Commit 1ecaf17d authored by Jakub Kicinski
Florian Westphal says:

====================
Netfilter updates for net-next

nftables updates:

1. Allow key existence checks with maps.
   At the moment the kernel requires userspace to pass a destination
   register for the associated value, make this optional so userspace
   can query if the key exists, just like with normal sets.

2. nftables maintains a counter per set that holds the number of
   elements.  This counter gets decremented on element removal,
   but it is only incremented if the set has an upper maximum value.
   Increment unconditionally; this will allow us to update the
   maximum value later on.

3. At DCCP option maching, from Jeremy Sowden.

4. use struct_size macro, from Christophe JAILLET.

Conntrack:

5. Squash holes in struct nf_conntrack_expect, also Christophe JAILLET.

6. Allow clash resolution for GRE Protocol to avoid a packet drop,
   from Faicker Mo.

Flowtable:

Simplify route logic and split large functions into smaller
chunks, from Pablo Neira Ayuso.

* tag 'nf-next-2023-05-18' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: flowtable: split IPv6 datapath in helper functions
  netfilter: flowtable: split IPv4 datapath in helper functions
  netfilter: flowtable: simplify route logic
  netfilter: conntrack: allow insertion clash of gre protocol
  netfilter: nft_set_pipapo: Use struct_size()
  netfilter: Reorder fields in 'struct nf_conntrack_expect'
  netfilter: nft_exthdr: add boolean DCCP option matching
  netfilter: nf_tables: always increment set element count
  netfilter: nf_tables: relax set/map validation checks
====================

Link: https://lore.kernel.org/r/20230518100759.84858-1-fw@strlen.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 02f8fc1a e05b5362
+9 −9
@@ -26,6 +26,15 @@ struct nf_conntrack_expect {
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_tuple_mask mask;

	/* Usage count. */
	refcount_t use;

	/* Flags */
	unsigned int flags;

	/* Expectation class */
	unsigned int class;

	/* Function to call after setup and insertion */
	void (*expectfn)(struct nf_conn *new,
			 struct nf_conntrack_expect *this);
@@ -39,15 +48,6 @@ struct nf_conntrack_expect {
	/* Timer function; deletes the expectation. */
	struct timer_list timeout;

	/* Usage count. */
	refcount_t use;

	/* Flags */
	unsigned int flags;

	/* Expectation class */
	unsigned int class;

#if IS_ENABLED(CONFIG_NF_NAT)
	union nf_inet_addr saved_addr;
	/* This is the original per-proto part, used to map the
+2 −2
@@ -263,7 +263,7 @@ nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
	up_write(&flow_table->flow_block_lock);
}

int flow_offload_route_init(struct flow_offload *flow,
void flow_offload_route_init(struct flow_offload *flow,
			     const struct nf_flow_route *route);

int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
+2 −0
@@ -859,12 +859,14 @@ enum nft_exthdr_flags {
 * @NFT_EXTHDR_OP_TCP: match against tcp options
 * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
 * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
 * @NFT_EXTHDR_OP_DCCP: match against dccp otions
 */
enum nft_exthdr_op {
	NFT_EXTHDR_OP_IPV6,
	NFT_EXTHDR_OP_TCPOPT,
	NFT_EXTHDR_OP_IPV4,
	NFT_EXTHDR_OP_SCTP,
	NFT_EXTHDR_OP_DCCP,
	__NFT_EXTHDR_OP_MAX
};
#define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)
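Review bot: The kernel-doc line added for the new enumerator misspells its subject ("otions"); it should read `* @NFT_EXTHDR_OP_DCCP: match against dccp options`. Since this is a UAPI header, appending NFT_EXTHDR_OP_DCCP immediately before __NFT_EXTHDR_OP_MAX is the right placement, as the existing enumerators keep their numeric values.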
+1 −0
@@ -296,6 +296,7 @@ void nf_conntrack_gre_init_net(struct net *net)
/* protocol helper struct */
const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre = {
	.l4proto	 = IPPROTO_GRE,
	.allow_clash	 = true,
#ifdef CONFIG_NF_CONNTRACK_PROCFS
	.print_conntrack = gre_print_conntrack,
#endif
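Review bot: The added `.allow_clash = true` has no explanation in the initializer, and the reason is only in the merge description (let clash resolution handle a colliding insert instead of dropping the packet). A one-line comment would save the next reader a trip through the log, e.g. `.allow_clash	 = true, /* resolve insert clashes instead of dropping the packet */`. Presumably this relies on the generic clash handling in the conntrack core rather than anything GRE-specific in this file; worth confirming that keeping either of two colliding GRE entries is safe for the helper and NAT paths, since the hunk shows nothing that would make the choice.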
+3 −21
@@ -125,9 +125,6 @@ static int flow_offload_fill_route(struct flow_offload *flow,
		break;
	case FLOW_OFFLOAD_XMIT_XFRM:
	case FLOW_OFFLOAD_XMIT_NEIGH:
		if (!dst_hold_safe(route->tuple[dir].dst))
			return -1;

		flow_tuple->dst_cache = dst;
		flow_tuple->dst_cookie = flow_offload_dst_cookie(flow_tuple);
		break;
@@ -148,27 +145,12 @@ static void nft_flow_dst_release(struct flow_offload *flow,
		dst_release(flow->tuplehash[dir].tuple.dst_cache);
}

int flow_offload_route_init(struct flow_offload *flow,
void flow_offload_route_init(struct flow_offload *flow,
			    const struct nf_flow_route *route)
{
	int err;

	err = flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_ORIGINAL);
	if (err < 0)
		return err;

	err = flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_REPLY);
	if (err < 0)
		goto err_route_reply;

	flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_ORIGINAL);
	flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_REPLY);
	flow->type = NF_FLOW_OFFLOAD_ROUTE;

	return 0;

err_route_reply:
	nft_flow_dst_release(flow, FLOW_OFFLOAD_DIR_ORIGINAL);

	return err;
}
EXPORT_SYMBOL_GPL(flow_offload_route_init);
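Review bot: flow_offload_route_init now calls flow_offload_fill_route twice without looking at its result, while the first hunk's header still shows that helper as `static int`; if it keeps any failure return after the dst_hold_safe() removal, the error is now silently dropped, and if it always returns 0 it should become `static void` so the unchecked calls do not read as a missed check. Removing the `dst_hold_safe()` in the first hunk also means `route->tuple[dir].dst` is stored in dst_cache without taking a reference, so the caller of flow_offload_route_init must now hand over an already-held dst which nft_flow_dst_release() (context at the top of the second hunk) later drops; that ownership transfer should be stated on the exported function, e.g. `/* Takes ownership of the held dst references in route->tuple[]; they are released together with the flow. */` above `void flow_offload_route_init`. The enclosing function of the first hunk, flow_offload_fill_route, starts and ends outside the hunk.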
