Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 10807461 authored Sep 08, 2017 by David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf



Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:

1) Fix SCTP connection setup when IPVS module is loaded and any scheduler
   is registered, from Xin Long.

2) Don't create a SCTP connection from SCTP ABORT packets, also from
   Xin Long.

3) WARN_ON() and drop packet, instead of BUG_ON() races when calling
   nf_nat_setup_info(). This is specifically a longstanding problem
   when br_netfilter with conntrack support is in place, patch from
   Florian Westphal.

4) Avoid softlock splats via iptables-restore, also from Florian.

5) Revert NAT hashtable conversion to rhashtable, semantics of rhlist
   are different from our simple NAT hashtable, this has been causing
   problems in the recent Linux kernel releases. From Florian.

6) Add per-bucket spinlock for NAT hashtable, so at least we restore
   one of the benefits we got from the previous rhashtable conversion.

7) Fix incorrect hashtable size in memory allocation in xt_hashlimit,
   from Zhizhou Tian.

8) Fix build/link problems with hashlimit and 32-bit arches, to address
   recent fallout from a new hashlimit mode, from Vishwanath Pai.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

parents 91aac563 90c4ae4e

include/net/netfilter/nf_conntrack.h

+1 −2

Original line number	Original line	Diff line number	Diff line
	@@ -17,7 +17,6 @@
	#include <linux/bitops.h>		#include <linux/bitops.h>
	#include <linux/compiler.h>		#include <linux/compiler.h>
	#include <linux/atomic.h>		#include <linux/atomic.h>
	#include <linux/rhashtable.h>

	#include <linux/netfilter/nf_conntrack_tcp.h>		#include <linux/netfilter/nf_conntrack_tcp.h>
	#include <linux/netfilter/nf_conntrack_dccp.h>		#include <linux/netfilter/nf_conntrack_dccp.h>
	@@ -77,7 +76,7 @@ struct nf_conn {
	possible_net_t ct_net;		possible_net_t ct_net;

	#if IS_ENABLED(CONFIG_NF_NAT)		#if IS_ENABLED(CONFIG_NF_NAT)
	struct rhlist_head nat_bysource;		struct hlist_node nat_bysource;
	#endif		#endif
	/* all members below initialized via memset */		/* all members below initialized via memset */
	u8 __nfct_init_offset[0];		u8 __nfct_init_offset[0];

include/net/netfilter/nf_nat.h

+0 −1

Original line number	Original line	Diff line number	Diff line
	#ifndef _NF_NAT_H		#ifndef _NF_NAT_H
	#define _NF_NAT_H		#define _NF_NAT_H
	#include <linux/rhashtable.h>
	#include <linux/netfilter_ipv4.h>		#include <linux/netfilter_ipv4.h>
	#include <linux/netfilter/nf_nat.h>		#include <linux/netfilter/nf_nat.h>
	#include <net/netfilter/nf_conntrack_tuple.h>		#include <net/netfilter/nf_conntrack_tuple.h>

net/ipv4/netfilter/arp_tables.c

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -629,6 +629,7 @@ static void get_counters(const struct xt_table_info *t,

	ADD_COUNTER(counters[i], bcnt, pcnt);		ADD_COUNTER(counters[i], bcnt, pcnt);
	++i;		++i;
			cond_resched();
	}		}
	}		}
	}		}

net/ipv4/netfilter/ip_tables.c

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -776,6 +776,7 @@ get_counters(const struct xt_table_info *t,

	ADD_COUNTER(counters[i], bcnt, pcnt);		ADD_COUNTER(counters[i], bcnt, pcnt);
	++i; /* macro does multi eval of i */		++i; /* macro does multi eval of i */
			cond_resched();
	}		}
	}		}
	}		}

net/ipv6/netfilter/ip6_tables.c

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -795,6 +795,7 @@ get_counters(const struct xt_table_info *t,

	ADD_COUNTER(counters[i], bcnt, pcnt);		ADD_COUNTER(counters[i], bcnt, pcnt);
	++i;		++i;
			cond_resched();
	}		}
	}		}
	}		}