Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 751fcac1 authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables 



Pablo Neira Ayuso says:

====================
nf_tables updates for net-next

The following patchset contains the following nf_tables updates,
mostly updates from Patrick McHardy, they are:

* Add the "inet" table and filter chain type for this new netfilter
  family: NFPROTO_INET. This special table/chain allows IPv4 and IPv6
  rules, this should help to simplify the burden in the administration
  of dual stack firewalls. This also includes several patches to prepare
  the infrastructure for this new table and a new meta extension to
  match the layer 3 and 4 protocol numbers, from Patrick McHardy.

* Load both IPv4 and IPv6 conntrack modules in nft_ct if the rule is used
  in NFPROTO_INET, as we don't certainly know which one would be used,
  also from Patrick McHardy.

* Do not allow to delete a table that contains sets, otherwise these
  sets become orphan, from Patrick McHardy.

* Hold a reference to the corresponding nf_tables family module when
  creating a table of that family type, to avoid the module deletion
  when in use, from Patrick McHardy.

* Update chain counters before setting the chain policy to ensure that
  we don't leave the chain in inconsistent state in case of errors (aka.
  restore chain atomicity). This also fixes a possible leak if it fails
  to allocate the chain counters if no counters are passed to be restored,
  from Patrick McHardy.

* Don't check for overflows in the table counter if we are just renaming
  a chain, from Patrick McHardy.

* Replay the netlink request after dropping the nfnl lock to load the
  module that supports provides a chain type, from Patrick.

* Fix chain type module references, from Patrick.

* Several cleanups, function renames, constification and code
  refactorizations also from Patrick McHardy.

* Add support to set the connmark, this can be used to set it based on
  the meta mark (similar feature to -j CONNMARK --restore), from
  Kristian Evensen.

* A couple of fixes to the recently added meta/set support and nft_reject,
  and fix missing chain type unregistration if we fail to register our
  the family table/filter chain type, from myself.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents bfec4c3b cf4dfa85

include/net/netfilter/nf_tables.h

+33 −14
Original line number Diff line number Diff line
@@ -13,9 +13,10 @@ struct nft_pktinfo { 
	struct sk_buff			*skb;

	const struct net_device		*in;

	const struct net_device		*out;

	u8				hooknum;

	const struct nf_hook_ops	*ops;

	u8				nhoff;

	u8				thoff;

	u8				tprot;

	/* for x_tables compatibility */

	struct xt_action_param		xt;

};
@@ -29,7 +30,8 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, 
	pkt->skb = skb;

	pkt->in = pkt->xt.in = in;

	pkt->out = pkt->xt.out = out;

	pkt->hooknum = pkt->xt.hooknum = ops->hooknum;

	pkt->ops = ops;

	pkt->xt.hooknum = ops->hooknum;

	pkt->xt.family = ops->pf;

}
@@ -421,6 +423,8 @@ struct nft_stats { 
	u64 pkts;

};



#define NFT_HOOK_OPS_MAX		2



/**

 *	struct nft_base_chain - nf_tables base chain

 *
@@ -431,8 +435,8 @@ struct nft_stats { 
 *	@chain: the chain

 */

struct nft_base_chain {

	struct nf_hook_ops		ops;

	enum nft_chain_type		type;

	struct nf_hook_ops		ops[NFT_HOOK_OPS_MAX];

	const struct nf_chain_type	*type;

	u8				policy;

	struct nft_stats __percpu	*stats;

	struct nft_chain		chain;
@@ -443,7 +447,7 @@ static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chai 
	return container_of(chain, struct nft_base_chain, chain);

}



unsigned int nft_do_chain_pktinfo(struct nft_pktinfo *pkt,

unsigned int nft_do_chain(struct nft_pktinfo *pkt,

			  const struct nf_hook_ops *ops);



/**
@@ -475,6 +479,8 @@ struct nft_table { 
 *	@nhooks: number of hooks in this family

 *	@owner: module owner

 *	@tables: used internally

 *	@nops: number of hook ops in this family

 *	@hook_ops_init: initialization function for chain hook ops

 *	@hooks: hookfn overrides for packet validation

 */

struct nft_af_info {
@@ -483,23 +489,36 @@ struct nft_af_info { 
	unsigned int			nhooks;

	struct module			*owner;

	struct list_head		tables;

	unsigned int			nops;

	void				(*hook_ops_init)(struct nf_hook_ops *,

							 unsigned int);

	nf_hookfn			*hooks[NF_MAX_HOOKS];

};



int nft_register_afinfo(struct net *, struct nft_af_info *);

void nft_unregister_afinfo(struct nft_af_info *);



/**

 * 	struct nf_chain_type - nf_tables chain type info

 *

 * 	@name: name of the type

 * 	@type: numeric identifier

 * 	@family: address family

 * 	@owner: module owner

 * 	@hook_mask: mask of valid hooks

 * 	@hooks: hookfn overrides

 */

struct nf_chain_type {

	unsigned int		hook_mask;

	const char			*name;

	enum nft_chain_type		type;

	nf_hookfn		*fn[NF_MAX_HOOKS];

	struct module		*me;

	int				family;

	struct module			*owner;

	unsigned int			hook_mask;

	nf_hookfn			*hooks[NF_MAX_HOOKS];

};



int nft_register_chain_type(struct nf_chain_type *);

void nft_unregister_chain_type(struct nf_chain_type *);

int nft_register_chain_type(const struct nf_chain_type *);

void nft_unregister_chain_type(const struct nf_chain_type *);



int nft_register_expr(struct nft_expr_type *);

void nft_unregister_expr(struct nft_expr_type *);

include/net/netfilter/nf_tables_ipv4.h

+4 −1
Original line number Diff line number Diff line
@@ -15,9 +15,12 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt, 


	nft_set_pktinfo(pkt, ops, skb, in, out);



	pkt->xt.thoff = ip_hdrlen(pkt->skb);

	ip = ip_hdr(pkt->skb);

	pkt->tprot = ip->protocol;

	pkt->xt.thoff = ip_hdrlen(pkt->skb);

	pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;

}



extern struct nft_af_info nft_af_ipv4;



#endif

include/net/netfilter/nf_tables_ipv6.h

+3 −0
Original line number Diff line number Diff line
@@ -21,10 +21,13 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt, 
	if (protohdr < 0)

		return -1;



	pkt->tprot = protohdr;

	pkt->xt.thoff = thoff;

	pkt->xt.fragoff = frag_off;



	return 0;

}



extern struct nft_af_info nft_af_ipv6;



#endif

include/net/netns/nftables.h

+1 −0
Original line number Diff line number Diff line
@@ -10,6 +10,7 @@ struct netns_nftables { 
	struct list_head	commit_list;

	struct nft_af_info	*ipv4;

	struct nft_af_info	*ipv6;

	struct nft_af_info	*inet;

	struct nft_af_info	*arp;

	struct nft_af_info	*bridge;

	u8			gencursor;

include/uapi/linux/netfilter.h

+1 −0
Original line number Diff line number Diff line
@@ -53,6 +53,7 @@ enum nf_inet_hooks { 


enum {

	NFPROTO_UNSPEC =  0,

	NFPROTO_INET   =  1,

	NFPROTO_IPV4   =  2,

	NFPROTO_ARP    =  3,

	NFPROTO_BRIDGE =  7,