Commit 4218b0e2 authored by David S. Miller


Florian Westphal says:

====================
Netfilter updates for net-next

following patch set includes netfilter updates for your *net-next* tree.

1. Replace pr_debug use with nf_log infra for debugging in sctp
   conntrack.
2. Remove pr_debug calls, they are either useless or we have better
   options in place.
3. Avoid repeated load of ct->status in some spots.
   Some bit-flags cannot change during the lifetime of
   a connection, so no need to re-fetch those.
4. Avoid unneeded nesting of rcu_read_lock during tuple lookup.
5. Remove the CLUSTERIP target.  Marked as obsolete for years,
   and we still have WARN splats wrt. races of the out-of-band
   /proc interface installed by this target.
6. Add static key to nf_tables to avoid the retpoline mitigation
   if/else if cascade provided the cpu doesn't need the retpoline thunk.
7. add nf_tables objref calls to the retpoline mitigation workaround.
8. Split parts of nft_ct.c that do not need symbols exported by
   the conntrack modules and place them in nf_tables directly.
   This allows to avoid indirect call for 'ct status' checks.
9. Add 'destroy' commands to nf_tables.  They are identical
   to the existing 'delete' commands, but do not indicate
   an error if the referenced object (set, chain, rule...)
   did not exist, from Fernando.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 387f5f7d f80a612d
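--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -61,6 +61,16 @@ struct nft_immediate_expr {
 extern const struct nft_expr_ops nft_cmp_fast_ops;
 extern const struct nft_expr_ops nft_cmp16_fast_ops;
 
+struct nft_ct {
+	enum nft_ct_keys	key:8;
+	enum ip_conntrack_dir	dir:8;
+	u8			len;
+	union {
+		u8		dreg;
+		u8		sreg;
+	};
+};
+
 struct nft_payload {
 	enum nft_payload_bases	base:8;
 	u8			offset;
@@ -140,6 +150,8 @@ void nft_rt_get_eval(const struct nft_expr *expr,
 		     struct nft_regs *regs, const struct nft_pktinfo *pkt);
 void nft_counter_eval(const struct nft_expr *expr, struct nft_regs *regs,
                       const struct nft_pktinfo *pkt);
+void nft_ct_get_fast_eval(const struct nft_expr *expr,
+			  struct nft_regs *regs, const struct nft_pktinfo *pkt);
 
 enum {
 	NFT_PAYLOAD_CTX_INNER_TUN	= (1 << 0),
@@ -164,4 +176,8 @@ void nft_payload_inner_eval(const struct nft_expr *expr, struct nft_regs *regs,
 			    const struct nft_pktinfo *pkt,
 			    struct nft_inner_tun_ctx *ctx);
 
+void nft_objref_eval(const struct nft_expr *expr, struct nft_regs *regs,
+		     const struct nft_pktinfo *pkt);
+void nft_objref_map_eval(const struct nft_expr *expr, struct nft_regs *regs,
+			 const struct nft_pktinfo *pkt);
 #endif /* _NET_NF_TABLES_CORE_H */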
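Review bot: struct nft_ct, now exported from this core header in the first hunk, carries no comment saying what its fields mean or why it lives here rather than next to the ct expression it belongs to; since its layout is now read by both the ct expression code and the nft_ct_get_fast_eval() fast path declared in the second hunk, a reader changing one side has nothing telling them the other depends on it. A one-line comment above the struct would close that gap, e.g. `/* Private data of the ct expression; layout is shared with nft_ct_get_fast_eval(), keep both in sync. */`. The dreg/sreg union presumably selects destination vs. source register depending on whether the expression reads or writes conntrack state, but that is inferred from the names, not visible here, so the comment should say only what the maintainer can confirm. Likewise the nft_ct_get_fast_eval() and nft_objref_*_eval() prototypes would benefit from a short note stating that they exist so the core can call them directly instead of through an indirect call, which is the stated motivation in the merge description.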
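--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -98,6 +98,13 @@ enum nft_verdicts {
  * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
  * @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
  * @NFT_MSG_GETRULE_RESET: get rules and reset stateful expressions (enum nft_obj_attributes)
+ * @NFT_MSG_DESTROYTABLE: destroy a table (enum nft_table_attributes)
+ * @NFT_MSG_DESTROYCHAIN: destroy a chain (enum nft_chain_attributes)
+ * @NFT_MSG_DESTROYRULE: destroy a rule (enum nft_rule_attributes)
+ * @NFT_MSG_DESTROYSET: destroy a set (enum nft_set_attributes)
+ * @NFT_MSG_DESTROYSETELEM: destroy a set element (enum nft_set_elem_attributes)
+ * @NFT_MSG_DESTROYOBJ: destroy a stateful object (enum nft_object_attributes)
+ * @NFT_MSG_DESTROYFLOWTABLE: destroy flow table (enum nft_flowtable_attributes)
  */
 enum nf_tables_msg_types {
 	NFT_MSG_NEWTABLE,
@@ -126,6 +133,13 @@ enum nf_tables_msg_types {
 	NFT_MSG_GETFLOWTABLE,
 	NFT_MSG_DELFLOWTABLE,
 	NFT_MSG_GETRULE_RESET,
+	NFT_MSG_DESTROYTABLE,
+	NFT_MSG_DESTROYCHAIN,
+	NFT_MSG_DESTROYRULE,
+	NFT_MSG_DESTROYSET,
+	NFT_MSG_DESTROYSETELEM,
+	NFT_MSG_DESTROYOBJ,
+	NFT_MSG_DESTROYFLOWTABLE,
 	NFT_MSG_MAX,
 };
 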
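Review bot: The new kernel-doc lines for the seven NFT_MSG_DESTROY* message types in the first hunk read "destroy a ..." without saying how they differ from the existing NFT_MSG_DEL* commands, and this is the uapi header, so the contract userspace and its compatibility checks will rely on should be stated here rather than only in the merge description. The description says they are identical to delete but do not report an error when the referenced object does not exist; that is the sentence each entry needs, e.g. ` * @NFT_MSG_DESTROYFLOWTABLE: destroy flow table; like NFT_MSG_DELFLOWTABLE but not an error if it does not exist (enum nft_flowtable_attributes)` and the same form for the other six. The enumerators in the second hunk are appended directly before NFT_MSG_MAX, so existing message numbers keep their values, which is what the ABI requires; a one-line comment above the block such as `/* Keep new message types before NFT_MSG_MAX; values are uapi. */` would make that constraint explicit for the next addition.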
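--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -259,20 +259,6 @@ config IP_NF_MANGLE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_TARGET_CLUSTERIP
-	tristate "CLUSTERIP target support"
-	depends on IP_NF_MANGLE
-	depends on NF_CONNTRACK
-	depends on NETFILTER_ADVANCED
-	select NF_CONNTRACK_MARK
-	select NETFILTER_FAMILY_ARP
-	help
-	  The CLUSTERIP target allows you to build load-balancing clusters of
-	  network servers without having a dedicated load-balancing
-	  router/server/switch.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 config IP_NF_TARGET_ECN
 	tristate "ECN target support"
 	depends on IP_NF_MANGLE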
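--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -39,7 +39,6 @@ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
 
 # targets
-obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
 obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o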
+0 −929

File deleted.
