Commit 1155a228 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Add safeguard to check for NULL tupe in objects updates via
   NFT_MSG_NEWOBJ, this should not ever happen. From Alok Tiwari.

2) Incorrect pointer check in the new destroy rule command,
   from Yang Yingliang.

3) Incorrect status bitcheck in nf_conntrack_udp_packet(),
   from Florian Westphal.

4) Simplify seq_print_acct(), from Ilia Gavrilov.

5) Use 2-arg optimal variant of kfree_rcu() in IPVS,
   from Julian Anastasov.

6) TCP connection enters CLOSE state in conntrack for locally
   originated TCP reset packet from the reject target,
   from Florian Westphal.

The fixes #2 and #3 in this series address issues from the previous pull
nf-next request in this net-next cycle.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 129ff4de 2954fe60

include/linux/netfilter.h

+3 −0
Original line number Diff line number Diff line
@@ -437,11 +437,13 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 
#include <linux/netfilter/nf_conntrack_zones_common.h>



void nf_ct_attach(struct sk_buff *, const struct sk_buff *);

void nf_ct_set_closing(struct nf_conntrack *nfct);

struct nf_conntrack_tuple;

bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,

			 const struct sk_buff *skb);

#else

static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}

static inline void nf_ct_set_closing(struct nf_conntrack *nfct) {}

struct nf_conntrack_tuple;

static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,

				       const struct sk_buff *skb)
@@ -459,6 +461,7 @@ struct nf_ct_hook { 
	bool (*get_tuple_skb)(struct nf_conntrack_tuple *,

			      const struct sk_buff *);

	void (*attach)(struct sk_buff *nskb, const struct sk_buff *skb);

	void (*set_closing)(struct nf_conntrack *nfct);

};

extern const struct nf_ct_hook __rcu *nf_ct_hook;

include/net/ip_vs.h

+1 −0
Original line number Diff line number Diff line
@@ -461,6 +461,7 @@ void ip_vs_stats_free(struct ip_vs_stats *stats); 


/* Multiple chains processed in same tick */

struct ip_vs_est_tick_data {

	struct rcu_head		rcu_head;

	struct hlist_head	chains[IPVS_EST_TICK_CHAINS];

	DECLARE_BITMAP(present, IPVS_EST_TICK_CHAINS);

	DECLARE_BITMAP(full, IPVS_EST_TICK_CHAINS);

include/net/netfilter/nf_conntrack.h

+8 −0
Original line number Diff line number Diff line
@@ -125,6 +125,12 @@ struct nf_conn { 
	union nf_conntrack_proto proto;

};



static inline struct nf_conn *

nf_ct_to_nf_conn(const struct nf_conntrack *nfct)

{

	return container_of(nfct, struct nf_conn, ct_general);

}



static inline struct nf_conn *

nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)

{
@@ -175,6 +181,8 @@ nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo) 


void nf_ct_destroy(struct nf_conntrack *nfct);



void nf_conntrack_tcp_set_closing(struct nf_conn *ct);



/* decrement reference count on a conntrack */

static inline void nf_ct_put(struct nf_conn *ct)

{

net/ipv4/netfilter/nf_reject_ipv4.c

+1 −0
Original line number Diff line number Diff line
@@ -280,6 +280,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb, 
		goto free_nskb;



	nf_ct_attach(nskb, oldskb);

	nf_ct_set_closing(skb_nfct(oldskb));



#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

	/* If we use ip_local_out for bridged traffic, the MAC source on

net/ipv6/netfilter/nf_reject_ipv6.c

+1 −0
Original line number Diff line number Diff line
@@ -345,6 +345,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb, 
	nf_reject_ip6_tcphdr_put(nskb, oldskb, otcph, otcplen);



	nf_ct_attach(nskb, oldskb);

	nf_ct_set_closing(skb_nfct(oldskb));



#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

	/* If we use ip6_local_out for bridged traffic, the MAC source on