
Commit 855404ef authored by David S. Miller


Pablo Neira Ayuso says:

====================
netfilter/IPVS updates for net-next

The following patchset contains Netfilter updates for your net-next tree,
they are:

* Add full port randomization support. Some crazy researchers found a way
  to reconstruct the secure ephemeral ports that are allocated in random mode
  by sending off-path bursts of UDP packets to overrun the socket buffer of
  the DNS resolver to trigger retransmissions, then if the timing for the
  DNS resolution done by a client is larger than usual, then they conclude
  that the port that received the burst of UDP packets is the one that was
  opened. It seems a bit aggressive method to me but it seems to work for
  them. As a result, Daniel Borkmann and Hannes Frederic Sowa came up with a
  new NAT mode to fully randomize ports using prandom.

* Add a new classifier to x_tables based on the socket net_cls set via
  cgroups. This includes two patches to prepare the field as requested by
  Zefan Li. Also from Daniel Borkmann.

* Use prandom instead of get_random_bytes in several locations of the
  netfilter code, from Florian Westphal.

* Allow to use the CTA_MARK_MASK in ctnetlink when mangling the conntrack
  mark, also from Florian Westphal.

* Fix compilation warning due to unused variable in IPVS, from Geert
  Uytterhoeven.

* Add support for UID/GID via nfnetlink_queue, from Valentina Giusti.

* Add IPComp extension to x_tables, from Fan Du.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents a1d4b03a 82a37132
+5 −0
@@ -6,6 +6,8 @@ tag network packets with a class identifier (classid).

The Traffic Controller (tc) can be used to assign
different priorities to packets from different cgroups.
Also, Netfilter (iptables) can use this tag to perform
actions on such packets.

Creating a net_cls cgroups instance creates a net_cls.classid file.
This net_cls.classid value is initialized to 0.
@@ -32,3 +34,6 @@ tc class add dev eth0 parent 10: classid 10:1 htb rate 40mbit
 - creating traffic class 10:1

tc filter add dev eth0 parent 10: protocol ip prio 10 handle 1: cgroup

configuring iptables, basic example:
iptables -A OUTPUT -m cgroup ! --cgroup 0x100001 -j DROP
+2 −2
@@ -31,7 +31,7 @@ SUBSYS(devices)
SUBSYS(freezer)
#endif

#if IS_SUBSYS_ENABLED(CONFIG_NET_CLS_CGROUP)
#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
SUBSYS(net_cls)
#endif

@@ -43,7 +43,7 @@ SUBSYS(blkio)
SUBSYS(perf)
#endif

#if IS_SUBSYS_ENABLED(CONFIG_NETPRIO_CGROUP)
#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_PRIO)
SUBSYS(net_prio)
#endif

+1 −1
@@ -1444,7 +1444,7 @@ struct net_device {
	/* max exchange id for FCoE LRO by ddp */
	unsigned int		fcoe_ddp_xid;
#endif
#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
	struct netprio_map __rcu *priomap;
#endif
	/* phy device may attach itself for hardware timestamping */
+0 −1
@@ -331,7 +331,6 @@ extern ip_set_id_t ip_set_get_byname(struct net *net,
				     const char *name, struct ip_set **set);
extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);
extern const char *ip_set_name_byindex(struct net *net, ip_set_id_t index);
extern ip_set_id_t ip_set_nfnl_get(struct net *net, const char *name);
extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);
extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);

+12 −28
@@ -16,17 +16,16 @@
#include <linux/cgroup.h>
#include <linux/hardirq.h>
#include <linux/rcupdate.h>
#include <net/sock.h>

#if IS_ENABLED(CONFIG_NET_CLS_CGROUP)
struct cgroup_cls_state
{
#ifdef CONFIG_CGROUP_NET_CLASSID
struct cgroup_cls_state {
	struct cgroup_subsys_state css;
	u32 classid;
};

void sock_update_classid(struct sock *sk);
struct cgroup_cls_state *task_cls_state(struct task_struct *p);

#if IS_BUILTIN(CONFIG_NET_CLS_CGROUP)
static inline u32 task_cls_classid(struct task_struct *p)
{
	u32 classid;
@@ -41,33 +40,18 @@ static inline u32 task_cls_classid(struct task_struct *p)

	return classid;
}
#elif IS_MODULE(CONFIG_NET_CLS_CGROUP)
static inline u32 task_cls_classid(struct task_struct *p)
{
	struct cgroup_subsys_state *css;
	u32 classid = 0;

	if (in_interrupt())
		return 0;

	rcu_read_lock();
	css = task_css(p, net_cls_subsys_id);
	if (css)
		classid = container_of(css,
				       struct cgroup_cls_state, css)->classid;
	rcu_read_unlock();

	return classid;
}
#endif
#else /* !CGROUP_NET_CLS_CGROUP */
static inline void sock_update_classid(struct sock *sk)
{
}
	u32 classid;

static inline u32 task_cls_classid(struct task_struct *p)
	classid = task_cls_classid(current);
	if (classid != sk->sk_classid)
		sk->sk_classid = classid;
}
#else /* !CONFIG_CGROUP_NET_CLASSID */
static inline void sock_update_classid(struct sock *sk)
{
	return 0;
}
#endif /* CGROUP_NET_CLS_CGROUP */
#endif /* CONFIG_CGROUP_NET_CLASSID */
#endif  /* _NET_CLS_CGROUP_H */
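Review bot: The new `#else /* !CONFIG_CGROUP_NET_CLASSID */` branch defines only an empty `sock_update_classid()`, while the old fallback `static inline u32 task_cls_classid(struct task_struct *p) { return 0; }` is dropped as far as the rendered hunk shows, so any caller of `task_cls_classid()` that is still compiled without CONFIG_CGROUP_NET_CLASSID will no longer build; either confirm every remaining caller is gated on that option or keep the stub. The retained `sock_update_classid()` tags the socket with the net_cls classid of the calling task (`task_cls_classid(current)`) and stores it whenever it differs, including the 0 that `task_cls_classid()` returns under `in_interrupt()` in the removed module variant (whether the kept builtin body has the same guard is outside this hunk), so a call from a task or context other than the socket's owner silently retags it; a short comment on the inline stating that contract would help, e.g. `/* Refresh sk->sk_classid from the net_cls cgroup of the calling task (current). Presumably meant for the task that owns sk: a caller in another task, or one where task_cls_classid() yields 0, retags the socket accordingly. */`. The body of `task_cls_classid()` starts in the first hunk and continues outside it.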