Commit 7f3579e1 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Add nfgenmsg field to nfnetlink's struct nfnl_info and use it.

2) Remove nft_ctx_init_from_elemattr() and nft_ctx_init_from_setattr()
   helper functions.

3) Add the nf_ct_pernet() helper function to fetch the conntrack
   pernetns data area.

4) Expose TCP and UDP flowtable offload timeouts through sysctl,
   from Oz Shlomo.

5) Add nfnetlink_hook subsystem to fetch the netfilter hook
   pipeline configuration, from Florian Westphal. This also includes
   a new field to annotate the hook type as metadata.

6) Fix unsafe memory access to non-linear skbuff in the new SCTP
   chunk support for nft_exthdr, from Phil Sutter.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 4e744cb8 c5c6accd

include/linux/netfilter.h

+7 −1
Original line number Diff line number Diff line
@@ -77,12 +77,18 @@ struct nf_hook_state { 
typedef unsigned int nf_hookfn(void *priv,

			       struct sk_buff *skb,

			       const struct nf_hook_state *state);

enum nf_hook_ops_type {

	NF_HOOK_OP_UNDEFINED,

	NF_HOOK_OP_NF_TABLES,

};



struct nf_hook_ops {

	/* User fills in from here down. */

	nf_hookfn		*hook;

	struct net_device	*dev;

	void			*priv;

	u_int8_t		pf;

	u8			pf;

	enum nf_hook_ops_type	hook_ops_type:8;

	unsigned int		hooknum;

	/* Hooks are ordered in ascending priority. */

	int			priority;

include/linux/netfilter/nfnetlink.h

+1 −0
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ struct nfnl_info { 
	struct net		*net;

	struct sock		*sk;

	const struct nlmsghdr	*nlh;

	const struct nfgenmsg	*nfmsg;

	struct netlink_ext_ack	*extack;

};

include/net/netfilter/nf_conntrack.h

+7 −0
Original line number Diff line number Diff line
@@ -346,6 +346,13 @@ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info) 
	skb_set_nfct(skb, (unsigned long)ct | info);

}



extern unsigned int nf_conntrack_net_id;



static inline struct nf_conntrack_net *nf_ct_pernet(const struct net *net)

{

	return net_generic(net, nf_conntrack_net_id);

}



#define NF_CT_STAT_INC(net, count)	  __this_cpu_inc((net)->ct.stat->count)

#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)

#define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))

include/net/netfilter/nf_flow_table.h

+2 −0
Original line number Diff line number Diff line
@@ -177,6 +177,8 @@ struct flow_offload { 
#define NF_FLOW_TIMEOUT (30 * HZ)

#define nf_flowtable_time_stamp	(u32)jiffies



unsigned long flow_offload_get_timeout(struct flow_offload *flow);



static inline __s32 nf_flow_timeout_delta(unsigned int timeout)

{

	return (__s32)(timeout - nf_flowtable_time_stamp);

include/net/netns/conntrack.h

+8 −0
Original line number Diff line number Diff line
@@ -27,6 +27,10 @@ struct nf_tcp_net { 
	u8 tcp_loose;

	u8 tcp_be_liberal;

	u8 tcp_max_retrans;

#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)

	unsigned int offload_timeout;

	unsigned int offload_pickup;

#endif

};



enum udp_conntrack {
@@ -37,6 +41,10 @@ enum udp_conntrack { 


struct nf_udp_net {

	unsigned int timeouts[UDP_CT_MAX];

#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)

	unsigned int offload_timeout;

	unsigned int offload_pickup;

#endif

};



struct nf_icmp_net {