Commit d6821c5b authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter/IPVS fixes for net:

1) Add selftest for vrf+conntrack, from Florian Westphal.

2) Extend nfqueue selftest to cover nfqueue, also from Florian.

3) Remove duplicated include in nft_payload, from Wan Jiabing.

4) Several improvements to the nat port shadowing selftest,
   from Phil Sutter.

5) Fix filtering of reply tuple in ctnetlink, from Florent Fourcot.

6) Do not override error with -EINVAL in filter setup path, also
   from Florent.

7) Honor sysctl_expire_nodest_conn regardless of conn_reuse_mode for
   reused connections, from yangxingwu.

8) Replace snprintf() by sysfs_emit() in xt_IDLETIMER as reported
   by Coccinelle, from Jing Yao.

9) Incorrect IPv6 tunnel match in flowtable offload, from Will
   Mortensen.

10) Switch port shadow selftest to use socat, from Florian Westphal.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 8d0112ac a2acf0c0
+1 −2
@@ -37,8 +37,7 @@ conn_reuse_mode - INTEGER

	0: disable any special handling on port reuse. The new
	connection will be delivered to the same real server that was
	servicing the previous connection. This will effectively
	disable expire_nodest_conn.
	servicing the previous connection.

	bit 1: enable rescheduling of new connections when it is safe.
	That is, whenever expire_nodest_conn and for TCP sockets, when
+4 −4
@@ -1919,7 +1919,6 @@ ip_vs_in_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *state
	struct ip_vs_proto_data *pd;
	struct ip_vs_conn *cp;
	int ret, pkts;
	int conn_reuse_mode;
	struct sock *sk;
	int af = state->pf;

@@ -1997,15 +1996,16 @@ ip_vs_in_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *state
	cp = INDIRECT_CALL_1(pp->conn_in_get, ip_vs_conn_in_get_proto,
			     ipvs, af, skb, &iph);

	conn_reuse_mode = sysctl_conn_reuse_mode(ipvs);
	if (conn_reuse_mode && !iph.fragoffs && is_new_conn(skb, &iph) && cp) {
	if (!iph.fragoffs && is_new_conn(skb, &iph) && cp) {
		int conn_reuse_mode = sysctl_conn_reuse_mode(ipvs);
		bool old_ct = false, resched = false;

		if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp->dest &&
		    unlikely(!atomic_read(&cp->dest->weight))) {
			resched = true;
			old_ct = ip_vs_conn_uses_old_conntrack(cp, skb);
		} else if (is_new_conn_expected(cp, conn_reuse_mode)) {
		} else if (conn_reuse_mode &&
			   is_new_conn_expected(cp, conn_reuse_mode)) {
			old_ct = ip_vs_conn_uses_old_conntrack(cp, skb);
			if (!atomic_read(&cp->n_control)) {
				resched = true;
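Review bot: The expire_nodest_conn branch now runs even when conn_reuse_mode is 0, because the mode is read inside the `if (!iph.fragoffs && is_new_conn(skb, &iph) && cp)` block and only gates the `else if`, yet nothing in the code says this precedence is deliberate, so a later cleanup could easily hoist `conn_reuse_mode &&` back onto the outer condition. A comment above the outer `if` would pin it: `/* expire_nodest_conn takes precedence over conn_reuse_mode: a new connection hitting a real server with weight 0 must be rescheduled even in mode 0 */`. The documentation hunk earlier in this merge drops the sentence saying mode 0 disables expire_nodest_conn, so the comment and the sysctl doc would then agree. ip_vs_in_hook starts and ends outside the hunk, so what `resched` and `old_ct` trigger downstream is not visible here.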
+2 −4
@@ -1011,12 +1011,10 @@ ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
						   CTA_TUPLE_REPLY,
						   filter->family,
						   &filter->zone,
						   filter->orig_flags);
		if (err < 0) {
			err = -EINVAL;
						   filter->reply_flags);
		if (err < 0)
			goto err_filter;
	}
	}

	return filter;

+2 −2
@@ -65,11 +65,11 @@ static void nf_flow_rule_lwt_match(struct nf_flow_match *match,
		       sizeof(struct in6_addr));
		if (memcmp(&key->enc_ipv6.src, &in6addr_any,
			   sizeof(struct in6_addr)))
			memset(&key->enc_ipv6.src, 0xff,
			memset(&mask->enc_ipv6.src, 0xff,
			       sizeof(struct in6_addr));
		if (memcmp(&key->enc_ipv6.dst, &in6addr_any,
			   sizeof(struct in6_addr)))
			memset(&key->enc_ipv6.dst, 0xff,
			memset(&mask->enc_ipv6.dst, 0xff,
			       sizeof(struct in6_addr));
		enc_keys |= BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS);
		key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
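Review bot: Both memset calls now write the mask instead of the key, but they still size the write with `sizeof(struct in6_addr)`, a type name that fits either operand, which is part of why the key/mask mix-up read as plausible before this fix. Sizing by the destination object makes the intent self-checking at the call site: `memset(&mask->enc_ipv6.src, 0xff, sizeof(mask->enc_ipv6.src));` and `memset(&mask->enc_ipv6.dst, 0xff, sizeof(mask->enc_ipv6.dst));`. A one-line comment that an unset (presumably zero) mask means the tunnel address is deliberately left unmatched would also help, since the untouched mask in the any-address case otherwise looks like an omission. nf_flow_rule_lwt_match begins outside the hunk, so whether the IPv4 branch has the same shape cannot be checked here.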
+0 −1
@@ -22,7 +22,6 @@
#include <linux/icmpv6.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/ip.h>
#include <net/sctp/checksum.h>

static bool nft_payload_rebuild_vlan_hdr(const struct sk_buff *skb, int mac_off,