Commit 321e921d authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Rename 'searched' column to 'clashres' in conntrack /proc/ stats
   to amend a recent patch, from Florian Westphal.

2) Remove unused nft_data_debug(), from YueHaibing.

3) Remove unused definitions in IPVS, also from YueHaibing.

4) Fix user data memleak in tables and objects, this is also amending
   a recent patch, from Jose M. Guisado.

5) Use nla_memdup() to allocate user data in table and objects, also
   from Jose M. Guisado

6) User data support for chains, from Jose M. Guisado

7) Remove unused definition in nf_tables_offload, from YueHaibing.

8) Use kvzalloc() in ip_set_alloc(), from Vasily Averin.

9) Fix false positive reported by lockdep in nfnetlink mutexes,
   from Florian Westphal.

10) Extend fast variant of cmp for neq operation, from Phil Sutter.

11) Implement fast bitwise variant, also from Phil Sutter.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 456afe01 10fdd6d8

include/net/netfilter/nf_tables.h

+2 −7
Original line number Diff line number Diff line
@@ -148,13 +148,6 @@ static inline void nft_data_copy(u32 *dst, const struct nft_data *src, 
	memcpy(dst, src, len);

}



static inline void nft_data_debug(const struct nft_data *data)

{

	pr_debug("data[0]=%x data[1]=%x data[2]=%x data[3]=%x\n",

		 data->data[0], data->data[1],

		 data->data[2], data->data[3]);

}



/**

 *	struct nft_ctx - nf_tables rule/set context

 *
@@ -952,6 +945,8 @@ struct nft_chain { 
					bound:1,

					genmask:2;

	char				*name;

	u16				udlen;

	u8				*udata;



	/* Only used during control plane commit phase: */

	struct nft_rule			**rules_next;

include/net/netfilter/nf_tables_core.h

+11 −0
Original line number Diff line number Diff line
@@ -23,10 +23,19 @@ extern struct nft_object_type nft_secmark_obj_type; 
int nf_tables_core_module_init(void);

void nf_tables_core_module_exit(void);



struct nft_bitwise_fast_expr {

	u32			mask;

	u32			xor;

	enum nft_registers	sreg:8;

	enum nft_registers	dreg:8;

};



struct nft_cmp_fast_expr {

	u32			data;

	u32			mask;

	enum nft_registers	sreg:8;

	u8			len;

	bool			inv;

};



struct nft_immediate_expr {
@@ -66,6 +75,8 @@ struct nft_payload_set { 


extern const struct nft_expr_ops nft_payload_fast_ops;



extern const struct nft_expr_ops nft_bitwise_fast_ops;



extern struct static_key_false nft_counters_enabled;

extern struct static_key_false nft_trace_enabled;

include/uapi/linux/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -208,6 +208,7 @@ enum nft_chain_flags { 
 * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)

 * @NFTA_CHAIN_FLAGS: chain flags

 * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)

 * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)

 */

enum nft_chain_attributes {

	NFTA_CHAIN_UNSPEC,
@@ -222,6 +223,7 @@ enum nft_chain_attributes { 
	NFTA_CHAIN_PAD,

	NFTA_CHAIN_FLAGS,

	NFTA_CHAIN_ID,

	NFTA_CHAIN_USERDATA,

	__NFTA_CHAIN_MAX

};

#define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)

net/netfilter/ipset/ip_set_core.c

+1 −16
Original line number Diff line number Diff line
@@ -250,22 +250,7 @@ EXPORT_SYMBOL_GPL(ip_set_type_unregister); 
void *

ip_set_alloc(size_t size)

{

	void *members = NULL;



	if (size < KMALLOC_MAX_SIZE)

		members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);



	if (members) {

		pr_debug("%p: allocated with kmalloc\n", members);

		return members;

	}



	members = vzalloc(size);

	if (!members)

		return NULL;

	pr_debug("%p: allocated with vmalloc\n", members);



	return members;

	return kvzalloc(size, GFP_KERNEL_ACCOUNT);

}

EXPORT_SYMBOL_GPL(ip_set_alloc);

net/netfilter/ipvs/ip_vs_sync.c

+0 −3
Original line number Diff line number Diff line
@@ -242,9 +242,6 @@ struct ip_vs_sync_thread_data { 
      |                    IPVS Sync Connection (1)                   |

*/



#define SYNC_MESG_HEADER_LEN	4

#define MAX_CONNS_PER_SYNCBUFF	255 /* nr_conns in ip_vs_sync_mesg is 8 bit */



/* Version 0 header */

struct ip_vs_sync_mesg_v0 {

	__u8                    nr_conns;