Commit 4b45e079 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next.
This patchset contains updates for the nf_tables register tracking
infrastructure, disable bogus warning when attaching ct helpers,
one namespace pollution fix and few cleanups for the flowtable.

1) Revisit conntrack gc routine to reduce chances of overrunning
   the netlink buffer from the event path. From Florian Westphal.

2) Disable warning on explicit ct helper assignment, from Phil Sutter.

3) Read-only expressions do not update registers, mark them as
   NFT_REDUCE_READONLY. Add helper functions to update the register
   tracking information. This patch re-enables the register tracking
   infrastructure.

4) Cancel register tracking in case an expression fully/partially
   clobbers existing data.

5) Add register tracking support for remaining expressions: ct,
   lookup, meta, numgen, osf, hash, immediate, socket, xfrm, tunnel,
   fib, exthdr.

6) Rename init and exit functions for the conntrack h323 helper,
   from Randy Dunlap.

7) Remove redundant field in struct flow_offload_work.

8) Update nf_flow_table_iterate() to pass flowtable to callback.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents e6980b57 217cff36
+1 −0
@@ -177,4 +177,5 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat);
int nf_nat_helper_try_module_get(const char *name, u16 l3num,
				 u8 protonum);
void nf_nat_helper_put(struct nf_conntrack_helper *helper);
void nf_ct_set_auto_assign_helper_warned(struct net *net);
#endif /*_NF_CONNTRACK_HELPER_H*/
+22 −0
@@ -126,6 +126,7 @@ struct nft_regs_track {
	struct {
		const struct nft_expr		*selector;
		const struct nft_expr		*bitwise;
		u8				num_reg;
	} regs[NFT_REG32_NUM];

	const struct nft_expr			*cur;
@@ -1633,4 +1634,25 @@ static inline struct nftables_pernet *nft_pernet(const struct net *net)
	return net_generic(net, nf_tables_net_id);
}

#define __NFT_REDUCE_READONLY	1UL
#define NFT_REDUCE_READONLY	(void *)__NFT_REDUCE_READONLY

static inline bool nft_reduce_is_readonly(const struct nft_expr *expr)
{
	return expr->ops->reduce == NFT_REDUCE_READONLY;
}

void nft_reg_track_update(struct nft_regs_track *track,
			  const struct nft_expr *expr, u8 dreg, u8 len);
void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len);
void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg);

static inline bool nft_reg_track_cmp(struct nft_regs_track *track,
				     const struct nft_expr *expr, u8 dreg)
{
	return track->regs[dreg].selector &&
	       track->regs[dreg].selector->ops == expr->ops &&
	       track->regs[dreg].num_reg == 0;
}

#endif /* _NET_NF_TABLES_H */
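Review bot: NFT_REDUCE_READONLY stores the integer 1 in the ->reduce function-pointer slot, so it is a sentinel that must never be called, and nothing at the definition says so. Any caller that invokes expr->ops->reduce() without first testing nft_reduce_is_readonly() would branch to address 1; the call sites are outside this section, so I cannot confirm that they all check. I would add `/* Sentinel for ->reduce, not a callable function: test with nft_reduce_is_readonly() before invoking ->reduce. */` above the defines and parenthesise the expansion, `#define NFT_REDUCE_READONLY ((void *)__NFT_REDUCE_READONLY)`. Separately, nft_reg_track_cmp() indexes track->regs[dreg] with no range check, so it relies on dreg having been validated against NFT_REG32_NUM when the expression was initialised; a one-line comment stating that precondition would help.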
+3 −0
@@ -37,4 +37,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,

void nft_fib_store_result(void *reg, const struct nft_fib *priv,
			  const struct net_device *dev);

bool nft_fib_reduce(struct nft_regs_track *track,
		    const struct nft_expr *expr);
#endif
+3 −0
@@ -6,6 +6,7 @@

struct nft_meta {
	enum nft_meta_keys	key:8;
	u8			len;
	union {
		u8		dreg;
		u8		sreg;
@@ -43,4 +44,6 @@ int nft_meta_set_validate(const struct nft_ctx *ctx,
			  const struct nft_expr *expr,
			  const struct nft_data **data);

bool nft_meta_get_reduce(struct nft_regs_track *track,
			 const struct nft_expr *expr);
#endif
+3 −2
@@ -87,6 +87,7 @@ static int nft_meta_bridge_get_init(const struct nft_ctx *ctx,
		return nft_meta_get_init(ctx, expr, tb);
	}

	priv->len = len;
	return nft_parse_register_store(ctx, tb[NFTA_META_DREG], &priv->dreg,
					NULL, NFT_DATA_VALUE, len);
}
@@ -98,6 +99,7 @@ static const struct nft_expr_ops nft_meta_bridge_get_ops = {
	.eval		= nft_meta_bridge_get_eval,
	.init		= nft_meta_bridge_get_init,
	.dump		= nft_meta_get_dump,
	.reduce		= nft_meta_get_reduce,
};

static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
@@ -112,8 +114,7 @@ static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
		if (track->regs[i].selector->ops != &nft_meta_bridge_get_ops)
			continue;

		track->regs[i].selector = NULL;
		track->regs[i].bitwise = NULL;
		__nft_reg_track_cancel(track, i);
	}

	return false;
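Review bot: In nft_meta_bridge_get_init(), priv->len is assigned only on the path that reaches nft_parse_register_store(); the branch just above it returns through nft_meta_get_init() instead. With `.reduce = nft_meta_get_reduce` now set on nft_meta_bridge_get_ops, the shared reduce routine (its body is not in this section) presumably reads priv->len, so it depends on nft_meta_get_init() filling the field for the keys it handles. A comment next to the assignment, such as `/* len is consumed by nft_meta_get_reduce(); nft_meta_get_init() sets it on the fallback path */`, would record that dependency once it is confirmed. nft_meta_bridge_get_init() starts outside the hunk.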