Commit a7b62112 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Skip non-SCTP packets in the new SCTP chunk support for nft_exthdr,
   from Phil Sutter.

2) Simplify TCP option sanity check for TCP packets, also from Phil.

3) Add a new expression to store when the rule has been used last time.

4) Pass the hook state object to log function, from Florian Westphal.

5) Document the new sysctl knobs to tune the flowtable timeouts,
   from Oz Shlomo.

6) Fix snprintf error check in the new nfnetlink_hook infrastructure,
   from Dan Carpenter.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 0a36a75c 24610ed8
+24 −0
@@ -177,3 +177,27 @@ nf_conntrack_gre_timeout_stream - INTEGER (seconds)

	This extended timeout will be used in case there is an GRE stream
	detected.

nf_flowtable_tcp_timeout - INTEGER (seconds)
        default 30

        Control offload timeout for tcp connections.
        TCP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with tcp pickup timeout.

nf_flowtable_tcp_pickup - INTEGER (seconds)
        default 120

        TCP connection timeout after being aged from nf flow table offload.

nf_flowtable_udp_timeout - INTEGER (seconds)
        default 30

        Control offload timeout for udp connections.
        UDP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with udp pickup timeout.

nf_flowtable_udp_pickup - INTEGER (seconds)
        default 30

        UDP connection timeout after being aged from nf flow table offload.
+12 −8
@@ -159,22 +159,26 @@ unsigned int nf_ct_port_nlattr_tuple_size(void);
extern const struct nla_policy nf_ct_port_nla_policy[];

#ifdef CONFIG_SYSCTL
__printf(3, 4) __cold
__printf(4, 5) __cold
void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
			       const struct nf_conn *ct,
			       const struct nf_hook_state *state,
			       const char *fmt, ...);
__printf(5, 6) __cold
__printf(4, 5) __cold
void nf_l4proto_log_invalid(const struct sk_buff *skb,
			    struct net *net,
			    u16 pf, u8 protonum,
			    const struct nf_hook_state *state,
			    u8 protonum,
			    const char *fmt, ...);
#else
static inline __printf(5, 6) __cold
void nf_l4proto_log_invalid(const struct sk_buff *skb, struct net *net,
			    u16 pf, u8 protonum, const char *fmt, ...) {}
static inline __printf(3, 4) __cold
static inline __printf(4, 5) __cold
void nf_l4proto_log_invalid(const struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    u8 protonum,
			    const char *fmt, ...) {}
static inline __printf(4, 5) __cold
void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
			       const struct nf_conn *ct,
			       const struct nf_hook_state *state,
			       const char *fmt, ...) { }
#endif /* CONFIG_SYSCTL */
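Review bot: The `__printf(4, 5)` annotation on the CONFIG_SYSCTL declaration of nf_l4proto_log_invalid is only correct if `struct net *net` leaves the parameter list together with `u16 pf`; this rendering shows `struct net *net,` and the new `const struct nf_hook_state *state,` line without markers, so which of the two survives is not visible here. The `#else` stub declares `(skb, state, protonum, fmt, ...)` with the same `__printf(4, 5)` and no `net`, and the two prototypes must agree or builds without CONFIG_SYSCTL fail at every call site. If `net` is in fact kept, the attribute on the real declaration has to be `__printf(5, 6)`. The format attribute on both variants is what lets -Wformat check the callers' format strings against their arguments, so the index is worth verifying against the applied patch rather than this page.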

+1 −0
@@ -16,6 +16,7 @@ extern struct nft_expr_type nft_range_type;
extern struct nft_expr_type nft_meta_type;
extern struct nft_expr_type nft_rt_type;
extern struct nft_expr_type nft_exthdr_type;
extern struct nft_expr_type nft_last_type;

#ifdef CONFIG_NETWORK_SECMARK
extern struct nft_object_type nft_secmark_obj_type;
+15 −0
@@ -1195,6 +1195,21 @@ enum nft_counter_attributes {
};
#define NFTA_COUNTER_MAX	(__NFTA_COUNTER_MAX - 1)

/**
 * enum nft_last_attributes - nf_tables last expression netlink attributes
 *
 * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32)
 * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64)
 */
enum nft_last_attributes {
	NFTA_LAST_UNSPEC,
	NFTA_LAST_SET,
	NFTA_LAST_MSECS,
	NFTA_LAST_PAD,
	__NFTA_LAST_MAX
};
#define NFTA_LAST_MAX	(__NFTA_LAST_MAX - 1)

/**
 * enum nft_log_attributes - nf_tables log expression netlink attributes
 *
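Review bot: NFTA_LAST_PAD is the only member of the new nft_last_attributes enum left out of its kernel-doc block, and since this header is UAPI a one-line entry would tell userspace authors that it is not an attribute carrying data; something like `* @NFTA_LAST_PAD: padding attribute, presumably for 64-bit alignment of NFTA_LAST_MSECS` would do, worded to match how the kernel actually emits it. The neighbouring nft_counter_attributes block also omits its PAD member, so this follows the file's existing pattern and is a minor documentation point. The `NFTA_LAST_MAX` define and the `__NFTA_LAST_MAX` sentinel otherwise follow the same shape as NFTA_COUNTER_MAX directly above.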
+1 −1
@@ -74,7 +74,7 @@ obj-$(CONFIG_NF_DUP_NETDEV) += nf_dup_netdev.o
nf_tables-objs := nf_tables_core.o nf_tables_api.o nft_chain_filter.o \
		  nf_tables_trace.o nft_immediate.o nft_cmp.o nft_range.o \
		  nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \
		  nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o \
		  nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o nft_last.o \
		  nft_chain_route.o nf_tables_offload.o \
		  nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o \
		  nft_set_pipapo.o