Commit d9679cd9 authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for net-next:

1) Add support to specify a stateful expression in set definitions,
   this allows users to specify e.g. counters per set elements.

2) Flowtable software counter support.

3) Flowtable hardware offload counter support, from wenxu.

3) Parallelize flowtable hardware offload requests, from Paul Blakey.
   This includes a patch to add one work entry per offload command.

4) Several patches to rework nf_queue refcount handling, from Florian
   Westphal.

4) A few fixes for the flowtable tunnel offload: Fix crash if tunneling
   information is missing and set up indirect flow block as TC_SETUP_FT,
   patch from wenxu.

5) Stricter netlink attribute sanity check on filters, from Romain Bellan
   and Florent Fourcot.

5) Annotations to make sparse happy, from Jules Irenge.

6) Improve icmp errors in debugging information, from Haishuang Yan.

7) Fix warning in IPVS icmp error debugging, from Haishuang Yan.

8) Fix endianness issue in tcp extension header, from Sergey Marinkevich.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 6fe9a949 e19680f8
+2 −1
@@ -533,6 +533,7 @@ void flow_indr_block_cb_unregister(struct net_device *dev,

void flow_indr_block_call(struct net_device *dev,
			  struct flow_block_offload *bo,
			  enum flow_block_command command);
			  enum flow_block_command command,
			  enum tc_setup_type type);

#endif /* _NET_FLOW_OFFLOAD_H */
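Review bot: The new `type` argument on `flow_indr_block_call()` is undocumented, and nothing at the prototype says what a registered callback should do with a setup type it does not implement. Callbacks written before this change presumably assumed a single block type, so each one needs an explicit check that declines unknown types rather than handling the request as the type it already knows; those callbacks are outside this hunk, so this cannot be confirmed here. I would add a short comment above the prototype, e.g. `/* @type: setup type passed through to each indirect block callback; callbacks must reject types they do not support */`.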
+11 −0
@@ -65,6 +65,17 @@ static inline void nf_ct_set_acct(struct net *net, bool enable)
#endif
}

void nf_ct_acct_add(struct nf_conn *ct, u32 dir, unsigned int packets,
		    unsigned int bytes);

static inline void nf_ct_acct_update(struct nf_conn *ct, u32 dir,
				     unsigned int bytes)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	nf_ct_acct_add(ct, dir, 1, bytes);
#endif
}

void nf_conntrack_acct_pernet_init(struct net *net);

int nf_conntrack_acct_init(void);
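Review bot: `nf_ct_acct_add()` takes `packets` and `bytes` as `unsigned int`, so a caller that hands it a 64-bit count is truncated silently at the call. The description mentions hardware offload counters; if those arrive as accumulated 64-bit deltas, a byte count above 4 GiB between updates would be under-reported, which matters wherever accounting feeds quotas or monitoring. Consider `void nf_ct_acct_add(struct nf_conn *ct, u32 dir, u64 packets, u64 bytes);`, leaving `nf_ct_acct_update()` as it is. `dir` is also passed through unchecked at this level; the definition of `nf_ct_acct_add()` is outside this section, so whether it is range-checked there is not visible.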
+3 −2
@@ -62,7 +62,8 @@ struct nf_flowtable_type {
};

enum nf_flowtable_flags {
	NF_FLOWTABLE_HW_OFFLOAD		= 0x1,
	NF_FLOWTABLE_HW_OFFLOAD		= 0x1,	/* NFT_FLOWTABLE_HW_OFFLOAD */
	NF_FLOWTABLE_COUNTER		= 0x2,	/* NFT_FLOWTABLE_COUNTER */
};

struct nf_flowtable {
@@ -73,7 +74,7 @@ struct nf_flowtable {
	struct delayed_work		gc_work;
	unsigned int			flags;
	struct flow_block		flow_block;
	struct mutex			flow_block_lock; /* Guards flow_block */
	struct rw_semaphore		flow_block_lock; /* Guards flow_block */
	possible_net_t			net;
};
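Review bot: `flow_block_lock` becomes an `rw_semaphore` but its comment still reads only `/* Guards flow_block */`, which no longer tells a reader which paths must take it for write. With a mutex every holder was serialized; with a reader/writer lock anything run under the read side can now execute concurrently, so code that relied on the old exclusion (for example callbacks invoked while the lock is held) has to be safe in parallel. The users of the lock are outside this section, so this needs checking at the call sites. I would spell the rule out at the field, e.g. `/* Guards flow_block: down_write() to change the callback list, down_read() to walk it */`, adjusted to match what the call sites actually do.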

+5 −2
@@ -14,7 +14,10 @@ struct nf_queue_entry {
	struct sk_buff		*skb;
	unsigned int		id;
	unsigned int		hook_index;	/* index in hook_entries->hook[] */

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
	struct net_device	*physin;
	struct net_device	*physout;
#endif
	struct nf_hook_state	state;
	u16			size; /* sizeof(entry) + saved route keys */

@@ -35,7 +38,7 @@ void nf_unregister_queue_handler(struct net *net);
void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);

void nf_queue_entry_get_refs(struct nf_queue_entry *entry);
void nf_queue_entry_release_refs(struct nf_queue_entry *entry);
void nf_queue_entry_free(struct nf_queue_entry *entry);

static inline void init_hashrandom(u32 *jhash_initval)
{
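Review bot: `physin` and `physout` are stored as raw `struct net_device *` in an entry that can outlive the hook invocation, and nothing in the struct says who holds the device references. If they are not pinned for the whole time the entry is queued and dropped exactly once in `nf_queue_entry_free()`, a bridge port removed while a packet waits for a verdict leaves dangling pointers; the get/free implementations are outside this section, so this is a request to confirm rather than a known defect. A comment on the fields would make the contract visible, e.g. `/* references held from nf_queue_entry_get_refs() until nf_queue_entry_free() */`. Since `nf_queue_entry_free()` replaces `nf_queue_entry_release_refs()`, its declaration should also say whether it frees the entry itself, so that no caller keeps a `kfree()` after it. The last hunk ends inside `init_hashrandom()`, whose body is not shown.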
+5 −0
@@ -266,6 +266,7 @@ struct nft_set_iter {
 *	@size: number of set elements
 *	@field_len: length of each field in concatenation, bytes
 *	@field_count: number of concatenated fields in element
 *	@expr: set must support for expressions
 */
struct nft_set_desc {
	unsigned int		klen;
@@ -273,6 +274,7 @@ struct nft_set_desc {
	unsigned int		size;
	u8			field_len[NFT_REG32_COUNT];
	u8			field_count;
	bool			expr;
};

/**
@@ -416,6 +418,7 @@ struct nft_set_type {
 *	@policy: set parameterization (see enum nft_set_policies)
 *	@udlen: user data length
 *	@udata: user data
 *	@expr: stateful expression
 * 	@ops: set ops
 * 	@flags: set flags
 *	@genmask: generation mask
@@ -444,6 +447,7 @@ struct nft_set {
	u16				policy;
	u16				udlen;
	unsigned char			*udata;
	struct nft_expr			*expr;
	/* runtime data below here */
	const struct nft_set_ops	*ops ____cacheline_aligned;
	u16				flags:14,
@@ -846,6 +850,7 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
	return (void *)expr->data;
}

int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
		  const struct nft_expr *expr);
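Review bot: `nft_expr_clone()` is declared without any statement of its contract: how large `dst` must be, what state `dst` is in when the call fails, and whether `src` is modified. Cloning into caller-provided storage is only safe if the caller sizes `dst` from the source expression, and a failed clone must not leave a half-initialised `dst` that later reaches `nft_expr_destroy()`; the definition is outside this section, so please confirm both. I would add a kernel-doc comment covering those three points and, if `src` is only read, declare it `const struct nft_expr *src`. The new `@expr: set must support for expressions` line in the `nft_set_desc` comment would read better as `@expr: set must support expressions`.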