Commit cc4e5eec authored by Jakub Kicinski
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Restrict range element expansion in ipset to avoid soft lockup,
   from Jozsef Kadlecsik.

2) Memleak in error path for nf_conntrack_bridge for IPv4 packets,
   from Yajun Deng.

3) Simplify conntrack garbage collection strategy to avoid frequent
   wake-ups, from Florian Westphal.

4) Fix NFNLA_HOOK_FUNCTION_NAME string, do not include module name.

5) Missing chain family netlink attribute in chain description
   in nfnetlink_hook.

6) Incorrect sequence number on nfnetlink_hook dumps.

7) Use netlink request family in reply message for consistency.

8) Remove offload_pickup sysctl, use conntrack for established state
   instead, from Florian Westphal.

9) Translate NFPROTO_INET/ingress to NFPROTO_NETDEV/ingress, since
   NFPROTO_INET is not exposed through nfnetlink_hook.

* git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
  netfilter: nfnetlink_hook: translate inet ingress to netdev
  netfilter: conntrack: remove offload_pickup sysctl again
  netfilter: nfnetlink_hook: Use same family as request message
  netfilter: nfnetlink_hook: use the sequence number of the request message
  netfilter: nfnetlink_hook: missing chain family
  netfilter: nfnetlink_hook: strip off module name from hookfn
  netfilter: conntrack: collect all entries in one cycle
  netfilter: nf_conntrack_bridge: Fix memory leak when error
  netfilter: ipset: Limit the maximal range of consecutive elements to add/delete
====================

Link: https://lore.kernel.org/r/20210806151149.6356-1-pablo@netfilter.org

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 704e624f 269fc695
+0 −10
Original line number Diff line number Diff line
@@ -191,19 +191,9 @@ nf_flowtable_tcp_timeout - INTEGER (seconds)
        TCP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with tcp pickup timeout.

nf_flowtable_tcp_pickup - INTEGER (seconds)
        default 120

        TCP connection timeout after being aged from nf flow table offload.

nf_flowtable_udp_timeout - INTEGER (seconds)
        default 30

        Control offload timeout for udp connections.
        UDP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with udp pickup timeout.

nf_flowtable_udp_pickup - INTEGER (seconds)
        default 30

        UDP connection timeout after being aged from nf flow table offload.
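Review bot: the retained context lines still say the connection is "returned to nf conntrack with tcp pickup timeout" (and "udp pickup timeout" for UDP) while the nf_flowtable_tcp_pickup and nf_flowtable_udp_pickup entries that defined those values are deleted, so the document now points at a knob that no longer exists; reword those two sentences to say the connection is returned to nf conntrack and the regular conntrack timeout for its state applies, which is what cover-letter item 8 describes.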
+3 −0
@@ -196,6 +196,9 @@ struct ip_set_region {
	u32 elements;		/* Number of elements vs timeout */
};

/* Max range where every element is added/deleted in one step */
#define IPSET_MAX_RANGE		(1<<20)

/* The max revision number supported by any set type + 1 */
#define IPSET_REVISION_MAX	9

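Review bot: the comment on IPSET_MAX_RANGE should state what happens when a request exceeds it and why 1<<20 was chosen; as written, a reader of the header cannot tell whether larger ranges are clamped or rejected. Cover-letter item 1 says the limit exists to keep range expansion from causing a soft lockup, so a comment along the lines of `/* Max range where every element is added/deleted in one step; larger ranges are rejected to bound the work per request */` (adjusted to the actual behaviour at the enforcement site) would document the contract at the point of definition.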
+0 −2
@@ -30,7 +30,6 @@ struct nf_tcp_net {
	u8 tcp_ignore_invalid_rst;
#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
	unsigned int offload_timeout;
	unsigned int offload_pickup;
#endif
};

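Review bot: dropping offload_pickup from struct nf_tcp_net is a user-visible change once the matching sysctl goes (see the documentation hunk above); it is acceptable only because, as the cover letter puts it, the sysctl is removed "again", i.e. it never shipped in a release, and the commit message should say so explicitly. Also confirm that every remaining reader of the field (the sysctl table entry and the flowtable teardown code that applied the pickup value) is removed in the same commit, so no intermediate state fails to build.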
@@ -44,7 +43,6 @@ struct nf_udp_net {
	unsigned int timeouts[UDP_CT_MAX];
#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
	unsigned int offload_timeout;
	unsigned int offload_pickup;
#endif
};

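Review bot: with offload_pickup gone from struct nf_udp_net, the timeout applied when a flow is handed back must come from the existing timeouts[UDP_CT_MAX] array; a one-line comment at the point of use (outside this hunk) that an offloaded UDP flow returns to conntrack with its per-state timeout rather than a dedicated pickup value would make the behavioural change described in cover-letter item 8 visible to the next reader of this struct.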
+9 −0
@@ -43,6 +43,15 @@ enum nfnl_hook_chain_info_attributes {
};
#define NFNLA_HOOK_INFO_MAX (__NFNLA_HOOK_INFO_MAX - 1)

enum nfnl_hook_chain_desc_attributes {
	NFNLA_CHAIN_UNSPEC,
	NFNLA_CHAIN_TABLE,
	NFNLA_CHAIN_FAMILY,
	NFNLA_CHAIN_NAME,
	__NFNLA_CHAIN_MAX,
};
#define NFNLA_CHAIN_MAX (__NFNLA_CHAIN_MAX - 1)

/**
 * enum nfnl_hook_chaintype - chain type
 *
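Review bot: enum nfnl_hook_chain_desc_attributes is UAPI, so the order NFNLA_CHAIN_TABLE, NFNLA_CHAIN_FAMILY, NFNLA_CHAIN_NAME is frozen once this ships; inserting FAMILY between TABLE and NAME is fine only because nfnetlink_hook is new in this cycle, and the commit message should state that. The new enum also lacks the kernel-doc block that the neighbouring enum nfnl_hook_chaintype carries; add one describing NFNLA_CHAIN_FAMILY as the NFPROTO_* family of the chain, noting which families can appear given the inet-to-netdev translation elsewhere in this series.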
+6 −0
@@ -88,6 +88,12 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,

			skb = ip_fraglist_next(&iter);
		}

		if (!err)
			return 0;

		kfree_skb_list(iter.frag);

		return err;
	}
slow_path:
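Review bot: the error path frees only iter.frag, which assumes output() has consumed the skb it was handed even when it returned an error; that ownership rule is what makes this neither a leak nor a double free, and it deserves a short comment above kfree_skb_list() because the loop that sets err sits outside this hunk. Minor: `if (!err) return 0;` followed by `kfree_skb_list(iter.frag); return err;` can be collapsed to `if (err) kfree_skb_list(iter.frag); return err;`, which reads as a single exit path.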