions that return boolean
    in the ipset code.

11) Validate maximum length of the IPSET_ATTR_COMMENT netlink attribute.

12) Allow to dereference from ext_*() ipset macros.

13) Get rid of incorrect definitions of HKEY_DATALEN.

14) Include linux/netfilter/ipset/ip_set.h in the x_tables set match.

15) Reduce nf_bridge_info size in br_netfilter, from Florian Westphal.

16) Release nf_bridge_info after POSTROUTING since this is only needed
    from the physdev match, also from Florian.

17) Reduce size of ipset code by deinlining ip_set_put_extensions(),
    from Denys Vlasenko.

18) Oneliner to add ARP support to the x_tables mark match/target, from
    Zhang Chunyu.

19) Add context to know if the x_tables extension runs from nft_compat,
    to address minor problems with three existing extensions.

20) Correct return value in several seqfile *_show() functions in the
    netfilter tree, from Joe Perches.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 17032ae3 861fb107
+6 −26
@@ -122,13 +122,13 @@ struct ip_set_skbinfo {
struct ip_set;

#define ext_timeout(e, s)	\
(unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])
((unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT]))
#define ext_counter(e, s)	\
(struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])
((struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER]))
#define ext_comment(e, s)	\
(struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])
((struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT]))
#define ext_skbinfo(e, s)	\
(struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO])
((struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO]))

typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
			   const struct ip_set_ext *ext,
@@ -533,29 +533,9 @@ bitmap_bytes(u32 a, u32 b)
#include <linux/netfilter/ipset/ip_set_timeout.h>
#include <linux/netfilter/ipset/ip_set_comment.h>

static inline int
int
ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
		      const void *e, bool active)
{
	if (SET_WITH_TIMEOUT(set)) {
		unsigned long *timeout = ext_timeout(e, set);

		if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
			htonl(active ? ip_set_timeout_get(timeout)
				: *timeout)))
			return -EMSGSIZE;
	}
	if (SET_WITH_COUNTER(set) &&
	    ip_set_put_counter(skb, ext_counter(e, set)))
		return -EMSGSIZE;
	if (SET_WITH_COMMENT(set) &&
	    ip_set_put_comment(skb, ext_comment(e, set)))
		return -EMSGSIZE;
	if (SET_WITH_SKBINFO(set) &&
	    ip_set_put_skbinfo(skb, ext_skbinfo(e, set)))
		return -EMSGSIZE;
	return 0;
}
		      const void *e, bool active);

#define IP_SET_INIT_KEXT(skb, opt, set)			\
	{ .bytes = (skb)->len, .packets = 1,		\
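Review bot: The new out-of-line prototype ending in `const void *e, bool active);` carries no comment, so the contract that used to be readable from the inline body — -EMSGSIZE as soon as any nla_put fails, 0 otherwise, and `active` selecting ip_set_timeout_get() over the raw stored timeout — is now invisible to callers of this header. I would add a short kernel-doc above the `int` line naming the three parameters, stating that `e` is an element whose extension offsets are taken from `set`, and spelling out the -EMSGSIZE/0 return. The definition is not on this page; if it now lives in ip_set_core.c it also needs an EXPORT_SYMBOL so the set-type modules that call this from their dump paths can still link, which is worth confirming rather than assuming.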
+2 −0
@@ -62,6 +62,7 @@ struct xt_mtchk_param {
	void *matchinfo;
	unsigned int hook_mask;
	u_int8_t family;
	bool nft_compat;
};

/**
@@ -92,6 +93,7 @@ struct xt_tgchk_param {
	void *targinfo;
	unsigned int hook_mask;
	u_int8_t family;
	bool nft_compat;
};

/* Target destructor parameters */
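Review bot: The new `bool nft_compat;` member in both struct xt_mtchk_param and struct xt_tgchk_param is undocumented, and it is a trust bit — the ebt_stp hunk in this same commit skips a validation check when it is set — so any caller that fills the struct field by field rather than with a designated initializer or memset would leave it as stack garbage and could silently disable that check. Every site that builds one of these structs should set it explicitly (false for the classic ip/ip6/arp/ebtables paths); those sites are not visible here and are worth auditing. I would also add `bool nft_compat; /* true when the extension is invoked through nft_compat rather than a classic *tables entry */` next to the field in both structs, which is how the commit description describes it.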
+5 −3
@@ -170,13 +170,15 @@ struct nf_bridge_info {
		BRNF_PROTO_UNCHANGED,
		BRNF_PROTO_8021Q,
		BRNF_PROTO_PPPOE
	} orig_proto;
	} orig_proto:8;
	bool			pkt_otherhost;
	unsigned int		mask;
	struct net_device	*physindev;
	union {
		struct net_device *physoutdev;
		char neigh_header[8];
	};
};
#endif

struct sk_buff_head {
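Review bot: The new anonymous union overlays `struct net_device *physoutdev` with `char neigh_header[8]`, so whichever member was written last determines what a later reader of the other sees — a physoutdev read after neigh_header has been filled yields a garbage device pointer, not NULL. Nothing in the struct says which member is valid when; the only hint in this commit is the br_netfilter hunk that copies neigh_header out and then stores NULL into physoutdev. I would put `/* aliased: only one of physoutdev / neigh_header is meaningful at a time; see br_nf_pre_routing_finish_bridge_slow() */` on the union, with the caveat that this is my reading of the br_netfilter change rather than something the struct enforces. The struct definition begins above the hunk.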
+17 −2
@@ -129,6 +129,14 @@ static struct nf_bridge_info *nf_bridge_info_get(const struct sk_buff *skb)
	return skb->nf_bridge;
}

static void nf_bridge_info_free(struct sk_buff *skb)
{
	if (skb->nf_bridge) {
		nf_bridge_put(skb->nf_bridge);
		skb->nf_bridge = NULL;
	}
}

static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
{
	struct net_bridge_port *port;
@@ -841,6 +849,7 @@ static int br_nf_push_frag_xmit(struct sock *sk, struct sk_buff *skb)
	skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
	__skb_push(skb, data->encap_size);

	nf_bridge_info_free(skb);
	return br_dev_queue_push_xmit(sk, skb);
}

@@ -850,8 +859,10 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
	int frag_max_size;
	unsigned int mtu_reserved;

	if (skb_is_gso(skb) || skb->protocol != htons(ETH_P_IP))
	if (skb_is_gso(skb) || skb->protocol != htons(ETH_P_IP)) {
		nf_bridge_info_free(skb);
		return br_dev_queue_push_xmit(sk, skb);
	}

	mtu_reserved = nf_bridge_mtu_reduction(skb);
	/* This is wrong! We should preserve the original fragment
@@ -877,6 +888,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)

		ret = ip_fragment(sk, skb, br_nf_push_frag_xmit);
	} else {
		nf_bridge_info_free(skb);
		ret = br_dev_queue_push_xmit(sk, skb);
	}

@@ -885,6 +897,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
#else
static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
{
	nf_bridge_info_free(skb);
	return br_dev_queue_push_xmit(sk, skb);
}
#endif
@@ -973,6 +986,8 @@ static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
				       nf_bridge->neigh_header,
				       ETH_HLEN - ETH_ALEN);
	skb->dev = nf_bridge->physindev;

	nf_bridge->physoutdev = NULL;
	br_handle_frame_finish(NULL, skb);
}
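Review bot: In br_nf_pre_routing_finish_bridge_slow() the new `nf_bridge->physoutdev = NULL;` is only safe because it comes after the skb_copy_to_linear_data_offset() that consumes neigh_header, since the two share storage in the union this commit adds to nf_bridge_info; that ordering is load-bearing and uncommented. I would put `/* physoutdev aliases neigh_header; clear it only after the saved header has been copied out above */` on the new line. The same hunk dereferences `nf_bridge` without a visible check, and this commit now releases the bridge info in br_nf_dev_queue_xmit() and br_nf_push_frag_xmit() before br_dev_queue_push_xmit(), so it is worth confirming that no path re-enters this finish routine with an skb whose nf_bridge has already been dropped. The start of the function is outside the hunk, so I cannot see whether it is guarded there.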

+4 −2
@@ -164,8 +164,10 @@ static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
	    !(info->bitmask & EBT_STP_MASK))
		return -EINVAL;
	/* Make sure the match only receives stp frames */
	if (!ether_addr_equal(e->destmac, bridge_ula) ||
	    !ether_addr_equal(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
	if (!par->nft_compat &&
	    (!ether_addr_equal(e->destmac, bridge_ula) ||
	     !ether_addr_equal(e->destmsk, msk) ||
	     !(e->bitmask & EBT_DESTMAC)))
		return -EINVAL;

	return 0;
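Review bot: With `!par->nft_compat &&` in front of the destination-MAC test, the comment above it (`/* Make sure the match only receives stp frames */`) is no longer true for the nft_compat case: an nft rule can now attach ebt_stp to any frame, so the only thing between a non-STP frame and the match's header parsing is the match function itself, which is not in this hunk. That is fine only if ebt_stp_mt() bounds-checks the read (for example via skb_header_pointer()) and validates the LLC/STP header before using it, which is worth confirming rather than assuming. I would also extend the comment to `/* Make sure the match only receives stp frames. Under nft_compat there is no ebtables entry to check, so the dst MAC restriction is left to the nft rule. */`, the second sentence being my reading of why the check is skipped. ebt_stp_mt_check() starts above the hunk, where `e` and `info` are set up.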